Security

Responsible disclosure in open source: The crypt() vulnerability

June 6, 2012

This article was contributed by Josh Berkus

At the end of May, five separate open source projects released patches to close the same security hole in their software. This coordinated release and vulnerability handling is a demonstration that "responsible disclosure" can work, especially in open source.

Responsible disclosure is the practice of security researchers discovering a vulnerability and contacting the software vendor to give them a reasonable time to fix it before the vulnerability is published. It contrasts with the policy of "full disclosure" in which security people publish the full details of any vulnerability immediately, in order to get information to the public as quickly as possible. Mostly, these two terms have shown up in the media as part of controversies, or even legal battles, which pit security researchers against software companies and each other.

While the inflammatory confrontations gain most of the news headlines, it doesn't have to be that way. In fact, among open source projects, it isn't that way most of the time. The recent multi-product Crypt-DES vulnerability patch shows that responsible disclosure can and does work well in the open source world.

The Crypt-DES vulnerability

Rubin Xu and Joseph Bonneau at Cambridge University had been investigating how non-ASCII passwords were handled by various systems for more than a year. Bonneau started on this research because of the massive Gawker security breach in 2010. In the course of investigating that, his team uncovered several issues with non-ASCII passwords in commonly used software. While the one at Gawker was quickly addressed — to some degree — he and Xu began a research project on the insecurities introduced by applying algorithms designed for ASCII to Unicode text.

The version of crypt() using the DES algorithm (hereafter crypt-DES) is a simple irreversible hash designed to prevent storing passwords in plain text. Introduced in old Unix days, it had the advantages of easy implementation, portability between systems and programming languages, computational speed, and is hard enough to crack that dictionary attacks and social engineering were generally easier ways to grab passwords. Given the age and limited computational "strength" of crypt-DES, however, this is no longer true; brute-force computation of crypt() passwords is easily done. Programmers are encouraged to use more modern hashing and encryption algorithms, such as SHA1 and Blowfish. The "extended" DES version was introduced in BSDi in the early 1990's, improving the algorithm to have a larger "salt", more rounds of encryption, and also to support passwords longer than eight characters by "folding" them down to eight 7-bit characters using a first round of DES hashing.

The last improvement is the problem which causes the crypt() vulnerability. Crypt-DES was designed for ASCII characters, and programmers who upgraded systems to support Unicode didn't really check to see how crypt-DES would work with Unicode passwords, since by that point crypt-DES was no longer mainstream. As it turns out, the folding is broken; the algorithm regards characters containing the byte 0x80 as a "stop" character and disregards any parts of the password after that byte. In many Unicode encodings, characters — such as the common character À — can contain a 0x80 byte, causing all characters after that one to be disregarded. This means if your password was Àlbanez60, then crypt-DES would match it with any password beginning with À.
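A compact model of the stop-byte defect described above, added here as an illustration and not code from any of the affected projects. It assumes a hypothetical key-loading loop of the shape the text describes: each password byte is shifted left by one into an 8-bit key slot, and the defective form only advances through the password while the stored (truncated) value is non-zero, so a 0x80 byte behaves like a string terminator; the corrected form advances on the input byte instead. The extended "folding" round for passwords longer than eight characters is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key-loading loop modelled on the behaviour described in
 * the article (not the code of any affected project).  Each password
 * byte is shifted left by one so the 7-bit character fills the key bits
 * and the low (parity) bit is zero.  The shifted value is stored into an
 * 8-bit slot, so an input byte of 0x80 becomes 0x00.  In the defective
 * form the password pointer advances only when the stored value is
 * non-zero, which makes 0x80 act exactly like a string terminator. */
static void des_load_key(const char *pw, uint8_t key[8], int defective)
{
    const uint8_t *p = (const uint8_t *)pw;
    uint8_t *q = key;

    while (q - key < 8) {
        if (defective) {
            /* advance only if the truncated stored byte is non-zero */
            if ((*q++ = (uint8_t)(*p << 1)) != 0)
                p++;
        } else {
            /* corrected: advance on the input byte, not the stored value */
            *q++ = (uint8_t)(*p << 1);
            if (*p != 0)
                p++;
        }
    }
}

/* Key byte i (0..7) that password pw loads under the chosen loop. */
int key_byte(const char *pw, int i, int defective)
{
    uint8_t key[8];
    des_load_key(pw, key, defective);
    return key[i];
}

/* 1 if a and b load identical 8-byte DES keys under the chosen loop. */
int same_key(const char *a, const char *b, int defective)
{
    uint8_t ka[8], kb[8];
    des_load_key(a, ka, defective);
    des_load_key(b, kb, defective);
    return memcmp(ka, kb, 8) == 0;
}

static void show(const char *label, const char *pw, int defective)
{
    uint8_t key[8];
    des_load_key(pw, key, defective);
    printf("%-10s %-12s", label, pw);
    for (int i = 0; i < 8; i++)
        printf(" %02x", key[i]);
    putchar('\n');
}

int main(void)
{
    /* Constructed sample: the article's example password; "À" is C3 80 in UTF-8 */
    const char *full = "\xC3\x80lbanez60";
    const char *prefix = "\xC3\x80";

    show("defective", full, 1);
    show("defective", prefix, 1);
    show("fixed", full, 0);
    show("fixed", prefix, 0);
    printf("defective loop treats them as the same password: %s\n",
           same_key(full, prefix, 1) ? "yes" : "no");
    return 0;
}
```

In the defective form every slot after the 0x80 byte is filled with zeros, so any password starting with "À" loads the same key; the corrected loop keeps consuming the remaining characters.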

This is also a good illustration of how security is a process and not an end result. Crypt-DES was an adequately secure password hashing approach well into the mid 1990's, which is why people stopped testing it. It was the introduction of popular Unicode-compliant versions of programming languages and databases which has made it less secure than anyone realized.

Contacting projects

Having found this issue, Xu, Bonneau, and other Cambridge graduate students spent several weeks examining some common software and found that the defective version of Crypt-DES was still shipping with several open source software packages, among them PostgreSQL and FreeBSD. They then emailed the private security mailing lists for the affected projects.

The PostgreSQL security team received this email on April 24th:

My name is Rubin Xu, a PhD student at University of Cambridge. While my colleague and I were investigating how websites handle non-ASCII passwords, we noticed a glitch in one of the standard DES crypt() implementations which causes certain Unicode passwords to be truncated before being DES digested. Unfortunately PostgreSQL seems to be shipping with the offending code as well.

The Cambridge team had previously contacted a few other projects, including FreeBSD. The FreeBSD and PostgreSQL projects had to decide what to do about patching the vulnerability. For anyone affected by it, an updated version of crypt-DES would require that all affected passwords (ones containing the 0x80 byte) be regenerated. While neither PostgreSQL nor FreeBSD used crypt-DES for system authentication, both supply functions which are used to hash application passwords. Because of this disruption to some users' applications, it couldn't be done casually.

The FreeBSD security team contacted the OpenBSD, NetBSD and DragonflyBSD projects. Rubin Xu's research indicated that PHP's crypt() also had the faulty algorithm, and he had attempted to contact the PHP security team without success. Members of FreeBSD contacted them and brought them into the discussion. NetBSD turned out not to be vulnerable.

Coordinating a release

Among the affected projects, this vulnerability was considered moderate in severity, since it only affected a minority of users of each project. Not only did users need to build applications using crypt() with DES, despite other, more modern hashing options being available, but the password vulnerability only affects passwords with Unicode characters including the 0x80 byte. Specifically, the vulnerability was limited to:

  • BSD users who used the included crypt() library with DES (the default) to support their applications.
  • PostgreSQL users who installed the optional pgCrypto extension and used its crypt() function with the default DES encryption.
  • PHP users who used the PHP crypt() function with DES on platforms without native encryption support, most notably Windows.

On the other hand, the vulnerability affects passwords, which means it's specifically a hole in code people have written to secure their systems. That raised this vulnerability from obscure to moderately serious. So FreeBSD filed for a Common Vulnerabilities and Exposures (CVE) number, and the projects began trying to coordinate a release.

From the perspective of the projects, once one project announced a release and CVE-2012-2143 became public, it wouldn't take much cleverness for even a newbie black hat to figure out the vulnerability in other products. That meant coordinating a release date among five different projects. In surprisingly short order, they reached a compromise date of May 30th, which was the earliest reasonable release date. On that date:

The entire timeline from the discovery of the vulnerability to deploying fixes for multiple projects took about three months. The majority of this time (about seven weeks) was taken up by the researchers finding and contacting affected projects. If there's room for improvement in the process of responsible disclosure, it's that finding affected projects or products and contacting their security teams is slow and time-consuming. The remaining five weeks is only two weeks longer than the minimum time for most packaged projects to do a release at all, due to packaging, scheduling, testing, and coordination requirements. One could easily argue that immediate disclosure would have gotten the news about the vulnerability out much sooner, but it's not clear how that would have benefited affected users until fixes for their software were available.

In relatively short order, five major open source projects were updated to close it. Nobody was threatened, no single project's users or developers were singled out, the security researchers were thanked for their work, and nobody needed to spend more than a few hours of their time getting the fixes made and released. At least from the perspective of software maintainers and regular users, this episode looks like a success.

Why it worked this time

Two important factors made this episode a relative success: the security researchers were university staff unmotivated by fame or profit, and the open source projects are community non-profits lacking incentives to defer or deny patching security holes. This meant that everyone involved was motivated to fix the vulnerability in the fastest, most responsible way possible.

This is by no means exceptional in the open source world. On the PostgreSQL project today, as with many other open source projects, companies and academic researchers regularly practice responsible disclosure, letting the developers know about a security issue in a reasonable time to fix it. If anything, this is the rule in the non-profit open source world. So why does disclosure cause friction, user exposure, blog wars, and legal threats in the for-profit world?

Well, when you look at failures of security disclosure, the overwhelming trend is bad faith. Software companies don't want to do expensive releases and get bad press for security issues, so they put off security researchers forever, or even threaten them. Security people or their employers want fame and attention so they publicize security holes as widely as possible without verification, or giving the vendor a chance to patch issues. Or worse, researchers, companies and agencies participate in a marketplace of secret security exploits.

So, while responsible disclosure can and does work in the non-profit open source world, it's not clear how to transfer these practices to the for-profit world, or even if it's possible to do so. Maybe the answer is simply to use more open source software.

[ Note that MITRE has not updated their CVE database. As such, the CVE link for the exploit will still show as "pending". ]


Brief items

Security quotes of the week

One of the nastier effects of this (and it didn't start with EFI and 'secure' boot but with Android) is that people are now hoarding kernel security holes rather than reporting them. Previously bad guys hoarded them, good ones fixed them. Now everyone is hoarding them so end user security will suffer drastically.
-- Alan Cox

Why not just avoid the entire Secure Boot problem by using Coreboot? Because the reason we have the Secure Boot problem is because Microsoft's Windows 8 certification requirements mean vendors have to ship a UEFI implementation with Secure Boot. You could satisfy that by using Coreboot with a Tiano payload, but it'll still have Secure Boot enabled so you still have the same set of problems. But maybe you could just reflash your system with Coreboot? No, because another part of the requirements states that all firmware updates have to be cryptographically signed now. The only way to reflash will be to attach a flash programmer directly to your motherboard.

So why not just use Coreboot? Because it doesn't help solve this problem in any way.

-- Matthew Garrett

Deleting intermediate certificates is pointless. You can only rely on revocation (which is known to be very unreliable), _or_ (preferably) you should import the same certificate in the _revocation_ branch of the SYSTEM certificate store. Only in that case can you be certain that the particular certificate will be untrusted (regardless of whether it is present in one of the _trusted_ stores or not).
-- Erik van Straten

As the article makes clear, the 6.5 million hashes are likely just those the hackers couldn't crack. The take-away from this is: It means nothing that you don't find your password in the list. Out of an abundance of caution, readers should presume the entire list has been obtained and change their password no matter what.
-- Dan Goodin


Critical vulnerability derails Ruby on Rails (The H)

The H reports on a newly-discovered SQL injection vulnerability in Ruby on Rails, affecting the 3.0.x, 3.1.x, and 3.2.x versions. "The vulnerability exists in versions 3.0 and later of Active Record, Rails' database layer, and is exposed when using nested query parameters. Code that directly passes parameters to a where method is affected. For example, using the common idiom params[:id] can be tricked into returning a crafted hash which causes the generated SQL statement to query an arbitrary table." The Rails team pushed out a fix, but shortly thereafter had to follow it up with another.


New vulnerabilities

apache-commons-compress: denial of service

Package(s): apache-commons-compress    CVE #(s): CVE-2012-2098
Created: June 4, 2012    Updated: February 13, 2014
Description: From the CVE entry:

Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.

Fixed in version 1.4.1.

Alerts:
Mageia MGASA-2014-0056 plexus-archiver 2014-02-12
Fedora FEDORA-2013-5546 plexus-archiver 2013-05-11
Fedora FEDORA-2013-5548 plexus-archiver 2013-05-11
Fedora FEDORA-2012-8465 apache-commons-compress 2012-06-03
Fedora FEDORA-2012-8428 apache-commons-compress 2012-06-02


arpwatch: privilege escalation

Package(s): arpwatch    CVE #(s): CVE-2012-2653
Created: June 4, 2012    Updated: July 20, 2016
Description: From the Debian advisory:

Steve Grubb from Red Hat discovered that a patch for arpwatch (as shipped at least in Red Hat and Debian distributions) in order to make it drop root privileges would fail to do so and instead add the root group to the list of groups the daemon uses.

Alerts:
Mandriva MDVSA-2013:017 arpwatch 2013-04-04
Mandriva MDVSA-2013:030 arpwatch 2013-04-05
Mandriva MDVSA-2012:113 arpwatch 2012-07-26
openSUSE openSUSE-SU-2012:0915-1 arpwatch 2012-07-25
Mageia MGASA-2012-0129 arpwatch 2012-06-27
Fedora FEDORA-2012-8677 arpwatch 2012-06-20
Debian DSA-2482-1 libgdata 2012-06-02
Fedora FEDORA-2012-8702 arpwatch 2012-06-20
Fedora FEDORA-2012-8675 arpwatch 2012-06-20
Debian DSA-2481-1 arpwatch 2012-06-02
Gentoo 201607-16 arpwatch 2016-07-20


bind: multiple vulnerabilities

Package(s): bind9    CVE #(s): CVE-2012-1667 CVE-2012-1033
Created: June 6, 2012    Updated: August 7, 2012
Description: From the

Dan Luther discovered that Bind incorrectly handled zero length rdata fields. A remote attacker could use this flaw to cause Bind to crash or behave erratically, resulting in a denial of service. (CVE-2012-1667)

It was discovered that Bind incorrectly handled revoked domain names. A remote attacker could use this flaw to cause malicious domain names to be continuously resolvable even after they have been revoked. (CVE-2012-1033)

Alerts:
Oracle ELSA-2014-1984 bind 2014-12-12
openSUSE openSUSE-SU-2013:0605-1 bind 2013-04-03
Slackware SSA:2012-341-01 bind 2012-12-06
Gentoo 201209-04 bind 2012-09-23
Red Hat RHSA-2012:1110-01 bind 2012-07-23
Oracle ELSA-2012-2028 bind 2012-08-06
SUSE SUSE-SU-2012:0741-6 bind 2012-07-13
openSUSE openSUSE-SU-2012:0864-1 bind 2012-07-11
openSUSE openSUSE-SU-2012:0863-1 bind 2012-07-11
SUSE SUSE-SU-2012:0741-5 bind 2012-06-27
CentOS CESA-2012:0716 bind 2012-06-07
Slackware SSA:2012-166-01 bind 2012-06-14
openSUSE openSUSE-SU-2012:0722-1 bind 2012-06-11
Scientific Linux SL-bind-20120607 bind 2012-06-07
Oracle ELSA-2012-0717 bind97 2012-06-08
Oracle ELSA-2012-0716 bind 2012-06-08
Debian DSA-2486-1 bind9 2012-06-05
SUSE SUSE-SU-2012:0741-4 bind 2012-06-18
SUSE SUSE-SU-2012:0741-3 bind 2012-06-16
Fedora FEDORA-2012-8968 bind 2012-06-13
Mandriva MDVSA-2012:089 bind 2012-06-10
Ubuntu USN-1462-1 bind9 2012-06-05
SUSE SUSE-SU-2012:0741-1 bind 2012-06-15
Red Hat RHSA-2012:0717-01 bind97 2012-06-07
Red Hat RHSA-2012:0716-01 bind 2012-06-07
Fedora FEDORA-2012-8946 bind 2012-06-15
Fedora FEDORA-2012-8962 bind 2012-06-15
SUSE SUSE-SU-2012:0741-2 bind 2012-06-15
Scientific Linux SL-bind-20120607 bind97 2012-06-07
CentOS CESA-2012:0717 bind97 2012-06-07


drupal7: full path disclosure

Package(s): drupal7    CVE #(s): CVE-2012-2922
Created: June 4, 2012    Updated: November 2, 2012
Description: From the CVE entry:

The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.

Alerts:
Mandriva MDVSA-2013:074 drupal 2013-04-08
Mageia MGASA-2012-0319 drupal 2012-11-01
Fedora FEDORA-2012-8360 drupal7 2012-06-02
Fedora FEDORA-2012-8362 drupal7 2012-06-02
Fedora FEDORA-2012-8398 drupal7 2012-06-03


firefox: multiple vulnerabilities

Package(s): firefox    CVE #(s): CVE-2011-3101 CVE-2012-1937 CVE-2012-1938 CVE-2012-1939 CVE-2012-1940 CVE-2012-1941 CVE-2012-1944 CVE-2012-1945 CVE-2012-1946 CVE-2012-1947
Created: June 6, 2012    Updated: January 8, 2013
Description: From the Red Hat advisory:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Mageia MGASA-2012-0176 iceape 2012-07-21
Mageia MGASA-2012-0136 firefox 2012-06-29
Mageia MGASA-2012-0135 firefox 2012-06-28
Ubuntu USN-1463-6 thunderbird 2012-06-26
Ubuntu USN-1463-5 unity-2d 2012-06-26
Mandriva MDVSA-2012:088-1 mozilla 2012-06-23
Debian DSA-2499-1 icedove 2012-06-24
Ubuntu USN-1463-4 thunderbird 2012-06-22
Slackware SSA:2012-166-04 seamonkey 2012-06-14
Slackware SSA:2012-166-03 mozilla-thunderbird 2012-06-14
Slackware SSA:2012-166-02 mozilla-firefox 2012-06-14
Scientific Linux SL-fire-20120606 firefox 2012-06-06
CentOS CESA-2012:0710 firefox 2012-06-06
Debian DSA-2489-1 iceape 2012-06-07
Oracle ELSA-2012-0710 firefox 2012-06-06
Scientific Linux SL-thun-20120607 thunderbird 2012-06-07
Oracle ELSA-2012-0715 thunderbird 2012-06-07
Red Hat RHSA-2012:0715-01 thunderbird 2012-06-06
Mandriva MDVSA-2012:088 mozilla 2012-06-09
Debian DSA-2488-1 iceweasel 2012-06-07
CentOS CESA-2012:0715 thunderbird 2012-06-07
Red Hat RHSA-2012:0710-01 firefox 2012-06-05
Ubuntu USN-1463-3 firefox 2012-06-20
openSUSE openSUSE-SU-2012:0760-1 mozilla 2012-06-19
SUSE SUSE-SU-2012:0746-1 Mozilla Firefox 2012-06-15
Ubuntu USN-1463-1 firefox 2012-06-06


globus-gridftp-server: privilege escalation

Package(s): globus-gridftp-server    CVE #(s):
Created: June 4, 2012    Updated: June 6, 2012
Description: GridFTP acts as the wrong user when the requested user doesn't exist. See this globus advisory for details.

Alerts:
Fedora FEDORA-2012-8488 globus-gridftp-server-control 2012-06-03
Fedora FEDORA-2012-8461 globus-gridftp-server-control 2012-06-03
Fedora FEDORA-2012-8445 globus-gridftp-server-control 2012-06-03
Fedora FEDORA-2012-8488 globus-gridftp-server 2012-06-03
Fedora FEDORA-2012-8461 globus-gridftp-server 2012-06-03
Fedora FEDORA-2012-8445 globus-gridftp-server 2012-06-03


kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CVE-2012-2127 CVE-2012-2319
Created: June 4, 2012    Updated: October 3, 2012
Description: From the SUSE advisory:

CVE-2012-2127: Various leaks in namespace handling over fork were fixed, which could be exploited by e.g. vsftpd access by remote users.

CVE-2012-2319: A memory corruption when mounting a hfsplus filesystem was fixed that could be used by local attackers able to mount filesystems to crash the system.

Alerts:
SUSE SUSE-SU-2015:0812-1 kernel 2015-04-30
Ubuntu USN-1607-1 linux 2012-10-11
Red Hat RHSA-2012:1347-01 kernel 2012-10-09
Ubuntu USN-1594-1 linux-lts-backport-oneiric 2012-10-03
Oracle ELSA-2012-1323 kernel 2012-10-04
Oracle ELSA-2012-1323 kernel 2012-10-03
Scientific Linux SL-kern-20121003 kernel 2012-10-03
CentOS CESA-2012:1323 kernel 2012-10-03
Red Hat RHSA-2012:1323-01 kernel 2012-10-02
Ubuntu USN-1530-1 linux-ti-omap4 2012-08-10
Ubuntu USN-1493-1 linux 2012-06-29
Ubuntu USN-1492-1 linux 2012-06-29
Ubuntu USN-1491-1 linux-ec2 2012-06-29
Ubuntu USN-1490-1 linux-lts-backport-natty 2012-06-29
Ubuntu USN-1488-1 linux 2012-06-29
Ubuntu USN-1471-1 linux-lts-backport-oneiric 2012-06-12
SUSE SUSE-SU-2012:0689-1 kernel 2012-06-02
SUSE SUSE-SU-2012:0736-1 Linux kernel 2012-06-14
Ubuntu USN-1473-1 linux 2012-06-13
Ubuntu USN-1476-1 linux-ti-omap4 2012-06-15
Ubuntu USN-1474-1 linux-ti-omap4 2012-06-13
Ubuntu USN-1472-1 linux 2012-06-12


moodle: multiple vulnerabilities

Package(s): moodle    CVE #(s): CVE-2012-2353 CVE-2012-2354 CVE-2012-2355 CVE-2012-2356 CVE-2012-2357 CVE-2012-2358 CVE-2012-2359 CVE-2012-2360 CVE-2012-2361 CVE-2012-2362 CVE-2012-2363 CVE-2012-2364 CVE-2012-2365 CVE-2012-2366 CVE-2012-2367
Created: June 1, 2012    Updated: August 2, 2012
Description:

From the Fedora advisory:

Update Information:

CVE-2012-2353 MSA-12-0024: Hidden information access issue

CVE-2012-2354 MSA-12-0025: Personal communication access issue

CVE-2012-2355 MSA-12-0026: Quiz capability issue

CVE-2012-2356 MSA-12-0027: Question bank capability issues

CVE-2012-2357 MSA-12-0028: Insecure authentication issue

CVE-2012-2358 MSA-12-0029: Information editing access issue

CVE-2012-2359 MSA-12-0030: Capability manipulation issue

CVE-2012-2360 MSA-12-0031: Cross-site scripting vulnerability in Wiki

CVE-2012-2361 MSA-12-0032: Cross-site scripting vulnerability in Web services

CVE-2012-2362 MSA-12-0033: Cross-site scripting vulnerability in Blog

CVE-2012-2363 MSA-12-0034: Potential SQL injection issue

CVE-2012-2364 MSA-12-0035: Cross-site scripting vulnerability in "download all"

CVE-2012-2365 MSA-12-0036: Cross-site scripting vulnerability in category identifier

CVE-2012-2366 MSA-12-0037: Write access issue in Database activity module

CVE-2012-2367 MSA-12-0038: Calendar event write permission issue

Correct CAS unbundling.

Drop bundled language packs.

New upstreams, multiple vulnerabilities.

Alerts:
Fedora FEDORA-2012-8284 moodle 2012-06-01
Fedora FEDORA-2012-8365 moodle 2012-06-02
Fedora FEDORA-2012-8325 moodle 2012-06-02


nut: application crash

Package(s): nut    CVE #(s): CVE-2012-2944
Created: June 1, 2012    Updated: September 28, 2012
Description:

From the Ubuntu advisory:

Nut could be made to crash if it received specially crafted network traffic.

Alerts:
Gentoo 201209-19 nut 2012-09-27
openSUSE openSUSE-SU-2012:1069-1 nut 2012-08-30
Mageia MGASA-2012-0155 nut 2012-07-10
Debian DSA-2484-1 nut 2012-06-02
Fedora FEDORA-2012-8694 nut 2012-06-15
Fedora FEDORA-2012-8729 nut 2012-06-15
Fedora FEDORA-2012-8747 nut 2012-06-15
Mandriva MDVSA-2012:087 nut 2012-06-05
Ubuntu USN-1456-1 nut 2012-05-31


openoffice.org: code execution

Package(s): openoffice.org    CVE #(s): CVE-2012-2334
Created: June 5, 2012    Updated: June 14, 2012
Description: From the Red Hat advisory:

An integer overflow flaw, leading to a buffer overflow, was found in the way OpenOffice.org processed an invalid Escher graphics records length in Microsoft Office PowerPoint documents. An attacker could provide a specially-crafted Microsoft Office PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.

Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
Mageia MGASA-2012-0253 libreoffice 2012-09-04
Ubuntu USN-1496-1 openoffice.org 2012-07-02
Ubuntu USN-1495-1 libreoffice, libreoffice-l10n 2012-07-02
Oracle ELSA-2012-0705 openoffice.org 2012-06-05
Mandriva MDVSA-2012:091 libreoffice 2012-06-15
Mandriva MDVSA-2012:090 openoffice.org 2012-06-14
Debian DSA-2487-1 openoffice.org 2012-06-07
Scientific Linux SL-open-20120605 openoffice.org 2012-06-05
CentOS CESA-2012:0705 openoffice.org 2012-06-05
Fedora FEDORA-2012-8114 libreoffice 2012-06-13
Mandriva MDVSA-2012:091 libreoffice 2012-06-14
Red Hat RHSA-2012:0705-01 openoffice.org 2012-06-05


php: integer overflow

Package(s): php5    CVE #(s): CVE-2012-2386
Created: June 5, 2012    Updated: July 16, 2012
Description: From the openSUSE advisory:

Specially crafted tar archives could cause an integer overflow in the phar extension.

Alerts:
Gentoo 201209-03 php 2012-09-23
Slackware SSA:2012-195-01 php 2012-07-14
CentOS CESA-2012:1046 php 2012-07-10
Scientific Linux SL-php-20120709 php 2012-07-09
Scientific Linux SL-php5-20120705 php53 2012-07-05
SUSE SUSE-SU-2012:0840-1 PHP5 2012-07-05
Fedora FEDORA-2012-9762 maniadrive 2012-07-02
Fedora FEDORA-2012-9762 php-eaccelerator 2012-07-02
Fedora FEDORA-2012-9762 php 2012-07-02
Oracle ELSA-2012-1046 php 2012-06-30
Fedora FEDORA-2012-9490 maniadrive 2012-06-30
Fedora FEDORA-2012-9490 php 2012-06-30
Oracle ELSA-2012-1047 php53 2012-06-28
CentOS CESA-2012:1047 php53 2012-06-27
Red Hat RHSA-2012:1047-01 php53 2012-06-27
Red Hat RHSA-2012:1046-01 php 2012-06-27
Ubuntu USN-1481-1 php5 2012-06-19
Mandriva MDVSA-2012:093 php 2012-06-15
openSUSE openSUSE-SU-2012:0695-1 php5 2012-06-05
Debian DSA-2492-1 php5 2012-06-10


postgresql: multiple vulnerabilities

Package(s): postgresql-8.3, postgresql-8.4, postgresql-9.1    CVE #(s): CVE-2012-2143 CVE-2012-2655
Created: June 5, 2012    Updated: September 28, 2012
Description: From the Ubuntu advisory:

It was discovered that PostgreSQL incorrectly handled certain bytes passed to the crypt() function when using DES encryption. An attacker could use this flaw to incorrectly handle authentication. (CVE-2012-2143)

It was discovered that PostgreSQL incorrectly handled SECURITY DEFINER and SET attributes on procedural call handlers. An attacker could use this flaw to cause PostgreSQL to crash, leading to a denial of service. (CVE-2012-2655)

Alerts:
openSUSE openSUSE-SU-2012:1299-1 postgresql 2012-10-06
openSUSE openSUSE-SU-2012:1288-1 postgresql, postgresql-libs 2012-10-04
Gentoo 201209-24 postgresql-server 2012-09-28
openSUSE openSUSE-SU-2012:1251-1 postgresql 2012-09-26
Gentoo 201209-03 php 2012-09-23
Oracle ELSA-2012-1263 postgresql, postgresql84 2012-09-14
CentOS CESA-2012:1046 php 2012-07-10
CentOS CESA-2012:1037 postgresql, postgresql84 2012-07-10
Scientific Linux SL-php-20120709 php 2012-07-09
Scientific Linux SL-post-20120709 postgresql 2012-07-09
Scientific Linux SL-post-20120705 postgresql, postgresql84 2012-07-05
Scientific Linux SL-php5-20120705 php53 2012-07-05
SUSE SUSE-SU-2012:0840-1 PHP5 2012-07-05
openSUSE openSUSE-SU-2012:0826-1 php5 2012-07-04
Fedora FEDORA-2012-9762 maniadrive 2012-07-02
Fedora FEDORA-2012-9762 php-eaccelerator 2012-07-02
Fedora FEDORA-2012-9762 php 2012-07-02
Oracle ELSA-2012-1046 php 2012-06-30
Oracle ELSA-2012-1037 postgresql, postgresql84 2012-06-30
Fedora FEDORA-2012-9490 maniadrive 2012-06-30
Fedora FEDORA-2012-9490 php 2012-06-30
Oracle ELSA-2012-1047 php53 2012-06-28
CentOS CESA-2012:1047 php53 2012-06-27
Red Hat RHSA-2012:1047-01 php53 2012-06-27
Red Hat RHSA-2012:1046-01 php 2012-06-27
Oracle ELSA-2012-1037 postgresql, postgresql84 2012-06-26
Oracle ELSA-2012-1036 postgresql 2012-06-26
CentOS CESA-2012:1037 postgresql, postgresql84 2012-06-25
CentOS CESA-2012:1036 postgresql 2012-06-25
Red Hat RHSA-2012:1037-01 postgresql, postgresql84 2012-06-25
Red Hat RHSA-2012:1036-01 postgresql 2012-06-25
Debian DSA-2491-1 postgresql-8.4 2012-06-09
Fedora FEDORA-2012-8893 postgresql 2012-06-15
Fedora FEDORA-2012-8915 postgresql 2012-06-15
Mandriva MDVSA-2012:092 postgresql 2012-06-15
Ubuntu USN-1461-1 postgresql-8.3, postgresql-8.4, postgresql-9.1 2012-06-05
Ubuntu USN-1481-1 php5 2012-06-19
Mandriva MDVSA-2012:093 php 2012-06-15
Fedora FEDORA-2012-8924 postgresql 2012-06-15


python-crypto: insecure key generation

Package(s): python-crypto    CVE #(s): CVE-2012-2417
Created: June 4, 2012    Updated: April 10, 2013
Description: From the Red Hat bugzilla:

A security flaw was found in the implementation of the ElGamal algorithm in python-crypto, a cryptography library for the Python language, in the way the random number 'g' was generated.

Alerts:
Mandriva MDVSA-2013:120 python-pycrypto 2013-04-10
Mageia MGASA-2012-0194 python-pycrypto 2012-08-02
Mandriva MDVSA-2012:117 python-pycrypto 2012-07-27
openSUSE openSUSE-SU-2012:0830-1 python-crypto 2012-07-04
Ubuntu USN-1484-1 python-crypto 2012-06-28
Gentoo 201206-23 pycrypto 2012-06-24
Debian DSA-2502-1 python-crypto 2012-06-24
Fedora FEDORA-2012-8392 python-crypto 2012-06-03
Fedora FEDORA-2012-8490 python-crypto 2012-06-03
Fedora FEDORA-2012-8470 python-crypto 2012-06-03


rubygem-rack-cache: information leak

Package(s): rubygem-rack-cache    CVE #(s):
Created: June 6, 2012    Updated: June 6, 2012
Description: From the Red Hat bugzilla:

The Rack::Cache rubygem has a flaw where it will cache sensitive headers (such as Set-Cookie response headers), which could leak potentially sensitive information.

Alerts:
Fedora FEDORA-2012-8439 rubygem-rack-cache 2012-06-05


socat: buffer overflow

Package(s): socat    CVE #(s): CVE-2012-0219
Created: June 1, 2012    Updated: May 29, 2013
Description:

From the Fedora advisory:

Fix for CVE-2012-0219 heap-based buffer overflow

Alerts:
Mandriva MDVSA-2013:169 socat 2013-05-29
Mandriva MDVSA-2013:127 socat 2013-04-10
Gentoo 201208-01 socat 2012-08-14
Mageia MGASA-2012-0138 socat 2012-07-09
openSUSE openSUSE-SU-2012:0809-1 socat 2012-07-02
Fedora FEDORA-2012-8328 socat 2012-06-07
Fedora FEDORA-2012-8274 socat 2012-06-01


Page editor: Nathan Willis
Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds