Security

It was discovered that BIND, a DNS server, is prone to a denial of service vulnerability. By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process.)

CVE-2014-8737: Directory traversal vulnerability allowing random files deletion/creation was reported in binutils.

CVE-2014-8502: A heap overflow was reported when running objdump on a specially crafted PE executable.

CVE-2014-8504: Stack overflow issue was reported in SREC parser in binutils.

CVE-2014-8501: It was reported that running strings, nm or objdump on a constructed PE file leads to out-of bounds write to an uninitialized memory area.

CVE-2014-8738: It was reported that objdump will try to overwrite part of memory when processing a crafted "ar" archive file.

From the Fedora advisory:

CVE-2014-8503: stack overflow in objdump when parsing specially crafted ihex file.

CVE-2014-6407: The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations. This was caused by symlink and hardlink traversals present in Docker's image extraction. This vulnerability could be leveraged to perform remote code execution and privilege escalation.

Docker 1.3.2 remedies this vulnerability. Additional checks have been added to pkg/archive and image extraction is now performed in a chroot. No remediation is available for older versions of Docker and users are advised to upgrade.

CVE-2014-6408: Docker versions 1.3.0 through 1.3.1 allowed security options to be applied to images, allowing images to modify the default run profile of containers executing these images. This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container’s processes, potentially facilitating a break-out.

Docker 1.3.2 remedies this vulnerability. Security options applied to images are no longer consumed by the Docker engine and will be ignored. Users are advised to upgrade.

From the Mageia advisory:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data.

From the Mozilla advisory:

Mozilla developer Bobby Holley discovered two issues involving security wrappers.

The first of these issues occurs when XrayWrappers filter object properties. When validation of the object initially occurs, one set of object properties will appear to be available. Later, when the XrayWrappers are removed, a more expansive set of properties is available. These are then stored without further validation, making these properties available and bypassing security protections that would normally protect them from access. (CVE-2014-8632)

The second issue occurs when chrome objects are protected by Chrome Object Wrappers (COW) and are passed as native interfaces. If this is done with some methods, normally protected objects may be accessible to native methods exposed to web content. (CVE-2014-8631)

Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vector, which are not properly handled in an error string.

Hive files are the undocumented binary files that Windows uses to store the Windows Registry on disk. Hivex is a library that can read and write to these files.

'hivexsh' is a shell you can use to interactively navigate a hive binary file.

'hivexregedit' lets you export and merge to the textual regedit format.

'hivexml' can be used to convert a hive file to a more useful XML format.

In order to get access to the hive files themselves, you can copy them from a Windows machine. They are usually found in %systemroot%\system32\config. For virtual machines we recommend using libguestfs or guestfish to copy out these files. libguestfs also provides a useful high-level tool called 'virt-win-reg' (based on hivex technology) which can be used to query specific registry keys in an existing Windows VM.

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

It was found that when the UID and GID were changed in the <changeowner> section of the /etc/icecast.xml file, the supplementary groups were left in place. This could allow an attacker to escalate their privileges if the <changeowner> configuration was used.

The fix was added in version 2.4.0.

From the Debian advisory:

Josh Duart of the Google Security Team discovered heap-based buffer overflow flaws in JasPer, a library for manipulating JPEG-2000 files, which could lead to denial of service (application crash) or the execution of arbitrary code.

Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call. (CVE-2014-8884)

The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite. (CVE-2014-9090)

libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of service (memory consumption) via a large number of domain migrate parameters in certain RPC calls in (1) daemon/remote.c and (2) remote/remote_driver.c. (CVE-2013-4292)

The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1.1.2 and earlier allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via unspecified vectors. (CVE-2013-4297)

virt-login-shell in libvirt 1.1.2 through 1.1.3 allows local users to overwrite arbitrary files and possibly gain privileges via unspecified environment variables or command-line arguments. (CVE-2013-4400)

Unspecified vulnerability (CVE-2013-4399)

From the Ubuntu advisory:

USN-2431-1 fixed vulnerabilities in mod_wsgi. The security update exposed an issue in the MAAS package, causing a regression. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details: It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights. A malicious application could possibly use this issue to cause a local privilege escalation when using daemon mode.

From the Mageia bug report:

In MediaWiki before 1.23.7, a missing CSRF check could allow reflected XSS on wikis that allow raw HTML (CVE-2014-9276).

MediaWiki's mangling, in MediaWiki before 1.23.7, could allow an article editor to inject code into API consumers that blindly unserialize PHP representations of the page from the API (CVE-2014-9277).

Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack. (CVE-2014-5256)

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2013-6668)

OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckResponse fails, which allows remote attackers to cause a denial of service (performance degradation) via an invalid packet. (CVE-2014-2852)

OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests. (CVE-2014-4044)

From the Mageia advisory:

In phpMyAdmin before 4.1.14.8, with very long passwords it was possible to initiate a denial of service attack on phpMyAdmin.

The HTML_AJAX pear module before version 0.5.7 is vulnerable to a bug that can allow for remote code execution through unspecified vectors.

From the Debian advisory:

Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu, a fast processor emulator. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process.

It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435)

It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2014-8118)

From the Ubuntu advisory:

It was discovered that tcpdump incorrectly handled printing PPP packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

From the Red Hat bug report:

Sebastian Krahmer reported a command injection flaw in blkid. This could possibly result in command execution with root privileges (for example, when running blkid on a malicious USB drive).

Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way the X server code base handles requests from X clients, and has worked with X.Org's security team to analyze, confirm, and fix these issues.

The vulnerabilities could be exploited to cause the X server to access uninitialized memory or overwrite arbitrary memory in the X server process. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution.

From the Mageia advisory:

An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.