Security

From the Red Hat bug report:

A bug was found in libreport which causes that user's changes made to reported data are thrown away. Only the changes to the first file in the list are saved and the rest is discarded. It means that Bugzilla attachments can contain data that user wanted to remove.

bouncycastle versions older than 1.51 are vulnerable to an invalid curve attack as described in this article: http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

The attack allows to extract private keys used in elliptic curve cryptography with a few thousands queries.

busybox, a collection of tiny utilities for small and embedded systems, was vulnerable to crashing when handling a specially crafted zip file. The issue was discovered by Gustavo Grieco.

Fix heap overflow and endless loop in exfatfsck

exfat-utils is a collection of tools to work with the exFAT filesystem. Fuzzing the exfatfsck with american fuzzy lop led to the discovery of a write heap overflow and an endless loop.

Especially at risk are systems that are configured to run filesystem checks automatically on external devices like USB flash drives.

A malformed input can cause a write heap overflow in the function verify_vbr_checksum. It might be possible to use this for code execution.

Another malformed input can cause an endless loop, leading to a possible denial of service.

From the openSUSE vulnerability:

A vulnerability in keyrings garbage collector allowed a local user to trigger an oops was found, caused by using request_key() or keyctl request2.

- CVE-2015-2695: Applications which call gss_inquire_context() on a partially-established SPNEGO context could have caused the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. (bsc#952188).

- CVE-2015-2696: Applications which call gss_inquire_context() on a partially-established IAKERB context could have caused the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. (bsc#952189).

- CVE-2015-2697: Incorrect string handling in build_principal_va can lead to DOS (bsc#952190).

Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment.

An out-of-bounds read in png_convert_to_rfc1123() in png.c in libpng 1.2.x before 1.2.54 could potentially be exploited by a crafted PNG file to leak information from an application's memory.

A flaw was discovered in the way Libreswan's IKE daemon processed IKE KE payloads. A remote attacker could send specially crafted IKE payload with a KE payload of g^x=0 that, when processed, would lead to a denial of service (daemon crash).

From the Arch Linux advisory (note: The original Arch advisory text incorrectly labels these vulnerabilities as CVE-2015-5714 and CVE-2015-5715, both of which are Wordpress vulnerabilities addressed in an advisory published on the same day):

CVE-2015-8011 (denial of service) - A buffer overflow has been discovered when handling management address TLV. When a remote device was advertising a too large management address while still respecting TLV boundaries, lldpd would crash due to a buffer overflow.

CVE-2015-8012 (denial of service) - A vulnerability has been discovered that is triggering an application crash while using assert() if a malformed packet is handled.

In MediaWiki before 1.23.11, the API failed to correctly stop adding new chunks to the upload when the reported size was exceeded, allowing a malicious user to upload add an infinite number of chunks for a single file upload (CVE-2015-8001).

In MediaWiki before 1.23.11, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (CVE-2015-8002).

In MediaWiki before 1.23.11, it is not possible to throttle file uploads, or in other words, rate limit them (CVE-2015-8003).

In MediaWiki before 1.23.11, a missing authorization check when removing suppression from a revision allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions (CVE-2015-8004).

In MediaWiki before 1.23.11, thumbnails of PNG files generated with ImageMagick contained the local file path in the image (CVE-2015-8005).

Improper sanitation of environment import allows for appending of values to passed parameters.

An attacker who already had access to the environment could so append values to parameters passed through programs (including sudo(8) or setuid) to shell scripts, including indirectly, after those programs intended to sanitise the environment, e.g. invalidating the last $PATH component.

It was reported that mod_nss is vulnerable to the issue similar to CVE-2015-3276, where incorrect parsing of multi-keyword cipherstring can lead to an unexpected ciphers list advertising.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7197)

A same-origin policy bypass flaw was found in the way Firefox handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Firefox to disclose sensitive information. (CVE-2015-7193)

A same-origin policy bypass flaw was found in the way Firefox handled URLs containing IP addresses with white-space characters. This could lead to cross-site scripting attacks. (CVE-2015-7188)

- CVE-2015-4514 (Miscellaneous memory safety hazards): Christian Holler, Andrew McCreight, Georg Fritzsche, Tyson Smith, and Carsten Book reported crash and memory safety problems that affect Firefox 41.

- CVE-2015-4515 (Information disclosure through NTLM authentication): Security researcher Tim Brown reported that Firefox discloses the hostname and possibly the Windows domain through NTLM-based HTTP authentication when sending type 3 messages as part of the authentication exchange. This is because the Workstation field is populated with the hostname of the system making the request. An attacker can craft a malicious page to send a silent NTLM request that will disclose the information without visibility in the client, leading to information disclosure. This is mitigated because NTLM v1 is disabled by default configurations.

- CVE-2015-4518 (CSP bypass due to permissive Reader mode whitelist): Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported this same issue as well. This issue happens even though Reader View explicitly disables script for rendered pages through a whitelist of allowed HTML content. Mario discovered that the whitelist was too permissive and a malicious site could manipulate content to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.

- CVE-2015-7187 (Disabling scripts in Add-on SDK panels has no effect): Add-on authors Jason Hamilton and Peter Arremann with AMO editor Sylvain Giroux reported a vulnerability when a panel is created using the Add-on SDK in a browser extension. Defining a panel with script: false is supposed to disable script execution but it was found that inline script would still execute. This flaw allows for the potential execution of script content in an extension when it was been explicitly disallowed.

The potential impact of this flaw would depend on whether the add-on was relying on script: false as a security mechanism and from location the panel content was loaded. No add-ons served from addons.mozilla.org are vulnerable to this flaw but add-ons installed from third party sites may be.

- CVE-2015-7195 (Certain escaped characters in host of Location-header are being treated as non-escaped): Security researcher Frans Rosén reported that URLs with certain escaped characters in hostnames are parsed incorrectly. This leads to parsing being abandoned when an effected escaped character is encountered followed by a navigation to the previously parsed version of the URL. When combined with a site allowing for navigation redirection that allows for escaped characters, this could lead to potential extraction of site specific tokens.

- CVE-2015-7198, CVE-2015-7199 CVE-2015-7200 (Vulnerabilities found through code inspection): Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them.

A use-after-poison flaw and a heap-based buffer overflow flaw were found in the way NSS parsed certain ASN.1 structures. An attacker could use these flaws to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library. (CVE-2015-7181, CVE-2015-7182)

A heap-based buffer overflow was found in NSPR. An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library. (CVE-2015-7183)

From the CVE entry:

ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field.

From the OpenAFS advisory:

When constructing an Rx acknowledgment (ACK) packet, Andrew-derived Rx implementations do not initialize three octets of data that are padding in the C language structure and were inadvertently included in the wire protocol (CVE-2015-7762). Additionally, OpenAFS Rx in versions 1.5.75 through 1.5.78, 1.6.0 through 1.6.14, and 1.7.0 through 1.7.33 include a variable-length padding at the end of the ACK packet, in an attempt to detect the path MTU, but only four octets of the additional padding are initialized (CVE-2015-7763).

Rx implementations derived from Project Andrew use a pool of packet structures, so that the uninitialized data sent on the wire in an ACK packet is the plaintext of some previous packet, including packets that were received encrypted and then decrypted in-place. (All packet decryption is performed in-place.)

Furthermore, when the packet being acknowledged is a duplicate or outside the valid window of sequence numbers, the decrypted packet is immediately used to construct the return ACK packet, giving an attacker control over what plaintext will be leaked.

From the Debian advisory:

Content spoofing vulnerability when redirecting user to an external site.

roundcubemail was updated to version 1.0.7 to fix two security issues.

These security issues were fixed:
- XSS issue in drag-n-drop file uploads
- Disallow unwanted access on files in the file system. The apache2 configuration file for roundcubemail allowed access to the roundcubemail/bin folder and possibly /logs, /config and /temp, if these were not symlinks (this was only the case when the configuration was manually changed) (bsc#952006)

The package comes with a fixed configuration. If you modified the file "/etc/apache2/conf.d/roundcubemail.conf", please replace it with the configuration "roundcubemail.conf.rpmnew" and reapply your changes. After that, a restart of apache2 is required.

Update: The XSS issue was assigned CVE-2015-8105. From the CVE entry:

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Buffer overflow / crash in colcrt with unclear effect.

"When running colcrt with a big input it crashes because of a global-buffer-overflow caused by a global variable 'page' defined in 'text-utils/colcrt.c:73:9"

The logcat_dump_text function in wiretap/logcat.c in the Android Logcat file parser in Wireshark 1.12.x before 1.12.5 does not properly handle a lack of \0 termination, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted message in a packet, a different vulnerability than CVE-2015-3815.

From the Arch Linux advisory:

A cross-site scripting vulnerability has been discovered in the user list tables.

libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image. (CVE-2015-7311)

The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping. (CVE-2015-7835)

Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of "teardowns" of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall. (CVE-2015-7969)

Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. (CVE-2015-7971)

xscreensaver, a screensaver daemon and frontend for X11 was vulnerable to crashing when hot-swapping monitors.