Security

CVE-2015-0556: Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive.

CVE-2015-0557: Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker could use this flaw to write to arbitrary files if a user or automated system were tricked into processing a specially crafted arj archive.

CVE-2015-2782: Jakub Wilk and Guillem Jover discovered a buffer overflow vulnerability in arj. A remote attacker could use this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the user running arj.

Buffer overflow vulnerability has been reported in CHICKEN Scheme's substring-index[-ci] procedures. This overrun is only triggered when an integer greater than zero is passed as the optional START argument. As a work-around users are advised to switch to the equivalent string-contains procedure from SRFI 13 which is also shipped with CHICKEN.

All releases of CHICKEN up until 4.9.0.1 are affected.

From the Arch advisory:

CVE-2015-1233 (remote code execution): A combination of V8, Gamepad and IPC bugs can lead to remote code execution outside of the sandbox.

CVE-2015-1234 (buffer overflow): Buffer overflow via a race condition in GPU.

From the Drupal advisory:

Access bypass in autocomplete (Drupal 7 only):

Among other many other things, CTools provides an autocomplete callback for finding entities by their titles or ID.

In CTools version 1.5, additional checks were created to defend against leaking titles for entities that the user doesn't have access to. However, certain edge cases were found to leak this private data.

This vulnerability is mitigated by the fact that you must perform the autocomplete search on custom entities that don't include an access query tag, or you must know the ID of the entity whose title you are trying to get.

Open redirect in confirmation pages (Drupal 6 and 7):

Also, CTools did not sanitize user provided URLs when processing confirmation delete pages, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that a module using CTools must allow for users to insert a malicious external URL that is sent to the confirmation page.

Taking the default account tech, he is only allowed to add users in the following groups: Self-Service, Technician. He has not the right over, for example, the super-admin group. So he cannot add the super-admin privileges to an existing user.

The problem is when creating a new user. When intercepting the POST request (GLPI_ROOT/front/user.form.php) of a user creation and modifying the _profiles_id parameter (corresponding to the group attached to the user) to 4, the new user will have the super-admin privileges.

From the SUSE advisory:

The XEN usb backend could leak information to the guest system due to copying uninitialized memory.

Jamie and I discovered there was a flaw in the way the xsave/xrstor (and their alternative instructions) were being protected against a fault in kernel space from linux 3.15. The problem was introduced in commit f31a9f7 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area") which ends up protecting the .altinstr_replacement from faulting instead of the target of the alternative in .text, leaving the instruction un-protected.

An uninitialized data structure flaw was found in lasso, a library that implements SSO standards. A remote attacker could potentially use this flaw to crash an application using the lasso library.

From the Arch advisory:

A two-byte stack overflow has been found in the ASN.1 DER decoding logic of libtasn1.

An attacker may be able to crash a program using libtasn1 by submitting a crafted X.509 structure to the program.

A path traversal vulnerability was discovered in Mailman, the mailing list manager. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system.

QtWebKit upstream are reviewing a patch that prevents it recording visited URLs to its favicon database (WebpageIcons.db) while using private browsing mode:

- https://codereview.qt-project.org/#/c/108936/

Security researcher Muneaki Nishimura discovered a flaw in the Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM), replacing the original certificate with their own.

A remote attacker in position of man-in-the-middle can impersonate another site, bypassing certificate validation.

noVNC before 0.5.1 allows an attacker to steal insecurely set session token cookies, hijacking active or inactive VNC sessions.

CVE-2015-1798 (accept unauthenticated packets): When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server.

CVE-2015-1799 (denial of service): An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack

It was discovered that the OpenStack Compute (nova) console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.

It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root.

From the Mandriva advisory:

Login bypass when using user_ldap due to unauthenticated binds (CVE-2014-9043)

Login bypass when using the external FTP user backend (CVE-2014-9045)

CSRF in bookmarks application (CVE-2014-9041)

Stored XSS in bookmarks application (CVE-2014-9042)

Multiple stored XSS in contacts application (oC-SA-2015-001)

Multiple stored XSS in documents application (oC-SA-2015-002)

Bypass of file blacklist (oC-SA-2015-004)

It was discovered that Oxide did not correctly manage the lifetime of BrowserContext, resulting in a potential use-after-free in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program.

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.

The move_uploaded_file implementation in ext/standard/basic_FUNCTIONs.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathNAME upon encountering a x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected NAMEs via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for bug CVE-2006-7243.

Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

* quassel could crash when receiving an overlength CTCP query containing only multibyte characters (bnc#924930 CVE-2015-2778)

* quassel could incorrectly split a message in the middle of a multibyte character, leading to DoS (bnc#924933 CVE-2015-2779)

From the Mandriva advisory:

Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests (CVE-2015-0202).

Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers (CVE-2015-0248).

Subversion HTTP servers allow spoofing svn:author property values for new revisions (CVE-2015-0251).

From the Red Hat bug report:

A flaw was found in the pre-install script of texlive-base package derived from texlive package. This flaw allows unprivileged user to remove arbitrary files on the system.

CVE-2015-2928: "disgleirio" discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible.

CVE-2015-2929: "DonnchaC" discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors.