Security

From the Ubuntu advisory:

An AppArmor policy miscompilation flaw was discovered in apparmor_parser. Under certain circumstances, a malicious application could use this flaw to perform operations that are not allowed by AppArmor policy. The flaw may also prevent applications from accessing resources that are allowed by AppArmor policy.

From the Mandriva advisory:

Remote crash when handling out of call message in certain dialplan configurations (CVE-2014-6610).

From the Mandriva advisory:

Mixed IP address families in access control lists may permit unwanted traffic.

High call load may result in hung channels in ConfBridge.

Permission escalation through ConfBridge actions/dialplan functions.

Google Chrome before 38.0.2125.101 allows remote attackers to spoof the address bar by placing a blob: substring at the beginning of the URL, followed by the original URI scheme and a long username string. (CVE-2014-7899)

Use-after-free vulnerability in the Pepper plugins in Google Chrome before 39.0.2171.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Flash content that triggers an attempted PepperMediaDeviceManager access outside of the object's lifetime. (CVE-2014-7906)

Certain javascript files causes ClamAV to segfault when scanned with the -a (list archived files) (CVE-2013-6497).

A heap buffer overflow was reported in ClamAV when scanning a specially crafted y0da Crypter obfuscated PE file.

From the Debian advisory:

CVE-2014-9015 - Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

CVE-2014-9016 - Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

An FTP command injection flaw was found in Erlang's FTP module. Several functions in the FTP module do not properly sanitize the input before passing it into a control socket. A local attacker can use this flaw to execute arbitrary FTP commands on a system that uses this module.

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

From the Magiea advisory:

A heap-based buffer overflow in the encode_slice function in libavcodec/proresenc_kostya.c in FFmpeg before 2.0.6 can cause a crash, allowing a malicious image file to cause a denial of service (CVE-2014-5271).

libavcodec/iff.c in FFmpeg before 2.0.6 allows an attacker to have an unspecified impact via a crafted iff image, which triggers an out-of-bounds array access, related to the rgb8 and rgbn formats (CVE-2014-5272).

libavcodec/mjpegdec.c in FFmpeg before 2.0.6 considers only dimension differences, and not bits-per-pixel differences, when determining whether an image size has changed, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MJPEG data (CVE-2014-8541).

libavcodec/utils.c in FFmpeg before 2.0.6 omits a certain codec ID during enforcement of alignment, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted JV data (CVE-2014-8542).

libavcodec/mmvideo.c in FFmpeg before 2.0.6 does not consider all lines of HHV Intra blocks during validation of image height, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MM video data (CVE-2014-8543).

libavcodec/tiff.c in FFmpeg before 2.0.6 does not properly validate bits-per-pixel fields, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted TIFF data (CVE-2014-8544).

libavcodec/pngdec.c in FFmpeg before 2.0.6 accepts the monochrome-black format without verifying that the bits-per-pixel value is 1, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted PNG data (CVE-2014-8545).

Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.0.6 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Cinepak video data (CVE-2014-8546).

libavcodec/gifdec.c in FFmpeg before 2.0.6 does not properly compute image heights, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted GIF data (CVE-2014-8547).

Off-by-one error in libavcodec/smc.c in FFmpeg before 2.0.6 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Quicktime Graphics (aka SMC) video data (CVE-2014-8548).

From the CVE entries:

Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. (CVE-2014-8962)

Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. (CVE-2014-9028)

The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ``))" where "..." can be anything valid. The backticks in the arithmetic epxression are evaluated by in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).

Icecast did not properly handle the launching of "scripts" on connect or disconnect of sources. This could result in sensitive information from these scripts leaking to (external) clients. (CVE-2014-9018)

ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the JPEG decoder.

CVE-2014-3065 IBM JDK: privilege escalation via shared class cache

From the Mageia advisory:

kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly allowing to some javascript being executed on the context of the referenced hostname (CVE-2014-8600).

From the Red Hat bug reports:

CVE-2014-7843 - It was found that a read of n*PAGE_SIZE+1 from /dev/zero will cause the kernel to panic due to an unhandled exception since it's not handling the single byte case with a fixup (anything larger than a single byte will properly fault.) A local, unprivileged user could use this flaw to crash the system.

CVE-2014-7842 - It was found that reporting emulation failures to user space can lead to either local or L2->L1 DoS. In the case of local DoS attacker needs access to MMIO area or be able to generate port access. Please note that on certain systems HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way.

CVE-2014-7841 - An SCTP server doing ASCONF will panic on malformed INIT ping-of-death in the form of:

     ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>

A remote attacker could use this flaw to crash the system by sending a maliciously prepared SCTP packet in order to trigger a NULL pointer dereference on the server.

From the CVE entries:

CVE-2014-7826 - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.

CVE-2014-7825 - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.

From the Mageia advisory:

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

By using special crafted S/MIME messages or ECC based OpenPGP data, it is possible to create a buffer overflow, which could lead to a denial of service (CVE-2014-9087).

Crash while importing malformed .rtf file. According to valgrind there are several invalid writes, including near malloc'd block. Seems to be potentially exploitable.

It was reported that lsyncd is vulnerable to command injection. If a filename has "`" (backticks), what between backticks will be executed with lsyncd process privileges.

From the CVE entry:

Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB FULLTEXT SEARCH DML.

It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights. A malicious application could possibly use this issue to cause a local privilege escalation when using daemon mode.

In Moodle before 2.6.5, an XSS issue through $searchcourse in mod/feedback/mapcourse.php, due to the last search string in the Feedback module not being escaped in the search input field (CVE-2014-7830).

