User: Password:
Subscribe / Log in / New account


The status of Wayland security

By Jake Edge
March 12, 2014

Unlike its predecessor, X, Wayland was created with an eye toward security. In part, that is due to the threat landscape present at the time each was created—the twenty-first century is a much more dangerous time. While Wayland is designed to provide confidentiality and integrity, there are times when applications will need or want to circumvent those protections. How to safely allow that is the topic of some recent postings to the wayland-devel mailing list.

The discussion started back at the end of December in a thread on authorizing clients to use restricted interfaces for accessibility and other tools, though it had been touched on in the context of screen-grabbing applications even earlier. In mid-February, Martin Peres summarized the discussion thus far both on the mailing list and on his blog. He also referred back to a talk that he and Timothée Ravier gave at the 2012 X.Org Developer Conference. The current state of Wayland input security is good, Peres said, and there is work in progress for its output security, but it is the mechanisms to allow applications to violate those security constraints (under user control) that are still being worked out.

Unlike X, the Wayland input stack doesn't allow applications to snoop on the input of other programs (preserving confidentiality), to generate input events that appear to come from the user (preserving input integrity), or to capture all the input events to the exclusion of the user's application (preserving availability). Wayland clients are still susceptible to LD_PRELOAD-style attacks, but that is not something the Wayland protocol itself can preclude. It is no different than the situation with X clients today, though, so existing solutions can presumably be reused.

On the output side, Wayland does a lot better than X, in general, but there is still some work to do. The use of "graphics execution manager" (GEM) buffers between the client and server is known to be problematic because buffers are identified by 32-bit handles; any program that can guess a buffer's handle can access the buffer itself. Work has been done in Wayland to use DMA-buf sharing, which does not suffer from the same confidentiality and integrity problems because it relies on file descriptor passing, rather than a globally visible handle. In Mesa 10.0, released in November 2013, the Wayland client EGL code does have support for secure DMA-buf sharing.

But there is still the question of what to do about programs that need to circumvent some of those protections. For example, virtual keyboards need to be able to generate input events, screen readers and screen shot programs need to get access to the output buffers, screen lockers need to capture all input, and so on. As Peres put it, if users don't have the ability to allow these actions "people may refuse to use Wayland because it 'takes freedom away from them'".

There are two different ways to achieve the goal of letting users (broadly defined to include distributions as well) break the security barriers: either static capability-like assignment to binaries, or determining the user's intent at runtime. Peres thinks that both should be implemented for Wayland. In addition, he sees a need for users to be able to determine whether any programs are currently running with elevated Wayland permissions (via static assignment) and to revoke those permissions if so.

Clients requiring extra privileges can be launched by the compositor so that it can provide a known, secure environment for those programs. A file descriptor of a socket that will allow the client to connect back to the compositor can be passed to the client using the WAYLAND_SOCKET environment variable. The actual descriptor is inherited by the client across the fork() and exec() calls, but its integer value is passed via the environment. Since the compositor has opened the socket to itself, and controls which client is executed, it can apply any privileges that have been assigned to the client to any operations made over that socket.

Handling the security policy for programs is a difficult problem. Different types of users and distributions will want to be able to implement their own policies. As we have seen with the Linux kernel, finding consensus on security policies is somewhere between really difficult and impossible. Peres expects to see the equivalent of the modular approach taken by Linux Security Modules (LSMs) for Wayland (perhaps Wayland Security Modules or WSMs). That way, different kinds of Wayland consumers will be able to choose a policy framework, much like distributions today choose SELinux, Smack, AppArmor, or to create their own.

Peres has plans to start working on WSMs (or whatever the name ends up being) soon. He has outlined some of the considerations that would need to go into a cross-compositor security framework as part of the discussion. It is a wide-open topic, in many ways, and one that is in its earliest planning stages; those interested in those kinds of problems (and their solutions) should probably get involved.

As can be seen, Wayland starts from a much stronger security position than X, but that doesn't mean that all of the work is done. Beyond the inevitable bugs, there are still some fundamental issues to consider—and work on.

Comments (7 posted)

Brief items

Security quotes of the week

Bank names are so tricksy — they all have similar words in them… and so it’s common to see phishing feeds with slightly the wrong brand identified as being impersonated.

However, this story is about how something the way around has happened, in that AnonGhost, a hacker group, believe that they’ve defaced “Yorkshire Bank, one of the largest United Kingdom bank” and there’s some boasting about this to be found at

However, it rather looks to me as if they’ve hacked an imitation bank instead! A rather less glorious exploit from the point of view of potential admirers.

Richard Clayton

Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation.
Brad Miller, Ling Huang, A. D. Joseph, and J. D. Tygar [PDF]

In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.

The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”

Ryan Gallagher and Glenn Greenwald (Thanks to Michael Kerrisk.)

Much of the fight against censorship has been led by the activists of the Internet freedom movement. We can join this open source community, whether we are policy makers, corporations or individuals. Money, coding skills or government grants can all make a difference.

Given the energies and opportunities out there, it’s possible to end repressive Internet censorship within a decade. If we want the next generation of users to be free, we don’t see any other option.

Eric E. Schmidt and Jared Cohen

Comments (4 posted)

FSF: Replicant developers find and close Samsung Galaxy back-door

The Free Software Foundation has put out a release claiming that developers working on the Replicant fork of Android have found a backdoor on Samsung Galaxy handsets. "While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system. This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write and delete files on the phone's storage. On several phone models, this program runs with sufficient rights to access and modify the user's personal data."

Comments (50 posted)

New vulnerabilities

apache2: update SSLCipherSuite to avoid CRIME attack

Package(s):apache2 CVE #(s):
Created:March 10, 2014 Updated:March 12, 2014
Description: From the openSUSE advisory:

This low-profile update introduces a backport of the SSLCompression directive (added to /etc/apache2/ssl-global.conf) that helps mitigating the CRIME attack if set to off (default). Also added to /etc/apache2/ssl-global.conf: "SSLHonorCipherOrder on". /etc/apache2/vhosts.d/vhost-ssl.template now contains a new SSLCipherSuite string. Even though GCM mode of AES is not supported in openssl-1.0.0l, the string works well and may be useful elsewhere, too.

openSUSE openSUSE-SU-2014:0353-1 SSLCipherSuite 2014-03-10

Comments (none posted)

cups-filters: multiple vulnerabilities

Package(s):cups-filters CVE #(s):CVE-2013-6474 CVE-2013-6475 CVE-2013-6476
Created:March 12, 2014 Updated:March 13, 2014
Description: From the Debian advisory:

Florian Weimer of the Red Hat Product Security Team discovered multiple vulnerabilities in the pdftoopvp CUPS filter, which could result in the execution of arbitrary code if a malformed PDF file is processed.

Mandriva MDVSA-2015:100 cups-filters 2015-03-29
Gentoo 201406-16 cups-filters 2014-06-16
Mageia MGASA-2014-0170 cups-filters 2014-04-15
Debian DSA-2876-1 cups 2014-03-12
Ubuntu USN-2143-1 cups-filters 2014-03-12
Ubuntu USN-2144-1 cups 2014-03-12
Debian DSA-2875-1 cups-filters 2014-03-12

Comments (none posted)

cups-filters: code execution

Package(s):cups-filters CVE #(s):CVE-2013-6473
Created:March 12, 2014 Updated:March 12, 2014
Description: From the Ubuntu advisory:

Florian Weimer discovered that cups-filters incorrectly handled memory in the urftopdf filter. An attacker could possibly use this issue to execute arbitrary code with the privileges of the lp user. This issue only affected Ubuntu 13.10.

Mandriva MDVSA-2015:100 cups-filters 2015-03-29
Gentoo 201406-16 cups-filters 2014-06-16
Mageia MGASA-2014-0170 cups-filters 2014-04-15
Ubuntu USN-2143-1 cups-filters 2014-03-12

Comments (none posted)

fail2ban: denial of service

Package(s):fail2ban CVE #(s):CVE-2013-7176 CVE-2013-7177
Created:March 10, 2014 Updated:July 18, 2014
Description: From the CVE entries:

config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression. (CVE-2013-7176)

config/filter.d/cyrus-imap.conf in the cyrus-imap filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression. (CVE-2013-7177)

Debian DSA-2979-1 fail2ban 2014-07-17
Gentoo 201406-03 fail2ban 2014-06-01
Mageia MGASA-2014-0176 fail2ban 2014-04-16
openSUSE openSUSE-SU-2014:0493-1 fail2ban 2014-04-08
openSUSE openSUSE-SU-2014:0348-1 fail2ban 2014-03-08

Comments (none posted)

file: code execution

Package(s):file CVE #(s):CVE-2014-2270
Created:March 7, 2014 Updated:April 9, 2014

From the Magiea advisory:

A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270).

Mandriva MDVSA-2015:080 php 2015-03-28
Gentoo 201503-08 file 2015-03-16
Debian-LTS DLA-145-1 php5 2015-01-31
Scientific Linux SLSA-2014:1606-2 file 2014-11-03
Red Hat RHSA-2014:1765-01 php54-php 2014-10-30
Red Hat RHSA-2014:1606-02 file 2014-10-14
Gentoo 201408-11 php 2014-08-29
Oracle ELSA-2014-1606 file 2014-10-16
CentOS CESA-2014:1012 php53 2014-08-06
Oracle ELSA-2014-1012 php53 2014-08-06
Oracle ELSA-2014-1012 php53 2014-08-06
Scientific Linux SLSA-2014:1012-1 php53 and php 2014-08-06
CentOS CESA-2014:1012 php53 2014-08-06
Red Hat RHSA-2014:1012-01 php53 2014-08-06
Debian DSA-2943-1 php5 2014-06-01
openSUSE openSUSE-SU-2014:0495-1 file 2014-04-08
Ubuntu USN-2163-1 php5 2014-04-07
Ubuntu USN-2162-1 file 2014-04-07
Mageia MGASA-2014-0163 php 2014-04-04
Mageia MGASA-2014-0162 php 2014-04-04
Fedora FEDORA-2014-3589 file 2014-03-27
openSUSE openSUSE-SU-2014:0435-1 file 2014-03-25
Debian DSA-2873-2 file 2014-03-24
Mandriva MDVSA-2014:059 php 2014-03-14
openSUSE openSUSE-SU-2014:0364-1 file 2014-03-13
openSUSE openSUSE-SU-2014:0367-1 file 2014-03-13
Mandriva MDVSA-2014:051 file 2014-03-13
Fedora FEDORA-2014-3606 file 2014-03-12
Debian DSA-2873-1 file 2014-03-11
Fedora FEDORA-2014-3534 php 2014-03-09
Mageia MGASA-2014-0123 file 2014-03-07

Comments (none posted)

imapsync: information leak

Package(s):imapsync CVE #(s):CVE-2013-4279
Created:March 10, 2014 Updated:December 1, 2015
Description: From the Red Hat bugzilla:

By default imapsync runs a "release check" when executed, this causes imapsync to connect to and send information about the version of imapsync, the operating system and perl.

This feature is not well documented. It is enabled by default. The only hint it exists is the "--noreleasecheck" which is not documented anywhere other then running the program with the help option.

Fedora FEDORA-2015-1932919218 imapsync 2015-11-30
Fedora FEDORA-2015-6691fc09b2 imapsync 2015-11-30
Fedora FEDORA-2015-5d1f935811 imapsync 2015-11-30
Fedora FEDORA-2014-3860 imapsync 2014-03-24
Mandriva MDVSA-2014:060 imapsync 2014-03-14
Mageia MGASA-2014-0127 imapsync 2014-03-12
Fedora FEDORA-2014-3491 imapsync 2014-03-10

Comments (none posted)

kernel: three vulnerabilities

Package(s):kernel CVE #(s):CVE-2014-0100 CVE-2014-0101 CVE-2014-0049
Created:March 6, 2014 Updated:April 25, 2014

From the Red Hat bugzilla entries [1, 2, 3]:

CVE-2014-0100: A very subtle race condition between inet_frag_evictor, inet_frag_intern and the IPv4/6 frag_queue and expire functions (basically the users of inet_frag_kill/inet_frag_put) was found.

What happens is that after a fragment has been added to the hash chain but before it's been added to the lru_list (inet_frag_lru_add), it may get deleted (either by an expired timer if the system load is high or the timer sufficiently low, or by the fraq_queue function for different reasons) before it's added to the lru_list, then after it gets added it's a matter of time for the evictor to get to a piece of memory which has been freed leading to a number of different bugs depending on what's left there.

CVE-2014-0101: A flaw was found in the way Linux kernel processed authenticated COOKIE_ECHO chunks.

A remote attacker could use this flaw to crash the system by sending a maliciously prepared SCTP handshake in order to trigger a NULL pointer dereference on the server.

CVE-2014-0049: The problem occurs when the guest performs a pusha with the stack address pointing to an mmio address (or an invalid guest physical address) to start with, but then extending into an ordinary guest physical address. When doing repeated emulated pushes emulator_read_write sets mmio_needed to 1 on the first one. On a later push when the stack points to regular memory, mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.

