Security

It has been reported that arts uses the insecure mktemp() function to create the temporary directory it uses to host user-specific sockets. It is thus possible for another user to hijack this temporary directory and gain IPC access it should not have.

Address fetch context reference count handling error on socket error.

An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries.

An attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients. The risk to recursive servers is high. Authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs.

Adam Chester discovered that missing input sanitising in the foomatic-rip print filter might result in the execution of arbitrary commands.

A buffer overflow flaw was found in the way grub2 checked the password entered by the user during bootup. A local attacker could use this flaw to circumvent the password check and, potentially, execute arbitrary code on the system.

See the original report for lots of details on this vulnerability.

It has been reported that kdelibs uses the insecure mktemp() function to create the temporary directory it uses to host user-specific sockets. It is thus possible for another user to hijack this temporary directory and gain socket accesses it should not have.

From the Arch Linux advisory:

It was found that XML export function creates hidden XML file containing user passwords in plaintext without warning, when the export is canceled, which may go unnoticed by the user.

In this case the password database was exported as the file “.xml” in the current working directory (often $HOME or the directory of the database) and is world readable.

CVE-2015-7515: An out-of-bounds memory access flaw was found in aiptek USB tablet driver in aiptek_probe() function in drivers/input/tablet/aiptek.c. The driver assumes that the interface always has at least one endpoint. By using a specially crafted USB device with no endpoints on one of its interfaces an unprivileged user with a physical access to the system can trigger a kernel NULL pointer dereference causing the system to panic.

CVE-2015-8374: An information leak vulnerability was found when truncating a file to a smaller size which consists of an inline extent that is compressed. The data between the new file size and the old file size were not discarded, wasting metadata space and allowing for the truncated data to be leaked and the data corruption/loss to occur. The number of bytes used by the inode were not correctly decremented, which gives wrong report for callers of the stat(2) syscall. It is possible for a caller of the clone ioctl to actually read the data that was truncated, allowing for a security breach without requiring root access to the system, using only standard filesystem operations.

Note that this is a Btrfs vulnerability; see this commit for details.

From the Fedora advisory:

New upstream release: - security fix: out-of-bound read in packet parser for malformed NAPTR record.

- CVE-2015-7201 CVE-2015-7202 (arbitrary code execution): Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

- CVE-2015-7203 CVE-2015-7220 CVE-2015-7221 (buffer overflow): Security researcher Ronald Crane reported three buffer overflows affecting released code that were found through code inspection. They do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them.

- CVE-2015-7204 (denial of service): Security researcher Cajus Pollmeier reported crashing during some Javascript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash when triggered by JavaScript content as well as leading to errors on some websites.

- CVE-2015-7205 (information disclosure): Security researcher Ronald Crane reported an underflow found through code inspection. This does not all have a clear mechanism to be exploited through web content but could be vulnerable if a means can be found to trigger it.

- CVE-2015-7207 (same-origin policy bypass): Security researcher cgvwzq reported that it is possible to read cross-origin URLs following a redirect if perfomance.getEntries() is used along with an iframe to host a page. Navigating back in history through script, content is pulled from the browser cache for the redirected location instead of going to the original location. This is a same-origin policy violation and could allow for data theft.

- CVE-2015-7208 (cookie injection): Security researcher musicDespiteEverything reported an issue when ASCII code 11 for vertical tab is stored in a cookie in violation of RFC6265. This may result in incorrect cookie handling by servers, resulting in the potential ability to set cookie values and read cookie data from users in concert with some web servers if the vertical tab character is mishandled during parsing.

- CVE-2015-7210 (arbitrary code execution): Security researcher Looben Yang reported a use-after-free error in WebRTC that occurs due to timing issues in WebRTC when closing channels. WebRTC may still believe is has a datachannel open after another WebRTC function has closed it. This results in attempts to use the now destroyed datachannel, leading to a potentially exploitable crash.

- CVE-2015-7211 (URL spoofing): Security researcher Abdulrahman Alqabandi reported that when a data: URI is parsed, the hash ('#') symbol is incorrectly handled, allowing for spoofing attacks. This issue could result in the wrong URI being displayed as a location, which can mislead users to believe they are on a different site than the one loaded.

- CVE-2015-7212 (denial of service): Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an integer overflow when when allocating textures of extremely larges sizes during graphics operations. This results in a potentially exploitable crash when triggered.

- CVE-2015-7213 (denial of service): Security researcher Ronald Crane reported a vulnerability found through code inspection. This issue is an integer overflow while processing an MP4 format video file when an a erroneously-small buffer is allocated and then overrun, resulting in a potentially exploitable crash.

- CVE-2015-7214 (cross-origin restriction bypass): Security researcher Tsubasa Iinuma reported a mechanism to violate same-origin policy to content using data: and view-soure: URIs to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files.

- CVE-2015-7215 (information disclosure): Security researcher Masato Kinugawa reported a cross-origin information leak through the error events in web workers. This violates same-origin policy and the leaked information could potentially be used by a malicious party to gather authentication tokens and other data from third-party websites.

- CVE-2015-7216 CVE-2015-7217 (denial of service): Security researcher Gustavo Grieco reported that on Linux Gnome systems the dialog for choosing local files uses the operating system's gdk-pixbuf library to render thumbnails for image file types. This library supports various image decoders, and Grieco reported that the Jasper and TGA decoders were unmaintained and have several known vulnerabilities. Firefox has disabled the use of those decoders in gdk-pixbuf.

- CVE-2015-7218 CVE-2015-7219 (denial of service): Security researcher Stuart Larsen reported two issues with HTTP/2 resulting in integer underflows that lead to intentional aborts when the errors are detected. In the first issue, if a malformed HTTP2 header frame is received with only a single byte, an integer underflow can be created in some circumstances. In the second issue, a malformed HTTP2 PushPromse frame is received and the length of the decompressed buffer is miscalculated, leading to another integer underflow. In both of these instances, more memory is allocated than is allowed, triggering assertions and intentional aborts (a denial of service) but no exploitable crashes.

- CVE-2015-7222 (denial of service): Mozilla developer Gerald Squelart fixed an integer underflow in the libstagefright library initially reported by Joshua Drake to Google. The issues occurred in MP4 format video file while parsing cover metadata, leading to a buffer overflow. This results in a potentially exploitable crash and can be triggered by a malformed MP4 file served by web content.

- CVE-2015-7223 (privilege escalation): Mozilla developer Kris Maglione reported a mechanism where WebExtension APIs could be used to escalate privilege. This could allow arbitrary web content to execute code with the privileges of a particular WebExtension when using these API calls. Depending on the privileges of the extension used, this could result in personal information theft and cross-site scripting (XSS) attacks, including theft of browser cookies. This is mitigated by the requirement to have a WebExtension installed that is vulnerable to this issue.

From the Ubuntu advisory:

Multiple security issues were discovered in V8. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process.

Part of the SFTP handshake involves "extensions", which are key/value pairs, comprised of strings. In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes.

The mod_sftp module currently places no bounds/length limitations when reading these SFTP extension key/value data from the network. A malicious attacker might attempt to encode large values, and allocate more memory than is necessary.

To avoid undue resource exhaustion by a remote client, mod_sftp should place a limit on the maximum length of acceptable extension keys/values.

It was discovered that there was a shell injection vulnerability in pygments, a syntax highlighting package written in Python.

Qemu emulator built with the VNC display driver support is vulnerable to an arithmetic exception flaw. It occurs on the VNC server side while processing the 'SetPixelFormat' messages from a client.

A privileged remote client could use this flaw to crash the guest resulting in DoS.

XENMAPSPACE_gmfn_foreign dumps the p2m, on ARM, when it fails to get a reference on the foreign page. However, dump_p2m_lookup does not use rate-limited printk.

A malicious infrastructure domain, which is allowed to map memory of a foreign guest, would be able to flood the Xen console.

Domains deliberately given partial management control may be able to deny service to other parts of the system.

As a result, in a system designed to enhance security by radically disaggregating the management, the security may be reduced. But, the security will be no worse than a non-disaggregated design.