Security

CVE-2014-5015: Bozotic HTTP server (aka bozohttpd) before 201407081 truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.

CVE-2015-8212: A flaw in CGI suffix handler support was found, if the -C option has been used to setup a CGI handler, that could result in remote code execution.

- CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.

- CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.

- CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.

- CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.

- CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.

- CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.

- CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.

- CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.

- CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.

- CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.

- CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.

- CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.

- CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.

- CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.

- CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.

- CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.

- CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.

- CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.

- CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.

- CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.

- CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.

- CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani.

- CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan.

- CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.

While creating an XBM image (imagexbm) with an user supplied name, libgd isn't checking the vsnprintf return value and PHP 5.5 will trust this length and read more memory than it should, causing a read-out-of boundaries, leaking stack memory.

Martin Carpenter discovered that pt_chown in the GNU C Library did not properly check permissions for tty files. A local attacker could use this to gain administrative privileges or expose sensitive information. (CVE-2013-2207, CVE-2016-2856)

Removed popen() support to prevent another shell vulnerability. This issue was discovered by Bob Friesenhahn, of the GraphicsMagick project.

From the Debian advisory:

Bob Friesenhahn from the GraphicsMagick project discovered a command injection vulnerability in ImageMagick, a program suite for image manipulation. An attacker with control on input image or the input filename can execute arbitrary commands with the privileges of the user running the application.

From the Fedora advisory:

CVE-2016-3721: Arbitrary build parameters are passed to build scripts as environment variables.

CVE-2016-3722: Malicious users with multiple user accounts can prevent other users from logging in.

CVE-2016-3723: Information on installed plugins exposed via API.

CVE-2016-3724: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration.

CVE-2016-3725: Regular users can trigger download of update site metadata.

CVE-2016-3726: Open redirect to scheme-relative URLs.

CVE-2016-3727: Granting the permission to read node configurations allows access to overall system configuration.

The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data.

The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem. (CVE-2016-4913)

From the Red Hat bugzilla:

Linux kernel built with the Kernel-based virtual machine(CONFIG_KVM) along with Hyper-v Synthetic Interrupt Controller(SynIC) support is vulnerable to an undue APIC register access issue. In that a guest with SynIC enabled, could gain access to host's Machine Specific Registers(MSR).

A privileged user inside guest could use this flaw to crash the host kernel resulting in DoS OR potentially leverage it to escalate privileges on the host. (CVE-2016-4440)

The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation.

Followup xauth (security-related) permissions fix, less racy. See also http://bugs.kde.org/358593.

From the openSUSE bug report:

It was found that kdeinit5 creates /tmp/xauth-xxx-_y with inappropriate permission, which are 644 instead of 600. This can be exploited by stealing X11 cookie and running X11 keylogger. Malicious user is able to read key strokes of a different user which might be a sudo user. If attacker can log key events of a sudo user then it can lead to local privilege escalation.

https://bugs.kde.org/show_bug.cgi?id=358593

https://bugs.kde.org/show_bug.cgi?id=363140

Double free vulnerability in the Free_All_Memory function in jpeg/dectile.c in libfpx before 1.3.1-1, as used in the FlashPix PlugIn 4.2.2.0 for IrfanView, allows remote attackers to cause a denial of service (crash) via a crafted FPX image.

From the CVE entry:

The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in PHP before 5.6.12, uses inconsistent allocate and free approaches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function. ( CVE-2015-8877)

It was found that libimobiledevice and libusbmuxd libraries accidentally bound a listening IPv4 TCP socket to INADDR_ANY instead of INADDR_LOOPBACK.

From the Arch Linux advisory:

CVE-2016-1762 (denial of service) A vulnerability has been discovered that allows remote attackers to cause a denial of service (memory corruption) via a crafted XML document.

CVE-2016-1833 (denial of service) A maliciously crafted file could cause the application to crash due to a heap-based out-of-bounds memory read.

CVE-2016-1834 (arbitrary code execution) It has been discovered that a heap-buffer-overflow could happen in xmlStrncat.

CVE-2016-1835 (arbitrary code execution) It has been discovered that a maliciously crafted file could cause the application to crash due to a heap use-after-free in xmlSAX2AttributeNs.

CVE-2016-1836 (arbitrary code execution) It has been discovered that a heap-use-after free can happen in the xmlDictComputeFastKey.

CVE-2016-1837 (arbitrary code execution) It has been discovered that a maliciously crafted file could cause the application to crash due to a Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral.

CVE-2016-1838 (denial of service) It has been discovered that a heap-based buffer overread could happen in xmlParserPrintFileContextInternal

CVE-2016-1839 (denial of service) It has been discovered that a heap-based buffer overread could happen in xmlDictAddString.

CVE-2016-1840 (arbitrary code execution) It has been discovered that a heap-buffer overflow could happen in xmlFAParsePosCharGroup

CVE-2016-4483 (denial of service) It has been discovered that parsing a maliciously crafted XML file could cause the application to crash if recover mode is used.