As a result, KVM exits to userspace, and then returns to complete_emulated_mmio. In complete_emulated_mmio vcpu->mmio_cur_fragment is incremented. The termination condition of vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved. The code bounces back and fourth to userspace incrementing mmio_cur_fragment past it's buffer. If the guest does nothing else it eventually leads to a a crash on a memcpy from invalid memory address.

However if a guest code can cause the vm to be destoryed in another vcpu with excellent timing, then kvm_clear_async_pf_completion_queue can be used by the guest to control the data that's pointed to by the call to cancel_work_item, which can be used to gain execution.

Oracle ELSA-2014-1392 kernel 2014-10-21
openSUSE openSUSE-SU-2014:0985-1 kernel 2014-08-11
SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0807-1 Linux Kernel 2014-06-18
openSUSE openSUSE-SU-2014:0766-1 Evergreen 2014-06-06
Red Hat RHSA-2014:0557-01 kernel-rt 2014-05-27
Ubuntu USN-2227-1 linux-ti-omap4 2014-05-27
Ubuntu USN-2225-1 linux-lts-saucy 2014-05-27
Ubuntu USN-2224-1 linux-lts-raring 2014-05-27
Ubuntu USN-2223-1 linux-lts-quantal 2014-05-27
Ubuntu USN-2228-1 kernel 2014-05-27
Ubuntu USN-2221-1 kernel 2014-05-26
Mageia MGASA-2014-0238 kernel-vserver 2014-05-24
Mageia MGASA-2014-0234 kernel-tmb 2014-05-23
Mageia MGASA-2014-0236 kernel-tmb 2014-05-24
Mageia MGASA-2014-0237 kernel-rt 2014-05-24
Mageia MGASA-2014-0235 kernel-linus 2014-05-24
SUSE SUSE-SU-2014:0696-1 Linux kernel 2014-05-22
Mageia MGASA-2014-0229 kernel-vserver 2014-05-19
Mageia MGASA-2014-0228 kernel 2014-05-19
Red Hat RHSA-2014:0520-01 kernel 2014-05-20
openSUSE openSUSE-SU-2014:0678-1 kernel 2014-05-19
openSUSE openSUSE-SU-2014:0677-1 kernel 2014-05-19
Mageia MGASA-2014-0208 kernel-rt 2014-05-08
Mageia MGASA-2014-0207 kernel-linus 2014-05-08
Mageia MGASA-2014-0206 kernel 2014-05-08
Oracle ELSA-2014-0475 kernel 2014-05-07
Ubuntu USN-2181-1 linux-ti-omap4 2014-04-26
Ubuntu USN-2180-1 linux-ti-omap4 2014-04-26
Ubuntu USN-2177-1 linux-lts-saucy 2014-04-26
Ubuntu USN-2176-1 linux-lts-raring 2014-04-26
Ubuntu USN-2175-1 linux-lts-quantal 2014-04-26
Ubuntu USN-2179-1 kernel 2014-04-26
Ubuntu USN-2178-1 kernel 2014-04-26
Ubuntu USN-2173-1 kernel 2014-04-26
Ubuntu USN-2174-1 EC2 kernel 2014-04-26
Red Hat RHSA-2014:0432-01 kernel 2014-04-24
Debian DSA-2906-1 linux-2.6 2014-04-24
Red Hat RHSA-2014:0419-01 kernel 2014-04-22
CentOS CESA-2014:X009 kernel 2014-06-16
Mandriva MDVSA-2014:124 kernel 2014-06-13
Scientific Linux SLSA-2014:0328-1 kernel 2014-03-25
Oracle ELSA-2014-0328 kernel 2014-03-25
CentOS CESA-2014:0328 kernel 2014-03-25
Red Hat RHSA-2014:0328-01 kernel 2014-03-25
Fedora FEDORA-2014-3448 kernel 2014-03-09
Fedora FEDORA-2014-3442 kernel 2014-03-06

Comments (none posted)

kernel: two information leaks

Package(s):EC2 kernel CVE #(s):CVE-2014-1444 CVE-2014-1445
Created:March 6, 2014 Updated:March 12, 2014
Description: From the Ubuntu advisory:

An information leak was discovered in the Linux kernel's SIOCWANDEV ioctl call. A local user with the CAP_NET_ADMIN capability could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1444)

