Security
Progress in security module stacking
It would seem that a long-running saga in kernel development may be coming to a close. Stacking (also composing or chaining) of Linux Security Modules (LSMs) has been discussed, debated, and developed in kernel security circles for many years; we have looked at the issue from a number of angles starting in 2009 (and here), but patches go back to at least 2004. After multiple fits and starts, it looks like something might finally make its way into the mainline kernel.
In a nutshell, the problem is that any security enhancements that are suggested for the kernel are inevitably pushed toward the LSM API. But there can only be one LSM active in a given kernel instance and most distributions already have that slot filled. Linux capabilities would logically be implemented in an LSM, but that would conflict with any other module that was loaded. To get around that problem, capabilities have been hardwired into each LSM, so that the capability checks are done as needed by those modules. The Yama LSM has also been manually stacked, if it is configured into the kernel, by calling its four hooks before the hooks from the active LSM are called. These are ad hoc solutions that cannot really be used for additional modules that might need to all be active, so a better way has been sought.
The last time we looked in on the issue was after the 2013 Linux Security Summit (LSS). Smack creator Casey Schaufler, who has been the most recent one to push stacking, presented his solution to attendees; he was looking for feedback on his approach. Schaufler's proposal was a complex solution that attempted to solve "all" of the stacking problems at once. In particular, it allowed using more than one of the LSMs that provide a full security model (the so-called "monolithic" LSMs: SELinux, Smack, TOMOYO, and AppArmor), which is a bit hard to justify in some eyes. For most, the pressing need for stacking is to support several single-purpose LSMs atop one of those monolithic security models, much like is done with Yama.
In addition, Schaufler's patches tried to handle network packet labeling for multiple LSMs (to the extent possible) and added to the user-space interface under /proc/PID/attr. Each active LSM would have a subdirectory under attr with its attributes, while one LSM, chosen through a configuration option, would present its attributes in the main attr directory. These additions also added complexity, so the consensus that emerged from the 2013 LSS attendees was to go back to the basics.
Schaufler has been working on that simplification. The 21st version of the
patch set was posted on March 9,
though the changes in this round are mostly just tweaks. The previous version picked
up an ack from Yama developer Kees Cook, was tested by SELinux developer
Stephen Smalley, and got a "this version looks almost perfect
"
from TOMOYO developer Tetsuo Handa. It looks like it could get into
security maintainer James
Morris's branch targeting the -next tree, which might mean we will see it
in 4.1.
The approach this time is a return to a much simpler world. Gone are the thoughts of stacking more than one monolithic LSM; this proposal creates a mechanism to stack the LSM hooks and to consult them when trying to decide on access requests. The interface for a given LSM used to be a struct security_operations that was filled out with pointers for each of the hooks to be called when making access decisions. That has been replaced with a union (security_list_options) that can hold a pointer to each of the different hook functions. That union is meant to allow for a single list type that can hold any of the hook functions, but still provide type checking.
Instead of filling in the sparse security_operations structure, LSMs now initialize an array that contains each of their hooks. That gets handed off to the security_add_hooks() function that adds the hooks to the lists for each hook that the LSM infrastructure maintains internally. Those lists are initialized with the capabilities hooks; Yama hooks are then added if that LSM is configured for the kernel. For the rest of the LSMs, all of which are monolithic, only one can be chosen at boot time to have its hooks added to the list.
When an access decision needs to be made, the hooks are called in the order that they were added. Unlike some previous iterations, the access checking will terminate when any of the hooks on the list denies access. If none do, then the access is allowed.
That puts all of the machinery in place to provide stacking, but it doesn't allow choosing more than one of the monolithic LSMs on any given kernel boot. Multiple monolithic LSMs can be configured into the kernel, and one be specified as the default, but that can be overridden with the security= kernel boot parameter. New LSMs could be added to the kernel code, like Yama has been, but those will presumably be configured into the kernel at build time.
Currently, Yama is the only smaller LSM in the tree and it is chosen (or not) at build time; the others are either not optional (capabilities) or can only have a single chosen representative added into the hook list at kernel initialization time. Essentially, Schaufler's patches avoid multiple monolithic modules that are active in a given boot by not providing a mechanism to choose more than one. That avoids the conflicts and complexity that earlier attempts had run aground on. As he noted:
Another change that Schaufler has made is to split the security.h header file for LSMs in two: one for the internal, common LSM-handling mechanism (which stays in security.h) and one that defines the hooks and macros that will be used by LSMs (which is contained in the new lsm_hooks.h file). While that change is large in terms of lines of code, it is largely janitorial, but it will make the interface boundaries clearer.
If Schaufler's patches make it into the mainline, that may spur some of the smaller out-of-tree LSMs to "come in from the cold" and get submitted to the mainline. It may also help to remove the "single LSM" barrier that crops up when new security protections are proposed for the kernel. Providing a mechanism to support these kinds of protections, while steering clear of core kernel code, could lead to more of those protections in the mainline and, eventually, available in distributions. It will be interesting to see what that leads.
Brief items
Security quote of the week
But what it highlights is the fact that we're living in a world where we can't easily tell the difference between a couple of guys in a basement apartment and the North Korean government with an estimated $10 billion military budget. And that ambiguity has profound implications for how countries will conduct foreign policy in the Internet age.
Exploiting the DRAM rowhammer bug to gain kernel privileges
The Project Zero blog looks at the "Rowhammer" bug. "“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory." (Thanks to Paul Wise)
New vulnerabilities
389-ds-base: multiple vulnerabilities
| Package(s): | 389-ds-base | CVE #(s): | CVE-2014-8105 CVE-2014-8112 | ||||||||||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | March 26, 2015 | ||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords. (CVE-2014-8105) It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information. (CVE-2014-8112) | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
autofs: privilege escalation
| Package(s): | autofs | CVE #(s): | CVE-2014-8169 | ||||||||||||||||||||||||||||||||
| Created: | March 11, 2015 | Updated: | December 22, 2015 | ||||||||||||||||||||||||||||||||
| Description: | From the openSUSE advisory:
The automount service autofs was updated to prevent a potential privilege escalation via interpreter load path for program-based automount maps. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
chromium-browser: multiple vulnerabilities
| Package(s): | chromium-browser | CVE #(s): | CVE-2015-1213 CVE-2015-1214 CVE-2015-1215 CVE-2015-1216 CVE-2015-1217 CVE-2015-1218 CVE-2015-1219 CVE-2015-1220 CVE-2015-1221 CVE-2015-1222 CVE-2015-1223 CVE-2015-1224 CVE-2015-1225 CVE-2015-1226 CVE-2015-1227 CVE-2015-1228 CVE-2015-1229 CVE-2015-1230 CVE-2015-1231 | ||||||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | April 1, 2015 | ||||||||||||||||||||||||
| Description: | From the Chromium changelogs: CVE-2015-1213: Out-of-bounds write in skia filters. CVE-2015-1214: Out-of-bounds write in skia filters. CVE-2015-1215: Out-of-bounds write in skia filters. CVE-2015-1216: Use-after-free in v8 bindings. CVE-2015-1217: Type confusion in v8 bindings. CVE-2015-1218: Use-after-free in dom. CVE-2015-1219: Integer overflow in webgl. CVE-2015-1220: Use-after-free in gif decoder. CVE-2015-1221: Use-after-free in web databases. CVE-2015-1222: Use-after-free in service workers. CVE-2015-1223: Use-after-free in dom. CVE-2015-1224: Out-of-bounds read in vpxdecoder. CVE-2015-1225: Out-of-bounds read in pdfium. CVE-2015-1226: Validation issue in debugger. CVE-2015-1227: Uninitialized value in blink. CVE-2015-1228: Uninitialized value in rendering. CVE-2015-1229: Cookie injection via proxies. CVE-2015-1230: Type confusion in v8. CVE-2015-1231: Various fixes from internal audits, fuzzing and other initiatives. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
dokuwiki: access control circumvention
| Package(s): | dokuwiki | CVE #(s): | CVE-2015-2172 | ||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | March 27, 2015 | ||||||||||||||||||||
| Description: | From the Mageia advisory: DokuWiki before 20140929c has a security issue in the ACL plugins remote API component. The plugin failed to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also had permissions to set up their own ACL rules and thus circumventing any existing rules. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
ecryptfs-utils: information disclosure
| Package(s): | ecryptfs-utils | CVE #(s): | CVE-2014-9687 | ||||||||||||||||||||
| Created: | March 11, 2015 | Updated: | July 30, 2015 | ||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Sylvain Pelissier discovered that eCryptfs did not generate a random salt when encrypting the mount passphrase with the login password. An attacker could use this issue to discover the login password used to protect the mount passphrase and gain unintended access to the encrypted files. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
glibc: denial of service
| Package(s): | glibc | CVE #(s): | CVE-2014-8121 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | September 28, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
glusterfs: denial of service
| Package(s): | glusterfs | CVE #(s): | CVE-2014-3619 | ||||||||||||||||
| Created: | March 11, 2015 | Updated: | April 27, 2015 | ||||||||||||||||
| Description: | From the openSUSE advisory:
glusterfs was updated to fix a fragment header infinite loop denial of service attack. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
gnupg: multiple vulnerabilities
| Package(s): | gnupg | CVE #(s): | CVE-2014-3591 CVE-2015-0837 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | June 6, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Fedora bug reports: A side-channel attack which can potentially lead to an information leak. (CVE-2014-3591) A side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak. (CVE-2015-0837) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2015-0275 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 9, 2015 | Updated: | March 16, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
A flaw was found in the way the Linux kernel's EXT4 filesystem handled page size > block size condition when fallocate zero range functionality is used. Also from the Red Hat bugzilla, no CVE provided: It was reported that in vhost_scsi_make_tpg() the limit for "tpgt" is UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16. In the context it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements, so anything higher than 255 then is invalid. Attached patch corrects this. In vhost_scsi_send_evt() the values higher than 255 are masked, but now that the limit has changed, the mask is not needed. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2014-8172 CVE-2014-8173 CVE-2015-0274 | ||||||||||||||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way the Linux kernel's XFS file system handled replacing of remote attributes under certain conditions. A local user with access to XFS file system mount could potentially use this flaw to escalate their privileges on the system. (CVE-2015-0274) It was found that due to excessive files_lock locking, a soft lockup could be triggered in the Linux kernel when performing asynchronous I/O operations. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8172) A NULL pointer dereference flaw was found in the way the Linux kernel's madvise MADV_WILLNEED functionality handled page table locking. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8173) | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
lftp: automatically accepting ssh keys
| Package(s): | lftp | CVE #(s): | |||||||||
| Created: | March 5, 2015 | Updated: | March 11, 2015 | ||||||||
| Description: | From the Red Hat bugzilla entry:
It was reported that lftp saves unknown host's fingerprint in known_hosts without any prompt | ||||||||||
| Alerts: |
| ||||||||||
libarchive: directory traversal
| Package(s): | libarchive | CVE #(s): | CVE-2015-2304 | ||||||||||||||||||||||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | March 30, 2015 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory: Alexander Cherepanov discovered that bsdcpio, an implementation of the 'cpio' program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
libssh2: information leak
| Package(s): | libssh2 | CVE #(s): | CVE-2015-1782 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 11, 2015 | Updated: | December 22, 2015 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Mariusz Ziulek reported that libssh2, a SSH2 client-side library, was reading and using the SSH_MSG_KEXINIT packet without doing sufficient range checks when negotiating a new SSH session with a remote server. A malicious attacker could man in the middle a real server and cause a client using the libssh2 library to crash (denial of service) or otherwise read and use unintended memory areas in this process. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
mapserver: command execution
| Package(s): | mapserver | CVE #(s): | CVE-2013-7262 | ||||||||||||
| Created: | March 9, 2015 | Updated: | March 20, 2015 | ||||||||||||
| Description: | From the CVE entry:
SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter | ||||||||||||||
| Alerts: |
| ||||||||||||||
maradns: denial of service
| Package(s): | maradns | CVE #(s): | |||||||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||||||
| Description: | From the Mageia advisory: maradns versions prior to 1.4.16 are vulnerable to a DoS-vulnerability through which a malicious authorative DNS-server can cause an infinite chain of referrals. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mod-gnutls: restriction bypass
| Package(s): | mod-gnutls | CVE #(s): | CVE-2015-2091 | ||||||||
| Created: | March 11, 2015 | Updated: | March 16, 2015 | ||||||||
| Description: | From the Debian advisory:
Thomas Klute discovered that in mod-gnutls, an Apache module providing SSL and TLS encryption with GnuTLS, a bug caused the server's client verify mode not to be considered at all, in case the directory's configuration was unset. Clients with invalid certificates were then able to leverage this flaw in order to get access to that directory. | ||||||||||
| Alerts: |
| ||||||||||
openstack-glance: denial of service
| Package(s): | openstack-glance | CVE #(s): | CVE-2014-9623 | ||||||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||||||
| Description: | From the Red Hat advisory: A storage quota bypass flaw was found in OpenStack Image (glance). If an image was deleted while it was being uploaded, it would not count towards a user's quota. A malicious user could use this flaw to deliberately fill the backing store, and cause a denial of service. | ||||||||||||||
| Alerts: |
| ||||||||||||||
openssh: authentication bypass
| Package(s): | openssh | CVE #(s): | CVE-2014-9278 | ||||||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||||||
| Description: | From the Red Hat advisory: It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. | ||||||||||||||
| Alerts: |
| ||||||||||||||
oxide-qt: denial of service
| Package(s): | oxide-qt | CVE #(s): | CVE-2015-2238 | ||||
| Created: | March 10, 2015 | Updated: | March 11, 2015 | ||||
| Description: | From the CVE entry:
Multiple unspecified vulnerabilities in Google V8 before 4.1.0.21, as used in Google Chrome before 41.0.2272.76, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||||
| Alerts: |
| ||||||
percona-toolkit: man-in-the-middle attack
| Package(s): | percona-toolkit, xtrabackup | CVE #(s): | CVE-2015-1027 | ||||
| Created: | March 11, 2015 | Updated: | March 11, 2015 | ||||
| Description: | From the openSUSE advisory:
Percona XtraBackup was vulnerable to MITM attack which could allow exfiltration of MySQL configuration information via the --version-check option. | ||||||
| Alerts: |
| ||||||
php: predictable cache filenames
| Package(s): | PHP 5.3 | CVE #(s): | CVE-2013-6501 | ||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||
| Description: | From the SUSE bug tracker: The php wdsl extension is reading predictable filename from a cache directory (default /tmp). Could allow injection of WSDL file. | ||||||||||
| Alerts: |
| ||||||||||
pngcrush: denial of service
| Package(s): | pngcrush | CVE #(s): | CVE-2015-2158 | ||||
| Created: | March 11, 2015 | Updated: | March 11, 2015 | ||||
| Description: | From the
pngcrush-1.7.84 fixes defects reported by Coverity-scan, so it should be more resistant to crashes due to malformed input files, such as the one presented in CVE-2015-2158. | ||||||
| Alerts: |
| ||||||
powerpc-utils: information disclosure
| Package(s): | powerpc-utils | CVE #(s): | CVE-2014-4040 | ||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||
| Description: | From the Red Hat advisory: A flaw was found in the way the snap utility of powerpc-utils generated an archive containing a configuration snapshot of a service. A local attacker could obtain sensitive information from the generated archive such as plain text passwords. | ||||||
