Security

Tavis Ormandy discovered that Aptdeamon incorrectly handled the simulate dbus method. A local attacker could use this issue to possibly expose sensitive information, or perform other file access as the root user.

Changes since 0.2.8.3.2:

• security fix: do not read ahead of the beginning of network buffer.
• security fix: don't attribute network errors from processing random packets to the connection to the server
• security fix: while at it, don't process random packets unless they may be important
• fix for potential crash with friend list filtering
• intel driver compatibility
• fix for rare crash with sound lock
• fix for camera turning for bizarre axis configurations

Force cabal upload to always use digest auth and never basic auth

On 64-bit (not on 32-bit) OpenSUSE 13.2 when running command LANG=en_US.UTF-8 sort -f sort_bug_caseinsensitive.txt

I get the following error (remark: changing a single character in the file to sort won't show the error anymore; the same is true for not case-insensitive search, no UTF-8 or not running on 64-bit)

2015-06-12 - FileZilla Server 0.9.53 released

Bugfixes and minor changes:

Updated OpenSSL to 1.0.2b due to several security vulnerabilities in OpenSSL

It was reported that FreeCAD downloads and executes code (e.g. ArchCommands.py) from the network, from https. This uses urllib2, which does not check https certificates. The files that are downloaded occur when attempting to activate non-present module features, such as via opening a DXF file. This can allow Man-in-the-Middle attack, leading to code execution.

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

CVE-2011-5321: Jiri Slaby discovered that tty_driver_lookup_tty() may leak a reference to the tty driver. A local user could use this flaw to crash the system.

CVE-2012-6689: Pablo Neira Ayuso discovered that non-root user-space processes can send forged Netlink notifications to other processes. A local user could use this flaw for denial of service or privilege escalation.

CVE-2014-9728 / CVE-2014-9729 / CVE-2014-9730 / CVE-2014-9731 / CVE-2015-4167: Carl Henrik Lunde discovered that the UDF implementation is missing several necessary length checks. A local user that can mount devices could use these various flaws to crash the system, to leak information from the kernel, or possibly for privilege escalation.

msrle: Use FFABS to determine the frame size in msrle_decode_pal4

A denial of service flaw was found when assembling a log message regarding invalid bit names (caused by a fuzzer setting all of them, and our bitnames buffer being too small). On libreswan, this hits a passert() and causes the daemon to restart.

From the Arch Linux advisory:

CVE-2015-1788 (denial of service) - When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.

CVE-2015-1789 (out-of-bounds read) - X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.

CVE-2015-1790 (denial of service) - The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

CVE-2015-1791 (double free) - If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.

CVE-2015-1792 (denial of service) - When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.

From the Ubuntu advisory:

Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered that OpenSSL incorrectly handled memory when buffering DTLS data. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

A flaw was found in the way the OpenSSL packages shipped with Red Hat Enterprise Linux 6 and 7 performed locking in the ssleay_rand_bytes() function. This issue could possibly cause a multi-threaded application using OpenSSL to perform an out-of-bounds read and crash.

Alexander Cherepanov discovered that p7zip is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

From the Tidy CVE request:

Tidy is affected by a write out of bounds when processing malformed html files. This issue could be abused on server side applications that use php-tidy extension with user input.

Kostya Kortchinsky discovered multiple flaws in wpa_supplicant and hostapd. A remote attacker could use these issues to cause wpa_supplicant or hostapd to crash, resulting in a denial of service.

CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer encoding (boo#930077) CVE-2015-4143: EAP-pwd missing payload length validation (boo#930079)

From the Xen advisories:

CVE-2015-4163 - With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest issued this hypercall without a prior GNTTABOP_setup_table or GNTTABOP_set_version.

The effect is a possible NULL pointer dereferences. However, this cannot be exploited to elevate privileges of the attacking domain, as the maximum memory address that can be wrongly accessed this way is bounded to far below the start of hypervisor memory.

CVE-2015-4164 - A buggy loop in Xen's compat_iret() function iterates the wrong way around a 32-bit index. Any 32-bit PV guest kernel can trigger this vulnerability by attempting a hypercall_iret with EFLAGS.VM set.

Given the use of __get/put_user(), and that the virtual addresses in question are contained within the lower canonical half, the guest cannot clobber any hypervisor data. Instead, Xen will take up to 2^33 pagefaults, in sequence, effectively hanging the host.