Heap-based buffer underreads due to xmlParseName (CVE-2016-4447).

Format string vulnerability (CVE-2016-4448).

Inappropriate fetch of entities content (CVE-2016-4449).

Robie Basak discovered that LXD incorrectly set permissions when setting up a loop based ZFS pool. A local attacker could use this issue to copy and read the data of any LXD container. (CVE-2016-1581)

Robie Basak discovered that LXD incorrectly set permissions when switching an unprivileged container into privileged mode. A local attacker could use this issue to access any world readable path in the container directory, including setuid binaries. (CVE-2016-1582)

The mediawiki package has been updated to version 1.23.14, which fixes multiple security issues and other bugs. See the release announcements for more details.

https://lists.wikimedia.org/pipermail/mediawiki-announce/...

https://lists.wikimedia.org/pipermail/mediawiki-announce/...

Mozilla Firefox before 38.0 on Android does not properly restrict writing URL data to the Android logging system, which allows attackers to obtain sensitive information via a crafted application that has a required permission for reading a log, as demonstrated by the READ_LOGS permission for the mixed-content violation log on Android 4.0 and earlier. (CVE-2015-2714)

Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing. (CVE-2016-1940)

The file-download dialog in Mozilla Firefox before 44.0 on OS X enables a certain button too quickly, which allows remote attackers to conduct clickjacking attacks via a crafted web site that triggers a single-click action in a situation where a double-click action was intended. (CVE-2016-1941)

Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via the scrollTo method. (CVE-2016-1943)

Mozilla Firefox before 44.0 on Android does not ensure that HTTPS is used for a lightweight-theme installation, which allows man-in-the-middle attackers to replace a theme's images and colors by modifying the client-server data stream. (CVE-2016-1948)

The setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.6.1, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted Graphite smart font. (CVE-2016-1969)

A vulnerability was found in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while handling the client request body.

A remote attacker is able to use a specially crafted request to crash the worker resulting in denial of service.

Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow local users to cause a denial of service (memory overwrite and system crash) via a pioctl with an input buffer size of 4096 bytes.

It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. Other backends are not affected.

Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094)

An integer underflow resulting into arbitrary null character write in fread/gzread function was found. (CVE-2016-5096)

An out-of-bounds read vulnerability was found in get_icu_value_internal causes leakage of heap memory because of missing null character at the end of zend_string. (CVE-2016-5093)

main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses. (CVE-2015-8878)

The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table. (CVE-2015-8879)

In phpMyAdmin before 4.4.15.6, a specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

File Traversal Protection Bypass on Error Reporting (PMASA-2016-15):

A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the size of that file.

The attacker must be able to intercept and modify the user's POST data and must be able to trigger a JavaScript error to the user.

This attack can be mitigated in affected installations by setting `$cfg['Servers'][$i]['SendErrorReports'] = 'never';`. Upgrading to a more recent development commit is suggested. (CVE-2016-5098)

Sensitive Data in URL GET Query Parameters (PMASA-2016-14):

Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs.

As mitigation, avoid clicking on external links in phpMyAdmin which are not redirected through url.php script.

Affects versions prior to 4.6.2. (CVE-2016-5097)

The PostgreSQL project released a new version of the PostgreSQL 9.1 branch:

* Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)

This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.

* Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)

* Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)

These could advance off the end of the input string, causing subsequent format codes to read garbage.

* Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)

* Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)

This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.

* Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)

In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.

* Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)

* Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.

The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. (CVE-2016-4439)

The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command. (CVE-2016-4441)

Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) released a whitepaper entitled "SMTP Injection via recipient email addresses" ( http://www.mbsd.jp/Whitepaper/smtpi.pdf). This whitepaper has a section discussing how one such vulnerability affected the 'mail' ruby gem (see section 3.1).

Whitepaper has all the specific details, but basically the 'mail' ruby gem module is prone to the recipient attack as it does not validate nor sanitize given recipient addresses. Thus, the attacks described in chapter 2 of the whitepaper can be applied to the gem without any modification. The 'mail' ruby gem itself does not impose a length limit on email addresses, so an attacker can send a long spam message via a recipient address unless there is a limit on the application's side. This vulnerability affects only the applications that lack input validation.

CVE-2016-1902: Lander Brandt discovered that the class SecureRandom might generate weak random numbers for cryptographic use under certain settings. If the functions random_bytes() or openssl_random_pseudo_bytes() are not available, the output of SecureRandom should not be consider secure.

CVE-2016-4423: Marek Alaksa from Citadelo discovered that it is possible to fill up the session storage space by submitting inexistent large usernames.

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.18 allows local users to affect confidentiality, integrity, and availability via vectors related to Core.

WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1856. (CVE-2016-1857)

WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1857. (CVE-2016-1856)

Multiple vulnerabilities were discovered in the dissectors/parsers for PKTC, IAX2, GSM CBCH and NCP which could result in denial of service.

This update also fixes many older less important issues by updating the package to the version found in Debian 8 also known as Jessie.

The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might allow local guest OS users to gain privileges via a crafted mapping of memory.