Security
Plug-and-play sanitization of USB thumb drives
Malware is a nasty problem for all computer users, and there are countermeasures available (such as scanning email attachments) to help neutralize malware threats in many common tasks. But there are certain vocations that regularly require people to do risky things like accept a USB flash drive from a veritable stranger. Reporters exchanging information with alleged NSA whistleblowers in dark alleyways is the most dramatic example, but hardly the only one—consider, for example, how many flash drives of unknown provenance are exchanged or handed out at software conferences over the course of the year.
The safe approach to reading the contents of an untrusted flash drive is to only open it on a read-only, live-CD system (not connected to the Internet) and to scan and sanitize the files it contains before opening any of them. But doing this correctly can be arduous while on the road and tricky for those who are not technically inclined. This is where the CIRCLean project comes in: CIRCLean is a minimalist Debian system that turns the Raspberry Pi into an automated USB drive sanitization box.
CIRCLean is a project hosted by the Computer Incident Response Center Luxembourg (CIRCL), which is Luxembourg's national Computer Emergency Response Team (CERT). The goal is to provide a simple method for users to extract the important contents from an untrusted USB flash drive, filtering out any viruses, spyware, and other potentially hazardous hidden payloads—while not endangering the main system, such as the user's laptop.
CIRCLean accomplishes this by turning a Raspberry Pi into a single-purpose, black-box tool. The user plugs the untrusted "source" USB drive into one USB port on the Pi, plugs their own "target" USB drive into another port, and only then plugs the Pi into a power source. The Pi boots up (mounting the root filesystem read-only), processes the contents of the source drive, saves sanitized versions of the files onto the target drive, then shuts down. At present, the main threats targeted by the tool are malicious macros embedded in office documents (which are naturally more of a concern for Windows and Mac users) and PDFs with hidden executables (which, at least in theory, can contain JavaScript or even arbitrary executable PostScript code).
No monitor or input devices are required: CIRCLean can provide either of two possible feedback mechanisms to let the user know that the sanitization is complete. The first is through an LED attached to the GPIO headers on the Pi: when the LED is blinking, the process is still working; when the LED switches off, the sanitization is complete and the machine has shut down. Alternatively, the system can play MIDI music over the Pi's audio-out port; again, when the music stops, the process is complete.
The system is built on top of Raspbian (the Raspberry Pi distribution based on Debian), and even includes a subtle security measure intended to evade detection. At boot time, if the OS detects that the only USB devices attached are two mass-storage devices, it launches the CIRCLean sanitization process. If any other combination of USB devices is attached, it boots into the standard Raspbian desktop.
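The boot-time check described above, as an added example rather than CIRCLean's own boot logic: it counts USB interface classes in sysfs and chooses between the sanitizer and the desktop. The sysfs layout, the class numbers (08 = mass storage, 09 = hub, ignored; anything else, such as 03 for a keyboard-emulating stick, forces the desktop) and the parameterized sysfs root are assumptions; the article does not say how CIRCLean treats the Pi's own on-board USB devices, which a real rule would have to whitelist.

```shell
#!/bin/sh
# Added example, not CIRCLean's own code: decide at boot whether to run the
# sanitizer or fall through to the desktop, by counting USB interface classes
# in sysfs. Assumptions (not from the article): entries live under
# $root/bus/usb/devices/*/bInterfaceClass, class 08 = mass storage, class 09 =
# hub (always present on the Pi, so ignored), any other class means "desktop".
# The sysfs root is a parameter so the rule can be exercised on a constructed
# tree instead of the live /sys.

usb_boot_mode() {                 # $1 = sysfs root (default /sys); prints a mode
    root="${1:-/sys}"
    storage=0
    other=0
    for f in "$root"/bus/usb/devices/*/bInterfaceClass; do
        [ -r "$f" ] || continue   # unmatched glob or unreadable entry
        cls=$(cat "$f")
        case "$cls" in
            08) storage=$((storage + 1)) ;;
            09) ;;                # hubs: ignored
            *)  other=$((other + 1)) ;;
        esac
    done
    # Exactly two storage devices and nothing else: sanitize. Anything else
    # (one stick, three sticks, a keyboard, a network adapter) gets the desktop.
    if [ "$storage" -eq 2 ] && [ "$other" -eq 0 ]; then
        echo sanitize
    else
        echo desktop
    fi
}

# Build a constructed sysfs tree for testing. Each argument is
# "<interface>=<class>", e.g. "1-1.2:1.0=08" for a mass-storage interface.
make_fake_sysfs() {               # $1 = root dir, remaining args = interface specs
    root="$1"; shift
    for spec in "$@"; do
        dir="$root/bus/usb/devices/${spec%%=*}"
        mkdir -p "$dir"
        printf '%s\n' "${spec#*=}" > "$dir/bInterfaceClass"
    done
}

# Demonstration on constructed trees (runs only when invoked as usb-boot-mode.sh).
if [ "${0##*/}" = "usb-boot-mode.sh" ]; then
    t=$(mktemp -d)
    make_fake_sysfs "$t/two" "1-1:1.0=09" "1-1.2:1.0=08" "1-1.3:1.0=08"
    make_fake_sysfs "$t/kbd" "1-1:1.0=09" "1-1.2:1.0=08" "1-1.3:1.0=08" "1-1.4:1.0=03"
    echo "two sticks: $(usb_boot_mode "$t/two")"          # sanitize
    echo "sticks + keyboard: $(usb_boot_mode "$t/kbd")"   # desktop
    rm -rf "$t"
fi
```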
How it works
The genesis of the idea evidently came from security consultant Maya Bonkowski, who spoke to the Raspberry Pi blog in August. Bonkowski said that the Pi was chosen as the hardware platform because of its portability and price. Traveling with a second laptop might be the obvious solution for some journalists or activists who need to sanitize strange USB sticks, she said, but a second laptop can attract suspicion (as well as being bulky). Notably, the Pi also comes without built-in wireless connectivity, which makes it easier to use without worrying about the network.
Bonkowski wrote the first version of the code in 2012 (calling it KittenGroomer), after which Raphaël Vinot took over as lead developer and moved the project to CIRCL. Vinot's code is available on GitHub (still under the name KittenGroomer) and is still the main development branch. CIRCL's official stable branch has been rebranded as CIRCLean. The last update was in October 2014, which added support for NTFS drives and included a handful of security fixes (two Bash vulnerabilities were fixed and the user account that processes the files was removed from sudoers).
The software in the repository is a suite of shell scripts designed to be run on a Raspbian system. The scripts create the necessary user account, install the package dependencies, and set up the required startup scripts. CIRCL also provides pre-built SD card images for those not interested in installing the software manually.
The goal of the sanitization step is to identify risky file formats and strip out any potentially hazardous content like macros or embedded executables. Currently, the code focuses on four specific file types: "office" documents (meaning word processor, spreadsheet, and presentation files), PDFs, auto-run files, and archive files. Auto-run files are risky for the obvious reason: they execute unknown code. The other three file types can encapsulate hidden executable content even while presenting other, seemingly innocuous (or even valuable) content to the user.
CIRCLean uses Poppler to convert PDFs to HTML documents and LibreOffice to convert office files to PDFs, which are then converted to HTML by Poppler. Archive files are uncompressed with 7-Zip, then their contents are processed file-by-file, and the results placed into a new archive file on the target drive. Auto-run files on the source drive are simply ignored; all other document types are copied without conversion. Executables, although not converted, are renamed, with DANGEROUS both prepended and appended to the original file name.
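The per-file policy just described (convert office files and PDFs to HTML, unpack and recursively process archives, drop auto-run files, rename executables, copy the rest), as an added example that is not the project's own scripts. The extension lists, the DANGEROUS_<name>_DANGEROUS rename form, the converter command lines (pdftohtml from Poppler, libreoffice --headless, 7z) and the rule that a file whose converter is missing or fails is renamed rather than copied are all assumptions.

```shell
#!/bin/sh
# Added example, not CIRCLean's own code: the per-file policy the article
# describes, applied to a source tree and written to a target tree.
# Assumptions (not from the page): the extension lists, the
# DANGEROUS_<name>_DANGEROUS rename form, the converter command lines, and the
# rule that a file whose converter is missing or fails is renamed like an
# executable rather than copied, so an unconverted risky file never reaches the
# target under its own name.

# Deliver a risky file renamed instead of converted: DANGEROUS_<name>_DANGEROUS.
quarantine() {                    # $1 = source file, $2 = intended target path
    cp -p "$1" "$(dirname "$2")/DANGEROUS_$(basename "$2")_DANGEROUS"
}

# PDF -> HTML with Poppler. -noframes writes a single <base>.html; -i skips
# images (text-only output, as the article notes for CIRCLean itself).
convert_pdf() (                   # $1 = PDF, $2 = target path, $3 = file to quarantine on failure
    base="${2%.*}"
    { command -v pdftohtml >/dev/null 2>&1 &&
      pdftohtml -noframes -i "$1" "$base" >/dev/null 2>&1 &&
      [ -f "$base.html" ]; } || { rm -f "$base.html"; quarantine "${3:-$1}" "$2"; }
)

# Office document -> PDF with LibreOffice, then the PDF goes through convert_pdf.
convert_office() (                # $1 = source document, $2 = intended target path
    tmp=$(mktemp -d) || exit 1
    pdf="$tmp/$(basename "${1%.*}").pdf"
    if command -v libreoffice >/dev/null 2>&1 &&
       libreoffice --headless --convert-to pdf --outdir "$tmp" "$1" >/dev/null 2>&1 &&
       [ -f "$pdf" ]; then
        convert_pdf "$pdf" "$2" "$1"
    else
        quarantine "$1" "$2"
    fi
    rm -rf "$tmp"
)

# Archive -> extract with 7-Zip, sanitize the extracted tree recursively, and
# repack the results as <base>.zip on the target side ($2 must be absolute).
convert_archive() (               # $1 = source archive, $2 = intended target path
    tmp=$(mktemp -d) || exit 1
    if command -v 7z >/dev/null 2>&1 &&
       7z x -y -o"$tmp/in" "$1" >/dev/null 2>&1; then
        sanitize_tree "$tmp/in" "$tmp/out"
        (cd "$tmp/out" && 7z a -y "${2%.*}.zip" . >/dev/null 2>&1) ||
            quarantine "$1" "$2"
    else
        quarantine "$1" "$2"
    fi
    rm -rf "$tmp"
)

# Decide what to do with one file, by its lower-cased name.
sanitize_file() (                 # $1 = source file, $2 = intended target path
    case "$(basename "$1" | tr 'A-Z' 'a-z')" in
        autorun.inf)
            : ;;                                  # auto-run files are dropped outright
        *.doc|*.docx|*.xls|*.xlsx|*.ppt|*.pptx|*.odt|*.ods|*.odp)
            convert_office "$1" "$2" ;;
        *.pdf)
            convert_pdf "$1" "$2" ;;
        *.zip|*.7z|*.rar|*.tar|*.tgz|*.gz|*.bz2)
            convert_archive "$1" "$2" ;;
        *.exe|*.dll|*.com|*.scr|*.msi|*.bat|*.cmd|*.vbs|*.js|*.jar|*.sh)
            quarantine "$1" "$2" ;;               # executables: renamed, not converted
        *)
            cp -p "$1" "$2" ;;                    # everything else is copied as-is
    esac
)

# Walk the source tree and mirror it, file by file, into the target tree.
# -type f skips symlinks, so a link pointing outside the stick is never followed.
sanitize_tree() (                 # $1 = source directory, $2 = target directory
    mkdir -p "$2"
    dst=$(cd "$2" && pwd)         # absolute, so converters may chdir safely
    find "$1" -type f | while IFS= read -r f; do
        rel="${f#"$1"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        sanitize_file "$f" "$dst/$rel"
    done
)
```

Call `sanitize_tree /media/source /media/target` (mount points assumed) to process a whole stick; a file with no usable converter on the box shows up renamed, not silently copied.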
That is a relatively short list of file types to sanitize, but it accounts for the largest threats (particularly in the Windows world). There are also ways for image and multimedia files to contain malware, of course. Bonkowski said on the Raspberry Pi blog that there were already other tools that can convert such media files to safe formats before opening them—but it is nonetheless a curious omission. There are also issues open on GitHub to deal with other file types, such as Java, which in early versions of CIRCLean was not correctly treated as an executable file type (although one might well ask whether it is ever a good idea to run Java code supplied by a stranger).
As a practical matter, it may be more of a problem that CIRCLean's file-conversion step could lose important information if, for example, the LibreOffice conversion is imperfect. With undocumented proprietary file formats—particularly with recent revisions—even LibreOffice occasionally fails to understand some obscure structures.
The known issues include the fact that images are not extracted from PDF files—only text—and that only the first page of a multi-page spreadsheet is properly converted to HTML. On this latter point, however, the project notes that this should be enough to determine whether or not the contents of the file are interesting enough to follow up on and, if so, that can be done later when additional precautions can be taken.
A similar case could be made for not sanitizing other less-common formats—Photoshop macros, for example. But the biggest omission at this point seems to be the handling of HTML files and email, which can contain active content as well as links to remote content that could be used to track the user. And HTML is widespread enough as a document format to be plausible content on a USB stick (perhaps converted by Microsoft Word).
The correct approach for the user would be to only open HTML documents in an offline browser with JavaScript deactivated; perhaps that is well-known enough these days that a special tool is not required. After all, the Edward Snowden and Wikileaks stories of the past few years have raised the profile of a number of valuable security tools like Tor and TAILS.
There are still areas where CIRCLean can be improved. For example, there is an issue open to deal with BadUSB-style attacks, in which a thumb drive mimics another device type (such as a keyboard) with malicious intent. Vinot has indicated one possible solution already: blacklisting all non–mass-storage USB kernel modules. Without USB HID support in the kernel, a malicious drive cannot mimic a keyboard. In an email, Vinot described a few other ideas, such as converting PDFs to the more restrictive PDF/A format before converting them to HTML.
CIRCLean serves a purpose distinct from both of those projects; its ideas may influence them in interesting ways, but the niche it fills is important, too: that of a file-sanitization appliance that works quickly and simply. One report cited on the CIRCLean site notes that up to 66% of USB keys in the wild may contain malware—so it is hard to be too careful.
Brief items
Security quotes of the week
"If you can't upgrade your old [insecure and unreliable] home router, you should not sell it on ebay. If it can't be upgraded, you should run over it with your car."
Chromium to start marking HTTP as insecure
The Chromium development team has posted a plan to start actively marking web pages served with HTTP as not being secure. "We know that people do not generally perceive the absence of a warning sign... Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP."
New vulnerabilities
antiword: denial of service
| Package(s): | antiword | CVE #(s): | CVE-2014-8123 |
| Created: | December 12, 2014 | Updated: | February 9, 2015 |
| Description: | From the CVE entry: Buffer overflow in the bGetPPS function in wordole.c in Antiword 0.37 allows remote attackers to cause a denial of service (crash) via a crafted document. |
| Alerts: | |
bitdefender-console, beanstalkd: multiple vulnerabilities
| Package(s): | bitdefender-console, beanstalkd | CVE #(s): | CVE-2006-3005 CVE-2008-6661 CVE-2010-2060 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entries: CVE-2006-3005 - The JPEG library in media-libs/jpeg before 6b-r7 on Gentoo Linux is built without the -maxmem feature, which could allow context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted JPEG file that exceeds the intended memory limits. CVE-2008-6661 - Multiple integer overflows in the scanning engine in Bitdefender for Linux 7.60825 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed (1) NeoLite and (2) ASProtect packed PE file. CVE-2010-2060 - The put command functionality in beanstalkd 1.4.5 and earlier allows remote attackers to execute arbitrary Beanstalk commands via the body in a job that is too big, which is not properly handled by the dispatch_cmd function in prot.c. |
| Alerts: | |
chromium: multiple vulnerabilities
| Package(s): | chromium | CVE #(s): | CVE-2014-0574 CVE-2014-7900 CVE-2014-7901 CVE-2014-7902 CVE-2014-7903 CVE-2014-7905 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entries: CVE-2014-0574 - Double free vulnerability in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors. CVE-2014-7900 - Use-after-free vulnerability in the CPDF_Parser::IsLinearizedFile function in fpdfapi/fpdf_parser/fpdf_parser_parser.cpp in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document. CVE-2014-7901 - Integer overflow in the opj_t2_read_packet_data function in fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c in OpenJPEG in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long segment in a JPEG image. CVE-2014-7902 - Use-after-free vulnerability in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document. CVE-2014-7903 - Buffer overflow in OpenJPEG before r2911 in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted JPEG image. CVE-2014-7905 - Google Chrome before 39.0.2171.65 on Android does not prevent navigation to a URL in cases where an intent for the URL lacks CATEGORY_BROWSABLE, which allows remote attackers to bypass intended access restrictions via a crafted web site. |
| Alerts: | |
couchdb: cross-site scripting
| Package(s): | couchdb | CVE #(s): | CVE-2010-5312 |
| Created: | December 12, 2014 | Updated: | June 30, 2015 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. |
| Alerts: | |
cpio: denial of service
| Package(s): | cpio | CVE #(s): | CVE-2014-9112 |
| Created: | December 15, 2014 | Updated: | December 22, 2015 |
| Description: | From the CVE entry: Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive. |
| Alerts: | |
docker-io: multiple vulnerabilities
| Package(s): | docker-io | CVE #(s): | CVE-2014-9357 CVE-2014-9358 CVE-2014-9356 |
| Created: | December 15, 2014 | Updated: | January 26, 2015 |
| Description: | From the Red Hat bugzilla entries: CVE-2014-9356: A problem was reported by Docker Inc. whereby a malicious image could overwrite arbitrary portions of the host filesystem by including absolute symlinks. From the upstream report: "Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through volume mounts. This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation." CVE-2014-9357: Docker Inc. has discovered an issue whereby a malicious image could execute arbitrary code when being unpacked automatically after a "docker pull". From the Docker Inc report: "It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a root user on the Docker host by providing a malicious 'xz' binary. We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2 is vulnerable. Users are highly encouraged to upgrade." CVE-2014-9358: Docker Inc. has reported that it is possible to spoof images on the central registry. From the report: "It has been discovered that Docker does not sufficiently validate Image IDs as provided either via 'docker load' or through registry communications. This allows for path traversal attacks, causing graph corruption and manipulation by malicious images, as well as repository spoofing attacks." |
| Alerts: | |
egroupware, lft, suhosin: multiple vulnerabilities
| Package(s): | egroupware, lft, suhosin | CVE #(s): | CVE-2010-3313 CVE-2010-3314 CVE-2011-0765 CVE-2012-0808 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entries: CVE-2010-3313 - phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters. CVE-2010-3314 - Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to inject arbitrary web script or HTML via the lang parameter. CVE-2011-0765 - Unspecified vulnerability in lft in pWhois Layer Four Traceroute (LFT) 3.x before 3.3 allows local users to gain privileges via a crafted command line. CVE-2012-0808 - as31 2.3.1-4 does not seed the random number generator and generates predictable temporary file names, which makes it easier for local users to create or truncate files via a symlink attack. |
| Alerts: | |
firebird: denial of service
| Package(s): | firebird | CVE #(s): | CVE-2014-9323 |
| Created: | December 11, 2014 | Updated: | March 30, 2015 |
| Description: | From the Firebird advisory: Sending a malformed packet to the server (op = op_response with any non-empty status vector data) instead of the expected op_connect makes the server try to write data at a NULL address, because a NULL pointer to the status vector is passed to the xdr_status_vector() function. This attack does not require login to the server. Note: the CVE was added at a later time. |
| Alerts: | |
firefox: information leak
| Package(s): | Mozilla Firefox | CVE #(s): | CVE-2014-1595 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entry: Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information. |
| Alerts: | |
gnustep-base: denial of service
| Package(s): | gnustep-base | CVE #(s): | CVE-2014-2980 |
| Created: | December 15, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entry: Tools/gdomap.c in gdomap in GNUstep Base 1.24.6 and earlier, when run in daemon mode, does not properly handle the file descriptor for the logger, which allows remote attackers to cause a denial of service (abort) via an invalid request. |
| Alerts: | |
kde-plasma-networkmanagement: man-in-the-middle attack
| Package(s): | kde-plasma-networkmanagement kde-plasma-nm | CVE #(s): | |
| Created: | December 15, 2014 | Updated: | December 31, 2014 |
| Description: | From the KDE advisory [1]: KDE's network manager plasmoid does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. plasma-nm does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. |
| Alerts: | |
kernel: two vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2012-6657 CVE-2014-9322 |
| Created: | December 17, 2014 | Updated: | January 6, 2015 |
| Description: | From the Red Hat advisory: It was found that the Linux kernel's networking implementation did not correctly handle the setting of the keepalive socket option on raw sockets. A local user able to create a raw socket could use this flaw to crash the system. (CVE-2012-6657) A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-9322) |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | EC2 kernel | CVE #(s): | CVE-2014-8134 CVE-2014-8709 |
| Created: | December 12, 2014 | Updated: | July 30, 2015 |
| Description: | From the Ubuntu advisory: CVE-2014-8134 - An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests. A user in the guest OS could exploit this leak to obtain information that could potentially be used to aid in attacking the kernel. CVE-2014-8709 - Jouni Malinen reported a flaw in the handling of fragmentation in the mac8Linux subsystem of the kernel. A remote attacker could exploit this flaw to obtain potential sensitive cleartext information by reading packets. |
| Alerts: | |
libjpeg-turbo: denial of service
| Package(s): | libjpeg-turbo | CVE #(s): | CVE-2014-9092 |
| Created: | December 15, 2014 | Updated: | March 29, 2015 |
| Description: | From the openSUSE advisory: Passing a specially crafted jpeg file smashes the stack. |
| Alerts: | |
mailx: command execution
| Package(s): | mailx | CVE #(s): | CVE-2004-2771 CVE-2014-7844 |
| Created: | December 17, 2014 | Updated: | March 3, 2016 |
| Description: | From the Red Hat advisory: A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality. (CVE-2004-2771, CVE-2014-7844) |
| Alerts: | |
mantis: multiple vulnerabilities
| Package(s): | mantis | CVE #(s): | CVE-2014-7146 CVE-2014-8598 CVE-2014-8554 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entries: The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier. (CVE-2014-7146) The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. (CVE-2014-8598) SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609. (CVE-2014-8554) |
| Alerts: | |
mcollective: unauthorized connections
| Package(s): | mcollective | CVE #(s): | CVE-2014-3251 |
| Created: | December 15, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entry: The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition. |
| Alerts: | |
mediawiki: multiple vulnerabilities
| Package(s): | mediawiki | CVE #(s): | |
| Created: | December 12, 2014 | Updated: | December 29, 2014 |
| Description: | From the Mediawiki release notes: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model. Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. |
| Alerts: | |
openjpeg: multiple vulnerabilities
| Package(s): | openjpeg | CVE #(s): | CVE-2013-4289 CVE-2013-4290 |
| Created: | December 15, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entries: Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2 allow remote attackers to have unspecified impact and vectors, which trigger a heap-based buffer overflow. (CVE-2013-4289) Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote attackers to have unspecified impact via unknown vectors to (1) lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, or (3) lib/openjp3d/event.c. (CVE-2013-4290) |
| Alerts: | |
pcre: information leak
| Package(s): | pcre | CVE #(s): | CVE-2014-8964 |
| Created: | December 12, 2014 | Updated: | May 12, 2015 |
| Description: | From the Red Hat bug report: A heap buffer overflow issue was reported in PCRE when processing a specially crafted regular expression. |
| Alerts: | |
pdns-recursor: denial of service
| Package(s): | pdns-recursor | CVE #(s): | CVE-2014-8601 |
| Created: | December 11, 2014 | Updated: | December 22, 2014 |
| Description: | From the Debian advisory: Florian Maury from ANSSI discovered a flaw in pdns-recursor, a recursive DNS server: a remote attacker controlling maliciously-constructed zones or a rogue server could affect the performance of pdns-recursor, thus leading to resource exhaustion and a potential denial-of-service. |
| Alerts: | |
php-horde-kronolith: multiple vulnerabilities
| Package(s): | php-horde-kronolith | CVE #(s): | |
| Created: | December 15, 2014 | Updated: | December 17, 2014 |
| Description: | From the Fedora advisory: kronolith 4.2.4 |
| Alerts: | |
phpMyAdmin: cross-site scripting
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2014-9219 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter. |
| Alerts: | |
pwgen: two vulnerabilities
| Package(s): | pwgen | CVE #(s): | CVE-2013-4440 CVE-2013-4442 |
| Created: | December 15, 2014 | Updated: | January 9, 2015 |
| Description: | From the Red Hat bugzilla: CVE-2013-4440: Pwgen was found to generate weak non-tty passwords by default, which could be brute-forced with a commendable success rate, which could raise security concerns. CVE-2013-4442: Pwgen was found to silently fall back to using standard pseudo-generated numbers on systems that heavily use entropy. On systems such as those with a lot of daemons providing encryption services, the entropy was found to be exhausted, which forces pwgen to fall back to using standard pseudo-generated numbers. |
| Alerts: | |
qemu: code execution
| Package(s): | qemu | CVE #(s): | CVE-2014-7840 |
| Created: | December 12, 2014 | Updated: | December 24, 2014 |
| Description: | From the Red Hat bug report: During migration, the values read from migration stream during ram load are not validated. Especially offset in host_from_stream_offset() and also the length of the writes in the callers of the said function. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. |
| Alerts: | |
racer-bin, lastfmplayer, webkit-gtk, oprofile, gitolite: multiple vulnerabilities
| Package(s): | racer-bin, lastfmplayer, webkit-gtk, oprofile, gitolite | CVE #(s): | CVE-2007-4370 CVE-2010-0778 CVE-2010-3255 CVE-2010-3362 CVE-2011-1572 CVE-2011-2473 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entries: CVE-2007-4370 - Multiple buffer overflows in the (1) client and (2) server in Racer 0.5.3 beta 5 allow remote attackers to execute arbitrary code via a long string to UDP port 26000. CVE-2010-0778 - Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2010-3255 - Google Chrome before 6.0.472.53 and webkitgtk before 1.2.6 do not properly handle counter nodes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. CVE-2010-3362 - lastfm 1.5.4 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. CVE-2011-1572 - Directory traversal vulnerability in the Admin Defined Commands (ADC) feature in gitolite before 1.5.9.1 allows remote attackers to execute arbitrary commands via .. (dot dot) sequences in admin-defined commands. CVE-2011-2473 - The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to create or overwrite arbitrary files via a crafted --session-dir argument in conjunction with a symlink attack on the opd_pipe file, a different vulnerability than CVE-2011-1760. |
| Alerts: | |
smack: information disclosure
| Package(s): | smack | CVE #(s): | CVE-2014-0363 |
| Created: | December 15, 2014 | Updated: | January 12, 2015 |
| Description: | From the CVE entry: The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. |
| Alerts: | |
thermostat1-thermostat: privilege escalation
| Package(s): | thermostat1-thermostat | CVE #(s): | CVE-2014-8120 |
| Created: | December 17, 2014 | Updated: | January 8, 2015 |
| Description: | From the Red Hat advisory: It was discovered that, in certain configurations, the Thermostat agent disclosed JMX management URLs of all local Java virtual machines to any local user. A local, unprivileged user could use this flaw to escalate their privileges on the system. |
| Alerts: | |
unbound: denial of service
| Package(s): | unbound | CVE #(s): | CVE-2014-8602 |
| Created: | December 11, 2014 | Updated: | December 22, 2015 |
| Description: | From the Debian advisory: Florian Maury from ANSSI discovered that unbound, a validating, recursive, and caching DNS resolver, was prone to a denial of service vulnerability. An attacker crafting a malicious zone and able to emit (or make emit) queries to the server can trick the resolver into following an endless series of delegations, leading to [resource] exhaustion and huge network usage. |
| Alerts: | |
xen: multiple vulnerabilities
| Package(s): | xen | CVE #(s): | CVE-2014-8866 CVE-2014-8867 |
| Created: | December 12, 2014 | Updated: | December 17, 2014 |
| Description: | From the CVE entries: The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode. (CVE-2014-8866) The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks proper bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors. (CVE-2014-8867) |
| Alerts: | |
Page editor: Jake Edge