
Security

Apt vulnerability sparks Debian security discussion

By Jake Edge
June 18, 2014

Downloading packages from a distribution's repositories is generally considered to be a safe operation—packages are (or at least should be) signed and those signatures are verified before installation. Debian's Apt package manager has used cryptographic signatures to verify the authenticity of packages for more than ten years. So it was a rather large surprise to see a late May report that Apt doesn't require valid signatures for source packages.

Jakub Wilk found the bug when testing repositories with packages that didn't have any signatures. By using a proxy that returned 404 "not found" errors for any requests targeting Release.gpg or InRelease files (which hold the signatures), he found that installing or downloading binary packages failed (as expected). But he also found that downloading or unpacking a source package worked, as did building a binary package from the downloaded source package. That is clearly a flaw that a man in the middle (MITM) could exploit to put compromised source files onto Debian systems.

It is a difficult vulnerability to exploit, perhaps, and would require user assistance (i.e. building the package) to activate a malicious payload, but it certainly runs afoul of reasonable expectations. One can also imagine targeted attacks using the vulnerability that could be far more destructive. Worse yet, though, is that the normal methods for rebuilding the Debian archive (e.g. for a new architecture) would not detect this kind of tampering, as Thorsten Glaser pointed out. Those methods assume that apt-get source pkg always verifies the signature.

The problem in Apt was fixed quickly. The function that handles source packages simply needed to call the IsTrusted() method to verify the signature. In addition, a test case was added to catch this if the bug ever reappears. The bug was then closed by Michael Vogt on June 10, only to be reopened by Christoph Anton Mitterer two days later.

Although there was mention of contacting the security team in the bug, that evidently never happened. So one of the reasons that Mitterer reopened the issue was to ensure that a CVE got assigned and that a Debian Security Advisory (DSA) was issued. As he put it: "So IMHO this bug definitely deserves a CVE and a DSA,... so that people are informed that [their] systems might have been compromised (i.e. if an attacker tricked them into using forged sources)". A CVE was duly assigned (CVE-2014-0478) and DSA-2958-1 was issued.

But there are a number of larger issues here. Mitterer outlines some of them in his lengthy bug-reopening message. He is concerned that various pieces of Debian infrastructure are insufficiently secure against (mostly) MITM attacks. For example, Apt will work with unsigned repositories, which is seen as a feature by some. As David Kalnischkies said: "The 'problem' is that apt supports unsigned repositories as too many people would bitch too much if it would require a signature – it used to work before apt 0.6, it has to work forever, man – FOR EVER!" Glaser's description of the potential MITM problems with sbuild and cowbuilder also factor in. Beyond those, Mitterer wondered about the security verification in packages that download code from elsewhere (e.g. Tor browser or Flash plugin) and other Debian tools that grab code to be built or to create new systems (e.g. debootstrap).

But there is more to improving the security of Debian (or any project, for that matter) than just compiling lists of problem areas. As security team member Thijs Kinkhorst pointed out in a post to the debian-devel mailing list—where parts of the discussion moved—finding some piece of the problem to work on may be a better approach:

You raise a lot of broad concerns under the header "holes in secure apt" which I'm afraid does not [do] much to get us closer to a more secure Debian. Not many people will object that making Debian even more secure is a bad idea; it just needs concrete action, not a large list of potential areas to work on.

I suggest that you focus on one of those aspects of your email and take some concrete action to get it addressed.

Kalnischkies had a similar comment:

What is really sad is that many people keep talking about how much more secure everything should be but don't do the smallest bit of work to make it happen or even do a basic level of research themselves.

So instead of answering all your questions, I will instead leave them unanswered and say: Go on and check for yourself! You shouldn't trust a random guy like me anyway and if that leads to even one person contributing to apt (or the security team or anything else really) in this area, we have a phenomenal massive increase in manpower … (for apt in the 50% ballpark!)

But there certainly is value in collecting problem areas and trying to figure out what the "proper" solution should be, Mitterer argued. Because many of the solutions would require fairly major changes to how things are done and what types of behavior are allowed—policy decisions, essentially—they are not things that Mitterer (or any single developer) can directly address without involving others.

It's clear that there are some holes in Debian's packaging infrastructure. Beyond the bug that Wilk just found, he also encountered a bug that was reported over a year ago regarding the hash checking done for source packages. It turns out that Apt only checks the MD5 hash, even if there are SHA1 or SHA256 hashes available for the package. That seems rather sloppy, even though it may be hard or impossible to exploit—as Kalnischkies put it: "If you happen to have a same-size preimage attack on MD5 I would be interested to hear about it."
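The two Apt checks discussed above, the missing IsTrusted() call on the source-package path and the MD5-only hash comparison, are easy to confuse, so here is a small Python model of both. This is an added example, not Apt's code: RepoIndex, fetch_source, verify_download and the Sources stanza are constructed for illustration (the stanza follows the real Files/Checksums-Sha256 layout, but its contents are made up). It shows how a mirror whose Release.gpg is "404" is refused only when the trust check runs, and how a downloaded file is verified against the strongest digest its index advertises rather than MD5 alone.

```python
"""Model of the two Apt source-package checks discussed in the article.

Added example, not Apt's own code. Names (RepoIndex, fetch_source,
verify_download, demo) and all sample data are constructed.
"""
import hashlib

# Digest algorithms from strongest to weakest; verification uses the
# strongest one the index lists, never MD5 while SHA256 is available.
HASH_PREFERENCE = ("sha256", "sha1", "md5")
FILE = "hello_2.9.orig.tar.gz"

class UntrustedRepository(Exception):
    """Release file is unsigned or its signature could not be verified."""

class ChecksumMismatch(Exception):
    """Downloaded data does not match the digest listed in the index."""

def parse_sources_stanza(text):
    """Return {filename: {alg: hexdigest}} from the hash fields of one
    Sources stanza (Files: carries MD5, Checksums-Sha1/Sha256 the rest)."""
    hash_fields = {"Files": "md5", "Checksums-Sha1": "sha1",
                   "Checksums-Sha256": "sha256"}
    result, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # new field header
            current = hash_fields.get(line.partition(":")[0])
        elif current and line.strip():          # continuation: hash size name
            digest, _size, fname = line.split()
            result.setdefault(fname, {})[current] = digest
    return result

def strongest_hash(hashes):
    for alg in HASH_PREFERENCE:
        if alg in hashes:
            return alg
    raise ValueError("index lists no usable digest")

def verify_download(data, hashes):
    """Compare data against the strongest listed digest; return its name."""
    alg = strongest_hash(hashes)
    if hashlib.new(alg, data).hexdigest() != hashes[alg]:
        raise ChecksumMismatch(f"{alg} digest does not match index")
    return alg

class RepoIndex:
    """Apt's view of one repository: did the Release file come with a
    signature that verified (IsTrusted in Apt's terms), plus its Sources."""
    def __init__(self, signature_present, sources):
        self.signature_present = signature_present
        self.sources = sources
    def is_trusted(self):
        return self.signature_present

def fetch_source(repo, filename, fetch, *, check_trust=True):
    """Download one source file. check_trust=False models the pre-fix
    path that never consulted is_trusted(); True is the fixed behaviour."""
    if check_trust and not repo.is_trusted():
        raise UntrustedRepository("Release.gpg/InRelease missing or invalid")
    return verify_download(fetch(filename), repo.sources[filename])

# Constructed stand-in for the tarball and the stanza that describes it.
ORIG_TARBALL = b"constructed bytes standing in for hello_2.9.orig.tar.gz\n"
SAMPLE_STANZA = (
    "Package: hello\n"
    "Files:\n"
    f" {hashlib.md5(ORIG_TARBALL).hexdigest()} {len(ORIG_TARBALL)} {FILE}\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(ORIG_TARBALL).hexdigest()} {len(ORIG_TARBALL)} {FILE}\n"
)

def _outcome(fn, *args, **kwargs):
    try:
        return "ok:" + str(fn(*args, **kwargs))
    except (UntrustedRepository, ChecksumMismatch) as exc:
        return "refused:" + type(exc).__name__

def demo():
    sources = parse_sources_stanza(SAMPLE_STANZA)
    fetch = lambda name: ORIG_TARBALL            # stand-in for the HTTP fetch
    out = {}
    # Mirror whose Release.gpg/InRelease return 404 (Wilk's proxy test).
    unsigned = RepoIndex(signature_present=False, sources=sources)
    out["pre_fix_unsigned"] = _outcome(fetch_source, unsigned, FILE, fetch, check_trust=False)
    out["fixed_unsigned"] = _outcome(fetch_source, unsigned, FILE, fetch)
    # Properly signed mirror, intact file.
    signed = RepoIndex(signature_present=True, sources=sources)
    out["fixed_signed"] = _outcome(fetch_source, signed, FILE, fetch)
    # Index whose SHA256 disagrees with the data: an MD5-only check accepts,
    # the strongest-hash check refuses.
    weak = dict(sources[FILE], sha256="00" * 32)
    out["md5_only_match"] = _outcome(verify_download, ORIG_TARBALL, {"md5": weak["md5"]})
    out["sha256_mismatch"] = _outcome(verify_download, ORIG_TARBALL, weak)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

The trust check sits at the top of fetch_source, before any bytes are fetched, which is the shape of the Apt fix: the decision is made from the Release signature, not from anything in the downloaded file. The hash check is a separate, weaker control that only catches corruption relative to an index that was itself trusted.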

Mitterer is trying to raise the profile of these problems—with many lengthy replies throughout the bug and mailing list threads—but there is little evidence that much progress has been made. Some of the problems may be less dangerous or harder to exploit than Mitterer makes them out to be, but they add up to something that should be a bit worrisome. The inertia of a long-running project may be working against some kind of concerted effort to address the problems, as "we've always done it that way" can sometimes be a powerful, if potentially problematic, argument. It will be interesting to see what, if any, attention these problems get over time—it may require someone to drive the process with more than just ideas and words.

Comments (9 posted)

Brief items

Security quotes of the week

The NSA, GCHQ et al actually don't have the ability to conduct the mass surveillance that we now believe they do. Edward Snowden was in fact groomed, without his knowledge, to become a whistleblower, and the leaked documents were elaborately falsified by the NSA and GCHQ.

The encryption and security systems that 'private' companies are launching in the wake of [these] 'revelations', however, are in fact being covertly funded by the NSA/GCHQ — the aim being to encourage criminals and terrorists to use these systems, which the security agencies have built massive backdoors into.

Doubleplusunlol wins Bruce Schneier's seventh movie-plot threat contest

The antidote for this ransomware was incredibly easy to create because the ransomware came with both the decryption method and the decryption password. Therefore producing an antidote was more of a copy-and-paste job than anything.

It's also worth noting that while this antidote doesn't detect the decryption password automatically, it could be possible to do so. However, future versions of the ransomware will probably not reveal the decryption password so easily and will likely receive it from the C&C [Command and Control] server.

Since the Simplelocker ransomware is a proof-of-concept, the antidote provided here is simply a solution to this proof-of-concept. Future versions of advanced smartphone ransomware will likely prove significantly harder to reverse engineer.

Simon Bell—his analysis of the ransomware is also worth reading

We need to remember that security is a transitive verb: we secure something against something or someone. As you say, DRM is "securing" a device against the user.
pjc50 on Hacker News (Thanks to Paul Wise.)

Comments (none posted)

Android Root Access Vulnerability Affecting Most Devices (Threatpost)

Threatpost reports that most Android devices are vulnerable to a privilege escalation flaw in the kernel. "Researchers at Lacoon Mobile Security are calling the bug “TowelRoot,” because it is the very same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by George Hotz (Geohot). Successful exploitation of the Linux bug within the Android operating system would give the attacker administrative access to a victim’s phone. Specifically, such access could potentially allow that same attacker to run further malicious code, retrieve files and device data, bypass third-party or enterprise security applications including containers like Samsung’s secure Knox sub-operating system, and establish backdoors for future access on victim devices."

Comments (10 posted)

New vulnerabilities

apt: invalid source package authentication

Package(s): apt    CVE #(s): CVE-2014-0478
Created: June 13, 2014    Updated: June 18, 2014
Description: From the Debian advisory:

Jakub Wilk discovered that APT, the high level package manager, did not properly perform authentication checks for source packages downloaded via "apt-get source". This only affects use cases where source packages are downloaded via this command; it does not affect regular Debian package installation and upgrading.

Alerts:
Ubuntu USN-2246-1 apt 2014-06-17
Debian DSA-2958-1 apt 2014-06-12

Comments (none posted)

chromium: multiple vulnerabilities

Package(s): chromium-browser    CVE #(s): CVE-2014-3154 CVE-2014-3155 CVE-2014-3156 CVE-2014-3157
Created: June 16, 2014    Updated: October 10, 2014
Description: From the CVE entries:

Use-after-free vulnerability in the ChildThread::Shutdown function in content/child/child_thread.cc in the filesystem API in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to a Blink shutdown. (CVE-2014-3154)

net/spdy/spdy_write_queue.cc in the SPDY implementation in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service (out-of-bounds read) by leveraging incorrect queue maintenance. (CVE-2014-3155)

Buffer overflow in the clipboard implementation in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger unexpected bitmap data, related to content/renderer/renderer_clipboard_client.cc and content/renderer/webclipboard_impl.cc. (CVE-2014-3156)

Heap-based buffer overflow in the FFmpegVideoDecoder::GetVideoBuffer function in media/filters/ffmpeg_video_decoder.cc in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging VideoFrame data structures that are too small for proper interaction with an underlying FFmpeg library. (CVE-2014-3157)

Alerts:
Mageia MGASA-2014-0413 chromium-browser-stable 2014-10-09
Gentoo 201408-16 chromium 2014-08-30
openSUSE openSUSE-SU-2014:0982-1 chromium 2014-08-11
Ubuntu USN-2298-1 oxide-qt 2014-07-23
Debian DSA-2959-1 chromium-browser 2014-06-14

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2014-3940
Created: June 12, 2014    Updated: July 30, 2015
Description: From the CVE entry:

The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c.

Alerts:
Scientific Linux SLSA-2015:1272-1 kernel 2015-08-03
Oracle ELSA-2015-1272 kernel 2015-07-29
Red Hat RHSA-2015:1272-01 kernel 2015-07-22
Scientific Linux SLSA-2015:0290-1 kernel 2015-03-25
Red Hat RHSA-2015:0290-01 kernel 2015-03-05
Oracle ELSA-2015-0290 kernel 2015-03-12
Red Hat RHSA-2014:0913-01 kernel-rt 2014-07-22
Ubuntu USN-2288-1 linux-lts-trusty 2014-07-16
Ubuntu USN-2290-1 kernel 2014-07-16
Fedora FEDORA-2014-7320 kernel 2014-06-16
Fedora FEDORA-2014-7128 kernel 2014-06-11

Comments (none posted)

kernel: information leak

Package(s): kernel    CVE #(s): CVE-2014-1739
Created: June 17, 2014    Updated: June 18, 2014
Description: From the oss-sec mailing list:

We found an infoleak vulnerability in the ioctl media_enum_entities() that allows disclosing 200 bytes of the kernel process' stack. The vulnerability is exploitable on versions up to linux-3.15-rc3 by local users with read access to `/dev/media0`. Linux distributions ship with `chmod 600 /dev/media0`, preventing unprivileged local users from exploiting the vulnerability. However, some Android devices are known to be shipped with both read and/or write permissions for all: chmod 666 /dev/media0.

Alerts:
Mageia MGASA-2015-0077 kernel-rt 2015-02-19
Oracle ELSA-2015-0290 kernel 2015-03-12
openSUSE openSUSE-SU-2014:1677-1 kernel 2014-12-21
Oracle ELSA-2014-3104 kernel 2014-12-11
Scientific Linux SLSA-2014:1971-1 kernel 2014-12-10
Oracle ELSA-2014-1971 kernel 2014-12-09
CentOS CESA-2014:1971 kernel 2014-12-10
Red Hat RHSA-2014:1971-01 kernel 2014-12-09
Oracle ELSA-2014-3096 kernel 2014-12-04
SUSE SUSE-SU-2014:1316-1 Linux kernel 2014-10-22
SUSE SUSE-SU-2014:1319-1 Linux kernel 2014-10-23
openSUSE openSUSE-SU-2014:1246-1 kernel 2014-09-28
Mageia MGASA-2014-0332 kernel-vserver 2014-08-18
Mageia MGASA-2014-0337 kernel-tmb 2014-08-18
Mageia MGASA-2014-0331 kernel-tmb 2014-08-18
Mageia MGASA-2014-0336 kernel-linus 2014-08-18
Mageia MGASA-2014-0330 kernel-linus 2014-08-18
Ubuntu USN-2288-1 linux-lts-trusty 2014-07-16
Ubuntu USN-2286-1 linux-lts-raring 2014-07-16
Ubuntu USN-2285-1 linux-lts-quantal 2014-07-16
Ubuntu USN-2290-1 kernel 2014-07-16
Ubuntu USN-2259-1 kernel 2014-06-27
Ubuntu USN-2263-1 linux-ti-omap4 2014-06-27
Ubuntu USN-2261-1 linux-lts-saucy 2014-06-27
Ubuntu USN-2264-1 kernel 2014-06-27
Mageia MGASA-2014-0273 kernel 2014-06-22
Mageia MGASA-2014-0265 kernel 2014-06-18
CentOS CESA-2014:X009 kernel 2014-06-16

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2012-6647
Created: June 18, 2014    Updated: June 18, 2014
Description: From the CVE entry:

The futex_wait_requeue_pi function in kernel/futex.c in the Linux kernel before 3.5.1 does not ensure that calls have two different futex addresses, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command.

Alerts:
Oracle ELSA-2014-1392 kernel 2014-10-21
CentOS CESA-2014:0981 kernel 2014-07-31
Scientific Linux SLSA-2014:0981-1 kernel 2014-07-29
Oracle ELSA-2014-0981 kernel 2014-07-29
Red Hat RHSA-2014:0981-01 kernel 2014-07-29
SUSE SUSE-SU-2014:0807-1 Linux Kernel 2014-06-18

Comments (none posted)

libfep: privilege escalation

Package(s): libfep    CVE #(s): CVE-2014-3980
Created: June 18, 2014    Updated: June 18, 2014
Description: From the CVE entry:

libfep 0.0.5 before 0.1.0 does not properly use UNIX domain sockets in the abstract namespace, which allows local users to gain privileges via unspecified vectors.

Alerts:
Fedora FEDORA-2014-7214 libfep 2014-06-17
Fedora FEDORA-2014-7126 libfep 2014-06-17

Comments (none posted)

lucene-solr: multiple vulnerabilities

Package(s): lucene-solr    CVE #(s): CVE-2013-6397 CVE-2013-6407 CVE-2013-6408
Created: June 18, 2014    Updated: June 18, 2014
Description: From the CVE entries:

Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries. (CVE-2013-6397)

The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. (CVE-2013-6407)

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407. (CVE-2013-6408)

Alerts:
Debian DSA-2963-1 lucene-solr 2014-06-17

Comments (none posted)

lynis: privilege escalation

Package(s): lynis    CVE #(s): CVE-2014-3982 CVE-2014-3986
Created: June 18, 2014    Updated: June 18, 2014
Description: From the CVE entries:

include/tests_webservers in Lynis before 1.5.5 on AIX allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.##### file. (CVE-2014-3982)

include/tests_webservers in Lynis before 1.5.5 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.*.unsorted file with an easily determined name. (CVE-2014-3986)

Alerts:
Fedora FEDORA-2014-7400 lynis 2014-06-17

Comments (none posted)

nova: privilege escalation

Package(s): nova    CVE #(s): CVE-2013-1068 CVE-2014-0167
Created: June 18, 2014    Updated: July 14, 2014
Description: From the CVE entry:

The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests. (CVE-2014-0167)

From the Ubuntu advisory:

Darragh O'Reilly discovered that OpenStack Nova did not properly set up its sudo configuration. If a different flaw was found in OpenStack Nova, this vulnerability could be used to escalate privileges. This issue only affected Ubuntu 13.10 and Ubuntu 14.04 LTS. (CVE-2013-1068)

Alerts:
Red Hat RHSA-2014:1084-01 openstack-nova 2014-08-21
Fedora FEDORA-2014-7954 openstack-nova 2014-07-12
Ubuntu USN-2248-1 cinder 2014-06-18
Ubuntu USN-2247-1 nova 2014-06-17

Comments (none posted)

opera: multiple vulnerabilities

Package(s): opera    CVE #(s): CVE-2012-6461 CVE-2012-6462 CVE-2012-6463 CVE-2012-6464 CVE-2012-6465 CVE-2012-6466 CVE-2012-6467 CVE-2012-6468 CVE-2012-6469 CVE-2012-6470 CVE-2012-6471 CVE-2012-6472 CVE-2013-1618 CVE-2013-1637 CVE-2013-1638 CVE-2013-1639
Created: June 16, 2014    Updated: June 18, 2014
Description: From the Gentoo advisory:

A remote attacker could entice a user to open a specially crafted web page using Opera, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Furthermore, a remote attacker may be able to obtain sensitive information, conduct Cross-Site Scripting (XSS) attacks, or bypass security restrictions.

Alerts:
Gentoo 201406-14 opera 2014-06-14

Comments (none posted)

php5, gd: denial of service

Package(s): php5, gd    CVE #(s): CVE-2014-2497
Created: June 12, 2014    Updated: March 29, 2015
Description: From the CVE entry:

The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.

Alerts:
Gentoo 201607-04 gd 2016-07-16
Ubuntu USN-2987-1 libgd2 2016-05-31
Oracle ELSA-2015-1135 php 2015-06-23
Debian-LTS DLA-189-1 libgd2 2015-04-08
Debian DSA-3215-1 libgd2 2015-04-06
Mandriva MDVSA-2015:153 libgd 2015-03-29
Fedora FEDORA-2015-0503 gd 2015-01-20
Fedora FEDORA-2015-0432 gd 2015-01-19
Red Hat RHSA-2014:1766-01 php55-php 2014-10-30
Red Hat RHSA-2014:1765-01 php54-php 2014-10-30
Oracle ELSA-2014-1326 php 2014-09-30
Oracle ELSA-2014-1327 php 2014-09-30
CentOS CESA-2014:1326 php 2014-09-30
CentOS CESA-2014:1327 php 2014-09-30
Red Hat RHSA-2014:1326-01 php 2014-09-30
Red Hat RHSA-2014:1327-01 php 2014-09-30
Slackware SSA:2014-247-01 php 2014-09-04
Mandriva MDVSA-2014:172 php 2014-09-03
Fedora FEDORA-2014-9679 php 2014-09-02
Gentoo 201408-11 php 2014-08-29
Scientific Linux SLSA-2014:1326-1 php53 and php 2014-10-13
Fedora FEDORA-2014-8458 gd 2014-08-15
Mandriva MDVSA-2014:133 gd 2014-07-10
Mageia MGASA-2014-0283 php 2014-07-09
Mageia MGASA-2014-0288 gd 2014-07-09
SUSE SUSE-SU-2014:0873-2 PHP5 2014-07-07
SUSE SUSE-SU-2014:0873-1 PHP5 2014-07-05
SUSE SUSE-SU-2014:0869-1 php53 2014-07-04
SUSE SUSE-SU-2014:0868-1 PHP5 2014-07-04
openSUSE openSUSE-SU-2014:0786-1 php5 2014-06-12
openSUSE openSUSE-SU-2014:0784-1 php5 2014-06-12

Comments (none posted)

php5: code execution

Package(s): php5    CVE #(s): CVE-2014-4049
Created: June 17, 2014    Updated: July 31, 2014
Description: From the Debian advisory:

It was discovered that PHP, a general-purpose scripting language commonly used for web application development, is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.

Alerts:
SUSE SUSE-SU-2016:1638-1 php53 2016-06-21
Oracle ELSA-2015-1135 php 2015-06-23
Mandriva MDVSA-2015:080 php 2015-03-28
Red Hat RHSA-2014:1766-01 php55-php 2014-10-30
Red Hat RHSA-2014:1765-01 php54-php 2014-10-30
Oracle ELSA-2014-1326 php 2014-09-30
Oracle ELSA-2014-1327 php 2014-09-30
Mandriva MDVSA-2014:172 php 2014-09-03
Gentoo 201408-11 php 2014-08-29
Debian DSA-3008-2 php5 2014-08-21
Scientific Linux SLSA-2014:1012-1 php53 and php 2014-08-06
CentOS CESA-2014:1013 php 2014-08-06
openSUSE openSUSE-SU-2014:0942-1 php5 2014-07-30
CentOS CESA-2014:1012 php53 2014-08-06
Oracle ELSA-2014-1013 php 2014-08-06
Oracle ELSA-2014-1012 php53 2014-08-06
Red Hat RHSA-2014:1012-01 php53 2014-08-06
Slackware SSA:2014-192-01 php 2014-07-11
Mandriva MDVSA-2014:130 php 2014-07-09
Mageia MGASA-2014-0284 php 2014-07-09
Mageia MGASA-2014-0283 php 2014-07-09
SUSE SUSE-SU-2014:0873-2 PHP5 2014-07-07
Fedora FEDORA-2014-7782 php 2014-07-08
SUSE SUSE-SU-2014:0873-1 PHP5 2014-07-05
SUSE SUSE-SU-2014:0869-1 php53 2014-07-04
SUSE SUSE-SU-2014:0868-1 PHP5 2014-07-04
Red Hat RHSA-2014:1013-01 php 2014-08-06
Fedora FEDORA-2014-7765 php 2014-06-30
Ubuntu USN-2254-2 php5 2014-06-25
openSUSE openSUSE-SU-2014:0841-1 php5 2014-06-25
Ubuntu USN-2254-1 php5 2014-06-23
Debian DSA-2961-1 php5 2014-06-16

Comments (none posted)

php-horde-Horde-Ldap: check for empty passwords

Package(s): php-horde-Horde-Ldap    CVE #(s):
Created: June 18, 2014    Updated: June 18, 2014
Description: From the Red Hat bugzilla:

It was reported that php-horde-Horde-Ldap could be used to connect to an LDAP server with an empty password. In this case, the flaw is in the LDAP server, so this issue is just considered hardening.

Alerts:
Fedora FEDORA-2014-7228 php-horde-Horde-Ldap 2014-06-17

Comments (none posted)

python-djblets: cross-site scripting

Package(s): python-djblets    CVE #(s): CVE-2014-3994
Created: June 18, 2014    Updated: June 18, 2014
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.

Alerts:
Mageia MGASA-2014-0462 python-djblets 2014-11-21
Fedora FEDORA-2014-7224 python-djblets 2014-06-17
Fedora FEDORA-2014-7223 python-djblets 2014-06-17

Comments (none posted)

typo3-cms-4_5: multiple vulnerabilities

Package(s): typo3-cms-4_5    CVE #(s): CVE-2014-3941 CVE-2014-3942 CVE-2014-3943
Created: June 18, 2014    Updated: June 18, 2014
Description: From the CVE entries:

TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing." (CVE-2014-3941)

The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object. (CVE-2014-3942)

Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters. (CVE-2014-3943)

Alerts:
openSUSE openSUSE-SU-2016:2114-1 typo3-cms-4_7 2016-08-19
openSUSE openSUSE-SU-2016:2025-1 typo3 2016-08-10
openSUSE openSUSE-SU-2014:0813-1 typo3-cms-4_5 2014-06-18

Comments (none posted)

xen: denial of service

Package(s): xen    CVE #(s): CVE-2014-3967 CVE-2014-3968
Created: June 17, 2014    Updated: June 26, 2014
Description: From the xen advisory:

The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de-referencing it. (CVE-2014-3967)

Furthermore that same code also handles certain errors by logging messages, without (under default settings) at least making these messages subject to rate limiting. (CVE-2014-3968)

The NULL pointer de-reference would lead to a host crash, and hence a denial of service would result. Since host and guest page tables are fully separated for HVM guests, the guest would not be able to leverage the vulnerability for other kinds of attacks (privilege escalation or information leak).

The spamming of the hypervisor log could similarly lead to a denial of service.

In a configuration where device models run with limited privilege (for example, stubdom device models), a guest attacker who successfully finds and exploits an unfixed security flaw in qemu-dm could leverage the other flaw into a Denial of Service affecting the whole host.

In the more general case, in more abstract terms: a malicious administrator of a domain privileged with regard to an HVM guest can cause Xen to become unresponsive leading to a Denial of Service.

Alerts:
Gentoo 201504-04 xen 2015-04-11
openSUSE openSUSE-SU-2014:1281-1 xen 2014-10-09
openSUSE openSUSE-SU-2014:1279-1 xen 2014-10-09
Fedora FEDORA-2014-7408 xen 2014-06-26
Fedora FEDORA-2014-7423 xen 2014-06-26
CentOS CESA-2014:X008 xen 2014-06-16

Comments (none posted)

Page editor: Jake Edge


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds