
Security

Calibre and setuid

By Jake Edge
November 2, 2011

Programs that regular users can run with root privileges (i.e. setuid programs) are tricky to write correctly, which is why they are best avoided whenever possible. But there are, of course, things that users need to be able to do that require privileges (changing passwords is a canonical example), which is why the setuid/setgid facility exists in Unix. When the need arises, however, a great deal of care should be taken before writing and releasing a program that is meant to be installed as setuid (aka SUID). A recent bug report for the Calibre e-book reader shows the kinds of problems that can come about if proper care is not exercised.

Jason Donenfeld reported several bugs in the setuid calibre-mount-helper program to the project's Launchpad bug tracker on November 1. Essentially, the program is meant to allow Calibre users to mount various removable devices (like e-book readers connected via USB) to update the content on readers. Unfortunately, it suffered from five separate problems that Donenfeld reported, some of which could be easily used as a local privilege escalation—to root.

The problems themselves read like a laundry list of things not to do in a setuid program: not sanitizing user input, not setting the PATH environment variable before calling exec(), and not sanity-checking arguments. It's not completely surprising that Calibre got these things wrong, as they are fairly common programming mistakes. For programs running with a user's own privileges, those kinds of errors typically just lead to bugs of various sorts (some of which could have fairly catastrophic consequences for the user, but not for the system as a whole). For setuid programs, though, errors like those can lead to very serious security holes, as they did here.

Something that was a bit surprising was the combative tone that Calibre's lead developer Kovid Goyal took in the comments on the bug. Rather than working with Donenfeld to see what the problems were, he dismissed most of the bugs as invalid. Even after Donenfeld tried to further point out the problems, Goyal was rather sarcastic in response:

You mean that a program designed to let an unprivileged user mount/unmount/eject anything he wants has a security flaw because it allows him to mount/unmount/eject anything he wants? I'm shocked.

The proof-of-concept that Donenfeld posted with the bug—fairly snarky in tone, which may not have helped—clearly showed how to exploit the lack of PATH sanitization to get root privileges, but didn't demonstrate a different reported problem with argument injection to the mount program. That particular problem results from not sanitizing the user input and passing it on to mount. The other three problems (arbitrary root-owned directory creation, arbitrary empty directory removal, and creating .created_by_calibre_mount_helper files anywhere in the filesystem) are going to be harder to exploit, but they certainly aren't capabilities that regular users should have.

Goyal fixed the PATH issue immediately, but didn't see the argument injection problem, and therefore didn't fix it. Dan Rosenberg pointed out that there was still a bug:

Unfortunately, sarcasm does not make you right. Yes, this is a critical security flaw, because anyone with calibre installed on their system now allows any user to gain root privileges by mounting on top of important directories. Just because your application allows this by design rather than by mistake doesn't make this less of a problem.

In addition, Rosenberg suggested that there were safer ways to allow users to mount removable media than writing a setuid application specific to Calibre. Once again, though, Goyal took the combative approach. He committed a fix (though it doesn't really solve the problem) for "mounting on top of important directories", but seemed affronted by the bug comments:

Sarcasm doesn't make me right, being right makes me right. The sarcasm was just a bonus earned by the [sanctimoniousness] of the post I was responding to.

Part of the problem is that Goyal is looking for a single solution to the mounting problem that works "on *every single linux distro that the current technique works on* not just version >= x of distro y". While that complaint has some merit, it is hardly an excuse to introduce security holes into the system. Though Goyal claims to be aware of the "dangers" of setuid programs, the code in calibre-mount-helper does not really bear that out.

In fact, Donenfeld quickly came back with an example exploit that routed around Goyal's fix. The fix just disallows mounting in /usr, /bin, or /sbin, but Donenfeld's example mounts a /etc filesystem (with a chosen root password in passwd), thus allowing the user to log in as root. Obviously, /etc can be added to the disallowed list, but that becomes something of an arms race. A whitelisting approach might be more reasonable, but a better solution would be to use the distribution-supplied mechanisms for mounting the e-book readers. Those solutions should have had most of the obvious (and some non-obvious) problems shaken out, though there is no universal cross-distribution mechanism as Goyal would like to see.
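What the missing checks look like in practice, as an added example that is not Calibre's code (nor Donenfeld's or Goyal's): a minimal setuid-root mount helper in C that refuses rather than "sanitizes" bad arguments, whitelists the mountpoint by canonical path instead of blacklisting /usr, /bin and friends, and runs mount(8) by absolute path with a scrubbed environment. MOUNT_ROOT, MOUNT_BIN, the fixed PATH and the mount options are assumptions made for the example, not settings taken from calibre-mount-helper.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Assumed layout for this example (not calibre-mount-helper's): mounts go only
 * on existing directories strictly below MOUNT_ROOT; mount(8) is at MOUNT_BIN. */
#define MOUNT_ROOT "/media/calibre"
#define MOUNT_BIN  "/bin/mount"
#define SAFE_PATH  "/usr/sbin:/usr/bin:/sbin:/bin"

/* Device argument: an absolute /dev path from a small character set. Options
 * ("-o remount"), lists ("/dev/sdb1,exec"), whitespace and ".." are refused
 * outright, so nothing the caller typed can reach mount(8) as a flag. */
int device_name_ok(const char *dev)
{
    if (dev == NULL || strncmp(dev, "/dev/", 5) != 0 || dev[5] == '\0')
        return 0;
    if (strlen(dev) >= PATH_MAX || strstr(dev, "..") != NULL)
        return 0;
    for (const char *p = dev + 5; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* The name must denote a real block device, not a FIFO or a file the caller owns. */
int device_is_block(const char *dev)
{
    struct stat st;
    return stat(dev, &st) == 0 && S_ISBLK(st.st_mode);
}

/* Mountpoint whitelist: canonicalize request and root with realpath() so that
 * symlinks and ".." cannot escape, then require an existing directory strictly
 * below the root. A root of "/" is refused because it would allow everything.
 * Nothing is created or removed on the caller's behalf. */
int mountpoint_ok(const char *req, const char *root, char *resolved, size_t n)
{
    char rr[PATH_MAX], rq[PATH_MAX];
    struct stat st;

    if (req == NULL || root == NULL)
        return 0;
    if (realpath(root, rr) == NULL || realpath(req, rq) == NULL)
        return 0;                               /* must already exist */
    size_t rl = strlen(rr);
    if (rl == 1 && rr[0] == '/')
        return 0;
    if (strncmp(rq, rr, rl) != 0 || rq[rl] != '/' || rq[rl + 1] == '\0')
        return 0;                               /* not strictly below root */
    if (stat(rq, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (resolved != NULL) {
        if (strlen(rq) >= n)
            return 0;
        strcpy(resolved, rq);
    }
    return 1;
}

/* Run mount(8) by absolute path with a scrubbed environment and a fixed argv.
 * The shape this replaces, execlp("mount", ...) with the caller's PATH intact,
 * is what the PATH exploit described above abuses. "--" ends option parsing,
 * and nosuid/nodev/noexec deny a second escalation route through the image.
 * Returns mount's exit status, or -1 if the request is refused. */
int run_mount(const char *dev, const char *mp)
{
    char resolved[PATH_MAX];
    int status;

    if (!device_name_ok(dev) || !device_is_block(dev) ||
        !mountpoint_ok(mp, MOUNT_ROOT, resolved, sizeof resolved))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "mount", "-o", "nosuid,nodev,noexec", "--",
                               (char *)dev, resolved, NULL };
        char *const envp[] = { "PATH=" SAFE_PATH, NULL };
        execve(MOUNT_BIN, argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s /dev/DEVICE %s/NAME\n", argv[0], MOUNT_ROOT);
        return 2;
    }
    return run_mount(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Two caveats apply even to this version. realpath() followed by mount is a check-then-use sequence, so every directory component below MOUNT_ROOT must be root-owned and not writable by the calling user, or a rename between the two calls moves the mount somewhere else. And it is still a setuid binary: the udisks route that Debian took avoids the whole class of problem, which is why it remains the better answer.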

As Donenfeld points out, Debian does not install the mount helper, and instead uses a wrapper script around udisks. Fedora also avoids the mount helper. Judging from this bug report, Ubuntu has picked up the Debian fix as well. It is unclear whether any of those distributions made an effort to get the word out about the problem or get a fix upstream. openSUSE seems to install calibre-mount-helper, however, and various other distributions may as well. In any case, anyone who picks up the source package and installs it will get the program installed as a setuid binary in /opt/calibre/bin.

Writing secure code is hard. Programmers tend to focus on what they are trying to accomplish, rather than all of the different ways the program can be abused. That's not an excuse, but it is an explanation of sorts. Distributions and users should be especially vigilant about setuid programs that come in from packages that, arguably anyway, shouldn't need them. Projects should probably also try to engage with folks that report security problems, rather than attacking them.

As of this writing, the Calibre trunk is still vulnerable to the example exploit that Donenfeld posted. One would expect to see a fix for it soon, and any distributions that install calibre-mount-helper should issue updates. Users who have it installed from source may want to investigate using a wrapper script or other means to disarm the bug until the fix is made, at least on shared machines.

Comments (17 posted)

Brief items

Security quotes of the week

Key signing events are boring.
-- Alan Cox forgets "mind-numbingly"

People often say to me "well, don't you know why this is happening to you?" and I reply that while we may all speculate, I have been refused official answers. The little official correspondence I received said it was probably a mistake. It took months and they assure me that things will be better someday, probably. I've been detained multiple times since that letter, both in the U.S. and abroad. The DHS won't share a copy of my files with me or my lawyers. It says that I have no right to know what is in them.

The redress letter suggests that even though nothing is wrong, I'll still be selected for "random" screenings. Consider what they tell us of safety and justice, and ask yourself: is it possible that a system full of such obvious and casual dishonesty will provide it?

-- Tor developer (and Wikileaks supporter) Jacob Appelbaum gets another "random" airport security screening

Security experts have said that RSA wasn't the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. But so far, no one has been willing to talk publicly about which other companies may have been hit. Today's post features a never-before-published list of those victim organizations. The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.
-- Brian Krebs

Comments (none posted)

Blaze: Key escrow from a safe distance

Mat Blaze has published a look back at the clipper chip controversy [PDF] for an upcoming conference. It is a good retrospective of a crucial moment in the crypto wars. "And so even before the Web became synonymous with the Internet, before a single bit of encrypted SSL traffic was generated, lines were being drawn for what would become an epic battle that would preoccupy a generation of cryptographers. (And it was a bad time for that community to be preoccupied; this was the same time that the basic foundations of the web and other critical communications technologies were designed and put into place. We've been living with the security, or lack of security, built in to that infrastructure ever since)."

Comments (3 posted)

New vulnerabilities

backuppc: cross-site scripting

Package(s):backuppc CVE #(s):CVE-2011-3361
Created:October 28, 2011 Updated:February 2, 2012
Description: From the Ubuntu advisory:

It was discovered that BackupPC did not properly sanitize its input when processing backup browser error messages, resulting in a cross-site scripting (XSS) vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.

Alerts:
Fedora FEDORA-2012-0825 BackupPC 2012-02-01
Fedora FEDORA-2012-0826 BackupPC 2012-02-01
Ubuntu USN-1249-1 backuppc 2011-10-27

Comments (none posted)

chromium: multiple vulnerabilities

Package(s):chromium CVE #(s):CVE-2011-2345 CVE-2011-2346 CVE-2011-2347 CVE-2011-2348 CVE-2011-2349 CVE-2011-2350 CVE-2011-2351 CVE-2011-2835 CVE-2011-2837 CVE-2011-2838 CVE-2011-2839 CVE-2011-2840 CVE-2011-2841 CVE-2011-2843 CVE-2011-2844 CVE-2011-2845 CVE-2011-2846 CVE-2011-2847 CVE-2011-2848 CVE-2011-2849 CVE-2011-2850 CVE-2011-2851 CVE-2011-2852 CVE-2011-2853 CVE-2011-2854 CVE-2011-2855 CVE-2011-2856 CVE-2011-2857 CVE-2011-2858 CVE-2011-2859 CVE-2011-2860 CVE-2011-2861 CVE-2011-2862 CVE-2011-2864 CVE-2011-2874 CVE-2011-3234 CVE-2011-3873 CVE-2011-3875 CVE-2011-3876 CVE-2011-3877 CVE-2011-3878 CVE-2011-3879 CVE-2011-3880 CVE-2011-3881 CVE-2011-3882 CVE-2011-3883 CVE-2011-3884 CVE-2011-3885 CVE-2011-3886 CVE-2011-3887 CVE-2011-3888 CVE-2011-3889 CVE-2011-3890 CVE-2011-3891
Created:November 1, 2011 Updated:November 9, 2011
Description: From the CVE entries:

The NPAPI implementation in Google Chrome before 12.0.742.112 does not properly handle strings, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2345)

Use-after-free vulnerability in Google Chrome before 12.0.742.112 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG fonts. (CVE-2011-2346)

Google Chrome before 12.0.742.112 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. (CVE-2011-2347)

Google V8, as used in Google Chrome before 12.0.742.112, performs an incorrect bounds check, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2348)

Use-after-free vulnerability in Google Chrome before 12.0.742.112 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to text selection. (CVE-2011-2349)

The HTML parser in Google Chrome before 12.0.742.112 does not properly address "lifetime and re-entrancy issues," which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2350)

Use-after-free vulnerability in Google Chrome before 12.0.742.112 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG use elements. (CVE-2011-2351)

Race condition in Google Chrome before 14.0.835.163 allows attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the certificate cache. (CVE-2011-2835)

Google Chrome before 14.0.835.163 on Linux does not use the PIC and PIE compiler options for position-independent code, which has unspecified impact and attack vectors. (CVE-2011-2837)

Google Chrome before 14.0.835.163 does not properly consider the MIME type during the loading of a plug-in, which has unspecified impact and remote attack vectors. (CVE-2011-2838)

The PDF implementation in Google Chrome before 13.0.782.215 on Linux does not properly use the memset library function, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2839)

Google Chrome before 14.0.835.163 allows user-assisted remote attackers to spoof the URL bar via vectors related to "unusual user interaction." (CVE-2011-2840)

Google Chrome before 14.0.835.163 does not properly perform garbage collection during the processing of PDF documents, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. (CVE-2011-2841)

Google Chrome before 14.0.835.163 does not properly handle media buffers, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2843)

Google Chrome before 14.0.835.163 does not properly process MP3 files, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2844)

Google Chrome before 15.0.874.102 does not properly handle history data, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors. (CVE-2011-2845)

Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unload event handling. (CVE-2011-2846)

Use-after-free vulnerability in the document loader in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. (CVE-2011-2847)

Google Chrome before 14.0.835.163 allows user-assisted remote attackers to spoof the URL bar via vectors related to the forward button. (CVE-2011-2848)

The WebSockets implementation in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors. (CVE-2011-2849)

Google Chrome before 14.0.835.163 does not properly handle Khmer characters, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2850)

Google Chrome before 14.0.835.163 does not properly handle video, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2851)

Off-by-one error in Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2852)

Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to plug-in handling. (CVE-2011-2853)

Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to "ruby / table style handing." (CVE-2011-2854)

Google Chrome before 14.0.835.163 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale node." (CVE-2011-2855)

Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to bypass the Same Origin Policy via unspecified vectors. (CVE-2011-2856)

Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the focus controller. (CVE-2011-2857)

Google Chrome before 14.0.835.163 does not properly handle triangle arrays, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2858)

Google Chrome before 14.0.835.163 uses incorrect permissions for non-gallery pages, which has unspecified impact and attack vectors. (CVE-2011-2859)

Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to table styles. (CVE-2011-2860)

Google Chrome before 14.0.835.163 does not properly handle strings in PDF documents, which allows remote attackers to have an unspecified impact via a crafted document that triggers an incorrect read operation. (CVE-2011-2861)

Google V8, as used in Google Chrome before 14.0.835.163, does not properly restrict access to built-in objects, which has unspecified impact and remote attack vectors. (CVE-2011-2862)

Google Chrome before 14.0.835.163 does not properly handle Tibetan characters, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2864)

Google Chrome before 14.0.835.163 does not perform an expected pin operation for a self-signed certificate during a session, which has unspecified impact and remote attack vectors. (CVE-2011-2874)

Google Chrome before 14.0.835.163 does not properly handle boxes, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3234)

Google Chrome before 14.0.835.202 does not properly implement shader translation, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. (CVE-2011-3873)

Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors. (CVE-2011-3875)

Google Chrome before 15.0.874.102 does not properly handle downloading files that have whitespace characters at the end of a filename, which has unspecified impact and user-assisted remote attack vectors. (CVE-2011-3876)

Cross-site scripting (XSS) vulnerability in the appcache internals page in Google Chrome before 15.0.874.102 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. (CVE-2011-3877)

Race condition in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker process initialization. (CVE-2011-3878)

Google Chrome before 15.0.874.102 does not prevent redirects to chrome: URLs, which has unspecified impact and remote attack vectors. (CVE-2011-3879)

Google Chrome before 15.0.874.102 does not prevent use of an unspecified special character as a delimiter in HTTP headers, which has unknown impact and remote attack vectors. (CVE-2011-3880)

Google Chrome before 15.0.874.102 allows remote attackers to bypass the Same Origin Policy via unspecified vectors. (CVE-2011-3881)

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to media buffers. (CVE-2011-3882)

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to counters. (CVE-2011-3883)

Google Chrome before 15.0.874.102 does not properly address timing issues during DOM traversal, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. (CVE-2011-3884)

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to stale Cascading Style Sheets (CSS) token-sequence data. (CVE-2011-3885)

Google V8, as used in Google Chrome before 15.0.874.102, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers out-of-bounds write operations. (CVE-2011-3886)

Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors. (CVE-2011-3887)

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to editing operations in conjunction with an unknown plug-in. (CVE-2011-3888)

Heap-based buffer overflow in the Web Audio implementation in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3889)

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to video source handling. (CVE-2011-3890)

Google Chrome before 15.0.874.102 does not properly restrict access to internal Google V8 functions, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3891)

Alerts:
Gentoo 201111-01 chromium 2011-11-01

Comments (3 posted)

empathy: cross-site scripting

Package(s):empathy CVE #(s):CVE-2011-3635 CVE-2011-4170
Created:October 28, 2011 Updated:November 18, 2011
Description: From the Ubuntu advisory:

It was discovered that a cross-site scripting (XSS) vulnerability in the Adium theme allows remote attackers to inject arbitrary javascript or HTML via a crafted nickname in XMPP group conversations.

Alerts:
openSUSE openSUSE-SU-2011:1257-1 empathy 2011-11-18
Ubuntu USN-1250-1 empathy 2011-10-28

Comments (none posted)

kernel: file corruption

Package(s):kernel CVE #(s):CVE-2011-3638
Created:October 31, 2011 Updated:April 25, 2012
Description: From the Red Hat bugzilla:

A flaw was found in the way splitting two extents in ext4_ext_convert_to_initialized() worked. Although ex has been updated in memory, it is not dirtied both in ext4_ext_convert_to_initialized() and ext4_ext_insert_extent(). The disk layout is corrupted. Then it will meet with a BUG_ON() when writing at the start of that extent again.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Oracle ELSA-2013-0512 httpd 2013-02-25
openSUSE openSUSE-SU-2012:1439-1 kernel 2012-11-05
openSUSE openSUSE-SU-2012:0799-1 kernel 2012-06-28
Red Hat RHSA-2012:0517-01 kernel 2012-04-24
Oracle ELSA-2012-0323 httpd 2012-03-09
Oracle ELSA-2012-0150 kernel 2012-03-07
Red Hat RHSA-2012:0116-01 kernel 2012-02-15
Oracle ELSA-2012-0128 httpd 2012-02-14
Oracle ELSA-2012-0107 kernel 2012-02-10
Scientific Linux SL-kern-20120213 kernel 2012-02-13
CentOS CESA-2012:0107 kernel 2012-02-09
Red Hat RHSA-2012:0107-01 kernel 2012-02-09
Oracle ELSA-2011-2037 enterprise kernel 2011-12-15
Scientific Linux SL-Kern-20111206 kernel 2011-12-06
Ubuntu USN-1294-1 linux-lts-backport-oneiric 2011-12-08
Red Hat RHSA-2011:1530-03 kernel 2011-12-06
Fedora FEDORA-2011-14747 kernel 2011-10-22

Comments (none posted)

phpldapadmin: multiple vulnerabilities

Package(s):phpldapadmin CVE #(s):CVE-2011-4075 CVE-2011-4074
Created:October 31, 2011 Updated:November 25, 2011
Description: From the Debian advisory:

CVE-2011-4074: Input appended to the URL in cmd.php (when "cmd" is set to "_debug") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

CVE-2011-4075: Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to "query_engine", "query" is set to "none", and "search" is set to e.g. "1") is not properly sanitised in lib/functions.php before being used in a "create_function()" function call. This can be exploited to inject and execute arbitrary PHP code.

Alerts:
Fedora FEDORA-2011-14986 phpldapadmin 2011-10-27
Fedora FEDORA-2011-14993 phpldapadmin 2011-10-27
Fedora FEDORA-2011-14924 phpldapadmin 2011-10-25
Mandriva MDVSA-2011:163 phpldapadmin 2011-11-02
Debian DSA-2333-1 phpldapadmin 2011-10-31

Comments (none posted)

python-django: multiple vulnerabilities

Package(s):python-django CVE #(s):CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140
Created:October 31, 2011 Updated:May 29, 2012
Description: From the Debian advisory:

Paul McMillan, Mozilla and the Django core team discovered several vulnerabilities in Django, a Python web framework:

CVE-2011-4136: When using memory-based sessions and caching, Django sessions are stored directly in the root namespace of the cache. When user data is stored in the same cache, a remote user may take over a session.

CVE-2011-4137, CVE-2011-4138: Django's field type URLfield by default checks supplied URLs by issuing a request to them, which doesn't time out. A Denial of Service is possible by supplying specially prepared URLs that keep the connection open indefinitely or fill the Django server's memory.

CVE-2011-4139: Django used X-Forwarded-Host headers to construct full URL's. This header may not contain trusted input and could be used to poison the cache.

CVE-2011-4140: The CSRF protection mechanism in Django does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests.

Alerts:
openSUSE openSUSE-SU-2012:0653-1 python-django 2012-05-29
Ubuntu USN-1297-1 python-django 2011-12-09
Debian DSA-2332-1 python-django 2011-10-29

Comments (none posted)

radvd: multiple vulnerabilities

Package(s):radvd CVE #(s):CVE-2011-3601 CVE-2011-3602 CVE-2011-3603 CVE-2011-3604 CVE-2011-3605
Created:October 27, 2011 Updated:November 21, 2011
Description: From the Fedora advisory:

CVE-2011-3601 radvd: privilege escalation flaw in process_ra()

CVE-2011-3602 radvd: arbitrary file overwrite flaw in set_interface_var()

CVE-2011-3603 radvd: daemon would not fail on privsep_init() causing it to run with full root privileges

CVE-2011-3604 radvd: numerous buffer overread flaws in process_ra() may lead to crash

CVE-2011-3605 radvd: temporary denial of service flaw in process_rs()

Alerts:
openSUSE openSUSE-SU-2011:1247-1 radvd 2011-11-15
Gentoo 201111-08 radvd 2011-11-20
Ubuntu USN-1257-1 radvd 2011-11-10
Debian DSA-2323-1 radvd 2011-10-26
Fedora FEDORA-2011-14000 radvd 2011-10-09
Fedora FEDORA-2011-14022 radvd 2011-10-09

Comments (none posted)

simplesamlphp: xml encryption weakness

Package(s):simplesamlphp CVE #(s):
Created:October 27, 2011 Updated:November 2, 2011
Description: From the Debian advisory:

Issues were found in the handling of XML encryption in simpleSAMLphp, an application for federated authentication. The following two issues have been addressed:

It may be possible to use an SP as an oracle to decrypt encrypted messages sent to that SP.

It may be possible to use the SP as a key oracle which can be used to forge messages from that SP by issuing 300000-2000000 queries to the SP.

Alerts:
Debian DSA-2330-1 simplesamlphp 2011-10-27

Comments (none posted)

squid: denial of service

Package(s):squid CVE #(s):CVE-2010-2951
Created:October 27, 2011 Updated:November 2, 2011
Description: From the CVE entry:

dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enabled, accesses an invalid socket during an IPv4 TCP DNS query, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors that trigger an IPv4 DNS response with the TC bit set.

Alerts:
Gentoo 201110-24 squid 2011-10-26

Comments (none posted)

tor: information disclosure

Package(s):tor CVE #(s):CVE-2011-2768 CVE-2011-2769
Created:October 28, 2011 Updated:November 10, 2011
Description: It has been discovered by "frosty_un" that a design flaw in Tor, an online privacy tool, allows malicious relay servers to learn certain information that they should not be able to learn. See the tor advisory for details.
Alerts:
Mandriva MDVSA-2013:132 tor 2013-04-10
Mageia MGASA-2012-0276 tor 2012-09-30
Gentoo 201201-12 tor 2012-01-23
Fedora FEDORA-2011-15208 tor 2011-11-01
Fedora FEDORA-2011-15117 tor 2011-10-29
Debian DSA-2331-1 tor 2011-10-28

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s):wireshark CVE #(s):CVE-2011-4100 CVE-2011-4101 CVE-2011-4102
Created:November 2, 2011 Updated:November 23, 2011
Description: Wireshark suffers from two denial-of-service vulnerabilities, one in the CSN.1 dissector (CVE-2011-4100) and one in the Infiniband dissector (CVE-2011-4101). There is also a buffer overflow in the ERF file reader (CVE-2011-4102) that, presumably, could be exploited to execute arbitrary code.
Alerts:
Oracle ELSA-2013-1569 wireshark 2013-11-26
Oracle ELSA-2013-0125 wireshark 2013-01-12
Scientific Linux SL-wire-20130116 wireshark 2013-01-16
CentOS CESA-2012:0509 wireshark 2012-04-24
Oracle ELSA-2012-0509 wireshark 2012-04-23
Scientific Linux SL-wire-20120423 wireshark 2012-04-23
Red Hat RHSA-2012:0509-01 wireshark 2012-04-23
Debian DSA-2351-1 wireshark 2011-11-21
Mandriva MDVSA-2011:164 wireshark 2011-11-02

Comments (none posted)

Page editor: Jake Edge


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds