Security
Mandatory Firefox extension signing
Mozilla recently announced a plan to roll out a cryptographic signature framework for Firefox extensions in the coming months. The system is designed to clamp down on so-called "gray area" extensions that, while far from falling under the traditional definition of malware, make dubious and shady changes to the way a user's browser functions. The change will mark a significant shift for Mozilla, which, in the past, has taken a wide-open approach to extension development and installation. But the new system will be mandatory: after a transition period, Firefox will not run extensions that have not been signed by Mozilla, and all extension developers will need to submit their extensions for a test that checks for bad behavior. Naturally, not all extension developers are happy about how that will affect their workflow, but Mozilla insists it is the option that best balances protecting users and encouraging extension development.
The announcement was posted by Mozilla's Add-ons Developer Relations Lead, Jorge Villalobos. He listed several types of malicious behavior commonly found in the gray-area extensions: altering the user's homepage, changing the browser search behavior, injecting ads into pages, and injecting scripts into social media sites. The extensions in question typically make these changes in secret, often under the guise of doing something else. Many present themselves as toolbars of one form or another; others get side-loaded, surreptitiously, when the user runs an installer or updater for some unrelated piece of desktop software.
In the past, Mozilla attempted to curtail such extensions by publishing a set of public guidelines for acceptable add-on behavior, and blocking extensions that violate the rules. That strategy may have scaled as far as it can, though—the blocklist is quite long, and developers have taken to new strategies to evade it, such as randomly generating a different extension ID for every copy.
The plan
Preventing bad behavior in extensions is more difficult in Firefox than in other browsers like Chrome or Apple's Safari, Villalobos said, for two reasons: first, Mozilla intentionally allows its add-ons to alter more browser functionality than the competing browsers do, and second, because Mozilla does not act as the central distribution point for add-ons. Anyone can publish and distribute a Firefox extension from any site.
Finding a way to curb gray-area extensions without acting as the final gatekeeper for extension publication was the issue. As Villalobos explained, the plan that emerged after many months of discussion was to run all extensions through an automated test that checked for the blocked, gray-area behaviors, then to sign those extensions that pass using a key that only Mozilla holds. Firefox has long supported signed extensions, but the feature has rarely been used by developers. Mozilla will add a compile-time switch that makes Firefox to check for the Mozilla signature on every extension. Extensions that do not pass the signature check will be deactivated. Future Firefox releases will then be built with the signature-checking switch enabled.
That part of the plan is relatively straightforward; where things get more complicated is how the extension-signing process will be implemented. First, there will be new steps required for developers whose extensions are not hosted at Mozilla's official add-on site, addons.mozilla.org (AMO). Since AMO-hosted extensions are already required to pass a review step, the good-behavior test and signature will simply be rolled into that same process. But developers who provide extensions on their own site will have to create an AMO account and submit each build for the test-and-signature process.
The extension IDs used by each account will be logged, so that Mozilla can note suspicious behavior (like submitting a different user's extension ID, or submitting thousands of IDs). These third-party developers' AMO accounts and extensions will never be visible to the public, though, and they can continue to distribute their code at their own sites. Villalobos also mentioned that there will be yet a third process for use by developers who create extensions designed only to be used on an internal (e.g., enterprise) network—but the nature of that internal-extension-development process has yet to be announced.
The second issue is that not all well-behaved extensions will pass an automated test. But the precise nature of the automated test has not yet been made public. Villalobos said that any extension that fails can be submitted for a manual review, which Mozilla hopes will take at most a couple of days. Furthermore, he expressed Mozilla's willingness to work with known extension developers who have special needs on a case-by-case basis. The vast majority of extensions are expected to pass the automated test, since very few of them have any reason to use the functionality exploited by the problematic gray-area extensions.
Finally, although the plan hinges on not providing a run-time switch to disable signature checking (because any run-time preference or switch could be exploited by a malicious extension or installer), Mozilla will release the Developer Edition and Nightly builds of Firefox with signature-checking turned off, so that developers can test their code without waiting on signatures. Mozilla will also provide special "unbranded" Firefox builds with signature-checking disabled, via a separate download site. The unbranded builds are something of a last resort: extension developers can point users toward those builds if they cannot or will not get their extensions signed.
The signature-checking system will be rolled out in a transitional state for two full Firefox release cycles (i.e., 12 weeks), perhaps beginning as soon as Firefox 39 (currently scheduled for late June). During the transition phase, extensions that fail the signature check will prompt a warning, but will continue to run. As of now, no other add-on types (such as themes, dictionaries, plug-ins, or search engines) will be signature-checked, and there are no plans to roll out signature checking for Thunderbird or for Seamonkey (although either of those projects could independently decide to deploy the same scheme).
Feedback
As might be expected, the announcement drew plenty of vitriolic criticism; quite a few commenters on the blog post accused Mozilla of "Apple-like" or "Google-like" behavior by exerting central control over extension distribution, for example. Others likened the plan to censorship, arguing (for instance) that once the process was in place, the US government or the entertainment industry would begin pressuring Mozilla not to sign extensions they disliked. The debate was also carried over to the mozilla.addons.user-experience discussion group, where the deliberations certainly had their own share of name-calling—although participants in that forum focused primarily on how the new system would impact the process of developing extensions.
In both discussions, however, some common questions recurred. Several asked why the signature-checking scheme relied only on a signing key from Mozilla—as opposed to, say, per-developer keys, or reusing some existing trust mechanism. Villalobos replied that per-developer keys are too easily compromised by malicious developers. Similarly, Adam Novak argued that trying to implement similar safeguards through the SSL Certificate Authority (CA) system would also be easily undermined by malware developers.
Since Mozilla is intent on being the only entity that can sign an extension as passing the good-behavior test, others complained about the fact that there will be no run-time mechanism to disable signature checking. At his blog, Jeff Lyon called the plan a violation of the core principles in the Mozilla manifesto and of the spirit of free software. Subsequently, he posted his own alternative proposal to the discussion forum, in which users would be able to switch off signature-checking by visiting a Mozilla-hosted site that would generate a cryptographic token (signed by Mozilla) for each user. The token, he said, would ensure that the user had expressed their consent to switch off signature-checking, and it could be hidden behind a CAPTCHA-like "human test" to prevent abuse by malware authors.
But Lyon's suggestion, like the other run-time switch proposals,
was rejected. Essentially, the Mozilla team argued, there is no
run-time mechanism that cannot be exploited: CAPTCHAs are easily broken,
web page interaction can be scripted and run without the user's
knowledge, and settings can be altered. Mike Connor replied
that there is no way to allow unsigned non-malware extensions to run
that would not be exploited. "It's unlocking a door to
let in a friend, then leaving it unlocked forever.
" In
addition, he said, the goal is to dramatically reduce the amount of
gray-area malware in the wild, as a "herd immunity" goal.
Forward progress
Ultimately, most of the extension developers' concerns boil down to the fact that they like to push out test builds for their extension's users—sometimes even making a special build to be sent directly to a single bug reporter. Villalobos and the other Mozilla employees continued to insist that the automated extension test would not introduce a significant slow-down to that process. But it seems like many extension developers find that hard to believe.
Perhaps it would be easier to make that case if there were more details available. After all, it is easy for skeptics to imagine that the extension-checking process will be slow and work poorly when there is no evidence to the contrary. That puts Mozilla in an unenviable position, to be sure.
Similarly, there is a lot of confusion about some parts of the plan that have yet to be rolled out—such as the "unbranded" Firefox builds that will have signature-checking disabled. As Villalobos described it, users will have to seek out the unbranded Firefox builds and install them intentionally (perhaps through the Mozilla Developer Network, rather than the usual download site). Once installed, the lack of "Firefox" branding should make it obvious that a different browser is in use, so it will be hard for a malware author to trick a user into installing the vulnerable build. But that, too, is a mechanism that it is all too easy to imagine not working as expected. Mozilla will still have to show it functioning in the wild to win over some developers.
It is also unclear how the signature scheme will affect Linux distributions. Some might be interested in making Firefox builds available that have the signature-checking code compiled out. Whether or not that change would be enough to trigger a trademark dispute of the sort that led Debian to rebrand its Firefox builds as "Iceweasel" has not been explored.
In the meantime, Connor reminded those in the thread that the real goal was to improve users' security:
Villalobos, too, pointed out that the problem Mozilla is attempting to solve is that the status quo offers essentially no mechanism to block bad actors:
Connor also took issue with the suggestion that the plan violates free-software principles, noting that anyone who objects to it can still install one of the Nightly or Developer Edition builds—or even recompile Firefox themselves.
Tyler Downer estimated that the number of gray-area Firefox extensions in the wild was in the millions. That is surely a problem that needs to be addressed. How onerous extension developers and users ultimately find the new signature-checking scheme remains to be seen. It may make a significant dent in this long-standing problem—although it will surely not be the end of the Firefox malware story.
Brief items
Security quotes of the week
But that's not all. Someone with physical access to your system could reflash your system. Even if you're paranoid enough that you X-ray your machine after every border crossing and verify that no additional components have been inserted, modified firmware could still be grabbing your disk encryption passphrase and stashing it somewhere for later examination.
deb.haskell.org compromised
The Haskell.org site is currently reporting that its Debian package repository, deb.haskell.org, has been compromised. "`deb.haskell.org` was already offline and suspended shortly after these traffic changes were detected by the host monitoring system, meaning the window for package compromise was very very small. We're continuing to investigate the breach and the extent to which it might have spread."
FreeBSD random number generator broken for last 4 months
As several LWN readers have pointed out, John-Mark Gurney posted a message to the freebsd-current mailing list on February 17 noting that the random number generator (RNG) in the FreeBSD "current" kernel has been broken for the last four months. "If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. read_random(9) is used by arc4random(9) which is the primary method that arc4random(3) is seeded from. This means most/all keys generated may be predictable and must be regenerated. This includes, but not limited to, ssh keys and keys generated by openssl. This is purely a kernel issue, and a simple kernel upgrade w/ the patch is sufficient to fix the issue."
New vulnerabilities
chromium: multiple vulnerabilities
| Package(s): | chromium | CVE #(s): | CVE-2014-9646 CVE-2014-9647 CVE-2014-9648 CVE-2015-1359 CVE-2015-1360 CVE-2015-1361 | ||||
| Created: | February 18, 2015 | Updated: | February 18, 2015 | ||||
| Description: | From the CVE entries:
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the %SYSTEMDRIVE% directory, as demonstrated by program.exe, a different vulnerability than CVE-2015-1205. (CVE-2014-9646) Use-after-free vulnerability in PDFium, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to fpdfsdk/src/fpdfview.cpp and fpdfsdk/src/fsdk_mgr.cpp, a different vulnerability than CVE-2015-1205. (CVE-2014-9647) components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web site, which allows remote attackers to cause a denial of service (loss of browser access to that site) via crafted JavaScript code, as demonstrated by pandora.com and the Pandora application, a different vulnerability than CVE-2015-1205. (CVE-2014-9648) Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted PDF document, related to an "intra-object-overflow" issue, a different vulnerability than CVE-2015-1205. (CVE-2015-1359) Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improperly handled during text drawing, related to gpu/GrBitmapTextContext.cpp and gpu/GrDistanceFieldTextContext.cpp, a different vulnerability than CVE-2015-1205. (CVE-2015-1360) platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome before 40.0.2214.91, does not initialize a variable that is used in calls to the Skia SkBitmap::setAlphaType function, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document, a different vulnerability than CVE-2015-1205. (CVE-2015-1361) | ||||||
| Alerts: |
| ||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2015-1461 CVE-2015-1462 CVE-2015-1463 | ||||||||||||||||
| Created: | February 13, 2015 | Updated: | February 18, 2015 | ||||||||||||||||
| Description: | From the CVE entries: CVE-2015-1461: ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted (1) Yoda's crypter or (2) mew packer file, related to a "heap out of bounds condition." CVE-2015-1462: ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upx packer file, related to a "heap out of bounds condition." CVE-2015-1463: ClamAV before 0.98.6 allows remote attackers to cause a denial of service (crash) via a crafted petite packer file, related to an "incorrect compiler optimization." | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
cpio: directory traversal
| Package(s): | cpio | CVE #(s): | CVE-2015-1197 | ||||||||||||||||||||||||
| Created: | February 16, 2015 | Updated: | March 29, 2015 | ||||||||||||||||||||||||
| Description: | From the Gentoo advisory:
A directory traversal vulnerability has been found in GNU cpio A remote attacker may be able to entice a user to open a specially crafted archive using GNU cpio, possibly resulting in execution of arbitrary code, a Denial of Service condition, or overwriting arbitrary files. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cups: buffer overflow
| Package(s): | cups | CVE #(s): | CVE-2014-9679 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 16, 2015 | Updated: | July 18, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
A malformed file with an invalid page header and compressed raster data can trigger a buffer overflow in cupsRasterReadPixels. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
dbus: denial of service
| Package(s): | dbus | CVE #(s): | CVE-2015-0245 | ||||||||||||||||||||||||||||||||||||||||
| Created: | February 12, 2015 | Updated: | January 11, 2017 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Simon McVittie discovered a local denial of service flaw in dbus, an asynchronous inter-process communication system. On systems with systemd-style service activation, dbus-daemon does not prevent forged ActivationFailure messages from non-root processes. A malicious local user could use this flaw to trick dbus-daemon into thinking that systemd failed to activate a system service, resulting in an error reply back to the requester. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
file: memory leak
| Package(s): | file | CVE #(s): | CVE-2014-9653 | ||||||||||||||||||||||||||||||||||||||||
| Created: | February 18, 2015 | Updated: | April 20, 2015 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
It was reported that a malformed elf file can cause file urility to access invalid memory. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
glibc: two vulnerabilities
| Package(s): | glibc | CVE #(s): | CVE-2015-1472 CVE-2015-1473 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 18, 2015 | Updated: | February 18, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer (CVE-2015-1472). The incorrect use of "__libc_use_alloca (newsize)" caused a different (and weaker) policy to be enforced which could allow a denial of service attack (CVE-2015-1473). | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
jython: code execution
| Package(s): | jython | CVE #(s): | CVE-2013-2027 | ||||||||||||
| Created: | February 12, 2015 | Updated: | March 30, 2015 | ||||||||||||
| Description: | From the SUSE bugzilla entry:
There are [several] problems with the way Jython creates class cache files, potentially leading to arbitrary code execution or information disclosure. # (umask 000; jython -c 'import xmllib') # ls -l '/usr/share/jython/Lib/xmllib$py.class' -rw-rw-rw-. 1 root root 52874 Apr 3 17:24 /usr/share/jython/Lib/xmllib$py.classJython does not explicitly set permissions of the class files; therefore with weak umask it creates world-writable files, or discloses sensitive data that would be in a non-world-readable package file. Also, the package writes to /usr/share, which it shouldn't; /var/cache would be more appropriate, but would still lead to a possibility of a content disclosure. The only really portable and secure way to cache class files would be a directory in user's home with 0700 permissions. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2013-7421 CVE-2014-9644 CVE-2015-1421 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 18, 2015 | Updated: | May 27, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
Linux Kernel 2.6.38 through 3.18 are affected by a flaw in the Crypto API that allows any local user to load any installed kernel module on systems where CONFIG_CRYPTO_USER_API=y by abusing the request_module() call (CVE-2013-7421, CVE-2014-9644). When hitting an sctp INIT collision case during the 4WHS with AUTH enabled, it can create a local denial of service by triggerinf a panic on server side (CVE-2015-1421). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
mdadm: command injection
| Package(s): | mdadm | CVE #(s): | CVE-2014-5220 | ||||
| Created: | February 18, 2015 | Updated: | February 18, 2015 | ||||
| Description: | From the openSUSE advisory:
mdcheck doesn't validate the input of mdadm --detail --export, possible command injection | ||||||
| Alerts: |
| ||||||
moodle: cross-site scripting
| Package(s): | moodle | CVE #(s): | CVE-2015-0216 | ||||
| Created: | February 16, 2015 | Updated: | February 18, 2015 | ||||
| Description: | From the Red Hat bugzilla:
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask Description: Users with capability to grade in Lesson module were not reported as users with XSS risk but their feedback was displayed without cleaning Issue summary: mod/lesson:grade capability missing RISK_XSS but essay feedback is displayed with noclean=true
Severity/Risk: Minor | ||||||
| Alerts: |
| ||||||
oracle-jre-bin: multiple unspecified vulnerabilities
| Package(s): | oracle-jre-bin | CVE #(s): | CVE-2014-0463 CVE-2014-0464 CVE-2014-2410 CVE-2014-4247 CVE-2014-6466 CVE-2014-6485 | ||||||||
| Created: | February 16, 2015 | Updated: | February 18, 2015 | ||||||||
| Description: | From the CVE entries
Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0464. (CVE-2014-0463) Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0463. (CVE-2014-0464) Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX. (CVE-2014-2410) Unspecified vulnerability in Oracle Java SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX. (CVE-2014-4247) Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (CVE-2014-6466) Unspecified vulnerability in Oracle Java SE 8u20 and JavaFX 2.2.65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (CVE-2014-6485) | ||||||||||
| Alerts: |
| ||||||||||
perl-Gtk2: code execution
| Package(s): | perl-Gtk2 | CVE #(s): | |||||||||||||||||||||||||
| Created: | February 12, 2015 | Updated: | March 2, 2015 | ||||||||||||||||||||||||
| Description: | From the Mageia advisory:
Incorrect memory management in Gtk2::Gdk::Display::list_devices in perl-Gtk2 before 1.2495, where, the code was freeing memory that gtk+ still holds onto and might access later. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
php5: multiple vulnerabilities
| Package(s): | php5 | CVE #(s): | CVE-2014-9652 CVE-2015-1351 CVE-2015-1352 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 18, 2015 | Updated: | April 27, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
It was discovered that PHP incorrectly handled certain pascal strings in the fileinfo extension. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9652) It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1351) It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1352) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
pigz: directory traversal
| Package(s): | pigz | CVE #(s): | CVE-2015-1191 | ||||||||||||||||||||
| Created: | February 16, 2015 | Updated: | March 7, 2016 | ||||||||||||||||||||
| Description: | From the CVE entry:
Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
puppetlabs-stdlib: privilege escalation
| Package(s): | puppetlabs-stdlib | CVE #(s): | CVE-2015-1029 | ||||||||
| Created: | February 16, 2015 | Updated: | February 18, 2015 | ||||||||
| Description: | From the CVE entry:
The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache. | ||||||||||
| Alerts: |
| ||||||||||
roundcubemail: cross-site scripting
| Package(s): | roundcubemail | CVE #(s): | CVE-2015-1433 | ||||||||||||||||
| Created: | February 13, 2015 | Updated: | February 18, 2015 | ||||||||||||||||
| Description: | From the openSUSE advisory: program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 did not properly quote strings, which allowed remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
sudo: information disclosure
| Package(s): | sudo | CVE #(s): | CVE-2014-9680 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 17, 2015 | Updated: | November 4, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the sudo advisory:
Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library's TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
unzip: code execution
| Package(s): | unzip | CVE #(s): | CVE-2015-1315 | ||||
| Created: | February 18, 2015 | Updated: | February 18, 2015 | ||||
| Description: | From the Ubuntu advisory:
William Robinet discovered that unzip incorrectly handled certain malformed zip archives. If a user or automated system were tricked into processing a specially crafted zip archive, an attacker could possibly execute arbitrary code. | ||||||
| Alerts: |
| ||||||
virt-who: information leak
| Package(s): | virt-who | CVE #(s): | CVE-2014-0189 | ||||||||||||
| Created: | February 16, 2015 | Updated: | March 6, 2015 | ||||||||||||
| Description: | From the CVE entry:
virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain password for hypervisors by reading the file. | ||||||||||||||
| Alerts: |
| ||||||||||||||
xorg-server: information leak/denial of service
| Package(s): | xorg-server | CVE #(s): | CVE-2015-0255 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 12, 2015 | Updated: | May 1, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the X.Org advisory:
Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request. The issue stems from the server trusting the client to send valid string lengths in the request data. A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. The data length is at least up to 64k, it is possible to obtain more data by chaining strings, each string length is then determined by whatever happens to be in that 16-bit region of memory. A similarly crafted request can likely cause the X server to crash. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>