
Security

A longstanding GnuTLS certificate validation botch

By Jake Edge
March 5, 2014

Something rather reminiscent of Apple's "goto fail;" bug has been found, but this time it hits rather closer to home for the free software community since it lives in GnuTLS. Certificate validation for SSL/TLS has been under some scrutiny lately, evidently to good effect. But this bug is arguably much worse than Apple's, as it has allowed crafted certificates to evade validation checks for all versions of GnuTLS ever released since that project got started in late 2000.

Perhaps the biggest irony is that the fix changes a handful of "goto cleanup;" lines to "goto fail;". It also made other changes to the code (including adding a "fail" label), but the resemblance to the Apple bug is too obvious to ignore. While the two bugs are actually not that similar, other than both being in the certificate validation logic, the timing and look of the new bug does give one pause.

The problem boils down to incorrect return values from a function when there are errors in the certificate. The check_if_ca() function is supposed to return true (any non-zero value in C) or false (zero) depending on whether the issuer of the certificate is a certificate authority (CA). A true return should mean that the certificate passed muster and can be used further, but the bug meant that error returns were misinterpreted as certificate validations.

Prior to the fix, check_if_ca() would return error codes (which are negative numbers) when it encountered a problem, and the caller interpreted any non-zero value as true. The fix was made in two places: check_if_ca() now returns zero (false) when there are errors, and verify_crt() now tests the return value for != 1 rather than == 0.
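The bug pattern in miniature, as an added example rather than GnuTLS's own code: the cert_t struct, the ERR_BAD_ENCODING constant and the function bodies are invented for illustration, and only the shape follows the article (negative error codes leaking out of a function whose caller treats every non-zero value as "true", a caller that rejects only on == 0, and the two-part fix described above).

```c
#include <stdio.h>

/*
 * Constructed illustration of the CVE-2014-0092 error-handling pattern.
 * This is NOT GnuTLS code: the struct, the error code and the function
 * bodies are invented. Only the shape of the bug and of the fix follows
 * the article: negative error codes leaking out of a function whose
 * caller treats every non-zero value as "true".
 */

#define ERR_BAD_ENCODING (-1)   /* GnuTLS-style: errors are negative */

typedef struct {
    int is_ca;        /* what the issuer's basicConstraints claims */
    int parse_error;  /* non-zero: the issuer certificate could not be decoded */
} cert_t;

/* Before the fix: an error path hands the negative error code to the caller. */
static int check_if_ca_buggy(const cert_t *issuer)
{
    int result;

    if (issuer->parse_error) {
        result = ERR_BAD_ENCODING;
        goto cleanup;          /* leaks -1, which is non-zero, i.e. "true" */
    }
    result = issuer->is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Before the fix: the caller rejects only on exactly zero, so -1 passes. */
static int verify_crt_buggy(const cert_t *issuer)
{
    if (check_if_ca_buggy(issuer) == 0)
        return 0;              /* rejected */
    return 1;                  /* accepted, including the error case */
}

/* After the fix: every error path goes through "fail", which forces 0. */
static int check_if_ca_fixed(const cert_t *issuer)
{
    int result;

    if (issuer->parse_error) {
        result = ERR_BAD_ENCODING;
        goto fail;
    }
    result = issuer->is_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;                /* an error can never read as "is a CA" */
cleanup:
    /* resource release would go here in real code */
    return result;
}

/* After the fix: the caller accepts only an explicit 1, so a stray negative
 * value from any future error path would still be rejected. */
static int verify_crt_fixed(const cert_t *issuer)
{
    if (check_if_ca_fixed(issuer) != 1)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed inputs, not real certificates */
    const cert_t good_ca   = { .is_ca = 1, .parse_error = 0 };
    const cert_t not_a_ca  = { .is_ca = 0, .parse_error = 0 };
    const cert_t malformed = { .is_ca = 0, .parse_error = 1 };

    printf("good CA   : buggy=%d fixed=%d\n",
           verify_crt_buggy(&good_ca), verify_crt_fixed(&good_ca));
    printf("not a CA  : buggy=%d fixed=%d\n",
           verify_crt_buggy(&not_a_ca), verify_crt_fixed(&not_a_ca));
    printf("malformed : buggy=%d fixed=%d\n",
           verify_crt_buggy(&malformed), verify_crt_fixed(&malformed));
    return 0;
}
```

The malformed input is the interesting row: the buggy pair accepts it (1), the fixed pair rejects it (0), while both pairs agree on the two well-formed inputs. Note that the two halves of the fix are independent: even with check_if_ca() repaired, keeping the `!= 1` test in the caller means a later error path that forgets to route through `fail` still cannot turn into an acceptance.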

It is hard to say how far back this bug goes, as the code has been restructured several times over the years, but the GnuTLS advisory warns that all versions are affected. There are a lot of applications that use GnuTLS for their SSL/TLS secure communication needs. This thread at Hacker News mentions a few, including Emacs, wget, NetworkManager, VLC, Git, and others. On my Fedora 20 system, attempting to remove GnuTLS results in Yum wanting to remove 309 dependent packages, including all of KDE, Gnucash, Calligra, LibreOffice, libvirt, QEMU, Wine, and more.

GnuTLS came about partly because the OpenSSL license is problematic for GPL-licensed programs. OpenSSL has a BSD-style license, but still includes the (in)famous "advertising clause". The license has been a source of problems before, so GPL programs often avoid it. One would hope that the OpenSSL developers are diligently auditing their code for problems similar to what we have seen from Apple and GnuTLS.

It was a code audit done by GnuTLS founder Nikos Mavrogiannopoulos (at the request of Red Hat, his employer) that discovered the bug. He may well have been the one to introduce it long ago, as he has done much of the work on the project—and the file in question (lib/x509/verify.c). He described it as "an important (and at the same time embarrassing) bug". It is clearly that, but it is certainly a good thing that it has at last been found and fixed.

Several commenters in various places have focused on the "goto" statement as somehow being a part of the problem for both Apple and GnuTLS. That concern seems misplaced. While, in both cases, a goto statement was located at the point where the bug was fixed, the real problem was twofold: botched error handling and incomplete testing. While Edsger Dijkstra's advice on goto and its harmful effects on the structure of programs is cogent, it isn't completely applicable here. Handling error conditions in C functions is commonly done using goto and, if it is done right, goto actually adds to the readability of the code. Neither Apple nor GnuTLS's flaw can really be laid at the feet of goto.

In something of a replay of the admonishments in last week's article on the Apple flaw: all security software needs to be better tested. We are telling our users that we are protecting their communications with the latest and greatest encryption, but we are far too often failing them with implementation errors. Testing with bad certificates would seem to be a must; some presumably was done for both code bases, but obviously some possibilities of badly formed or signed certificates were skipped. More (and better) testing is indicated.

[ Thanks to Paul Sladen for the heads-up about this bug. ]

Comments (117 posted)

Brief items

Security quotes of the week

I am still trying to get my head around the implications that the British government's equivalent of the NSA probably holds the world's largest collection of pornographic videos, that the stash is probably contaminated with seriously illegal material, and their own personnel can in principle be charged and convicted of a strict liability offence if they try to do their job. It does, however, suggest to me that the savvy Al Qaida conspirators [yes, I know this is a contradiction in terms] of the next decade will hold their covert meetings in the nude, on Yahoo! video chat, while furiously masturbating.
Charlie Stross

This is truly atrocious. Given that “encrypting” the backup configuration files is done presumably to protect end users, expecting this to thwart any attacker and touting it as a product feature is unforgivable.

OK, I don’t really care that much. I’m just disappointed that it took longer to write this blog post than it did to break their “crypto”.

Craig of /dev/ttyS0 is saddened by Linksys router "encryption" (XOR with 0xFF)

The plan was confirmed by Keurig's CEO who stated on a recent earnings call that the new maker indeed won't work with "unlicensed" pods as part of an effort to deliver "game-changing performance." "Keurig 2.0" is expected to launch this fall. French Press and pour-over manufacturers like Chemex have plenty of time to get their thank you notes to Keurig in the mail ahead of time as users are hopefully nudged toward the realization they could be drinking much better coffee anyway.
Karl Bode of Techdirt comments on coffee maker DRM

If the NSA collects -- I'm using the everyday definition of the word here -- all of the contents of everyone's e-mail, it doesn't count it as being collected in NSA terms until someone reads it. And if it collects -- I'm sorry, but that's really the correct word -- everyone's phone records or location information and stores it in an enormous database, that doesn't count as being collected -- NSA definition -- until someone looks at it. If the agency uses computers to search those emails for keywords, or correlates that location information for relationships between people, it doesn't count as collection, either. Only when those computers spit out a particular person has the data -- in NSA terms -- actually been collected.
Bruce Schneier

Comments (none posted)

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping (ars technica)

According to this ars technica article, the GnuTLS library has a certificate validation vulnerability that looks awfully similar to the recently patched Apple hole. "This time, instead of a single misplaced 'goto fail' command, the mistakes involve errors with several 'goto cleanup' calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks."

Comments (94 posted)

New vulnerabilities

activemq: multiple vulnerabilities

Package(s):activemq CVE #(s):CVE-2013-2035 CVE-2013-4330 CVE-2014-0003
Created:March 4, 2014 Updated:November 21, 2014
Description: From the Red Hat advisory:

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

A flaw was found in Apache Camel's parsing of the FILE_NAME header. A remote attacker able to submit messages to a Camel route, which would write the provided message to a file, could provide expression language (EL) expressions in the FILE_NAME header, which would be evaluated on the server. This could lead to arbitrary remote code execution in the context of the Camel server process. (CVE-2013-4330)

It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. A remote attacker able to submit messages to a Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. (CVE-2014-0003)

Alerts:
Mageia MGASA-2014-0461 hawtjni 2014-11-21
Red Hat RHSA-2014:0254-01 activemq 2014-03-05
Red Hat RHSA-2014:0245-01 activemq 2014-03-03

Comments (none posted)

chromium: multiple vulnerabilities

Package(s):chromium CVE #(s):CVE-2013-6652 CVE-2013-6663 CVE-2013-6664 CVE-2013-6665 CVE-2013-6666 CVE-2013-6667 CVE-2013-6668 CVE-2013-6802 CVE-2014-1681
Created:March 5, 2014 Updated:December 10, 2014
Description: From the Gentoo advisory:

Multiple vulnerabilities have been discovered in Chromium and V8. A context-dependent attacker could entice a user to open a specially crafted web site or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Furthermore, a remote attacker may be able to bypass security restrictions or have other unspecified impact.

Alerts:
Mandriva MDVSA-2015:142 nodejs 2015-03-29
Red Hat RHSA-2014:1744-01 v8314-v8 2014-10-30
Fedora FEDORA-2014-10975 v8 2014-09-28
Fedora FEDORA-2014-11065 v8 2014-09-28
Fedora FEDORA-2014-10975 nodejs 2014-09-28
Fedora FEDORA-2014-11065 nodejs 2014-09-28
Debian DSA-2883-1 chromium-browser 2014-03-23
Mageia MGASA-2014-0121 chromium-browser-stable 2014-03-06
Gentoo 201403-01 chromium 2014-03-05

Comments (none posted)

chromium: multiple vulnerabilities

Package(s):chromium CVE #(s):CVE-2013-6653 CVE-2013-6654 CVE-2013-6655 CVE-2013-6656 CVE-2013-6657 CVE-2013-6658 CVE-2013-6659 CVE-2013-6660 CVE-2013-6661
Created:February 28, 2014 Updated:March 5, 2014
Description:

From Chromium blog:

CVE-2013-6653: Use-after-free related to web contents.

CVE-2013-6654: Bad cast in SVG.

CVE-2013-6655: Use-after-free in layout.

CVE-2013-6656: Information leak in XSS auditor.

CVE-2013-6657: Information leak in XSS auditor.

CVE-2013-6658: Use-after-free in layout.

CVE-2013-6659: Issue with certificates validation in TLS handshake.

CVE-2013-6660: Information leak in drag and drop.

CVE-2013-6661: Various fixes from internal audits, fuzzing and other initiatives. Of these, seven are fixes for issues that could have allowed for sandbox escapes from compromised renderers.

Alerts:
Debian DSA-2883-1 chromium-browser 2014-03-23
openSUSE openSUSE-SU-2014:0327-1 chromium 2014-03-05
Gentoo 201403-01 chromium 2014-03-05
Mageia MGASA-2014-0107 chromium-browser 2014-02-27

Comments (none posted)

drupal6-filefield: access bypass

Package(s):drupal6-filefield CVE #(s):
Created:March 3, 2014 Updated:March 5, 2014
Description: From the Drupal advisory:

FileField module allows users to upload files in conjunction with the Content Construction Kit (CCK) module in Drupal 6.

The module doesn't sufficiently check permissions on revisions when determining if a user should have access to a particular file attached to that revision. A user could gain access to private files attached to revisions when they don't have access to the corresponding revision.

This vulnerability is mitigated by the fact that an attacker must have access to upload files through FileField module while creating content, and the site must be using a non-core workflow module that allows users to create unpublished revisions of content.

Alerts:
Fedora FEDORA-2014-2615 drupal6-filefield 2014-03-01
Fedora FEDORA-2014-2648 drupal6-filefield 2014-03-01

Comments (none posted)

drupal6-image_resize_filter: denial of service

Package(s):drupal6-image_resize_filter CVE #(s):
Created:March 3, 2014 Updated:March 5, 2014
Description: From the Drupal advisory:

This module enables you to resize images based on the HTML contents of a post. Images with specified height and width properties that differ from the original image result in a resized image being created.

The module doesn't limit the number of resized images per post or user, which could allow a user to post a large number of images that need to be resized within a single piece of content. This could cause the server to become overwhelmed by requests to resize images.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to post content that utilizes the image resize filter.

Alerts:
Fedora FEDORA-2014-2612 drupal6-image_resize_filter 2014-03-01
Fedora FEDORA-2014-2611 drupal6-image_resize_filter 2014-03-01

Comments (none posted)

drupal7-ctools: access bypass

Package(s):drupal7-ctools CVE #(s):
Created:March 3, 2014 Updated:March 5, 2014
Description: From the Drupal advisory:

This module provides content editors with an autocomplete callback for entity titles, as well as an ability to embed content within the Chaos tool suite (ctools) framework.

Prior to this version, ctools did not sufficiently check access grants for various types of content other than nodes. It also didn't sufficiently check access before displaying content with the relationship plugin.

These vulnerabilities are mitigated by the fact that you must be using entities other than node or users for the autocomplete callback, or you must be using the relationship plugin and displaying the content (e.g. in panels).

Alerts:
Fedora FEDORA-2014-2578 drupal7-ctools 2014-03-01
Fedora FEDORA-2014-2562 drupal7-ctools 2014-03-01

Comments (none posted)

easy-rsa: weak keys

Package(s):easy-rsa CVE #(s):
Created:March 4, 2014 Updated:March 5, 2014
Description: From the Fedora advisory:

Update to 2.2.2, stronger defaults for key strength. Use SHA256 instead of SHA1.

Alerts:
Fedora FEDORA-2014-2869 easy-rsa 2014-03-04
Fedora FEDORA-2014-2804 easy-rsa 2014-03-04

Comments (none posted)

egroupware: remote code execution

Package(s):egroupware CVE #(s):CVE-2014-2027
Created:March 4, 2014 Updated:March 29, 2015
Description: From the Mageia advisory:

eGroupware prior to 1.8.006.20140217 is vulnerable to remote file deletion and possible remote code execution due to user input being passed to PHP's unserialize() method.

Alerts:
Mandriva MDVSA-2015:087 egroupware 2015-03-28
Mageia MGASA-2014-0116 egroupware 2014-03-03

Comments (none posted)

gnutls: certificate verification issue

Package(s):gnutls CVE #(s):CVE-2014-0092
Created:March 4, 2014 Updated:March 13, 2014
Description: The GnuTLS library has error-handling issues that can result in the false validation of fraudulent certificates; see this article for details.

Alerts:
Mandriva MDVSA-2015:072 gnutls 2015-03-27
Fedora FEDORA-2014-14760 gnutls 2014-11-13
Gentoo 201406-09 gnutls 2014-06-13
SUSE SUSE-SU-2014:0445-1 gnutls 2014-03-25
Red Hat RHSA-2014:0288-01 gnutls 2014-03-12
openSUSE openSUSE-SU-2014:0346-1 gnutls 2014-03-08
Mandriva MDVSA-2014:048 gnutls 2014-03-10
openSUSE openSUSE-SU-2014:0328-1 gnutls 2014-03-05
Fedora FEDORA-2014-3363 gnutls 2014-03-06
Fedora FEDORA-2014-3413 gnutls 2014-03-06
SUSE SUSE-SU-2014:0324-1 gnutls 2014-03-04
openSUSE openSUSE-SU-2014:0325-1 gnutls 2014-03-05
CentOS CESA-2014:0247 gnutls 2014-03-04
CentOS CESA-2014:0246 gnutls 2014-03-04
Ubuntu USN-2127-1 gnutls26 2014-03-04
SUSE SUSE-SU-2014:0323-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0322-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0321-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0320-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0319-1 gnutls 2014-03-04
Slackware SSA:2014-062-01 gnutls 2014-03-03
Scientific Linux SLSA-2014:0246-1 gnutls 2014-03-03
Scientific Linux SLSA-2014:0247-1 gnutls 2014-03-03
Oracle ELSA-2014-0247 gnutls 2014-03-03
Oracle ELSA-2014-0246 gnutls 2014-03-03
Mageia MGASA-2014-0117 gnutls 2014-03-03
Debian DSA-2869-1 gnutls26 2014-03-03
Red Hat RHSA-2014:0247-01 gnutls 2014-03-03
Red Hat RHSA-2014:0246-01 gnutls 2014-03-03

Comments (none posted)

gnutls: X.509 v1 certificate handling flaw

Package(s):gnutls CVE #(s):CVE-2009-5138
Created:March 4, 2014 Updated:March 5, 2014
Description: From the Red Hat advisory:

A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid.

Alerts:
SUSE SUSE-SU-2014:0445-1 gnutls 2014-03-25
CentOS CESA-2014:0247 gnutls 2014-03-04
SUSE SUSE-SU-2014:0323-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0322-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0321-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0320-1 gnutls 2014-03-04
SUSE SUSE-SU-2014:0319-1 gnutls 2014-03-04
Scientific Linux SLSA-2014:0247-1 gnutls 2014-03-03
Oracle ELSA-2014-0247 gnutls 2014-03-03
Red Hat RHSA-2014:0247-01 gnutls 2014-03-03

Comments (none posted)

kernel: information leak

Package(s):kernel CVE #(s):CVE-2014-2038
Created:February 27, 2014 Updated:March 5, 2014
Description: From the Mageia advisory:

Linux kernel built with the NFS file system (CONFIG_NFS_FS) along with support for the NFSv4 protocol (CONFIG_NFS_V4) is vulnerable to an information leakage flaw. It could occur while writing to a file where the NFS server has offered write delegation to the client. Such delegation allows the NFS client to perform the said operation locally without instant interaction with the server. A user/program could use this flaw to at least leak kernel memory bytes. (CVE-2014-2038)

Alerts:
Ubuntu USN-2137-1 linux-lts-saucy 2014-03-07
Ubuntu USN-2140-1 kernel 2014-03-07
Mageia MGASA-2014-0103 kernel 2014-02-26

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2014-2039
Created:March 3, 2014 Updated:March 5, 2014
Description: From the Red Hat bugzilla:

Linux kernel built for the s390 architecture (CONFIG_S390) is vulnerable to a crash due to a low-address protection exception. It occurs when an application uses a linkage stack instruction.

An unprivileged user/application could use this flaw to crash the system resulting in DoS.

Alerts:
Scientific Linux SLSA-2014:0771-1 kernel 2014-06-19
Oracle ELSA-2014-0771 kernel 2014-06-19
CentOS CESA-2014:0771 kernel 2014-06-20
Red Hat RHSA-2014:0771-01 kernel 2014-06-19
openSUSE openSUSE-SU-2014:0766-1 Evergreen 2014-06-06
SUSE SUSE-SU-2014:0696-1 Linux kernel 2014-05-22
Debian DSA-2906-1 linux-2.6 2014-04-24
Mandriva MDVSA-2014:124 kernel 2014-06-13
Fedora FEDORA-2014-2887 kernel 2014-03-01
Fedora FEDORA-2014-3094 kernel 2014-02-28

Comments (none posted)

libvirt: unsafe usage of paths under /proc/$PID/root

Package(s):libvirt CVE #(s):CVE-2013-6456
Created:March 3, 2014 Updated:May 2, 2014
Description: From the Red Hat bugzilla:

Eric Blake from Red Hat notes:

The LXC driver will open paths under /proc/$PID/root for some operations it performs on running guests. For the virDomainShutdown and virDomainReboot APIs it will use this to access the /dev/initctl path in the container. For the virDomainDeviceAttach / virDomainDeviceDettach APIs it will use this to create device nodes in the container's /dev filesystem. If any of the path components under control of the container are symlinks the container can cause the libvirtd daemon to access the incorrect files.

A container can cause the administrator to shutdown or reboot the host OS if /dev/initctl in the container is made to be an absolute symlink back to itself or /run/initctl. A container can cause the host administrator to mknod in an arbitrary host directory when invoking the virDomainDeviceAttach API by replacing '/dev' with an absolute symlink. A container can cause the host administrator to delete host device when invoking the virDomainDeviceDettach API by replacing '/dev' with an absolute symlink.

Alerts:
Mandriva MDVSA-2015:115 libvirt 2015-03-29
Gentoo 201412-04 libvirt 2014-12-09
Mageia MGASA-2014-0243 libvirt 2014-05-29
Mandriva MDVSA-2014:097 libvirt 2014-05-16
Ubuntu USN-2209-1 libvirt 2014-05-07
openSUSE openSUSE-SU-2014:0593-1 libvirt 2014-05-02
Fedora FEDORA-2014-2864 libvirt 2014-02-28

Comments (none posted)

mariadb: multiple vulnerabilities

Package(s):mariadb CVE #(s):
Created:March 3, 2014 Updated:March 5, 2014
Description: From the Mageia advisory:

MariaDB has been updated to the latest release in the 5.5 series, 5.5.36, which fixes several security vulnerabilities and other bugs. See the Release Notes for more details.

Alerts:
Mageia MGASA-2014-0108 mariadb 2014-02-28

Comments (none posted)

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2013-6451 CVE-2013-6452 CVE-2013-6453 CVE-2013-6472
Created:March 3, 2014 Updated:March 5, 2014
Description: From the Mageia advisory:

MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS (CVE-2013-6451).

Chris from RationalWiki reported that SVG files could be uploaded that include external stylesheets, which could lead to XSS when an XSL was used to include JavaScript (CVE-2013-6452).

During internal review, it was discovered that MediaWiki's SVG sanitization could be bypassed when the XML was considered invalid (CVE-2013-6453).

During internal review, it was discovered that MediaWiki displayed some information about deleted pages in the log API, enhanced RecentChanges, and user watchlists (CVE-2013-6472).

Alerts:
Gentoo 201502-04 mediawiki 2015-02-07
Debian DSA-2891-3 mediawiki 2014-04-04
Debian DSA-2891-2 mediawiki 2014-03-31
Debian DSA-2891-1 mediawiki 2014-03-30
Mandriva MDVSA-2014:057 mediawiki 2014-03-13
Mageia MGASA-2014-0113 mediawiki 2014-03-02

Comments (none posted)

openstack-glance: information leak

Package(s):openstack-glance CVE #(s):CVE-2014-1948
Created:March 5, 2014 Updated:May 13, 2014
Description: From the CVE entry:

OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.

Alerts:
Fedora FEDORA-2014-5198 openstack-glance 2014-05-13
Red Hat RHSA-2014:0229-01 openstack-glance 2014-03-04

Comments (none posted)

openstack-nova: denial of service

Package(s):openstack-nova CVE #(s):CVE-2013-6437
Created:March 5, 2014 Updated:March 5, 2014
Description: From the Red Hat advisory:

A flaw was found in the way the libvirt driver handled short-lived disk back-up files on Compute nodes. An authenticated attacker could use this flaw to create a large number of such files, exhausting all available space on Compute node disks, and potentially causing a denial of service. Note that only Compute setups using the libvirt driver were affected.

Alerts:
Red Hat RHSA-2014:0231-01 openstack-nova 2014-03-04

Comments (none posted)

openstack-packstack: insecure network connections

Package(s):openstack-packstack CVE #(s):CVE-2014-0071
Created:March 5, 2014 Updated:March 5, 2014
Description: From the Red Hat advisory:

It was found that PackStack did not correctly install the rules defined in the default security groups when deployed on OpenStack Networking (neutron), allowing network connections to be made to systems that should not have been accessible.

Alerts:
Red Hat RHSA-2014:0233-01 openstack-packstack 2014-03-04

Comments (none posted)

openstack-swift: timing side-channel attack

Package(s):openstack-swift CVE #(s):CVE-2014-0006
Created:March 5, 2014 Updated:May 7, 2014
Description: From the CVE entry:

The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack.
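An added example, not Swift's code, of the defence against the timing side channel this entry describes: comparing the signature presented in a request against the expected one without letting the running time depend on how long their common prefix is. The signature strings are constructed, no HMAC is computed, and SIG_LEN and the function names belong to this example only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the timing side channel in the
 * CVE-2014-0006 entry above. Not Swift code. A TempURL-style check
 * compares the signature in the request against the one the server
 * computes; what matters here is how that comparison is done.
 */

#define SIG_LEN 40   /* hex-encoded HMAC-SHA1, the size TempURL uses */

/* Leaky comparison: stops at the first mismatching byte, so the time taken
 * grows with the length of the matching prefix. Returns the length of that
 * prefix (n on a full match) and sets *match to the boolean result. */
static size_t compare_leaky(const char *a, const char *b, size_t n, int *match)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *match = 0;
            return i;
        }
    }
    *match = 1;
    return n;
}

/* Constant-time comparison: touches every byte and folds all differences
 * into one accumulator, so timing does not depend on where the inputs
 * differ. Returns 1 if equal, 0 otherwise. */
static int compare_const_time(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* A TempURL-style check: reject wrong-length input up front (the expected
 * length is public, so that early exit reveals nothing), then compare the
 * fixed-length remainder in constant time. */
static int tempurl_signature_ok(const char *expected, const char *presented)
{
    if (strlen(expected) != SIG_LEN || strlen(presented) != SIG_LEN)
        return 0;
    return compare_const_time(expected, presented, SIG_LEN);
}

int main(void)
{
    /* constructed values, not real signatures */
    const char expected[]  = "3f1a9c0d7e5b2a4c6d8e0f1a2b3c4d5e6f708192";
    const char near_miss[] = "3f1a9c0d7e5b2a4c6d8e0f1a2b3c4d5e6f708193";
    const char far_miss[]  = "0000000000000000000000000000000000000000";
    int m;

    size_t p_near = compare_leaky(expected, near_miss, SIG_LEN, &m);
    size_t p_far  = compare_leaky(expected, far_miss, SIG_LEN, &m);
    printf("leaky compare: %zu bytes examined for a near miss, %zu for a far miss\n",
           p_near, p_far);
    printf("constant-time: correct=%d near=%d far=%d\n",
           tempurl_signature_ok(expected, expected),
           tempurl_signature_ok(expected, near_miss),
           tempurl_signature_ok(expected, far_miss));
    return 0;
}
```

The leaky version examines 39 bytes for the near miss and none for the far miss; that difference in work, repeated over many requests, is the signal a remote party measures. The constant-time version does the same amount of work for all three inputs and only the final result differs.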

Alerts:
Ubuntu USN-2207-1 swift 2014-05-06
Red Hat RHSA-2014:0367-01 openstack-swift 2014-04-03
Red Hat RHSA-2014:0232-01 openstack-swift 2014-03-04

Comments (none posted)

otrs: JavaScript code execution

Package(s):otrs CVE #(s):CVE-2014-1695
Created:March 3, 2014 Updated:March 13, 2014
Description: From the Mageia advisory:

An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed.

Alerts:
openSUSE openSUSE-SU-2014:0360-1 otrs 2014-03-13
Mandriva MDVSA-2014:054 otrs 2014-03-13
Mageia MGASA-2014-0114 otrs 2014-03-02

Comments (none posted)

php: multiple vulnerabilities

Package(s):php5 CVE #(s):CVE-2013-7327 CVE-2013-7328 CVE-2014-2020
Created:March 4, 2014 Updated:March 5, 2014
Description: From the CVE entries:

The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226. (CVE-2013-7327)

Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a different vulnerability than CVE-2013-7226. (CVE-2013-7328)

ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which might allow remote attackers to obtain sensitive information by using a (1) string or (2) array data type in place of a numeric data type, as demonstrated by an imagecrop function call with a string for the x dimension value, a different vulnerability than CVE-2013-7226. (CVE-2014-2020)

Alerts:
Gentoo 201408-11 php 2014-08-29
Mandriva MDVSA-2014:059 php 2014-03-14
Ubuntu USN-2126-1 php5 2014-03-03

Comments (none posted)

python-logilab-common: multiple unspecified temporary file vulnerabilities

Package(s):python-logilab-common CVE #(s):CVE-2014-1838 CVE-2014-1839
Created:February 28, 2014 Updated:March 19, 2014
Description:

From the openSUSE advisory:

The Python logilab-common module was updated to fix several temporary file problems, one in the PDF generator (CVE-2014-1838) and one in the shellutils helper (CVE-2014-1839).

Alerts:
Fedora FEDORA-2014-3300 python-logilab-common 2014-03-19
Fedora FEDORA-2014-3300 python-astroid 2014-03-19
Fedora FEDORA-2014-3300 pylint 2014-03-19
Mageia MGASA-2014-0118 python-logilab-common 2014-03-03
openSUSE openSUSE-SU-2014:0306-1 python-logilab-common 2014-02-28

Comments (none posted)

python-tahrir: insecure openid login

Package(s):python-tahrir CVE #(s):
Created:March 4, 2014 Updated:March 5, 2014
Description: From the Fedora advisory:

Fix openid login from untrusted provider.

Alerts:
Fedora FEDORA-2014-2239 python-tahrir 2014-03-04
Fedora FEDORA-2014-2264 python-tahrir 2014-03-04

Comments (none posted)

subversion: denial of service

Package(s):subversion CVE #(s):CVE-2014-0032
Created:February 28, 2014 Updated:August 15, 2014
Description:

From the Mageia advisory:

The mod_dav_svn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via an OPTIONS request.

Alerts:
Debian-LTS DLA-207-1 subversion 2015-04-24
Mandriva MDVSA-2015:085 subversion 2015-03-28
Ubuntu USN-2316-1 subversion 2014-08-14
Mandriva MDVSA-2014:049 subversion 2014-03-10
Scientific Linux SLSA-2014:0255-1 subversion 2014-03-05
Oracle ELSA-2014-0255 subversion 2014-03-05
openSUSE openSUSE-SU-2014:0334-1 subversion 2014-03-06
CentOS CESA-2014:0255 subversion 2014-03-06
Red Hat RHSA-2014:0255-01 subversion 2014-03-05
Mageia MGASA-2014-0105 subversion 2014-02-27
Slackware SSA:2014-058-01 subversion 2014-02-27
openSUSE openSUSE-SU-2014:0307-1 subversion 2014-02-28
Mageia MGASA-2014-0104 subversion 2014-02-27
Gentoo 201610-05 subversion 2016-10-11

Comments (none posted)

xen: multiple vulnerabilities

Package(s):xen CVE #(s):CVE-2014-1950 CVE-2013-2212
Created:March 3, 2014 Updated:March 5, 2014
Description: From the CVE entries:

Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack, does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors. (CVE-2014-1950)

The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (CVE-2013-2212)

Alerts:
Gentoo 201504-04 xen 2015-04-11
Debian DSA-3006-1 xen 2014-08-18
openSUSE openSUSE-SU-2014:0483-1 xen 2014-04-04
openSUSE openSUSE-SU-2014:0482-1 xen 2014-04-04
SUSE SUSE-SU-2014:0446-1 Xen 2014-03-25
SUSE SUSE-SU-2014:0373-1 Xen 2014-03-14
SUSE SUSE-SU-2014:0372-1 Xen 2014-03-14
Fedora FEDORA-2014-2862 xen 2014-03-02
Fedora FEDORA-2014-2802 xen 2014-03-02

Comments (none posted)

Page editor: Jake Edge

Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds