Security

The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up (AST-2016-007).

It was found that Kubernetes did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate.

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2016-5181, CVE-2016-5182, CVE-2016-5183, CVE-2016-5184, CVE-2016-5185, CVE-2016-5187, CVE-2016-5194, CVE-2016-5186, CVE-2016-5188, CVE-2016-5189, CVE-2016-5190, CVE-2016-5191, CVE-2016-5192, CVE-2016-5193)

A format string vulnerability in the reference bus implementation, dbus-daemon, could potentially allow local users to cause arbitrary code execution or denial of service.

Apache Derby could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.

CVE-2015-8538: A specially crafted ELF file can cause a segmentation fault.

CVE-2016-2050: Out-of-bounds write

CVE-2016-2091: Out-of-bounds read

Update WebKitGTK+ package to 2.14.1. Major changes in 2.14.0: * Threaded compositor is enabled by default in both X11 and Wayland. * Accelerated compositing is now supported in Wayland. * Clipboard works in Wayland too. * Memory pressure handler always works even when cgroups is not present or not configured. * The HTTP disk cache implements speculative revalidation of resources. * DRI3 is no longer a problem when using the modesetting intel driver. * The amount of file descriptors that are kept open has been drastically reduced. Fixes from 2.14.1: * MiniBrowser and jsc binaries are now installed in pkglibexecdir instead of bindir. * Improve performance when resizing a window with multiple web views in X11. * Check whether GDK can use GL before using gdk_cairo_draw_from_gl() in Wayland. * Updated default UserAgent string or better compatibility. * Fix a crash on github.com in IntlDateTimeFormat::resolvedOptions when using the C locale. * Fix BadDamage X errors when closing the web view in X11. * Fix UIProcess crash when using Japanese input method. * Fix build with clang due to missing header includes. * Fix the build with USE_REDIRECTED_XCOMPOSITE_WINDOW disabled. * Fix several crashes and rendering issues. * Translation updates: German. Update Epiphany to be compatible with the new WebKitGTK+ package.

- CVE-2016-7562: out-of-bounds array write fault via specially crafted avi files

- CVE-2016-7502: out-of-bounds array write via incorrect block values

- CVE-2016-7905: null-point-exception when decoding avi files with crafted 'gab2' structs

- CVE-2016-7555: memory leak when decoding avi files with crafted 'strh' struct

- CVE-2016-7785: assert fault via avi files with crafted 'strh' struct

- CVE-2016-8605 (information disclosure): The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777.

- CVE-2016-8606 (arbitrary code execution): It was reported that the REPL server is vulnerable to the HTTP inter- protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.

A remote attacker is able to execute arbitrary code via a HTTP inter-protocol attack if the REPL server is listening on a loopback device or private network.

Running a multi-threaded guile application can cause directories or files to be created with world readable/writable/executable permissions during a small window which leads to information disclosure.

* It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine's memory and completely bypass Java sandbox restrictions. (CVE-2016-5582)

* It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim's browser send HTTP requests to the JDWP port of the debugged application. (CVE-2016-5573)

* It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. (CVE-2016-5542)

Note: After this update, MD2 hash algorithm and RSA keys with less than 1024 bits are no longer allowed to be used for Jar integrity verification by default. MD5 hash algorithm is expected to be disabled by default in the future updates. A newly introduced security property jdk.jar.disabledAlgorithms can be used to control the set of disabled algorithms.

* A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)

* A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication. (CVE-2016-5597)

Note: After this update, Basic HTTP proxy authentication can no longer be used when tunneling HTTPS connection through an HTTP proxy. Newly introduced system properties jdk.http.auth.proxying.disabledSchemes and jdk.http.auth.tunneling.disabledSchemes can be used to control which authentication schemes can be requested by an HTTP proxy when proxying HTTP and HTTPS connections respectively.

Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

Agostino Sarubbo of Gentoo discovered several security vulnerabilities in libarchive, a multi-format archive and compression library. An attacker could take advantage of these flaws to cause a buffer overflow or an out of bounds read using a carefully crafted input file.

CVE-2016-8687: Agostino Sarubbo of Gentoo discovered a possible stack-based buffer overflow when printing a filename in bsdtar_expand_char() of util.c.

CVE-2016-8688: Agostino Sarubbo of Gentoo discovered a possible out of bounds read when parsing multiple long lines in bid_entry() and detect_form() of archive_read_support_format_mtree.c.

CVE-2016-8689: Agostino Sarubbo of Gentoo discovered a possible heap-based buffer overflow when reading corrupted 7z files in read_Header() of archive_read_support_format_7zip.c.

Amount of memory allocated during memory reallocation in the shaper wasn't tracked, possibly resulting in undefined behavior (CVE-2016-7972).

Illegal read in Gaussian blur coefficient calculations (CVE-2016-7970).

Mode 0/3 line wrapping equalization in specific cases could result in illegal reads while laying out and shaping text. (CVE-2016-7969)

CVE-2016-6911: invalid read in gdImageCreateFromTiffPtr() (most of the code is not present in the Wheezy version)

CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf

CVE-2016-8568: * Read out-of-bounds in git_oid_nfmt:
https://github.com/libgit2/libgit2/issues/3936

CVE-2016-8569: * DoS using a null pointer dereference in git_commit_message:
https://github.com/libgit2/libgit2/issues/3937

Proposed patch:
https://github.com/libgit2/libgit2/pull/3956

Jerold Hoong discovered a flaw in the id3 tag processing code of libmpg123. A specially crafted mp3 input file could be used to cause a buffer over-read, resulting in a denial of service.

CVE-2016-7466: Quick Emulator(Qemu) built with the USB xHCI controller emulation support is vulnerable to a memory leakage issue. It could occur while doing a USB device unplug operation; Doing so repeatedly would result in leaking host memory, affecting other services on the host.

A privileged user inside guest could use this flaw to cause a DoS on the host and/or potentially crash the Qemu process instance on the host.

CVE-2016-8576: Quick Emulator(Qemu) built with the USB xHCI controller emulation support is vulnerable to an infinite loop issue. It could occur while processing USB command ring in 'xhci_ring_fetch'.

A privileged user/process inside guest could use this issue to crash the Qemu process on the host leading to DoS.

CVE-2016-7995: Qemu emulator(Qemu) built with the USB EHCI emulation support is vulnerable to a memory leakage flaw. It could occur while processing isochronous transfer descriptors(iTD), with buffer page select(PG) index that falls beyond buffer page array area.

A privileged user inside guest could use this flaw to leak Qemu memory bytes leading to a DoS on the host.

It was discovered that there was stack overrun in IPv6 RA receive code in quagga, a BGP/OSPF/RIP routing daemon.

A bug in openssl module caused using an all 0 IV for AES-GCM ciphers in some cases (when setting a key, an iv, and then setting a key a again.

The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.

It has been discovered that Tor treats the contents of some buffer chunks as if they were a NUL-terminated string. This issue could enable a remote attacker to crash a Tor client, hidden service, relay, or authority.

CVE assignment email.

Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it.