An information leak was discovered in the wanxl ioctl function the Linux kernel. A local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1445)

SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
openSUSE openSUSE-SU-2014:0766-1 Evergreen 2014-06-06
SUSE SUSE-SU-2014:0696-1 Linux kernel 2014-05-22
openSUSE openSUSE-SU-2014:0677-1 kernel 2014-05-19
Debian DSA-2906-1 linux-2.6 2014-04-24
SUSE SUSE-SU-2014:0536-1 Linux kernel 2014-04-16
Ubuntu USN-2128-1 kernel 2014-03-05
Ubuntu USN-2129-1 EC2 kernel 2014-03-05

Comments (none posted)

libpng16: denial of service

Package(s):libpng16 CVE #(s):CVE-2014-0333
Created:March 12, 2014 Updated:March 17, 2014
Description: From the CVE entry:

The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.

Mandriva MDVSA-2015:090 libpng 2015-03-28
Gentoo 201408-06 libpng 2014-08-14
Fedora FEDORA-2014-6631 libpng 2014-05-28
Fedora FEDORA-2014-4564 mingw-libpng 2014-04-02
Mageia MGASA-2014-0131 libpng 2014-03-15
openSUSE openSUSE-SU-2014:0358-1 libpng16 2014-03-12

Comments (none posted)

libssh: private key leak

Package(s):libssh CVE #(s):CVE-2014-0017
Created:March 6, 2014 Updated:August 12, 2014
Description: From the Mageia advisory:

When using libssh before 0.6.3, a libssh-based server, when accepting a new connection, forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but simply adds the current process id (getpid) to the PRNG state, which is not guaranteed to be unique. The most important consequence is that servers using EC (ECDSA) or DSA certificates may under certain conditions leak their private key (CVE-2014-0017).

Slackware SSA:2015-111-04 libssh 2015-04-21
Mandriva MDVSA-2015:086 libssh 2015-03-28
Gentoo 201408-03 libssh 2014-08-10
openSUSE openSUSE-SU-2014:0366-1 libssh 2014-03-13
openSUSE openSUSE-SU-2014:0370-1 libssh 2014-03-13
Debian DSA-2879-1 libssh 2014-03-13
Mandriva MDVSA-2014:053 libssh 2014-03-13
Ubuntu USN-2145-1 libssh 2014-03-12
Fedora FEDORA-2014-3473 libssh 2014-03-07
Mageia MGASA-2014-0119 libssh 2014-03-06

Comments (none posted)

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2014-2242 CVE-2014-2243 CVE-2014-2244
Created:March 10, 2014 Updated:March 12, 2014
Description: From the CVE entries:

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element. (CVE-2014-2242).

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses. (CVE-2014-2243).

Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php. (CVE-2014-2244).

Gentoo 201502-04 mediawiki 2015-02-07
Mandriva MDVSA-2014:057 mediawiki 2014-03-13
Fedora FEDORA-2014-3344 mediawiki 2014-03-11
Fedora FEDORA-2014-3338 mediawiki 2014-03-11
Mageia MGASA-2014-0124 mediawiki 2014-03-07

Comments (none posted)

mutt: code execution

Package(s):mutt CVE #(s):CVE-2014-0467
Created:March 12, 2014 Updated:June 5, 2014
Description: From the Debian advisory:

Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the mutt mailreader. Malformed RFC2047 header lines could result in denial of service or potentially the execution of arbitrary code.

Gentoo 201406-05 mutt 2014-06-04
Fedora FEDORA-2014-6395 mutt 2014-05-25
Fedora FEDORA-2014-6408 mutt 2014-05-18
Fedora FEDORA-2014-5880 mutt 2014-05-06
SUSE SUSE-SU-2014:0471-1 mutt 2014-04-02
Mageia MGASA-2014-0141 mutt 2014-03-31
openSUSE openSUSE-SU-2014:0436-1 mutt 2014-03-25
openSUSE openSUSE-SU-2014:0434-1 mutt 2014-03-25
Scientific Linux SLSA-2014:0304-1 mutt 2014-03-17
Oracle ELSA-2014-0304 mutt 2014-03-17
CentOS CESA-2014:0304 mutt 2014-03-17
Red Hat RHSA-2014:0304-01 mutt 2014-03-17
Ubuntu USN-2147-1 mutt 2014-03-13
Slackware SSA:2014-071-01 mutt 2014-03-12
Debian DSA-2874-1 mutt 2014-03-12

Comments (none posted)

net-snmp: multiple vulnerabilities

Package(s):net-snmp CVE #(s):CVE-2014-2284 CVE-2014-2285
Created:March 7, 2014 Updated:March 25, 2014

From the Mageia advisory:

Remotely exploitable denial of service vulnerability in Net-SNMP, in the Linux implementation of the ICMP-MIB, making the SNMP agent vulnerable if it is making use of the ICMP-MIB table objects (CVE-2014-2284).

