By Jonathan Corbet
May 27, 2013
Certain projects are known for disclosing a large number of vulnerabilities
at once; such behavior is especially common in company-owned projects where
fixes are released in batches. Even those projects, though, rarely turn up with 30
new CVE numbers in a single day. But, on May 23, the X.org project
did exactly that when it
disclosed a large
number of security vulnerabilities in various X client libraries — some of
which could be more than two decades old.
The vulnerabilities
The X Window System has a classic client/server architecture, with the X
server providing display and input services for a range of client
applications. The two sides communicate via a well-defined (if much extended)
protocol that, in theory, provides for network-transparent operation. In
any protocol implementation, developers must take into account the
possibility that one of the participants is compromised or overtly
hostile. In short, that is what did not happen in the X client
libraries.
In particular, the client libraries contained many assumptions about the
trustworthiness of the data coming from the X server. Keymap indexes were
not checked to verify that they fell in the range of known keys. Very
large buffer size values from the server could
cause integer overflows on the client side; that, in turn, could lead
to the allocation of undersized buffers that could subsequently be
overflowed. File-processing code could be forced
into unbounded recursion by hostile input. And so on. The bottom line
is that an attacker who controls an X server has a long list of possible
ways to compromise the clients connected to that server.
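The three failure classes in that paragraph (an index used without a range check, a length that wraps when multiplied, and a server-supplied byte count trusted over what was actually received) are easy to see in a few lines of C. The following is an added example written for this article, not code from libX11 or any other X library: the reply header, the keymap contents and the messages are constructed here for illustration, and the wire layout is not X's. `unsafe_alloc_size()` shows the wrap the article describes; `parse_reply()` is the hardened form, which bounds every server-supplied number against what the client actually holds before using it for arithmetic, allocation or indexing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits assumed for this example; they are not taken from any X library. */
#define KEYMAP_SIZE     256u        /* entries in the client's keysym table */
#define MAX_REPLY_BYTES (1u << 24)  /* largest payload one reply may carry */

/* Constructed stand-in for a reply header from the server. It is NOT the X
 * wire format; it models only the two untrusted fields the article names. */
struct reply_hdr {
    uint32_t nitems;   /* server's claim: number of 4-byte items that follow */
    uint32_t keycode;  /* server's index into the client's keymap */
};

/* The unsafe pattern: trust the length and multiply in 32-bit arithmetic.
 * Returns the byte count that would be handed to malloc(), so the wrap is
 * visible without performing the copy that would then overflow the buffer.
 * For nitems = 0x40000001 the result is 4. */
size_t unsafe_alloc_size(uint32_t nitems)
{
    uint32_t nbytes = nitems * 4u;   /* wraps modulo 2^32 once nitems >= 2^30 */
    return nbytes;
}

/* Hardened parser: every server-supplied number is checked against what the
 * client actually holds (bytes received, table size) before it is used.
 * Returns 0 and fills the outputs on success (caller frees *items), -1 on
 * any inconsistency. */
int parse_reply(const uint8_t *wire, size_t wire_len, const uint32_t *keymap,
                uint32_t **items, size_t *nitems, uint32_t *keysym)
{
    struct reply_hdr h;
    if (wire_len < sizeof h)
        return -1;                            /* truncated header */
    memcpy(&h, wire, sizeof h);

    if (h.nitems > MAX_REPLY_BYTES / 4u)
        return -1;                            /* bound it BEFORE multiplying */
    size_t nbytes = (size_t)h.nitems * 4u;    /* cannot wrap now */
    if (nbytes > wire_len - sizeof h)
        return -1;                            /* claims more than was sent */
    if (h.keycode >= KEYMAP_SIZE)
        return -1;                            /* index outside the table */

    uint32_t *buf = malloc(nbytes ? nbytes : 1u);
    if (!buf)
        return -1;
    memcpy(buf, wire + sizeof h, nbytes);
    *items = buf;
    *nitems = h.nitems;
    *keysym = keymap[h.keycode];
    return 0;
}

/* ---- constructed inputs, so the scenarios run offline ------------------ */

/* Constructed keymap: only entry 65 is populated, with an arbitrary value. */
static const uint32_t keymap[KEYMAP_SIZE] = { [65] = 0x1041u };

/* Serialises header + payload into buf; returns the message length. */
static size_t build_msg(uint8_t *buf, uint32_t nitems, uint32_t keycode,
                        const uint8_t *payload, size_t payload_len)
{
    struct reply_hdr h = { nitems, keycode };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, payload, payload_len);
    return sizeof h + payload_len;
}

/* Each scenario returns what parse_reply reports, so the outcome is checkable. */
int scenario_hostile_length(void)   /* length chosen so nitems*4 wraps to 4 */
{
    uint8_t msg[16], payload[8] = {0};
    uint32_t *items; size_t n; uint32_t ks;
    size_t len = build_msg(msg, 0x40000001u, 65, payload, sizeof payload);
    return parse_reply(msg, len, keymap, &items, &n, &ks);        /* -1 */
}

int scenario_hostile_index(void)    /* keycode past the 256-entry table */
{
    uint8_t msg[16], payload[8] = {0};
    uint32_t *items; size_t n; uint32_t ks;
    size_t len = build_msg(msg, 2, 300, payload, sizeof payload);
    return parse_reply(msg, len, keymap, &items, &n, &ks);        /* -1 */
}

int scenario_benign(void)           /* consistent header: returns keymap[65] */
{
    uint8_t msg[16], payload[8] = {1,0,0,0, 2,0,0,0};
    uint32_t *items; size_t n; uint32_t ks;
    size_t len = build_msg(msg, 2, 65, payload, sizeof payload);
    if (parse_reply(msg, len, keymap, &items, &n, &ks) != 0 || n != 2)
        return -1;
    free(items);
    return (int)ks;                                                /* 0x1041 */
}

int main(void)
{
    printf("unsafe size for nitems=0x40000001: %zu\n", unsafe_alloc_size(0x40000001u));
    printf("hostile length rejected: %d\n", scenario_hostile_length());
    printf("hostile index rejected:  %d\n", scenario_hostile_index());
    printf("benign keysym:           0x%x\n", (unsigned)scenario_benign());
    return 0;
}
```

The order of the checks is the point: the upper bound on `nitems` comes before the multiplication, so the product cannot wrap; the product is then compared against the bytes actually received, so a server cannot claim a payload it never sent; and the index is compared against the table size the client knows, not a value the server supplied. A 64-bit `size_t` would have hidden the wrap in this particular multiply, but not the other two lies, which is why widening the arithmetic alone is not a fix.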
Despite the seemingly scary nature of most of these vulnerabilities, the impact on
most users should be minimal. Most of the time, the user is in control of
the server, which is usually running in a privileged mode. Any remote
attacker who can compromise such a server will not need to be concerned
with client library exploits; the game will have already been lost. The
biggest threat, arguably, is attacks against setuid programs by a local
user. If the user can control the server (perhaps by using one of the
virtual X server applications), it may be possible to subvert a privileged
program, enabling privilege escalation on the local machine. For this
reason, applying the updates makes sense in many situations, but it may not
be a matter of immediate urgency.
Many of these vulnerabilities have been around for a long time; the
advisory states that "X.Org believes all prior versions of these
libraries contain these flaws, dating back to their introduction."
That introduction, for the bulk of the libraries involved, was in the
1990's. That is a long time for some (in retrospect) fairly obvious errors
to go undetected in code that is this widely used.
Some thoughts
One can certainly make excuses for the developers who implemented those
libraries 20 years or so ago. The net was not so hostile — or so pervasive
— and it hadn't yet occurred to developers that their code might have to
interact with overly hostile peers. A lot of code written in those days
has needed refurbishing since.
It is a bit more interesting to ponder why that refurbishing took so long
to happen
in this case. X has long inspired fears of security issues, after all.
But, traditionally, those fears have been centered around the server, since
that is where the privilege lies. If you operate under the assumption that
the server is the line of defense, there is little reason to be concerned
about the prospect of the server attacking its clients. It undoubtedly
seemed better to focus on reinforcing the server itself.
Even so, one might think that somebody would have gotten around to looking
at the X library code before Ilja van Sprundel took on the task in 2013.
After all, if vulnerable code exists, somebody, somewhere will figure out a
way to exploit it, and attackers have no qualms about looking for problems
in ancient code. The X libraries are widely used and, for better or worse,
they do often get linked into privileged programs that, arguably, should
not be mixing interface and privilege in this way. It seems fairly likely
that at least some of these vulnerabilities have been known to attackers
for some time.
Speaking of review
As Al Viro has pointed out, the security
updates caused some problems of their own due to bugs that would have been
caught in a proper review process. Given the age and impact of the
vulnerabilities, it arguably would have been better to skip the embargo
process and post the fixes publicly before shipping them. After all, as Al
notes, unreviewed "security" fixes could be a way to slip new
vulnerabilities into a system.
In the free software community, we tend to take pride in our review
processes which, we hope, keep bugs out of our code and vulnerabilities out
of our system. In this case, though, it is now clear that some of our most
widely used library code has not seen a serious review pass for a long
time. Recent kernel vulnerabilities, too, have shown that our code is not
as well reviewed as we might like to think. Often, it seems, the
black hats are scrutinizing our code more closely than our developers and
maintainers are.
Fixing this will not be easy. Deep code review has always been in short
supply in our community, and for easily understandable reasons: the work is
tedious, painstaking, and often unrewarding. Developers with the skill to
perform this kind of review tend to be happier when they are writing code
of their own. Getting these developers to volunteer more of their time for
code review is always going to be an uphill battle.
The various companies working in this area could help the situation by
paying for more security review work. There are some signs that more of
this is happening than in the past, but this, too, has tended to be a hard
sell. Most companies sponsor development work to help ensure that their
own needs are adequately met by the project(s) in question. General
security work does not add features or enable more hardware; the rewards
from doing this work may seem nebulous at best. So most companies,
especially if they do not feel threatened by the current level of security
in our code, feel that security work is something they can leave to others.
So we will probably continue to muddle along with code that contains a
variety of vulnerabilities, both old and new. Most of the time, it works
well enough — at least, as far as we know. And on that cheery note, your
editor has to run; there's a whole set of new security updates to apply.
Comments (66 posted)
Brief items
With a guarantee of secure Internet access points, opposition groups would be able to link their terrestrial and wireless networks with those of like-minded groups. This would enable them to reach deeper into the country, giving broad sections of the Syrian populace Internet access. And because the United States would be able to monitor those networks, we could make sure that moderate opposition elements would be the primary beneficiaries.
— The New York Times puts out a call for a "cyberattack" for Syria
You can trade a little security for a bit of convenience. Then sacrifice some more security for some extra convenience. Then buy even more convenience at expense of security. There’s nothing particularly bad in this tradeoff in non-mission critical applications, but where should it stop? Apparently, Apple decided to maintain its image as being more of a “user-friendly” rather than “secure” company.
In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.
— Vladimir Katalov of ElcomSoft finds some dubious Apple security decisions
For any given politician, the implications of these four reasons are
straightforward. Overestimating the threat is better than underestimating
it. Doing something about the threat is better than doing nothing. Doing
something that is explicitly reactive is better than being proactive. (If
you're proactive and you're wrong, you've wasted money. If you're proactive
and you're right but no longer in power, whoever is in power is going to
get the credit for what you did.) Visible is better than
invisible. Creating something new is better than fixing something old.
Those last two maxims are why it's better for a politician to fund a
terrorist fusion center than to pay for more Arabic translators for the
National Security Agency. No one's going to see the additional
appropriation in the NSA's secret budget. On the other hand, a high-tech
computerized fusion center is going to make front page news, even if it
doesn't actually do anything useful.
— Bruce Schneier
Comments (none posted)
X.Org has disclosed a long list of vulnerabilities that have been fixed in
the X Window System client libraries; most of them expose clients to
attacks by a hostile server. "Most of the time X clients & servers
are run by the same user, with the server more privileged than the clients,
so this is not a problem, but there are scenarios in which a privileged
client can be connected to an unprivileged server, for instance, connecting
a setuid X client (such as a screen lock program) to a virtual X server
(such as Xvfb or Xephyr) which the user has modified to return invalid
data, potentially allowing the user to escalate their privileges."
There are 30 CVE numbers assigned to these vulnerabilities; expect the
distributor updates to start flowing shortly.
Full Story (comments: 55)
A security issue has been identified in the tool used by the Fedora Project
to create cloud images. "Images generated by this tool, including
Fedora Project “official” AMIs (Amazon Machine Images), AMIs whose heritage
can be traced to official Fedora AMIs, as well as some images using the AMI
format in non-Amazon clouds, are affected, as described below." The
flaw has been assigned CVE-2013-2069.
Full Story (comments: none)
The H reports increasing attempts to compromise servers via a security hole in Ruby
on Rails. "On his blog, security expert Jeff Jarmoc reports
that the criminals are trying to exploit one of the vulnerabilities
described by CVE identifier 2013-0156. Although the holes were closed
back in January, more than enough servers on the net are probably still
running an obsolete version of Ruby." The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18.
Comments (none posted)
Google has announced that it will be disclosing information on actively-exploited
vulnerabilities after seven days. "Seven days is an aggressive
timeline and may be too short for some vendors to update their products,
but it should be enough time to publish advice about possible mitigations,
such as temporarily disabling a service, restricting access, or contacting
the vendor for more information. As a result, after 7 days have elapsed
without a patch or advisory, we will support researchers making details
available so that users can take steps to protect themselves."
Comments (2 posted)
New vulnerabilities
chromium: multiple vulnerabilities
| Package(s): | chromium-browser |
| CVE #(s): | CVE-2013-2837, CVE-2013-2838, CVE-2013-2839, CVE-2013-2840, CVE-2013-2841, CVE-2013-2842, CVE-2013-2843, CVE-2013-2844, CVE-2013-2845, CVE-2013-2846, CVE-2013-2847, CVE-2013-2848, CVE-2013-2849 |
| Created: | May 29, 2013 |
| Updated: | July 15, 2013 |
| Description: |
From the Debian advisory:
CVE-2013-2837:
Use-after-free vulnerability in the SVG implementation allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
CVE-2013-2838:
Google V8, as used in Chromium before 27.0.1453.93, allows
remote attackers to cause a denial of service (out-of-bounds read)
via unspecified vectors.
CVE-2013-2839:
Chromium before 27.0.1453.93 does not properly perform a cast
of an unspecified variable during handling of clipboard data, which
allows remote attackers to cause a denial of service or possibly
have other impact via unknown vectors.
CVE-2013-2840:
Use-after-free vulnerability in the media loader in Chromium
before 27.0.1453.93 allows remote attackers to cause a denial of
service or possibly have unspecified other impact via unknown
vectors, a different vulnerability than CVE-2013-2846.
CVE-2013-2841:
Use-after-free vulnerability in Chromium before 27.0.1453.93
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors related to the handling of
Pepper resources.
CVE-2013-2842:
Use-after-free vulnerability in Chromium before 27.0.1453.93
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors related to the handling of
widgets.
CVE-2013-2843:
Use-after-free vulnerability in Chromium before 27.0.1453.93
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors related to the handling of
speech data.
CVE-2013-2844:
Use-after-free vulnerability in the Cascading Style Sheets (CSS)
implementation in Chromium before 27.0.1453.93 allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors related to style resolution.
CVE-2013-2845:
The Web Audio implementation in Google Chrome before 27.0.1453.93
allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via unknown
vectors.
CVE-2013-2846:
Use-after-free vulnerability in the media loader in Google Chrome
before 27.0.1453.93 allows remote attackers to cause a denial of
service or possibly have unspecified other impact via unknown
vectors, a different vulnerability than CVE-2013-2840.
CVE-2013-2847:
Race condition in the workers implementation in Google Chrome before
27.0.1453.93 allows remote attackers to cause a denial of service
(use-after-free and application crash) or possibly have unspecified
other impact via unknown vectors.
CVE-2013-2848:
The XSS Auditor in Google Chrome before 27.0.1453.93 might allow
remote attackers to obtain sensitive information via unspecified
vectors.
CVE-2013-2849:
Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome
before 27.0.1453.93 allow user-assisted remote attackers to inject
arbitrary web script or HTML via vectors involving a (1)
drag-and-drop or (2) copy-and-paste operation.
Comments (none posted)
FlightGear: code execution
| Package(s): | FlightGear |
| CVE #(s): | |
| Created: | May 29, 2013 |
| Updated: | June 7, 2013 |
| Description: |
From the FlightGear blog:
FlightGear generates a remote format string vulnerability that could crash the application or potentially execute arbitrary code under certain conditions.
Comments (none posted)
gnutls: denial of service
| Package(s): | gnutls26 |
| CVE #(s): | CVE-2013-2116 |
| Created: | May 30, 2013 |
| Updated: | July 5, 2013 |
| Description: |
From the Debian advisory:
It was discovered that a malicious client could crash a GNUTLS server
and vice versa, by sending TLS records encrypted with a block cipher
which contain invalid padding.
Comments (none posted)
kernel: information leak
| Package(s): | linux |
| CVE #(s): | CVE-2013-3226 |
| Created: | May 24, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the CVE entry:
The sco_sock_recvmsg function in net/bluetooth/sco.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
Comments (none posted)
kvm guest image: no root password
| Package(s): | kvm guest image |
| CVE #(s): | CVE-2013-2069 |
| Created: | May 24, 2013 |
| Updated: | June 11, 2013 |
| Description: |
From the Red Hat advisory:
It was discovered that when no 'rootpw' command was specified in a
Kickstart file, the image creator tools gave the root user an empty
password rather than leaving the password locked, which could allow a local
user to gain access to the root account.
Comments (2 posted)
moodle: multiple vulnerabilities
| Package(s): | moodle |
| CVE #(s): | CVE-2013-2079, CVE-2013-2080, CVE-2013-2081, CVE-2013-2082, CVE-2013-2083 |
| Created: | May 29, 2013 |
| Updated: | June 7, 2013 |
| Description: |
From the CVE entries:
mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role. (CVE-2013-2079)
The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report. (CVE-2013-2080)
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data. (CVE-2013-2081)
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request. (CVE-2013-2082)
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request. (CVE-2013-2083)
Comments (none posted)
nginx: denial of service and information disclosure
| Package(s): | nginx |
| CVE #(s): | CVE-2013-2070 |
| Created: | May 23, 2013 |
| Updated: | July 8, 2013 |
| Description: |
The nginx web server suffers from a vulnerability that can lead to denial of service or information disclosure problems when the proxy_pass option is used with an untrusted upstream server. See this advisory for more information.
Comments (none posted)
otrs2: privilege escalation
| Package(s): | otrs2 |
| CVE #(s): | CVE-2013-3551 |
| Created: | May 29, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the Debian advisory:
A vulnerability has been discovered in the Open Ticket Request System,
which can be exploited by malicious users to disclose potentially
sensitive information.
An attacker with a valid agent login could manipulate URLs in the ticket
split mechanism to see contents of tickets that they are not permitted to
see.
Comments (none posted)
owncloud: multiple vulnerabilities
| Package(s): | owncloud |
| CVE #(s): | CVE-2013-2045, CVE-2013-2046, CVE-2013-2039, CVE-2013-2085, CVE-2013-2040, CVE-2013-2041, CVE-2013-2042, CVE-2013-2044, CVE-2013-2047, CVE-2013-2043, CVE-2013-2048, CVE-2013-2089, CVE-2013-2086, CVE-2013-2049 |
| Created: | May 28, 2013 |
| Updated: | June 24, 2013 |
| Description: |
From the Mageia advisory:
ownCloud before 5.0.6 does not neutralize special elements that are
passed to the SQL query in lib/db.php which therefore allows an
authenticated attacker to execute arbitrary SQL commands (CVE-2013-2045).
ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements
that are passed to the SQL query in lib/bookmarks.php which therefore
allows an authenticated attacker to execute arbitrary SQL commands
(CVE-2013-2046).
Multiple directory traversal vulnerabilities in (1)
apps/files_trashbin/index.php via the "dir" GET parameter and (2)
lib/files/view.php via undefined vectors in all ownCloud versions
prior to 5.0.6 and other versions before 4.0.15, allow authenticated
remote attackers to get access to arbitrary local files (CVE-2013-2039,
CVE-2013-2085).
Cross-site scripting (XSS) vulnerabilities in multiple files inside
the media application via multiple unspecified vectors in all ownCloud
versions prior to 5.0.6 and other versions before 4.0.15 allows
authenticated remote attackers to inject arbitrary web script or HTML
(CVE-2013-2040).
Cross-site scripting (XSS) vulnerabilities in (1)
apps/bookmarks/ajax/editBookmark.php via the "tag" GET parameter
(CVE-2013-2041) and in (2) apps/files/js/files.js via the "dir" GET
parameter to apps/files/ajax/newfile.php in ownCloud 5.0.x before 5.0.6
allows authenticated remote attackers to inject arbitrary web script or
HTML (CVE-2013-2041).
Cross-site scripting (XSS) vulnerabilities in (1)
apps/bookmarks/ajax/addBookmark.php via the "url" GET parameter and in
(2) apps/bookmarks/ajax/editBookmark.php via the "url" POST parameter
in ownCloud 5.0.x before 5.0.6 allows authenticated remote attackers
to inject arbitrary web script or HTML (CVE-2013-2042).
Open redirect vulnerability in index.php (aka the Login Page) in
ownCloud before 5.0.6 allows remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via a URL in the
redirect_url parameter (CVE-2013-2044).
Index.php (aka the login page) contains a form that does not disable
the autocomplete setting for the password parameter, which makes it
easier for local users or physically proximate attackers to obtain the
password from web browsers that support autocomplete (CVE-2013-2047).
Due to not properly checking the ownership of a calendar, an
authenticated attacker is able to download calendars of other users
via the "calendar_id" GET parameter to /apps/calendar/ajax/events.php.
Note: Successful exploitation of this privilege escalation requires
the "calendar" app to be enabled (enabled by default) (CVE-2013-2043).
Due to an insufficient permission check, an authenticated attacker is
able to execute API commands as administrator. Additionally, an
unauthenticated attacker could abuse this flaw as a cross-site request
forgery vulnerability (CVE-2013-2048).
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows
authenticated remote attackers to execute arbitrary PHP code by
uploading a crafted file and accessing an uploaded PHP file.
Note: Successful exploitation requires that the /data/ directory is
stored inside the webroot and a webserver that interprets .htaccess
files (e.g. Apache) (CVE-2013-2089).
The configuration loader in ownCloud 5.0.x before 5.0.6 includes
private data such as CSRF tokens in a JavaScript file, which allows
remote attackers to obtain sensitive information (CVE-2013-2086).
Comments (1 posted)
pmount: should be built with PIE flags
| Package(s): | pmount |
| CVE #(s): | |
| Created: | May 30, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the Red Hat bugzilla:
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package has suid binaries...".
However, currently pmount is not being built with PIE flags. This is a
clear violation of the packaging guidelines.
Comments (none posted)
python-backports-ssl_match_hostname: denial of service
| Package(s): | python-backports-ssl_match_hostname |
| CVE #(s): | CVE-2013-2098 |
| Created: | May 30, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the Red Hat bugzilla:
A denial of service flaw was found in the way python-backports-ssl_match_hostname, an implementation that brings the ssl.match_hostname() function from Python 3.2 to users of earlier versions of Python, performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause denial of service (excessive CPU time consumption) by issuing request to validate that certificate for / in an application using the python-backports-ssl_match_hostname functionality.
See the upstream bug report for additional information.
Comments (none posted)
request-tracker: multiple vulnerabilities
Comments (none posted)
socat: denial of service
| Package(s): | socat |
| CVE #(s): | CVE-2013-3571 |
| Created: | May 29, 2013 |
| Updated: | June 11, 2013 |
| Description: |
From the Mandriva advisory:
Under certain circumstances an FD leak occurs and can be misused
for denial of service attacks against socat running in server mode.
Comments (none posted)
spip: privilege escalation
| Package(s): | spip |
| CVE #(s): | |
| Created: | May 28, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the Debian advisory:
A privilege escalation vulnerability has been found in SPIP, a website
engine for publishing, which allows anyone to take control of the
website.
Comments (none posted)
spnavcfg: should be built with PIE flags
| Package(s): | spnavcfg |
| CVE #(s): | |
| Created: | May 30, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the Red Hat bugzilla:
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package has suid binaries...".
However, currently spnavcfg is not being built with PIE flags. This is a
clear violation of the packaging guidelines.
Comments (none posted)
SUSE Manager: authentication checking problem
| Package(s): | SUSE Manager |
| CVE #(s): | CVE-2013-2056 |
| Created: | May 30, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the SUSE advisory:
spacewalk-backend has been updated to fix an authentication
checking problem. (bnc#819365, CVE-2013-2056)
Comments (none posted)
tomcat: multiple vulnerabilities
| Package(s): | tomcat6 |
| CVE #(s): | CVE-2013-1976, CVE-2013-2051 |
| Created: | May 29, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the Red Hat advisory:
A flaw was found in the way the tomcat6 init script handled the
tomcat6-initd.log log file. A malicious web application deployed on Tomcat
could use this flaw to perform a symbolic link attack to change the
ownership of an arbitrary system file to that of the tomcat user, allowing
them to escalate their privileges to root. (CVE-2013-1976)
Note: With this update, tomcat6-initd.log has been moved from
/var/log/tomcat6/ to the /var/log/ directory.
It was found that the RHSA-2013:0623 update did not correctly fix
CVE-2012-5887, a weakness in the Tomcat DIGEST authentication
implementation. A remote attacker could use this flaw to perform replay
attacks in some circumstances. Additionally, this problem also prevented
users from being able to authenticate using DIGEST authentication.
(CVE-2013-2051)
Comments (none posted)
tomcat: multiple vulnerabilities
| Package(s): | tomcat6, tomcat7 |
| CVE #(s): | CVE-2012-3544, CVE-2013-2067 |
| Created: | May 29, 2013 |
| Updated: | August 7, 2013 |
| Description: |
From the Ubuntu advisory:
It was discovered that Tomcat incorrectly handled certain requests
submitted using chunked transfer encoding. A remote attacker could use this
flaw to cause the Tomcat server to stop responding, resulting in a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2012-3544)
It was discovered that Tomcat incorrectly handled certain authentication
requests. A remote attacker could possibly use this flaw to inject a
request that would get executed with a victim's credentials. This issue
only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 12.10.
(CVE-2013-2067)
Comments (none posted)
varnish: should be built with PIE flags
| Package(s): | varnish |
| CVE #(s): | |
| Created: | May 29, 2013 |
| Updated: | June 27, 2013 |
| Description: |
From the Red Hat bugzilla:
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".
However, currently varnish is not being built with PIE flags. This is a
clear violation of the packaging guidelines.
Comments (none posted)
X.Org: many, many vulnerabilities
Comments (none posted)
xen: possible privilege escalation
| Package(s): | xen |
| CVE #(s): | CVE-2013-2072 |
| Created: | May 28, 2013 |
| Updated: | May 30, 2013 |
| Description: |
From the Red Hat bugzilla:
The Python bindings for the xc_vcpu_setaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer
overrun and corrupt memory.
An attacker who is able to configure a specific vcpu affinity via a toolstack which uses the Python bindings is able to exploit this issue.
Exploiting this issue leads to memory corruption which may result in a DoS against the system by crashing the toolstack. The possibility of code execution (privilege escalation) has not been ruled out.
The xend toolstack passes a cpumap to this function without sanitization. xend allows the cpumap to be configured via the guest configuration file or the SXP/XenAPI interface. Normally these interfaces are not considered safe to expose to non-trusted parties. However systems which attempt to allow guest administrator control of VCPU affinity in a safe way via xend may expose this issue.
Comments (none posted)
Page editor: Jake Edge