Security
An overhyped GHOST
While the GHOST glibc vulnerability is serious, it also seems to be fairly hard to exploit—and has been seriously overhyped. Part of the hype may stem from Qualys, which found the bug, engaging a public relations (PR) firm to publicize the bug and Qualys's role in finding it. But someone at the PR company botched the coordinated release, so the information leaked out hours before the planned release time. That is troubling on (at least) two levels: that PR is even a part of security disclosure and that PR firms sometimes get advance notice of zero-day flaws.
The actual GHOST vulnerability is a bog-standard buffer overflow in the GNU C library (glibc) implementation of gethostbyname() and gethostbyname2() (and others in that family, including the reentrant _r variants). As described by Qualys in a detailed advisory, the __nss_hostname_digits_dots() function, which handles "host names" that are really numeric IP addresses, miscalculates the amount of buffer space it needs: the figure is short by the size of one pointer (four or eight bytes, depending on the architecture). A suitably long name therefore overflows the buffer by four or eight bytes. In the cases Qualys examined, that buffer lives on the heap, so the overflow writes into the bookkeeping data that malloc() keeps for the free chunk adjacent to the buffer.
Messing up the malloc() data structure doesn't directly lead to an exploit, of course, but Qualys was able to exploit the Exim mail server to run arbitrary code. It is instructive to note that Qualys was able to cause the buffer overflow in a few other programs (e.g. procmail, clockdiff), but was unable to do so for a wide variety of other network-facing tools (e.g. Apache httpd, MySQL, Postfix, Samba) as noted in a followup to the advisory.
It is not just server code that is affected, however. As Stephane Chazelas pointed out on the oss-security mailing list, some web browsers and email clients call the gethostbyname() family. But, as Qualys explained, a string has to meet a fairly long list of conditions before it can overflow the buffer: it must consist only of digits ("0"-"9") and dots ("."), it must be long enough to fill whatever buffer the caller provided, and, probably the strictest requirement, it must be accepted by inet_aton(). Several uses of gethostbyname() were eliminated from consideration by Qualys because the function was only called after inet_aton() had already failed on the string.
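As an added illustration (not code from the article, from Qualys, or from glibc), the following C program applies the conditions just described and then probes the running glibc the way the test program in the Qualys advisory does: it hands gethostbyname_r() a name sized so that the old, pointer-short calculation believes it fits exactly, and checks a canary placed immediately after the buffer. The terms in ghost_name_len() (a 16-byte address, a two-pointer address list, and the forgotten one-pointer alias array) follow the advisory's description of the size calculation; the sample inputs are constructed. On a fixed glibc the call returns ERANGE and the canary is untouched.

```c
/*
 * Added example (not from the article or from glibc): a GHOST (CVE-2015-0235)
 * probe in the style of the canary test Qualys published with its advisory,
 * plus a helper that applies the input conditions the article lists.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Explicit prototypes so the file also builds in strict -std=c11 mode, where
 * glibc hides these non-ISO declarations; they match the libc signatures. */
int inet_aton(const char *cp, struct in_addr *inp);
int gethostbyname_r(const char *name, struct hostent *ret, char *buf,
                    size_t buflen, struct hostent **result, int *h_errnop);

/* Does NAME meet the conditions the advisory lists for reaching the
 * vulnerable path: only digits and dots, and accepted by inet_aton()?
 * The length condition is checked separately, because it depends on the
 * size of the buffer the caller hands to gethostbyname_r(). */
int ghost_input_candidate(const char *name)
{
    struct in_addr addr;

    if (name == NULL || *name == '\0')
        return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p) && *p != '.')
            return 0;
    /* inet_aton() is stricter than "digits and dots": it rejects empty or
     * out-of-range components, more than four components and trailing dots,
     * but still accepts legacy forms such as "0000" (octal 0) or "1.2". */
    return inet_aton(name, &addr) != 0;
}

/* Name length at which the pre-fix size calculation in
 * __nss_hostname_digits_dots() exactly fills BUFLEN bytes.  The old formula
 * counted a 16-byte address, two address pointers and the NUL but forgot
 * the one-pointer alias array, so the real write extends sizeof(char *)
 * bytes past BUFLEN: the four- or eight-byte overflow the article describes. */
size_t ghost_name_len(size_t buflen)
{
    return buflen - 16 - 2 * sizeof(char *) - 1;
}

#define CANARY "in_the_coal_mine"

enum ghost_result { GHOST_OVERFLOWED, GHOST_REJECTED_ERANGE, GHOST_OTHER };

/* Call gethostbyname_r() with a name sized so the old formula believes it
 * fits exactly, and watch a canary placed immediately after the buffer.
 * A fixed glibc reports ERANGE and leaves the canary alone. */
enum ghost_result ghost_probe(void)
{
    static struct {
        char buffer[1024];
        char canary[sizeof CANARY];
    } temp = { "buffer", CANARY };
    struct hostent resbuf, *result = NULL;
    char name[sizeof temp.buffer];
    size_t len = ghost_name_len(sizeof temp.buffer);
    int herrno = 0, retval;

    memset(name, '0', len);       /* all digits: passes inet_aton() as octal 0 */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof temp.buffer,
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_OVERFLOWED;          /* libc wrote past its buffer */
    if (retval == ERANGE)
        return GHOST_REJECTED_ERANGE;     /* fixed glibc: buffer too small */
    return GHOST_OTHER;                   /* e.g. a libc other than glibc */
}

int main(void)
{
    /* constructed sample inputs */
    static const char *samples[] = { "1.2.3.4", "0000", "1..2", "example.com" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s candidate=%d\n", samples[i],
               ghost_input_candidate(samples[i]));

    switch (ghost_probe()) {
    case GHOST_OVERFLOWED:      puts("vulnerable: canary overwritten"); break;
    case GHOST_REJECTED_ERANGE: puts("not vulnerable: ERANGE returned"); break;
    default:                    puts("no overflow, but no ERANGE either"); break;
    }
    return 0;
}
```

Build it with a plain cc invocation and run it as an unprivileged user; the probe never touches the network, because a name made only of digits is handled by the numeric-address path before any NSS lookup takes place. Note how loose the inet_aton() filter is: "0000" and "1.2" sail through, which is why a digits-and-dots string that is not a well-formed dotted quad can still reach the overflow.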
The bug was fixed in glibc in May 2013, but it was not recognized as a security problem at the time. The bug report's title mentions only an incorrect error return; the description does contain some information about buffer sizes, but no crash was reported, and a crash might have drawn more scrutiny of the security implications. In any case, the fix made it into the glibc 2.18 release in August 2013. Since then, most of the rapidly updating distributions (e.g. Fedora, openSUSE, Ubuntu, Debian testing) have picked up the newer glibc version. Because the fix was not identified as a security update, though, enterprise and other more stable distributions (e.g. RHEL, Ubuntu 12.04 LTS, Debian 7.0 "wheezy") had not been updated until now.
Interestingly, the bug was also found and fixed in ChromeOS in April 2014. Even though it was recognized as a buffer overflow with potential security impacts, no alarm was raised at that time. The fact that the bug had already been fixed and released in glibc may have contributed to that.
Eventually, Qualys spotted the flaw, alerted the linux-distros security mailing list, and started coordinating a date and time to release the information in conjunction with fixes from the distributions. Somewhere in there, a logo was designed and a PR firm (AL'X Communication) was engaged to publicize the bug. A few hours before the designated release time, a French version of the press release was posted to a French system-administration mailing list. Once that was noticed, Qualys went ahead and put out its advisory.
Finding out about a problem by way of a PR leak seems sub-optimal, as Michał Zalewski noted:
That said, the advisory makes up for it...
Qualys's advisory is excellent, as Zalewski said. Whether that makes up for turning over information on a zero-day flaw in a widely used package to a PR firm will be determined by the eye of the beholder. Alexander Peslyak (aka Solar Designer) was also concerned about the PR agency's involvement:
We use PGP on the linux-distros list (the issue was first brought to there on January 18), but I doubt that communication between Qualys and their PR agency, or within the PR agency, was similarly encrypted. Perhaps they were using some Word "documents" and stuff. And even if it were encrypted, notifying a PR agency early goes beyond need-to-know from everyone else's security perspective.
Peslyak went on to suggest that security firms take a different strategy when trying to publicize their role in finding bugs.
In the wake of Heartbleed and other vulnerabilities (which seem to come with logos and web sites these days), it seems hard to believe that security firms will heed Peslyak's advice. For good or ill, the days of vulnerability disclosure by press release (and soon, presumably, press conference) are upon us. That is almost certainly going to lead to bugs that are hyped beyond their actual impact, as happened here.
As Brad Spengler pointed out in an LWN comment, even the Exim exploit requires a non-default configuration, so the number of affected systems is probably fairly small. Absent finding other server or client programs that are vulnerable (and there are probably a few), there may not be that many hosts out there that are truly vulnerable. In addition, the gethostbyname*() functions are obsolete at this point, so up-to-date programs are using getaddrinfo() which doesn't suffer from this problem.
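To make that last point concrete, here is an added example (not code from the article or from any of the programs it mentions) of the replacement a maintainer would make: the same numeric-host handling done through getaddrinfo(). getaddrinfo() allocates and sizes its own result list, so there is no caller-supplied buffer whose length libc could miscalculate, and getnameinfo() receives the output buffer's length explicitly. The AI_NUMERICHOST flag keeps the example offline by accepting literal addresses only; the sample inputs are constructed.

```c
/*
 * Added example (not from the article): numeric-host handling with
 * getaddrinfo(), the API that replaces the obsolete gethostbyname*() family.
 */
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve HOST as a literal IPv4/IPv6 address and write its canonical text
 * form into OUT.  Returns 0 on success or a getaddrinfo()/getnameinfo()
 * error code.  No DNS traffic is ever generated. */
int numeric_host_to_text(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;         /* IPv4 or IPv6 */
    hints.ai_socktype = SOCK_STREAM;     /* one entry per address, not per protocol */
    hints.ai_flags = AI_NUMERICHOST;     /* literal addresses only */

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;                        /* e.g. EAI_NONAME for "example.com" */

    /* The library owns RES; the only buffer we supply is OUT, together with
     * its exact length, so nothing here can be written out of bounds. */
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc;
}

/* 1 if HOST is a literal address whose canonical text is EXPECT,
 * 0 if it is rejected or renders differently. */
int numeric_host_matches(const char *host, const char *expect)
{
    char text[INET6_ADDRSTRLEN];

    return numeric_host_to_text(host, text, sizeof text) == 0
        && strcmp(text, expect) == 0;
}

int main(void)
{
    /* constructed sample inputs, including the legacy forms inet_aton() takes */
    static const char *samples[] = { "127.0.0.1", "::1", "0000", "1.2", "example.com" };
    char text[INET6_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = numeric_host_to_text(samples[i], text, sizeof text);
        if (rc == 0)
            printf("%-12s -> %s\n", samples[i], text);
        else
            printf("%-12s -> rejected (%s)\n", samples[i], gai_strerror(rc));
    }
    return 0;
}
```

Run it and compare the output for "0000" and "1.2" with what inet_aton() accepts: the legacy short forms are still parsed by many libcs, so input validation for addresses should be done on the caller's side, not left to the resolver.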
With all that said, GHOST is still a vulnerability worth patching. There may be other subtleties that haven't yet surfaced. But it does seem that both Qualys and some parts of the technical media have overblown this vulnerability greatly. As with everything in security, there is a tradeoff here. Had GHOST been a more severe and widespread issue, raising the "panic" flag might have been sensible (as with Heartbleed). Panicking over this GHOST, though, seems something of a stretch.
Brief items
Security quotes of the week
We want to see this problem fixed so that people don’t have to trade usability for security. We’re rolling out a multi-stage Campaign for Secure and Usable Crypto, and we kicked it off with a Secure Messaging Scorecard. The Secure Messaging Scorecard is only looking at a few criteria for security, and the next phases of the project will home in on more challenging security and usability objectives.
Highly critical “Ghost” allowing code execution affects most Linux systems (Ars Technica)
Ars Technica has a report on GHOST, which is a critical vulnerability found in the GNU C library (glibc). "The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections." While the proof-of-concept used Exim, a wide variety of client and server programs call gethostbyname*(), often at the behest of a remote system (or attacker). Distributions have started putting out updates; users and administrators should plan on updating as soon as possible.
New vulnerabilities
busybox: arbitrary module loading
Package(s): busybox
CVE #(s): CVE-2014-9645
Created: January 28, 2015
Updated: June 18, 2015
Description: From the Mageia advisory:
The modprobe command in busybox before 1.23.0 uses the basename of the module argument as the module to load, allowing arbitrary modules, even when some kernel subsystems try to prevent this.
Alerts:
chromium: multiple vulnerabilities
Package(s): chromium-browser-stable
CVE #(s): CVE-2014-7924 CVE-2014-7925 CVE-2014-7927 CVE-2014-7928 CVE-2014-7929 CVE-2014-7930 CVE-2014-7931 CVE-2014-7932 CVE-2014-7934 CVE-2014-7935 CVE-2014-7936 CVE-2014-7938 CVE-2014-7939 CVE-2014-7941 CVE-2014-7942 CVE-2014-7943 CVE-2014-7946 CVE-2014-7948 CVE-2015-1205
Created: January 26, 2015
Updated: January 28, 2015
Description: From the Mageia advisory:
Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc (CVE-2014-7924).
Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained (CVE-2014-7925).
The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code (CVE-2014-7927).
hydrogen.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy (CVE-2014-7928).
Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data (CVE-2014-7930).
factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers (CVE-2014-7931).
Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents (CVE-2014-7929).
Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements (CVE-2014-7932).
Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures (CVE-2014-7934).
Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab (CVE-2014-7935).
Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble (CVE-2014-7936).
The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors (CVE-2014-7938).
Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header (CVE-2014-7939).
The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data (CVE-2014-7941).
The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-7942).
Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2014-7943).
The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation (CVE-2014-7946).
The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate (CVE-2014-7948).
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2015-1205).
Alerts:
chromium-browser: multiple denial of service flaws
Package(s): chromium-browser
CVE #(s): CVE-2014-7944 CVE-2014-7945 CVE-2014-7947
Created: January 28, 2015
Updated: January 28, 2015
Description: From the CVE entries:
The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. (CVE-2014-7944)
OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c. (CVE-2014-7945)
OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c. (CVE-2014-7947)
Alerts:
dbus-1: privilege escalation
Package(s): dbus-1
CVE #(s): CVE-2014-8148
Created: January 23, 2015
Updated: January 28, 2015
Description: From the openSUSE advisory:
Do not allow calls to UpdateActivationEnvironment from uids other than the uid of the dbus-daemon. If a system service installs unsafe security policy rules that allow arbitrary method calls (such as CVE-2014-8148) then this prevents memory consumption and possible privilege escalation via UpdateActivationEnvironment.
Alerts:
glibc: code execution
Package(s): glibc eglibc
CVE #(s): CVE-2015-0235
Created: January 27, 2015
Updated: March 4, 2015
Description: From the Debian advisory:
Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument. This could be used by an attacker to execute arbitrary code in processes which called the affected functions. The original glibc bug was reported by Peter Klotz.
Alerts:
grep: heap buffer overrun
Package(s): grep
CVE #(s): CVE-2015-1345
Created: January 26, 2015
Updated: December 22, 2015
Description: From the Red Hat bugzilla:
It was reported that invoking grep with a carefully crafted combination of input and regexp can cause a segfault and/or reading from uninitialized memory.
Alerts:
jasper: multiple vulnerabilities
Package(s): jasper
CVE #(s): CVE-2014-8157 CVE-2014-8158
Created: January 23, 2015
Updated: February 9, 2015
Description: From the Red Hat advisory:
An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8157)
An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8158)
Alerts:
java: three unspecified vulnerabilities
Package(s): java-1.7.0-oracle
CVE #(s): CVE-2015-0403 CVE-2015-0406 CVE-2015-0413
Created: January 23, 2015
Updated: January 28, 2015
Description: From the CVE entries:
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (CVE-2015-0403)
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment. (CVE-2015-0406)
Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability. (CVE-2015-0413)
Alerts:
MySQL: multiple unspecified vulnerabilities
Package(s): mysql-5.5
CVE #(s): CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0411 CVE-2015-0432
Created: January 23, 2015
Updated: July 10, 2015
Description: From the CVE entries:
CVE-2014-6568: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML.
CVE-2015-0374: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key.
CVE-2015-0381: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382.
CVE-2015-0382: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381.
CVE-2015-0411: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption.
CVE-2015-0432: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key.
Alerts:
oxide-qt: multiple vulnerabilities
Package(s): oxide-qt
CVE #(s): CVE-2014-7923 CVE-2014-7926 CVE-2014-7933 CVE-2014-7937 CVE-2014-7940 CVE-2015-1346
Created: January 27, 2015
Updated: April 28, 2015
Description: From the CVE entries:
The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926. (CVE-2014-7923)
The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923. (CVE-2014-7926)
Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. (CVE-2014-7933)
Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. (CVE-2014-7937)
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. (CVE-2014-7940)
Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, as used in Google Chrome before 40.0.2214.91, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2015-1346)
Alerts:
php: multiple vulnerabilities
Package(s): php
CVE #(s): CVE-2014-9425 CVE-2014-9427 CVE-2015-0231 CVE-2015-0232
Created: January 28, 2015
Updated: February 6, 2015
Description: From the Mageia advisory:
Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425).
sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427).
Use-after-free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231).
Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232).
Alerts:
polarssl: code execution
Package(s): polarssl
CVE #(s): CVE-2015-1182
Created: January 26, 2015
Updated: February 10, 2015
Description: From the Debian advisory:
A vulnerability was discovered in PolarSSL, a lightweight crypto and SSL/TLS library. A remote attacker could exploit this flaw using specially crafted certificates to mount a denial of service against an application linked against the library (application crash), or potentially, to execute arbitrary code.
Alerts:
privoxy: multiple vulnerabilities
Package(s): privoxy
CVE #(s): CVE-2015-1380 CVE-2015-1381 CVE-2015-1382
Created: January 28, 2015
Updated: February 9, 2015
Description: From the Mageia advisory:
Fixed a DoS issue in case of client requests with incorrect chunk-encoded body. When compiled with assertions enabled (the default) they could previously cause Privoxy to abort(). (CVE-2015-1380)
Fixed multiple segmentation faults and memory leaks in the pcrs code. This fix also increases the chances that an invalid pcrs command is rejected as such. Previously some invalid commands would be loaded without error. Note that Privoxy's pcrs sources (action and filter files) are considered trustworthy input and should not be writable by untrusted third parties. (CVE-2015-1381)
Fixed an 'invalid read' bug which could at least theoretically cause Privoxy to crash. (CVE-2015-1382)
Alerts:
python-pillow: denial of service
Package(s): python-pillow
CVE #(s): CVE-2014-9601
Created: January 22, 2015
Updated: January 28, 2015
Description: From the CVE entry:
Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.
Alerts:
roundcubemail: cross-site request forgery
Package(s): roundcubemail
CVE #(s): CVE-2014-9587
Created: January 23, 2015
Updated: January 28, 2015
Description: From the CVE entry:
Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.
Alerts:
vala: heap buffer overflow
Package(s): shotwell, vala
CVE #(s): CVE-2014-8154
Created: January 26, 2015
Updated: January 28, 2015
Description: From the Red Hat bug report:
Sergey "Shnatsel" Davidoff reported a heap-based buffer overflow in Vala Gstreamer bindings in the Gst.MapInfo() function. Further details are available in the following Red Hat bug:
Alerts:
websvn: information disclosure
Package(s): websvn
CVE #(s): CVE-2013-6892
Created: January 26, 2015
Updated: February 9, 2015
Description: From the Debian advisory:
James Clawson discovered that websvn, a web viewer for Subversion repositories, would follow symlinks in a repository when presenting a file for download. An attacker with repository write access could thereby access any file on disk readable by the user the webserver runs as.
Alerts:
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2015-0559 CVE-2015-0560 CVE-2015-0561
Created: January 23, 2015
Updated: February 2, 2015
Description: From the CVE entries:
Multiple use-after-free vulnerabilities in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory. (CVE-2015-0559)
The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize certain data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2015-0560)
asn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not validate a certain index value, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet. (CVE-2015-0561)
Alerts:
Page editor: Jake Edge