Remotely exploitable denial of service vulnerability in Net-SNMP, in snmptrapd, due to how it handles trap requests with an empty community string when the perl handler is enabled (CVE-2014-2285).

Mandriva MDVSA-2015:092 net-snmp 2015-03-28
Gentoo 201409-02 net-snmp 2014-09-01
Ubuntu USN-2166-1 net-snmp 2014-04-14
Scientific Linux SLSA-2014:0322-1 net-snmp 2014-03-24
Scientific Linux SLSA-2014:0321-1 net-snmp 2014-03-24
Oracle ELSA-2014-0322 net-snmp 2014-03-24
Oracle ELSA-2014-0321 net-snmp 2014-03-24
CentOS CESA-2014:0322 net-snmp 2014-03-24
CentOS CESA-2014:0321 net-snmp 2014-03-24
Red Hat RHSA-2014:0322-01 net-snmp 2014-03-24
Red Hat RHSA-2014:0321-01 net-snmp 2014-03-24
openSUSE openSUSE-SU-2014:0399-1 net-snmp 2014-03-19
openSUSE openSUSE-SU-2014:0398-1 net-snmp 2014-03-19
Mandriva MDVSA-2014:052 net-snmp 2014-03-13
Fedora FEDORA-2014-3423 net-snmp 2014-03-13
Fedora FEDORA-2014-3427 net-snmp 2014-03-13
Mageia MGASA-2014-0122 net-snmp 2014-03-07

Comments (none posted)

owncloud: multiple unspecified vulnerabilities

Package(s):owncloud CVE #(s):
Created:March 12, 2014 Updated:May 9, 2014
Description: From the Mageia advisory:

Owncloud versions 5.0.15 and 6.0.2 fix several unspecified security vulnerabilities, as well as many other bugs.

Mageia MGASA-2014-0209 owncloud 2014-05-08
Mandriva MDVSA-2014:055 owncloud 2014-03-13
Mageia MGASA-2014-0120 owncloud 2014-03-06

Comments (none posted)

percona-toolkit, xtrabackup: code execution

Package(s):percona-toolkit,xtrabackup CVE #(s):CVE-2014-2029
Created:March 6, 2014 Updated:March 14, 2014
Description: From the openSUSE advisory:

CVE-2014-2029: Can be used by owner of a Percona Server (or an attacker who can control this destination for the client) to collect arbitrary MySQL configuration parameters and execute commands (with -v). Now the version check needs to be requested via command line or global/tool specific/user configuration. (--version-check)

openSUSE openSUSE-SU-2014:0363-1 xtrabackup 2014-03-13
openSUSE openSUSE-SU-2014:0361-1 percona-toolkit 2014-03-13
openSUSE openSUSE-SU-2014:0333-1 percona-toolkit,xtrabackup 2014-03-06

Comments (none posted)

php-sabre-dav: unspecified vulnerability

Package(s):php-sabre-dav CVE #(s):
Created:March 12, 2014 Updated:March 12, 2014
Description: From the Fedora advisory:

XEE issue: Previous SabreDAV versions had a security issue, if running on the following PHP versions: PHP 5.3, older than 5.3.23, PHP 5.4, older than 5.4.13, PHP 5.5 is not affected by this.

Fedora FEDORA-2014-3405 php-sabre-dav 2014-03-12
Fedora FEDORA-2014-3401 php-sabre-dav 2014-03-12

Comments (none posted)

rubygem-actionpack: cross-site scripting

Package(s):rubygem-actionpack CVE #(s):CVE-2013-6416
Created:March 7, 2014 Updated:March 12, 2014

From the CVE entry:

Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.

Fedora FEDORA-2013-23636 rubygem-actionpack 2014-03-07

Comments (none posted)

rubygem-actionpack: multiple vulnerabilities

Package(s):rubygem-actionpack CVE #(s):CVE-2014-0080 CVE-2014-0081 CVE-2014-0082
Created:March 11, 2014 Updated:April 25, 2014
Description: From the CVE entries:

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. (CVE-2014-0080)

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. (CVE-2014-0081)

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers. (CVE-2014-0082)

Debian DSA-2929-1 ruby-actionpack-3.2 2014-05-16
Mageia MGASA-2014-0191 ruby-rails 2014-04-24
CentOS CESA-2014:0306 ruby193-rubygem-actionpack 2014-03-17
Red Hat RHSA-2014:0306-01 ruby193-rubygem-actionpack 2014-03-17
Fedora FEDORA-2014-3169 rubygem-activerecord 2014-03-11
Fedora FEDORA-2014-3232 rubygem-actionpack 2014-03-11
Fedora FEDORA-2014-3169 rubygem-actionpack 2014-03-11

Comments (none posted)

rubygems: gems not getting security updates

Package(s):rubygems CVE #(s):
Created:March 6, 2014 Updated:March 12, 2014
Description: From the openSUSE advisory:

fix rubygem patches are not applied to the gem but only to the tree. Packages embedding rubygems via their .gem files were not receiving security updates.

openSUSE openSUSE-SU-2014:0332-1 rubygems 2014-03-06

Comments (none posted)

sudo: privilege escalation

Package(s):sudo CVE #(s):CVE-2014-0106
Created:March 6, 2014 Updated:June 27, 2014
Description: From the sudo advisory:

Due to a logic bug in the validate_env_vars() function, if the env_reset option is disabled, environment variables specified on the command line are permitted when they should not be (and vice versa). This can be used by a malicious user to run arbitrary programs by manipulating the environment of a command the user is legitimately allowed to run. For example, on many systems the LD_PRELOAD environment variable is used to load a dynamic shared object before any shared libraries are loaded. By either replacing a library function called by the program, or by including an _init() function in the shared object, the user can execute arbitrary commands with elevated privileges.

Debian-LTS DLA-160-1 sudo 2015-02-27
Gentoo 201406-30 sudo 2014-06-27
openSUSE openSUSE-SU-2014:0737-1 sudo 2014-05-31
SUSE SUSE-SU-2014:0475-1 sudo 2014-04-03
Ubuntu USN-2146-1 sudo 2014-03-13
Scientific Linux SLSA-2014:0266-1 sudo 2014-03-10
Oracle ELSA-2014-0266 sudo 2014-03-10
CentOS CESA-2014:0266 sudo 2014-03-10
Red Hat RHSA-2014:0266-01 sudo 2014-03-10
Slackware SSA:2014-064-01 sudo 2014-03-05

Comments (none posted)

tomcat: multiple vulnerabilities

Package(s):tomcat6, tomcat7 CVE #(s):CVE-2013-4286 CVE-2013-4322 CVE-2014-0033 CVE-2014-0050
Created:March 6, 2014 Updated:September 26, 2014
Description: From the Ubuntu advisory:

It was discovered that Tomcat incorrectly handled certain inconsistent HTTP headers. A remote attacker could possibly use this flaw to conduct request smuggling attacks. (CVE-2013-4286)

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. (CVE-2013-4322)

It was discovered that Tomcat incorrectly applied the disableURLRewriting setting when handling a session id in a URL. A remote attacker could possibly use this flaw to conduct session fixation attacks. This issue only applied to Ubuntu 12.04 LTS. (CVE-2014-0033)

It was discovered that Tomcat incorrectly handled malformed Content-Type headers and multipart requests. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 12.10 and Ubuntu 13.10. (CVE-2014-0050)

Mandriva MDVSA-2015:084 tomcat 2015-03-28
Mandriva MDVSA-2015:052 tomcat 2015-03-03
Gentoo 201412-29 tomcat 2014-12-14
Fedora FEDORA-2014-11048 tomcat 2014-09-26
Oracle ELSA-2014-0686 tomcat 2014-07-23
Scientific Linux SLSA-2014:0865-1 tomcat6 2014-07-09
Oracle ELSA-2014-0865 tomcat6 2014-07-09
CentOS CESA-2014:0865 tomcat6 2014-07-09
Red Hat RHSA-2014:0865-01 tomcat6 2014-07-09
Red Hat RHSA-2014:0686-01 tomcat 2014-06-10
Scientific Linux SLSA-2014:0429-1 tomcat6 2014-04-23
Oracle ELSA-2014-0429 tomcat6 2014-04-23
CentOS CESA-2014:0429 tomcat6 2014-04-23
Red Hat RHSA-2014:0429-01 tomcat6 2014-04-23
Debian DSA-2897-1 tomcat7 2014-04-08
Mageia MGASA-2014-0148 tomcat 2014-04-03
Mageia MGASA-2014-0149 tomcat 2014-04-03
Ubuntu USN-2130-1 tomcat6, tomcat7 2014-03-06
Debian DSA-3530-1 tomcat6 2016-03-25

Comments (none posted)

udisks: privilege escalation

Package(s):udisks CVE #(s):CVE-2014-0004
Created:March 10, 2014 Updated:March 29, 2015
Description: From the Debian advisory:

Florian Weimer discovered a buffer overflow in udisks's mount path parsing code which may result in privilege escalation.

Mandriva MDVSA-2015:088 udisks2 2015-03-28
Gentoo 201405-01 udisks 2014-05-02
Fedora FEDORA-2014-3839 udisks 2014-04-09
Fedora FEDORA-2014-3818 udisks 2014-03-31
Fedora FEDORA-2014-3714 udisks2 2014-03-19
openSUSE openSUSE-SU-2014:0388-1 udisks2 2014-03-18
openSUSE openSUSE-SU-2014:0390-1 udisks 2014-03-18
openSUSE openSUSE-SU-2014:0389-1 udisks 2014-03-18
Mandriva MDVSA-2014:064 udisks 2014-03-17
Mageia MGASA-2014-0129 udisks 2014-03-15
Scientific Linux SLSA-2014:0293-1 udisks 2014-03-13
Oracle ELSA-2014-0293 udisks 2014-03-13
CentOS CESA-2014:0293 udisks 2014-03-13
Red Hat RHSA-2014:0293-01 udisks 2014-03-13
Slackware SSA:2014-070-01 udisks 2014-03-11
Ubuntu USN-2142-1 udisks, udisks2 2014-03-10
Debian DSA-2872-1 udisks 2014-03-10

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s):wireshark CVE #(s):CVE-2014-2281 CVE-2014-2283 CVE-2014-2299
Created:March 10, 2014 Updated:March 17, 2014
Description: From the Debian advisory:

Moshe Kaplan discovered that the NFS dissector could be crashed, resulting in denial of service. (CVE-2014-2281)

It was discovered that the RLC dissector could be crashed, resulting in denial of service. (CVE-2014-2283)

Wesley Neelen discovered a buffer overflow in the MPEG file parser, which could lead to the execution of arbitrary code. (CVE-2014-2299)

Gentoo 201406-33 wireshark 2014-06-29
Scientific Linux SLSA-2014:0341-1 wireshark 2014-03-31
Scientific Linux SLSA-2014:0342-1 wireshark 2014-03-31
Oracle ELSA-2014-0341 wireshark 2014-03-31
Oracle ELSA-2014-0342 wireshark 2014-03-31
CentOS CESA-2014:0341 wireshark 2014-03-31
CentOS CESA-2014:0342 wireshark 2014-03-31
Red Hat RHSA-2014:0341-01 wireshark 2014-03-31
Red Hat RHSA-2014:0342-01 wireshark 2014-03-31
Fedora FEDORA-2014-3696 wireshark 2014-03-18
Fedora FEDORA-2014-3676 wireshark 2014-03-18
openSUSE openSUSE-SU-2014:0383-1 wireshark 2014-03-17
openSUSE openSUSE-SU-2014:0382-1 wireshark 2014-03-17
Mandriva MDVSA-2014:050 wireshark 2014-03-10
Mageia MGASA-2014-0126 wireshark 2014-03-08
Mageia MGASA-2014-0125 wireshark 2014-03-08
Debian DSA-2871-1 wireshark 2014-03-10

Comments (none posted)

wireshark: denial of service

Package(s):wireshark CVE #(s):CVE-2014-2282
Created:March 10, 2014 Updated:March 12, 2014
Description: From the Mageia advisory:

The M3UA dissector could crash.

Gentoo 201406-33 wireshark 2014-06-29
Fedora FEDORA-2014-3696 wireshark 2014-03-18
Fedora FEDORA-2014-3676 wireshark 2014-03-18
openSUSE openSUSE-SU-2014:0382-1 wireshark 2014-03-17
Mageia MGASA-2014-0126 wireshark 2014-03-08

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds