Security

Update to 1.9.2. Fixes CVE-2015-3908 (hostname and cert matching in some modules and plugins) and another not yet issued CVE on chroot/jail/zone connection plugins as well as a number of bugfixes.

A bit more information can be found on the Ansible security page:

CVE-2015-3908 - Ensure that hostnames match certificate names when using HTTPS - resolved in Ansible 1.9.2

Number pending - Improprer symlink handling in zone, jail, and chroot connection plugins could lead to escape from confined environment - resolved in Ansible 1.9.2

A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a "REQUIRE" failure in name.c when validating the data returned in answer to a recursive query.

This means that a recursive resolver that is performing DNSSEC validation can be deliberately stopped by an attacker who can cause the resolver to perform a query against a maliciously-constructed zone.

A remote attacker can crash a bind resolver performing DNSSEC validation by querying it for a specially crafted zone.

Petr Sklenar discovered that the cups-filters texttopdf filter incorrectly handled line sizes. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code as the lp user. (CVE-2015-3258, CVE-2015-3279)

From the Arch advisory:

CVE-2015-2726 (Miscellaneous memory safety hazards): Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

From the Mozilla advisories:

CVE-2015-2724, CVE-2015-2725: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

CVE-2015-2722, CVE-2015-2733: Security researcher Looben Yan used the Address Sanitizer tool to discover two related use-after-free vulnerabilities that occur when using XMLHttpRequest in concert with either shared or dedicated workers. These errors occur when the XMLHttpRequest object is attached to a worker but that object is incorrectly deleted while still in use. This results in exploitable crashes.

CVE-2015-2731: Security researcher Herre reported a use-after-free vulnerability when a Content Policy modifies the Document Object Model to remove a DOM object, which is then used afterwards due to an error in microtask implementation. This leads to an exploitable crash.

CVE-2015-2729: Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover an out-of-bound read while computing an oscillator rendering range in Web Audio. This could allow an attacker to infer the contents of four bytes of memory.

CVE-2015-2728: Security researcher Paul Bandha reported a type confusion error where part of IDBDatabase is read by the Indexed Database Manager and incorrectly used as a pointer when it shouldn't be used as such. This leads to memory corruption and the possibility of an exploitable crash.

CVE-2015-2727: Security researcher Jann Horn reported that when Mozilla Foundation Security Advisory 2015-25 was fixed in Firefox 37, an error was made that caused the fix to not be applied to Firefox 38, effectively causing the bug to be unfixed in Firefox 38 (and Firefox ESR38) once it shipped. As Armin Razmdjou reported for that issue, opening hyperlinks on a page with the mouse and specific keyboard key combinations could allow a Chrome privileged URL to be opened without context restrictions being preserved. This could allow for local files or resources from a known location to be opened with local privileges, bypassing security protections.

CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740: Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them.

From the Red Hat advisory:

It was found that Firefox skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. (CVE-2015-2741)

A flaw was discovered in Mozilla's PDF.js PDF file viewer. When combined with another vulnerability, it could allow execution of arbitrary code with the privileges of the user running Firefox. (CVE-2015-2743)

A vulnerability was found in the handling of HTTP pipelining. In some cases, a client might be able to cause a buffer alignment issue and retrieve uninitialized memory contents that exhibit data from a past request or session.

With the proper timing and by requesting files of specific sizes from the backend servers in HTTP pipelining mode, one can trigger a call to a buffer alignment function which was not designed to work with pending output data. The effect is that the output data pointer points to the wrong location in the buffer, causing corruption on the client. It's more visible with chunked encoding and compressed bodies because the client cannot parse the response, but with a regular content-length body, the client will simply retrieve corrupted contents. That's not the worst problem in fact since pipelining is disabled in most clients. The real problem is that it allows the client to sometimes retrieve data from a previous session that remains in the buffer at the location where the output pointer lies. Thus it's an information leak vulnerability.

Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet. (CVE-2015-4001)

drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions. (CVE-2015-4002)

The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet. (CVE-2015-4003)

Daniel Borkmann reported a kernel crash in the Linux kernel's BPF filter JIT optimization. A local attacker could exploit this flaw to cause a denial of service (system crash).

From the Debian advisory:

(1) CVE-2015-1819 / #782782 Florian Weimer from Red Hat reported an issue against libxml2, where a parser which uses libxml2 chokes on a crafted XML document, allocating gigabytes of data. This is a fine line issue between API misuse and a bug in libxml2. This issue got addressed in libxml2 upstream and the patch has been backported to libxml2 in squeeze-lts.

(2) #782985 Jun Kokatsu reported an out-of-bounds memory access in libxml2. By entering an unclosed html comment the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment that was returned to the evoking application. In the Shopify application (where this issue was originally discovered), this caused ruby objects from previous http requests to be disclosed in the rendered page.

(3) #783010 Michal Zalewski reported another out-of-bound reads issue in libxml2 that did not cause any crashes but could be detected under ASAN and Valgrind.

The issue is due to a case of missing brackets in the patch '500-ssl.diff', which causes the execution of 'fclose(NULL)' and thus displays as a segmentation fault. The error appears while transmogrifying 'linux-ftpd' into 'linux-ftpd-ssl'.

A vulnerability has been reported concerning the impossibility for MySQL users (with any major stable version) to enforce an effective SSL/TLS connection that would be immune from man-in-the-middle (MITM) attacks performing a malicious downgrade.

While the issue has been addressed in MySQL preview release 5.7.3 in December 2013, it is perceived that the majority of MySQL users are not aware of this limitation and that the issue should be treated as a vulnerability.

The vulnerability lies within the behaviour of the '--ssl' client option, which on affected versions it is being treated as "advisory". Therefore while the option would attempt an SSL/TLS connection to be initiated towards a server, it would not actually require it. This allows a MITM attack to transparently "strip" the SSL/TLS protection.

The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options ('--ssl-xxx') that imply '--ssl'.

Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client allows for a ECDHE_ECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDSA certificate. This violates the TLS protocol and also has some security implications for forward secrecy. In this situation, the browser thinks it is engaged in an ECDHE exchange, but has been silently downgraded to a non-forward secret mixed-ECDH exchange instead. As a result, if False Start is enabled, the browser will start sending data encrypted under these non-forward-secret connection keys (CVE-2015-2721).

Mozilla community member Watson Ladd reported that the implementation of Elliptical Curve Cryptography (ECC) multiplication for Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in Network Security Services (NSS) did not handle exceptional cases correctly. This could potentially allow for signature forgery (CVE-2015-2730).

Under limited and specific circumstances an attacker can send a crafted remote-configuration packet containing a NUL-byte to cause a vulnerable ntpd instance to crash. This requires each of the following to be true:

• ntpd set up to allow for remote configuration (not allowed by default)
• knowledge of the configuration password
• access to a computer entrusted to perform remote configuration

A remote attacker is able to send a specially crafted remote-configuration packet that is leading to an application crash resulting in denial of service.

When forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn.

A remote attacker is able to bypass the XSECURITY restrictions when forwarding X11 connections by making use of an ineffective timeout check.

ownCloud Desktop Client before 1.8.2 was vulnerable against MITM attacks when used in combination with self-signed certificates.

PCRE library is prone to a vulnerability which leads to Heap Overflow. During subpattern calculation of a malformed regular expression, an offset that is used as an array index is fully controlled and can be large enough so that unexpected heap memory regions are accessed.

Incorrect handling of paths with NULs (CVE-2015-4598).

OS command injection vulnerability in escapeshellarg (CVE-2015-4642).

Integer overflow in ftp_genlist() resulting in heap overflow (CVE-2015-4643).

Segfault in php_pgsql_meta_data (CVE-2015-4644).

PHP has been updated to version 5.5.26, which fixes multiple bugs and potential security issues. Please see the upstream ChangeLog for details.

Local privilege escalation in polkit before 0.113 due to predictable authentication session cookie values (CVE-2015-4625).

Various memory corruption vulnerabilities in polkit before 0.113 in the use of the JavaScript interpreter, possibly leading to local privilege escalation (CVE-2015-3256).

Memory corruption vulnerability in polkit before 0.113 in handling duplicate action IDs, possibly leading to local privilege escalation (CVE-2015-3255).

Denial of service issue in polkit before 0.113 which allowed any local user to crash polkitd (CVE-2015-3218).

From the Debian advisory:

The python-kerberos checkPassword() method has been badly insecure in previous releases. It used to do (and still does by default) a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct. It does not, however, verify that it actually spoke to a trusted KDC: an attacker may simply reply instead with an AS-REP which matches the password he just gave you.

From the Debian advisory:

Johan Olofsson discovered an authentication bypass vulnerability in Stunnel, a program designed to work as an universal SSL tunnel for network daemons. When Stunnel in server mode is used with the redirect option and certificate-based authentication is enabled with "verify = 2" or higher, then only the initial connection is redirected to the hosts specified with "redirect". This allows a remote attacker to bypass authentication.

From the Arch Linux advisory:

Wesnoth implements a text preprocessing language that is used in conjunction with its own game scripting language. It also has a built-in Lua interpreter and API. Both the Lua API and the preprocessor make use of the same function (filesystem::get_wml_location()) to resolve file paths so that only content from the user's data directory can be read.

However, the function did not explicitly disallow files with the .pbl extension. The contents of these files could thus be stored in saved game files or even transmitted directly to other users in a networked game. Among the information that's compromised is a user-defined passphrase used to authenticate uploads to the game's content server.

CVE-2015-5069 and CVE-2015-5070 have been assigned to this vulnerability. Version 1.12.3 included a fix for CVE-2015-5069 only, remaining vulnerable to CVE-2015-5070. Versions 1.12.4 and 1.13.1 contain a more complete fix that addresses both.