| Alerts: |
| ||||||
putty: information disclosure
| Package(s): | putty, filezilla | CVE #(s): | CVE-2015-2157 | ||||||||||||||||||||||||||||
| Created: | March 9, 2015 | Updated: | March 29, 2015 | ||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key information from memory when loading and saving key files to disk, leading to potential disclosure. The issue affects keys stored on disk in encrypted and unencrypted form, and is present in PuTTY, Plink, PSCP, PSFTP, Pageant and PuTTYgen. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
python: missing hostname check
| Package(s): | python | CVE #(s): | CVE-2014-9365 | ||||||||||||||||||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||||||||||||||||||
| Description: | From the Mageia advisory: When Python's standard library HTTP clients (httplib, urllib, urllib2, xmlrpclib) are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against the requested host. It was possible to configure a trust root to be checked against, however there were no faculties for hostname checking (CVE-2014-9365). Note that this issue also affects python3, and is fixed upstream in version 3.4.3, but the fix was considered too intrusive to backport to Python3 3.3.x. No update for the python3 package for this issue is planned at this time. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
qpid-cpp: multiple vulnerabilities
| Package(s): | qpid-cpp | CVE #(s): | CVE-2015-0203 CVE-2015-0223 CVE-2015-0224 | ||||||||||||||||||||||||||||
| Created: | March 10, 2015 | Updated: | June 22, 2015 | ||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
It was discovered that the Qpid daemon (qpidd) did not restrict access to anonymous users when the ANONYMOUS mechanism was disallowed. (CVE-2015-0223) Multiple flaws were found in the way the Qpid daemon (qpidd) processed certain protocol sequences. An unauthenticated attacker able to send a specially crafted protocol sequence set could use these flaws to crash qpidd. (CVE-2015-0203, CVE-2015-0224) | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
redhat-access-plugin-openstack: information disclosure
| Package(s): | redhat-access-plugin-openstack | CVE #(s): | CVE-2015-0271 | ||||||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||||||
| Description: | From the Red Hat advisory: It was found that the local log-viewing function of the redhat-access-plugin for OpenStack Dashboard (horizon) did not sanitize user input. An authenticated user could use this flaw to read an arbitrary file with the permissions of the web server. | ||||||||||||||
| Alerts: |
| ||||||||||||||
tiff: multiple vulnerabilities
| Package(s): | tiff | CVE #(s): | CVE-2014-8127 CVE-2014-8128 CVE-2014-8129 CVE-2014-8130 CVE-2014-9655 CVE-2015-1547 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 9, 2015 | Updated: | November 2, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the openSUSE advisory:
LibTIFF was updated to fix various security issues that could lead to crashes of the image decoder. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
vlc: code execution
| Package(s): | vlc | CVE #(s): | CVE-2014-6440 | ||||||||
| Created: | March 6, 2015 | Updated: | March 11, 2015 | ||||||||
| Description: | From the Mageia advisory: VLC versions before 2.1.5 contain a vulnerability in the transcode module that may allow a corrupted stream to overflow buffers on the heap. With a non-malicious input, this could lead to heap corruption and a crash. However, under the right circumstances, a malicious attacker could potentially use this vulnerability to hijack program execution, and on some platforms, execute arbitrary code. | ||||||||||
| Alerts: |
| ||||||||||
xen: multiple vulnerabilities
| Package(s): | xen | CVE #(s): | CVE-2015-2044 CVE-2015-2045 CVE-2015-2151 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 11, 2015 | Updated: | March 23, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Multiple security issues have been found in the Xen virtualisation solution: CVE-2015-2044: Information leak via x86 system device emulation. CVE-2015-2045: Information leak in the HYPERVISOR_xen_version() hypercall. CVE-2015-2151: Missing input sanitising in the x86 emulator could result in information disclosure, denial of service or potentially privilege escalation. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>