

Evaluating the LZO integer-overflow bug

By Nathan Willis
July 9, 2014

In June, a security researcher disclosed an integer-overflow bug in the Lempel–Ziv–Oberhumer (LZO) compression algorithm—a bug that has persisted in the wild for roughly two decades, and is reproduced in multiple LZO implementations as well as in the related LZ4 algorithm. LZ4's author then accused the researcher of irresponsible disclosure and of over-hyping the issue for the sake of publicity. The two have subsequently argued back and forth about the proper assessment of the bug's severity, but wherever history eventually comes down on that particular question, the case holds lessons on a number of fronts for software developers.

Don A. Bailey published a June 26 blog post explaining the bug, which he had discovered during a code audit. In essence, Markus Oberhumer's original LZO code included a simple integer overflow in the code block that handles uncompressed "Literal Runs" in a compressed LZO file. The overflowed variable is later used as a size parameter, which an attacker can use to overflow a pointer and potentially gain access to a protected area of system memory. Importantly, as Bailey sees it, the original LZO reference code has essentially been copied verbatim into a wide variety of later LZO implementations, including OpenVPN, MPlayer2, Libav, FFmpeg, Btrfs, squashfs, Android systems, and the Linux kernel. Furthermore, the LZ4 algorithm developed by Yann Collet also reuses Oberhumer's reference code (including the bug), and LZ4 is also used in a variety of places, including the ZFS filesystem.
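The mechanism described above, and again in the lzo advisory further down this page, is a run-length prefix that grows by 255 for every zero byte, accumulated in a fixed-width counter that a long enough run of zeros wraps around; the wrapped value is then trusted as a copy length. The following C program is an added example, not code from LZO, LZ4 or any of the downstream projects named in the article: it decodes a hypothetical prefix of that shape (each zero byte adds 255, the first non-zero byte terminates the run and adds its value) first without and then with overflow and bounds checks. The counter is deliberately narrowed to 16 bits so the wrap is reachable with a few hundred bytes of constructed input; with a 32-bit counter the same wrap needs roughly 16.8 million zero bytes, and with a 64-bit counter far more input than any machine holds, which is the point behind the "impractical on 64-bit" assessment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical run-length prefix modelled on the "literal run" idea in the
 * article (NOT LZO's or LZ4's real stream format): every zero byte adds 255
 * to the run length, and the first non-zero byte ends the prefix and adds its
 * own value. The counter is narrowed to 16 bits so the wrap can be shown with
 * a few hundred bytes; a 32-bit counter needs about 16.8 million zeros. */
typedef uint16_t len_t;
#define LEN_MAX UINT16_MAX

/* Unchecked decoder: mirrors the vulnerable pattern. The counter wraps
 * silently, so a very long run decodes to a small length that the caller
 * later trusts when copying literals. Returns the decoded length. */
static len_t run_len_unchecked(const uint8_t *ip, size_t avail, size_t *consumed)
{
    len_t t = 0;
    size_t i = 0;
    while (i < avail && ip[i] == 0) {
        t = (len_t)(t + 255);   /* wraps modulo 2^16 */
        i++;
    }
    if (i < avail)
        t = (len_t)(t + ip[i++]);
    *consumed = i;
    return t;
}

/* Checked decoder: every addition is tested against the counter's range
 * before it happens, a prefix that runs off the end of the input is
 * rejected, and the decoded length must be backed by that many bytes still
 * present in the buffer. Returns true on success. */
static bool run_len_checked(const uint8_t *ip, size_t avail, len_t *out, size_t *consumed)
{
    len_t t = 0;
    size_t i = 0;
    while (i < avail && ip[i] == 0) {
        if (t > LEN_MAX - 255)
            return false;       /* next step would overflow the counter */
        t = (len_t)(t + 255);
        i++;
    }
    if (i >= avail)
        return false;           /* prefix truncated: no terminator byte */
    if (t > LEN_MAX - ip[i])
        return false;           /* terminator value would overflow */
    t = (len_t)(t + ip[i++]);
    if ((size_t)t > avail - i)
        return false;           /* the literal bytes are not actually there */
    *out = t;
    *consumed = i;
    return true;
}

/* Demo helper: builds a constructed input of `zeros` zero bytes, the
 * terminator `term` and `lits` filler literal bytes, runs one decoder and
 * returns the decoded length, or -1 if the checked decoder rejected it. */
#define SCRATCH_MAX 4096
static long decode_demo(size_t zeros, uint8_t term, size_t lits, bool checked)
{
    static uint8_t buf[SCRATCH_MAX];
    size_t avail = zeros + 1 + lits;
    size_t consumed;
    len_t out;
    if (avail > SCRATCH_MAX)
        return -2;
    memset(buf, 0, zeros);
    buf[zeros] = term;
    memset(buf + zeros + 1, 0xAA, lits);  /* filler standing in for literal data */
    if (!checked)
        return (long)run_len_unchecked(buf, avail, &consumed);
    return run_len_checked(buf, avail, &out, &consumed) ? (long)out : -1;
}

int main(void)
{
    /* Benign run: two zero bytes and terminator 5 encode 515 literals. */
    printf("benign:  unchecked=%ld checked=%ld\n",
           decode_demo(2, 5, 515, false), decode_demo(2, 5, 515, true));
    /* 258 zero bytes push the 16-bit counter past 65535; it wraps to 254,
     * so the unchecked decoder reports 255 while the checked one refuses. */
    printf("wrapped: unchecked=%ld checked=%ld\n",
           decode_demo(258, 1, 4, false), decode_demo(258, 1, 4, true));
    return 0;
}
```

The two decoders differ only in the three guards, which is the shape of the fix a reader should look for when auditing a copied reference decoder: a pre-addition range check on the counter, a check that the prefix itself is complete, and a check that the decoded length is covered by the remaining input before anything is copied.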

Bailey's original post not only described the bug in detail, but it went on to offer an assessment of the severity of the bug for real-world attacks. The Libav and FFmpeg versions of LZO are susceptible to remote code execution, he said, as are LZ4 implementations (although in the LZ4 case, such exploits are only practical on 32-bit architectures). On the other hand, denial-of-service attacks—while arguably less serious—are plausible on all LZO and LZ4 implementations. All of the possible attacks rely on specially crafted data payloads.

Collet fired back with a blog post of his own, the same day, calling Bailey's post "totally irresponsible" and an attempt "to create a flashy headline" by claiming that the bug is far more serious than it actually is. In reality, Collet said, the conditions required to exploit the bug in LZ4 are so peculiar that there is "no real-world risk," and none of the known LZ4 implementations can be targeted. On June 28, Collet retracted some of his criticisms of Bailey's disclosure methodology but continued to argue that no known program met the conditions required to exploit the bug.

What followed was an at times heated back-and-forth between the two, both about the severity of the bug and about how it was disclosed. Collet noted that the underlying issue had been reported by someone else more than a year earlier and was deemed low-priority, mostly because the hypothetical attack would require that LZ4 be called with blocks of extremely large size (8MB or larger) and because a 64-bit system would require an implausibly large amount of memory to overflow the buffer. Bailey contended that there are plenty of 32-bit systems in the wild today (including most ARM devices) and that indifference to future-proofing 64-bit implementations was short-sighted.

On July 1, Bailey posted a follow-up showing that LZ4 could be exploited with 2.47 MB of data. Collet again accused Bailey of irresponsible disclosure for publishing this follow-up without notifying the LZ4 project privately ahead of time.

As a practical matter, an update for LZ4 that fixes all of the issues cited by Bailey is already available, r119. The LZO reference implementation has also been updated with a fix, in version 2.08. Fixes have also been published for the affected downstream projects.

Assessing the real-world severity of the bug is, to a large degree, a matter on which reasonable people may never fully agree. It certainly requires separating the issue from Collet and Bailey's argument over disclosure practices—an argument that is not technical in nature. Bailey has written two posts that describe real-world attacks against LZ4 in the wild; one hinges on the fact that, while "real" users might never use LZ4 with exceptionally large block sizes, higher-level libraries often pass data down to algorithms like LZ4 without doing sanity checks. The second shows Bailey exploiting Firefox 30.0's video-playback code.

Lost in all of the debate about how plausible an attack is against LZ4, though, is a separate point raised in Bailey's original blog post. Oberhumer's reference code for LZO is the original source of the integer overflow, and because that reference code is believed to be highly optimized for decompression speed (which is, after all, one of LZO's key selling points), many developers copied it—flaws and all—into their own projects. Algorithms, Bailey said, become treated like "blessed" code, with other developers assuming their correctness and not giving them the same level of scrutiny that they might to other third-party work.

The potential harm of a long-standing bug or even a back-door in reference code is therefore magnified. Where the subject matter is regarded as highly specialized, things become even trickier. One can see echoes of this concern in the recent "too few independent implementations" issue that was cited as an objection to including Daniel J. Bernstein's Curve25519 cryptographic function in the W3C WebCrypto API. The odds may not be particularly high that Bernstein's code contains an exploitable bug, but the fact that so many developers implicitly trust its correctness is a cause for caution.

And cryptography is far from the only subject matter where widespread code reuse is commonplace. It is frequently found where low-level and highly-optimized functions are required. For example, virtually all—if not literally all—free-software raw photo software is built on top of Dave Coffin's dcraw decoder, which is released as ANSI C code typically copied into downstream projects.

However difficult it may be to craft a real-world exploit for LZO or LZ4, a key lesson is that the bug was replicated to a variety of downstream projects in part because the original reference code was not subjected to sufficient scrutiny sooner. A code audit did eventually uncover the flaw, but had that audit taken place years earlier, there would likely be far less outcry over the issue today.

Comments (8 posted)

Brief items

Security quotes of the week

Imagine getting a call from your doctor if you let your gym membership lapse, make a habit of buying candy bars at the checkout counter, or begin shopping at plus-size clothing stores. For patients of Carolinas HealthCare System, which operates the largest group of medical centers in North and South Carolina, such a day could be sooner than they think. Carolinas HealthCare, which runs more than 900 care centers, including hospitals, nursing homes, doctors’ offices, and surgical centers, has begun plugging consumer data on 2 million people into algorithms designed to identify high-risk patients so that doctors can intervene before they get sick. The company purchases the data from brokers who cull public records, store loyalty program transactions, and credit card purchases.
Shannon Pettypiece and Jordan Robertson in Bloomberg Businessweek

You may say that Ozymandias is dead – or rather fictional but, even in the fiction, dead – so couldn't apply to have his virtual trunkless legs buried in the unsearchable sand (I will retain control of this metaphor). The internet can still be accurate about the deceased, you might think. I don't. They're the very people you can say anything about, true or false, because they cannot be libelled. Only the living have legal recourse to ensure accuracy, but why would anyone bother to get things corrected if they can effectively just delete anything written about them that they're not keen on?

People's right to suppress unpleasant lies which are publicly told is being extended to unpleasant truths – until they die when it's suddenly open season on slander. The internet will become constructed entirely of two different sorts of untruth: contemporaneous unalloyed praise and posthumous defamatory hearsay.

David Mitchell in The Guardian

Comments (13 posted)

Schneier: NSA Targets Privacy Conscious for Surveillance

Bruce Schneier has a good summary of recently reported information about the US National Security Agency (NSA) targeting of users searching for or reading information about Tor and The Amnesic Incognito Live System (Tails), which certainly could include readers of this site. "Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users -- and people who just visit the websites of -- Tor, Tails, and other sites. This isn't just metadata; this is "full take" content that's stored forever. [...] It's hard to tell how extensive this is. It's possible that anyone who clicked on this link -- with the embedded URL above -- is currently being monitored by the NSA. It's possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don't know what else the NSA harvests about people who it selects in this manner. Whatever the case, this is very disturbing." Also see reports in Linux Journal (which was specifically noted in the XKeyscore rules) and Boing Boing.

Comments (11 posted)

OpenSSL speeds up development to avoid being “slow-moving and insular” (Ars Technica)

Ars Technica reports on the OpenSSL project's new roadmap that describes a number of problems with the project and its code along with plans to address them. "The project has numerous problems, the roadmap says. These include a backlog of bug reports, incomplete and incorrect documentation, code complexity that causes maintenance problems, inconsistent coding style, a lack of code review, and having no clear release plan, platform strategy, or security strategy. The plan is to fix all these problems. For example, bug reports should receive 'an initial response within four working days.' That goal can be met now, the roadmap says, but others will take longer. Defining a clear coding standard for the project is expected to take about three months. 'Review[ing] and revis[ing] the public API with a view to reducing complexity' will take about a year."

Comments (48 posted)

The CHERI capability model: Revisiting RISC in an age of risk (Light Blue Touchpaper)

Over at the Light Blue Touchpaper blog, there is a summary of a paper [PDF] presented in late June at the 2014 International Symposium on Computer Architecture about Capability Hardware Enhanced RISC Instructions (CHERI). "CHERI is an instruction-set extension, prototyped via an FPGA-based soft processor core named BERI, that integrates a capability-system model with a conventional memory-management unit (MMU)-based pipeline. Unlike conventional OS-facing MMU-based protection, the CHERI protection and security models are aimed at compilers and applications. CHERI provides efficient, robust, compiler-driven, hardware-supported, and fine-grained memory protection and software compartmentalisation (sandboxing) within, rather than between, address spaces. We run a version of FreeBSD that has been adapted to support the hardware capability model (CheriBSD) compiled with a CHERI-aware Clang/LLVM that supports C pointer integrity, bounds checking, and capability-based protection and delegation. CheriBSD also supports a higher-level hardware-software security model permitting sandboxing of application components within an address space based on capabilities and a Call/Return mechanism supporting mutual distrust."

Comments (31 posted)

Garrett: Self-signing custom Android ROMs

Matthew Garrett explains how to get an Android device to refuse to boot an operating system that has not been signed by the device's owner. "It's annoying and involves a bunch of manual processes and you'll need to re-sign every update yourself. But it is possible to configure Nexus devices in such a way that you retain the same level of security you had when you were using the Google keys without losing the freedom to run whatever you want."

Comments (2 posted)

New vulnerabilities

apt-cacher-ng: cross-site scripting

Package(s): apt-cacher-ng
CVE #(s): CVE-2014-4510
Created: July 4, 2014
Updated: July 9, 2014
Description: From the Red Hat bugzilla entry:

As noted in this report to oss-security, a flaw exists in the apt-cacher-ng server, and an inside attacker (on the LAN with knowledge of the server's address), could trick a user into visiting, or redirect them to, a manipulated URL that would cause the cross-site scripting attack.

Fedora FEDORA-2014-7751 apt-cacher-ng 2014-07-04

Comments (none posted)

cacti: cross-site scripting

Package(s): cacti
CVE #(s): CVE-2014-4002
Created: July 8, 2014
Updated: July 9, 2014
Description: From the CVE entry:

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php.

Gentoo 201509-03 cacti 2015-09-24
openSUSE openSUSE-SU-2015:0479-1 cacti 2015-03-11
Mageia MGASA-2014-0302 cacti 2014-07-26
Fedora FEDORA-2014-7836 cacti 2014-07-08
Fedora FEDORA-2014-7849 cacti 2014-07-08

Comments (none posted)

cumin: two vulnerabilities

Package(s): cumin
CVE #(s): CVE-2012-2682, CVE-2014-0174
Created: July 9, 2014
Updated: July 9, 2014
Description: From the Red Hat advisory:

It was found that if Cumin were asked to display a link name containing non-ASCII characters, the request would terminate with an error. If data containing non-ASCII characters were added to the database (such as via Cumin or Wallaby), requests to load said data would terminate and the requested page would not be displayed until an administrator cleans the database. (CVE-2012-2682)

It was found that Cumin did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie. (CVE-2014-0174)

Red Hat RHSA-2014:0859-01 cumin 2014-07-09
Red Hat RHSA-2014:0858-01 cumin 2014-07-09

Comments (none posted)

dbus: two denial of service flaws

Package(s): dbus
CVE #(s): CVE-2014-3532, CVE-2014-3533
Created: July 3, 2014
Updated: December 22, 2014
Description: From the Debian advisory:

CVE-2014-3532: Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support for file descriptor passing. A malicious process could force system services or user applications to be disconnected from the D-Bus system by sending them a message containing a file descriptor, leading to a denial of service.

CVE-2014-3533: Alban Crequy at Collabora Ltd. and Alejandro Martinez Suarez discovered that a malicious process could force services to be disconnected from the D-Bus system by causing dbus-daemon to attempt to forward invalid file descriptors to a victim process, leading to a denial of service.

Mandriva MDVSA-2015:176 dbus 2015-03-30
Fedora FEDORA-2014-17595 mingw-dbus 2015-01-02
Fedora FEDORA-2014-17570 mingw-dbus 2015-01-02
Fedora FEDORA-2014-16227 dbus 2014-12-19
Gentoo 201412-12 dbus 2014-12-13
openSUSE openSUSE-SU-2014:1239-1 dbus-1 2014-09-28
openSUSE openSUSE-SU-2014:1228-1 dbus-1 2014-09-28
Mandriva MDVSA-2014:148 dbus 2014-07-31
Mageia MGASA-2014-0294 dbus 2014-07-26
openSUSE openSUSE-SU-2014:0921-1 dbus-1 2014-07-21
openSUSE openSUSE-SU-2014:0926-1 dbus-1 2014-07-21
Ubuntu USN-2275-1 dbus 2014-07-08
Fedora FEDORA-2014-8059 dbus 2014-07-08
Debian DSA-2971-1 dbus 2014-07-02

Comments (none posted)

ffmpeg: multiple vulnerabilities

Package(s): ffmpeg
CVE #(s): CVE-2014-2097, CVE-2014-2098, CVE-2014-2099, CVE-2014-2263, CVE-2014-4610
Created: July 7, 2014
Updated: July 9, 2014
Description: From the Mageia advisory:

The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.0.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data (CVE-2014-2097).

libavcodec/wmalosslessdec.c in FFmpeg before 2.0.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data (CVE-2014-2098).

The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.0.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data (CVE-2014-2099).

The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg before 2.0.4 allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write (CVE-2014-2263).

An integer overflow in LZO decompression in FFmpeg before 2.0.5 allows remote attackers to have an unspecified impact by embedding compressed data in a video file (CVE-2014-4610).

Mandriva MDVSA-2015:173 ffmpeg 2015-03-30
Mandriva MDVSA-2014:129 ffmpeg 2014-07-09
Mageia MGASA-2014-0281 ffmpeg 2014-07-04
Mageia MGASA-2014-0280 ffmpeg 2014-07-04
Gentoo 201603-06 ffmpeg 2016-03-12

Comments (none posted)

file: denial of service

Package(s): file
CVE #(s): CVE-2014-3538
Created: July 7, 2014
Updated: September 11, 2014
Description: From the CVE entry:

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.

Oracle ELSA-2015-2155 file 2015-11-23
Red Hat RHSA-2015:2155-07 file 2015-11-19
Oracle ELSA-2015-1135 php 2015-06-23
Mandriva MDVSA-2015:080 php 2015-03-28
Red Hat RHSA-2014:1766-01 php55-php 2014-10-30
Red Hat RHSA-2014:1765-01 php54-php 2014-10-30
Oracle ELSA-2014-1327 php 2014-09-30
CentOS CESA-2014:1327 php 2014-09-30
Red Hat RHSA-2014:1327-01 php 2014-09-30
Debian DSA-3021-2 file 2014-09-10
Debian DSA-3021-1 file 2014-09-09
Slackware SSA:2014-247-01 php 2014-09-04
Mandriva MDVSA-2014:172 php 2014-09-03
Debian DSA-3008-2 php5 2014-08-21
Mageia MGASA-2014-0324 php 2014-08-08
Mandriva MDVSA-2014:149 php 2014-08-06
Mageia MGASA-2014-0307 file 2014-08-05
Mandriva MDVSA-2014:146 file 2014-07-31
Ubuntu USN-2278-1 file 2014-07-15
Fedora FEDORA-2014-7992 file 2014-07-05
Scientific Linux SLSA-2015:2155-7 file 2015-12-21
Red Hat RHSA-2016:0760-01 file 2016-05-10
Oracle ELSA-2016-0760 file 2016-05-13
Scientific Linux SLSA-2016:0760-1 file 2016-06-08

Comments (none posted)

kernel: privilege escalation

Package(s): kernel
CVE #(s): CVE-2014-4699
Created: July 7, 2014
Updated: August 11, 2014
Description: From the Debian advisory:

Andy Lutomirski discovered that the ptrace syscall was not verifying the RIP register to be valid in the ptrace API on x86_64 processors. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

Oracle ELSA-2015-0290 kernel 2015-03-12
openSUSE openSUSE-SU-2014:1246-1 kernel 2014-09-28
SUSE SUSE-SU-2014:1138-1 kernel 2014-09-16
Oracle ELSA-2014-1167 kernel 2014-09-09
Oracle ELSA-2014-1392 kernel 2014-10-21
openSUSE openSUSE-SU-2014:0985-1 kernel 2014-08-11
openSUSE openSUSE-SU-2014:0957-1 kernel 2014-08-01
Oracle ELSA-2014-0981 kernel 2014-07-29
Mandriva MDVSA-2014:155 kernel 2014-08-07
Red Hat RHSA-2014:0949-01 kernel 2014-07-28
Oracle ELSA-2014-3049 kernel 2014-07-24
CentOS CESA-2014:0923 kernel 2014-07-25
CentOS CESA-2014:0924 kernel 2014-07-25
Scientific Linux SLSA-2014:0924-1 kernel 2014-07-24
Oracle ELSA-2014-0923 kernel 2014-07-23
Oracle ELSA-2014-0924 kernel 2014-07-23
Red Hat RHSA-2014:0923-01 kernel 2014-07-23
Red Hat RHSA-2014:0924-01 kernel 2014-07-23
Red Hat RHSA-2014:0925-01 kernel 2014-07-23
Red Hat RHSA-2014:0913-01 kernel-rt 2014-07-22
SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
Ubuntu USN-2272-1 linux-lts-trusty 2014-07-05
Ubuntu USN-2271-1 linux-lts-saucy 2014-07-05
Ubuntu USN-2270-1 linux-lts-raring 2014-07-05
Ubuntu USN-2269-1 linux-lts-quantal 2014-07-05
Ubuntu USN-2274-1 kernel 2014-07-05
Ubuntu USN-2268-1 kernel 2014-07-05
Ubuntu USN-2266-1 kernel 2014-07-05
Ubuntu USN-2267-1 EC2 kernel 2014-07-05
Debian DSA-2972-1 kernel 2014-07-06

Comments (none posted)

lzo: denial of service/possible code execution

Package(s): lzo
CVE #(s): CVE-2014-4607
Created: July 3, 2014
Updated: January 2, 2017
Description: From the Red Hat bugzilla entry:

An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes. This exposes the code that copies literals to memory corruption. It should be noted that if the target is 64-bit liblzo2, the overflow is still possible, but impractical. An overflow would require so much input data that an attack would be infeasible even on modern computers.

openSUSE openSUSE-SU-2015:0932-1 LibVNCServer 2015-05-24
Mandriva MDVSA-2015:163 grub2 2015-03-29
Gentoo 201503-13 busybox 2015-03-29
Mandriva MDVSA-2015:146 libvncserver 2015-03-29
Mandriva MDVSA-2015:150 liblzo 2015-03-29
Fedora FEDORA-2015-1007 dump 2015-02-25
Fedora FEDORA-2015-1023 dump 2015-02-25
Fedora FEDORA-2014-16452 grub2 2014-12-17
Fedora FEDORA-2014-16403 grub2 2014-12-12
Fedora FEDORA-2014-16378 grub2 2014-12-12
Fedora FEDORA-2014-10366 icecream 2014-11-19
Fedora FEDORA-2014-10468 icecream 2014-11-19
Mageia MGASA-2014-0432 kde4 2014-10-29
Mandriva MDVSA-2014:181 dump 2014-09-24
Mageia MGASA-2014-0378 dump 2014-09-15
Mandriva MDVSA-2014:173 busybox 2014-09-03
Mandriva MDVSA-2014:168 libvncserver 2014-09-02
Mageia MGASA-2014-0362 distcc 2014-09-01
Mageia MGASA-2014-0363 blender 2014-09-01
Fedora FEDORA-2014-9632 distcc 2014-08-30
Fedora FEDORA-2014-9591 distcc 2014-08-30
Mageia MGASA-2014-0361 x11vnc 2014-08-28
Mageia MGASA-2014-0356 libvncserver 2014-08-27
Mageia MGASA-2014-0360 kdenetwork4 2014-08-27
Mageia MGASA-2014-0359 italc 2014-08-27
Mageia MGASA-2014-0357 icecream 2014-08-27
Mageia MGASA-2014-0355 harbour 2014-08-27
Mageia MGASA-2014-0358 grub2 2014-08-27
Mageia MGASA-2014-0352 mednafen 2014-08-25
Mageia MGASA-2014-0351 busybox 2014-08-25
Fedora FEDORA-2014-9151 krfb 2014-08-16
Fedora FEDORA-2014-9183 krfb 2014-08-16
Fedora FEDORA-2014-7939 lzo 2014-10-12
Debian DSA-2995-1 lzo2 2014-08-03
SUSE SUSE-SU-2014:0955-1 lzo 2014-07-31
Ubuntu USN-2300-1 lzo2 2014-07-24
Oracle ELSA-2014-0861 lzo 2014-07-23
openSUSE openSUSE-SU-2014:0922-1 lzo 2014-07-21
SUSE SUSE-SU-2014:0904-1 lzo 2014-07-16
Scientific Linux SLSA-2014:0861-2 lzo 2014-07-09
Mandriva MDVSA-2014:134 liblzo 2014-07-10
CentOS CESA-2014:0861 lzo 2014-07-09
Red Hat RHSA-2014:0861-01 lzo 2014-07-09
Mageia MGASA-2014-0290 liblzo 2014-07-09
Oracle ELSA-2014-0861 lzo 2014-07-09
Fedora FEDORA-2014-7926 lzo 2014-07-03
Gentoo 201701-14 lzo 2017-01-02

Comments (none posted)

mediawiki: prevent external resources in SVG files

Package(s): mediawiki
CVE #(s):
Created: July 7, 2014
Updated: July 11, 2014
Description: From the MediaWiki announcement:

Prevent external resources in SVG files.

Fedora FEDORA-2014-7779 mediawiki 2014-07-05
Fedora FEDORA-2014-7805 mediawiki 2014-07-05

Comments (1 posted)

openstack-ceilometer: information leak

Package(s): openstack-ceilometer
CVE #(s): CVE-2014-4615
Created: July 8, 2014
Updated: August 13, 2014
Description: From the Fedora advisory:

Fix tokens leaking to message queue

Ubuntu USN-2311-2 ceilometer 2014-08-21
Ubuntu USN-2321-1 neutron 2014-08-21
Red Hat RHSA-2014:1050-01 openstack-ceilometer 2014-08-13
Ubuntu USN-2311-1 python-pycadf 2014-08-11
Fedora FEDORA-2014-7780 python-pycadf 2014-07-08
Fedora FEDORA-2014-7799 openstack-ceilometer 2014-07-08

Comments (none posted)

owncloud: undisclosed vulnerability

Package(s): owncloud
CVE #(s):
Created: July 9, 2014
Updated: July 30, 2014
Description: From the owncloud changelog:

Release "6.0.4" Fixed a security issue (Will be disclosed two weeks after this release)

Mandriva MDVSA-2014:140 owncloud 2014-07-29
Mageia MGASA-2014-0301 owncloud 2014-07-26
Fedora FEDORA-2014-7964 owncloud 2014-07-09

Comments (none posted)

php: information disclosure

Package(s): php5
CVE #(s): CVE-2014-4721
Created: July 9, 2014
Updated: July 31, 2014
Description: From the CVE entry:

The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.

Mandriva MDVSA-2015:080 php 2015-03-28
Red Hat RHSA-2014:1766-01 php55-php 2014-10-30
Red Hat RHSA-2014:1765-01 php54-php 2014-10-30
openSUSE openSUSE-SU-2014:1236-1 php5 2014-09-28
Scientific Linux SLSA-2014:1012-1 php53 and php 2014-08-06
CentOS CESA-2014:1013 php 2014-08-06
openSUSE openSUSE-SU-2014:0945-1 php5 2014-07-30
CentOS CESA-2014:1012 php53 2014-08-06
Oracle ELSA-2014-1013 php 2014-08-06
Oracle ELSA-2014-1012 php53 2014-08-06
Red Hat RHSA-2014:1012-01 php53 2014-08-06
Ubuntu USN-2276-1 php5 2014-07-09
Mandriva MDVSA-2014:130 php 2014-07-09
Mageia MGASA-2014-0284 php 2014-07-09
Mageia MGASA-2014-0283 php 2014-07-09
Debian DSA-2974-1 php5 2014-07-08
Red Hat RHSA-2014:1013-01 php 2014-08-06
SUSE SUSE-SU-2016:1638-1 php53 2016-06-21

Comments (none posted)

phpmyadmin: cross-site scripting

Package(s): phpmyadmin
CVE #(s): CVE-2014-4348
Created: July 9, 2014
Updated: July 30, 2014
Description: From the CVE entry:

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables.

Fedora FEDORA-2014-8577 phpMyAdmin 2014-07-30
Fedora FEDORA-2014-8581 phpMyAdmin 2014-07-30
Mandriva MDVSA-2014:126 phpmyadmin 2014-07-08

Comments (none posted)

python: script execution

Package(s): python
CVE #(s): CVE-2014-4650
Created: July 9, 2014
Updated: November 24, 2014
Description: From the Mageia advisory:

The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root.

Oracle ELSA-2015-2101 python 2015-11-23
Red Hat RHSA-2015:2101-01 python 2015-11-19
Scientific Linux SLSA-2015:1330-1 python 2015-08-03
Red Hat RHSA-2015:1330-01 python 2015-07-22
Ubuntu USN-2653-1 python2.7, python3.2, python3.4 2015-06-25
Red Hat RHSA-2015:1064-01 python27 2015-06-04
Mandriva MDVSA-2015:076 python3 2015-03-27
Mandriva MDVSA-2015:075 python 2015-03-27
Fedora FEDORA-2014-16393 python3 2014-12-12
Fedora FEDORA-2014-14266 python 2014-11-22
Fedora FEDORA-2014-14257 python3 2014-11-13
Fedora FEDORA-2014-14245 python3 2014-11-09
Fedora FEDORA-2014-14227 python 2014-11-09
openSUSE openSUSE-SU-2014:1734-1 python 2014-12-31
openSUSE openSUSE-SU-2014:1070-1 python3 2014-08-28
openSUSE openSUSE-SU-2014:1042-1 python3 2014-08-20
openSUSE openSUSE-SU-2014:1041-1 python 2014-08-20
openSUSE openSUSE-SU-2014:1046-1 python 2014-08-20
Mageia MGASA-2014-0285 python 2014-07-09
Scientific Linux SLSA-2015:2101-1 python 2015-12-21

Comments (none posted)

python-django-evolution: incompatible versions

Package(s): python-django-evolution
CVE #(s):
Created: July 9, 2014
Updated: July 9, 2014
Description: From the Red Hat bugzilla:

Review Board 1.7.x is only compatible with django_evolution 0.6.x, but I accidentally pushed django_evolution 0.7.1 to stable in Fedora 19 and 20.

Fedora FEDORA-2014-7333 ReviewBoard 2014-07-09
Fedora FEDORA-2014-7348 ReviewBoard 2014-07-09
Fedora FEDORA-2014-7333 python-django-evolution 2014-07-09
Fedora FEDORA-2014-7348 python-django-evolution 2014-07-09

Comments (none posted)

vlc: code execution

Package(s): vlc
CVE #(s): CVE-2013-1868, CVE-2013-1954, CVE-2013-4388
Created: July 8, 2014
Updated: July 28, 2014
Description: From the CVE entries:

Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to the (1) freetype renderer and (2) HTML subtitle parser. (CVE-2013-1868)

The ASF Demuxer (modules/demux/asf/asf.c) in VideoLAN VLC media player 2.0.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted ASF movie that triggers an out-of-bounds read. (CVE-2013-1954)

Buffer overflow in the mp4a packetizer (modules/packetizer/mpeg4audio.c) in VideoLAN VLC Media Player before 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. (CVE-2013-4388)

Gentoo 201411-01 vlc 2014-11-05
Mageia MGASA-2014-0296 live555, vlc, mplayer 2014-07-26
Debian DSA-2973-1 vlc 2014-07-07

Comments (none posted)

xen: information leak

Package(s): xen
CVE #(s): CVE-2014-4021
Created: July 4, 2014
Updated: July 9, 2014
Description: From the Red Hat bugzilla entry:

While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. A malicious guest might be able to read data relating to other guests or the hypervisor itself.

openSUSE openSUSE-SU-2014:1281-1 xen 2014-10-09
openSUSE openSUSE-SU-2014:1279-1 xen 2014-10-09
Debian DSA-3006-1 xen 2014-08-18
Oracle ELSA-2014-0926 kernel 2014-07-25
CentOS CESA-2014:0926 kernel 2014-07-25
Scientific Linux SLSA-2014:0926-1 kernel 2014-07-24
Red Hat RHSA-2014:0926-01 kernel 2014-07-23
Gentoo 201407-03 xen 2014-07-16
Fedora FEDORA-2014-7734 xen 2014-07-04
Fedora FEDORA-2014-7722 xen 2014-07-04

Comments (none posted)

Page editor: Jake Edge

Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds