Security

Multiple vulnerabilities were found in Bash, the worst of which may allow execution of arbitrary code.

A local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

A flaw in the cryptographic authentication scheme in Borg allowed an attacker to spoof the manifest. The attack requires an attacker to be able to

1. insert files (with no additional headers) into backups
2. gain write access to the repository

If you have archives in your repository that were made with attic <= 0.13 (and later migrated to borg), running borg check would report errors in these archives.

The reason for this is a invalid (and useless) metadata key that was always added due to a bug in these old attic versions.

If you run borg check --repair, things escalate quickly: all archive items with invalid metadata will be killed. Due to that attic bug, that means all items in all archives made with these old attic versions.

While decoding BER length fields, an integer overflow could occur. This could occur while parsing untrusted inputs such as X.509 certificates. The overflow does not seem to lead to any obviously exploitable condition, but exploitation cannot be positively ruled out. Only 32-bit platforms are likely affected; to cause an overflow on 64-bit the parsed data would have to be many gigabytes.

Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures." (CVE-2014-9651)

From the Gentoo advisory:

A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to. This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable. This function has been introduced in 7.52.0

libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.

The flaw happens because the floating point conversion is using system functions without the correct boundary checks.

The functions have been documented as deprecated for a long time and users are discouraged from using them in "new programs" as they are planned to get removed at a future point. But as the functions are present and there's nothing preventing users from using them, we expect there to be a certain amount of existing users in the wild.

If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.

This flaw does not exist in the command line tool.

We are not aware of any exploit of this flaw.

[1] Apache CXF HTTP transport module uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

[2] Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use Apache Abdera Parser to parse Atom feeds or Entries, with this Parser expanding XML entities by default. This represents a major XXE risk.

wolfSSL CyaSSL before 2.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via (1) a request for the peer certificate when a certificate parsing failure occurs or (2) a client_key_exchange message when the ephemeral key is not found. (CVE-2014-2899)

wolfSSL CyaSSL before 2.9.4 does not properly validate X.509 certificates with unknown critical extensions, which allows man-in-the-middle attackers to spoof servers via crafted X.509 certificate. (CVE-2014-2900)

From the Gentoo advisory:

Multiple vulnerabilities have been found in CyaSSL, the worst of which may allow attackers to execute arbitrary code.

An attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or conduct a man-in-the-middle attack.

If auth-policy component has been activated in Dovecot, then remote user can use SASL authentication to crash auth component.

Exim leaks the private DKIM signing key to the log files. Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material is included in the bounce message.

Multiple vulnerabilities have been discovered in Firejail. Please review upstream's release notes for details.

A remote attacker could possibly bypass sandbox protection, cause a Denial of Service condition, or change a system's DNS server.

gdk-pixbuf 2.36.2 release. * Remove the pixdata loader (#776004) * Fix integer overflows in the jpeg loader (#775218) * Add an external thumbnailer for images * Fix a NULL pointer dereference (#776026) * Fix a memory leak (#776020) * Support bmp headers with bitmask (#766890) * Add tests for scaling (#80925) * Handle compressed pixdata in resources (#776105) * Avoid a buffer overrun in the qtif loader ($#775648) * Fix a crash in the bmp loader (#775242) * Fix crash opening pnm images with large dimensions (#775232) * Prevent buffer overflow in the pixdata loader (#775693) * Translation updates

This is an old memory failure, discovered time ago. The maintainer, Mr. Bob Friesenhahn was able to reproduce the issue; I’m quoting his feedback about: The problem is that the embedded JPEG data claims to have dimensions 59395×56833 and this is only learned after we are in the JPEG reader.

CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses [bsc#1013663]

CVE-2016-0736: It was found that session data/cookies presented to mod_session_crypto were not authenticated that can lead to deciphering or tampering with a padding oracle attack.

Affects version 2.4.x up to 2.4.23

CVE-2016-2161: It was found that malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests.

Affects versions 2.4.x up to 2.4.23

CVE-2016-8743: Apache HTTP Server, prior to release 2.4.25, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member "the_request", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines.

These defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possibility in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent.

Affects versions since 2.2.0 up to 2.4.23

heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)

An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks’s convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution.. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.

It was discovered that irssi-otr had a flaw in handing data returned by libotr. After the initiation of the OTR session only the first line was sent as a PRIVMSG, while additional data would be sent as raw commands to the IRC server. The additional data would ordinarily be a human-readable HTML-formatted instruction message from libotr, a fixed string. However this is a minor security concern and the remediation avoids further security issues.

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Linux kernel built with the KVM virtualisation support(CONFIG_KVM), with nested virtualisation(nVMX) feature enabled(nested=1), is vulnerable to an uncaught exceptions issue. It could occur if a L2 guest was to throw an exception which is not handled by L1 guest. A L1 guest user could use this flaw to crash the guest resulting in DoS.

The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option. (CVE-2012-6704)

The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver. (CVE-2016-7915)

The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576. (CVE-2016-10088)

The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.

Gergely Gábor Nagy from Tresorit discovered that libcrypto++, a C++ cryptographic library, contained a bug in several ASN.1 parsing routines. This would allow an attacker to remotely cause a denial of service.

The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address. (CVE-2016-10033)

The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. (CVE-2016-10045)

These all fix a potential "NULL dereference" bug that has existed in libpng since version 0.71 of June 26, 1995. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened.

Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area. (CVE-2016-9941)

Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions. (CVE-2016-9942)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB. (CVE-2016-3495)

Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Packaging. (CVE-2016-5625)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: DML. (CVE-2016-5628)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Memcached. (CVE-2016-5631)

Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Optimizer. (CVE-2016-5632)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Performance Schema, a different vulnerability than CVE-2016-8290. (CVE-2016-5633)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to RBR. (CVE-2016-5634)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Security: Audit. (CVE-2016-5635)

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call. (CVE-2016-6652)

Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows remote authenticated users to affect confidentiality via vectors related to Server: Security: Privileges. (CVE-2016-8286)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Replication. (CVE-2016-8287)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows local users to affect integrity and availability via vectors related to Server: InnoDB. (CVE-2016-8289)

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Performance Schema, a different vulnerability than CVE-2016-5633. (CVE-2016-8290)

CVE-2016-9037: From the Talos vulnerability report: An exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key’s value. This can lead to an out of bounds read within the context of the server. An attacker who exploits this vulnerability can cause a denial of service vulnerability on the server.

[1] Version-Release number of selected component (if applicable): 1.4.15-2

Steps to Reproduce:

1. . Take Oracle Enterprise Linux 6.1
2. . Install 389 Directory with SSL or take a working one.
3. . Install epel repository and latest nagios-plugins-ldap
4. . Run /usr/lib64/nagios/plugins/check_ldaps -H <389 hostname> -S -p <389 port> -b <389's base DN> -v

ldap_bind: Can't contact LDAP server (-1)
	additional info: TLS error -8172:Unknown code ___f 20
Could not bind to the LDAP server

LDAP OK - 0,008 seconds response time|time=0,007882s;;;0,000000

[2] Calling check_file_age is broken:

# /usr/lib64/nagios/plugins/check_file_age Can't locate utils.pm in @INC (you may need to install the utils module) (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/lib64/nagios/plugins/check_file_age line 30.

[3] check_mailq fails with syntax error:

[root@fedora24 ~]# /usr/lib64/nagios/plugins/check_mailq syntax error at /usr/lib64/nagios/plugins/check_mailq line 40, near ")

sub print_help ()" Execution of /usr/lib64/nagios/plugins/check_mailq aborted due to compilation errors.

Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp. (CVE-2015-6972)

Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp. (CVE-2015-6973)

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp. (CVE-2015-7707)

Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cprl function in openjp2/pi.c:523 in OpenJPEG 2.1.2. (CVE-2016-9112)

There is a NULL pointer dereference in function imagetobmp of convertbmp.c:980 of OpenJPEG 2.1.2. image->comps[0].data is not assigned a value after initialization(NULL). Impact is Denial of Service. (CVE-2016-9113)

There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service. (CVE-2016-9114)

Heap Buffer Over-read in function imagetotga of convert.c(jp2):942 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. (CVE-2016-9115)

NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. (CVE-2016-9116)

NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. (CVE-2016-9117)

Heap Buffer Overflow (WRITE of size 4) in function pnmtoimage of convert.c:1719 in OpenJPEG 2.1.2. (CVE-2016-9118)

- CVE-2016-10009 (arbitrary code execution): It was found that ssh-agent could load PKCS#11 modules from paths outside of a trusted whitelist. An attacker able to load a crafted PKCS#11 module across a forwarded agent channel could potentially use this flaw to execute arbitrary code on the system running the ssh- agent. Note that the attacker must have control of the forwarded agent- socket and the ability to write to the filesystem of the host running ssh-agent.

- CVE-2016-10010 (privilege escalation): It was found that when privilege separation was disabled in OpenSSH, forwarded Unix-domain sockets would be created by sshd with root privileges instead of the privileges of the authenticated user. This could allow an authenticated attacker to potentially gain root privileges on the host system. Privileges separation has been enabled by default since OpenSSH 3.3/3.3p1 (2002-06-21). Thus, OpenSSH is not affected by default. An affected OpenSSH configuration would have to specifically disable privilege separation with the "UsePrivilegeSeparation no" configuration directive in /etc/ssh/sshd_config.

- CVE-2016-10011 (information disclosure): It was found that there is a theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.

- CVE-2016-10012 (insufficient validation): It was found that the shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimizing compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first).

The SCardReleaseContext function normally releases resources associated with the given handle (including "cardsList") and clients should cease using this handle. A malicious client can however make the daemon invoke SCardReleaseContext and continue issuing other commands that use "cardsList", resulting in a use-after-free. When SCardReleaseContext is invoked multiple times, it additionally results in a double-free of "cardsList".

The issue allows a local attacker to cause a denial of service, but can potentially result in privilege escalation since the daemon is running as root while any local user can connect to the Unix socket. Fixed by patch "SCardReleaseContext: prevent use-after-free of cardsList" which is released with hpcsc-lite 1.8.20 on 30 December 2016.

When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.

Dawid Golunski discovered that a symlink in /var/log/postgresql/ could be used by the "postgres" system user to write to arbitrary files on the filesystem the next time PostgreSQL is started by root.

It was discovered that there was a vulnerability in python-crypto, a library of cryptographic algorithms and protocols for Python. Calling AES.new with an invalid parameter could crash the Python interpreter

This update contains a **SECURITY** fix for an issue with potentially serious consequences but very limited scope. If an administrator of a wiki you talked to using python-wikitcms were malicious, they could cause arbitrary code execution as the user running wikitcms. No-one besides a wiki administrator could do this, as it requires crafting the wiki's response to an edit request to include a malicious payload. It also drops some now useless or unneeded code (due to changes in mediawiki and mwclient).

Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/ process could use this issue to leak host memory, resulting in DoS for a host.

A vulnerability in the Smack XMPP library was reported where the security of the TLS connection is not always enforced. By stripping the "starttls" feature from the server response with a man-in-the-middle tool, an attacker can force the client to authenticate in clear text even if the "SecurityMode.required" TLS setting has been set.

CVE-2016-9997: It was discovered that the 'id' parameter to the puce_statut action isn't sanitized properly. An attacker could inject arbitrary HTML code by tricking an authenticated SPIP user to open a specially crafted URL.

CVE-2016-9998: It was discovered that the 'plugin' parameter to the info_plugin action isn't sanitized properly. An attacker could inject arbitrary HTML code by tricking an authenticated SPIP user to open a specially crafted URL.

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Incorrect processing of responses to If-None-Modified HTTP conditional requests leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information (CVE-2016-10002).

Incorrect HTTP Request header comparison results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients (CVE-2016-10003).

This update adds security sandboxing to tracker-extract.

A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013)

PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024)

When support for the Intel VMX VMFUNC leaf 0 was added, a new optional function pointer hvmemul_vmfunc was added to the hvm_emulate_ops table. As is intended, that new function pointer is NULL on non-VMX hardware, including AMD SVM hardware. However at a call site, the necessary NULL check was omitted before the indirect function call.

Malicious guests may cause a hypervisor crash, resulting in a Denial of Service (DoS).

QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.