In Moodle before 2.6.5, the word list for temporary password generation was short, therefore the pool of possible passwords was not big enough (CVE-2014-7845).

In Moodle before 2.6.5, capability checks in the LTI module only checked access to the course and not to the activity (CVE-2014-7832).

In Moodle before 2.6.5, group-level entries in Database activity module became visible to users in other groups after being edited by a teacher (CVE-2014-7833).

In Moodle before 2.6.5, unprivileged users could access the list of available tags in the system (CVE-2014-7846).

In Moodle before 2.6.5, the script used to geo-map IP addresses was available to unauthenticated users increasing server load when used by other parties (CVE-2014-7847).

In Moodle before 2.6.5, when using the web service function for Forum discussions, group permissions were not checked (CVE-2014-7834).

In Moodle before 2.6.5, by directly accessing an internal file, an unauthenticated user can be shown an error message containing the file system path of the Moodle install (CVE-2014-7848).

In Moodle before 2.6.5, if web service with file upload function was available, user could upload XSS file to his profile picture area (CVE-2014-7835).

In Moodle before 2.6.5, two files in the LTI module lacked a session key check, potentially allowing cross-site request forgery (CVE-2014-7836).

In Moodle before 2.6.5, by tweaking URLs, users who were able to delete pages in at least one Wiki activity in the course were able to delete pages in other Wiki pages in the same course (CVE-2014-7837).

In Moodle before 2.6.5, set tracking script in the Forum module lacked a session key check, potentially allowing cross-site request forgery (CVE-2014-7838).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593)

A flaw was found in the Alarm API, which could allow applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass the same-origin policy. (CVE-2014-1594)

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, Max Jonas Werner, Christian Holler, Jon Coppeard, Eric Rahm, Byron Campen, Eric Rescorla, and Xidorn Quan discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1588)

Cody Crews discovered a way to trigger chrome-level XBL bindings from web content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2014-1589)

Muneaki Nishimura discovered that CSP violation reports did not remove path information in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2014-1591)

A flaw was discovered in mutt, a text-based mailreader. A specially crafted mail header could cause mutt to crash, leading to a denial of service condition.

openssl-1.0.1i-2.1.4 that comes with OpenSUSE 13.2 is configured with 'no-ec2m' . This exposes a bug in openssl that let the client advertise a non-prime field curve, that it however doesn't actually support.

OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.

Dragana Damjanovic discovered that an authenticated client could crash an OpenVPN server by sending a control packet containing less than four bytes as payload.

A buffer overflow was discovered in Skia. If a user were tricked in to opening a specially crafted website, an attacked could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-7904)

Multiple use-after-frees were discovered in Blink. If a user were tricked in to opening a specially crafted website, an attacked could potentially exploit these to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-7907)

An integer overflow was discovered in media. If a user were tricked in to opening a specially crafted website, an attacked could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-7908)

An uninitialized memory read was discovered in Skia. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash. (CVE-2014-7909)

Multiple security issues were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-7910)

Multiple vulnerabilities has been discovered and corrected in phpmyadmin:

* Multiple XSS vulnerabilities (CVE-2014-8958).

* Local file inclusion vulnerability (CVE-2014-8959).

* XSS vulnerability in error reporting functionality (CVE-2014-8960).

* Leakage of line count of an arbitrary file (CVE-2014-8961).

This upgrade provides the latest phpmyadmin version (4.2.12) to address these vulnerabilities.

Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception.

From the Mageia advisory:

The logrotate configuration of the privoxy package did not function properly, causing its log files not to be rotated. The log file(s) could potentially fill up the disk.

From the Mageia advisory:

Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 Django allows remote attackers to inject arbitrary web script or HTML via a user display name (CVE-2014-3995).

From the Mageia advisory:

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters, due to an incomplete fix for CVE-2014-1932 (CVE-2014-3007).

From the Mageia advisory:

Due to an incomplete fix for CVE-2014-8080, 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service (CVE-2014-8090).

- Arbitrary file existence disclosure (CVE-2014-7829).

- Arbitrary file existence disclosure (CVE-2014-7818).

Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.

Bug #1165160 - CVE-2014-8767 tcpdump: denial of service in verbose mode using malformed OLSR payload

Bug #1165161 - CVE-2014-8768 tcpdump: denial of service in verbose mode using malformed Geonet payload

Bug #1165162 - CVE-2014-8769 tcpdump: unreliable output using malformed AOVD payload

A security flaw was found in the teeworlds server prior to 0.6.3 where an incorrect offset check could enable an attacker to read the memory or trigger a segmentation fault.

From the Mageia advisory:

SigComp UDVM buffer overflow (CVE-2014-8710).

AMQP crash (CVE-2014-8711).

NCP crashes (CVE-2014-8712, CVE-2014-8713).

TN5250 infinite loops (CVE-2014-8714).

XSS in wptexturize() via comments or posts, exploitable for unauthenticated users (CVE-2014-9031).

XSS in media playlists (CVE-2014-9032).

CSRF in the password reset process (CVE-2014-9033).

Denial of service for giant passwords. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034).

XSS in Press This (CVE-2014-9035).

XSS in HTML filtering of CSS in posts (CVE-2014-9036).

Hash comparison vulnerability in old-style MD5-stored passwords (CVE-2014-9037).

SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space (CVE-2014-9038).

Previously an email address change would not invalidate a previous password reset email (CVE-2014-9039).

The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP). (CVE-2014-8594)

arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction. (CVE-2014-8595)

The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE. (CVE-2014-9030)