Security

Details are somewhat hazy, but the Red Hat bugzilla entry notes a fix for SQL injection and shell escaping problems (code execution?) problems.

Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine.

Marcus Moeller and Ken Fallon discovered that the CIFS incorrectly built certain paths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service.

The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. (CVE-2013-2206)

A certain Red Hat patch for the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows local users to cause a denial of service (invalid free operation and system crash) or possibly gain privileges via a sendmsg system call with the IP_RETOPTS option, as demonstrated by hemlock.c. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-3552. (CVE-2013-2224)

From the Ubuntu advisory:

Paul Collins discovered that libimobiledevice incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files and access device keys. In the default Ubuntu installation, this issue should be mitigated by the Yama link restrictions.

From the Red Hat bugzilla entries [1, 2]:

CVE-2013-4231: Pedro Ribeiro discovered a buffer overflow flaw in rgb2ycbcr, a tool to convert RGB color, greyscale, or bi-level TIFF images to YCbCr images, and multiple buffer overflow flaws in gif2tiff, a tool to convert GIF images to TIFF. A remote attacker could provide a specially-crafted TIFF or GIF file that, when processed by rgb2ycbcr and gif2tiff respectively, would cause the tool to crash or, potentially, execute arbitrary code with the privileges of the user running the tool.

CVE-2013-4232: Pedro Ribeiro discovered a use-after-free flaw in the t2p_readwrite_pdf_image() function in tiff2pdf, a tool for converting a TIFF image to a PDF document. A remote attacker could provide a specially-crafted TIFF file that, when processed by tiff2pdf, would cause tiff2pdf to crash or, potentially, execute arbitrary code with the privileges of the user running tiff2pdf.

The impact is unclear from the Red Hat bugzilla entry, but evidently libtomcrypt has an incorrect test for prime numbers (used to generate keys). It is not thought to have widespread impact.

Affected versions

All 2.0.X, 2.1.X, 2.2.X, and 2.3.X versions of the HttpFoundation component are affected by this issue.

Description

As the $_SERVER['HOST'] content is an input coming from the user, it can be manipulated and cannot be trusted. In the recent months, a lot of different attacks have been discovered relying on inconsistencies between the handling of the Host header by various software (web servers, reverse proxies, web frameworks, ...). Basically, everytime the framework is generating an absolute URL (when sending an email to reset a password for instance), the host might have been manipulated by an attacker. And depending on the configuration of your web server, the Symfony Request::getHost() method might be vulnerable to some of these attacks.

Affected versions

All 2.0.X, 2.1.X, 2.2.X, and 2.3.X versions of the Validator component are affected by this issue.

Description

When using the Validator component, if Symfony\\Component\\Validator\\Mapping\\Cache\\ApcCache is enabled (or any other cache implementing Symfony\\Component\\Validator\\Mapping\\Cache\\CacheInterface), some information is lost during serialization (the collectionCascaded and the collectionCascadedDeeply fields).

As a consequence, arrays or traversable objects stored in fields using the @Valid constraint are not traversed by the validator as soon as the validator configuration is loaded from the cache.

From the Ubuntu advisory:

It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. (CVE-2013-4761)

It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker. (CVE-2013-4956)

An attacker could entice a user to open connection to specially crafted SSH server, possibly resulting in execution of arbitrary code with the privileges of the process or obtain sensitive information.

From the Mageia advisory:

Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. This could lead to a breach when an application uses ssl.match_hostname() to match the hostname againt the certificate's subjectAltName's dNSName general names. (CVE-2013-4328).

From the Red Hat Bugzilla entries [1, 2]:

CVE-2013-4158: The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The filtering used this blacklist:

    $mode =~ s/[<>&%]/./g;

    my $xssBadRx = qr/[<>%&'";]/;

CVE-2013-4168: Another XSS was reported in smokeping, regarding the "start" and "end" time fields. These fields are not properly filtered. This has been fixed in upstream git.

From the Red Hat bugzilla entry:

Multiple vulnerabilities were reported in ZNC which can be exploited by malicious authenticated users to cause a denial of service. These flaws are due to errors when handling the "editnetwork", "editchan", "addchan", and "delchan" page requests; they can be exploited to cause a NULL pointer dereference. These flaws only affect version 1.0.