Security

The "attribute uniqueness" plugin did not properly NULL-terminate an array when building up its configuration if a so called 'old-style' configuration was being used. An attacker, authenticated, but possibly also unauthenticated, could possibly force the plugin to read beyond allocated memory and trigger a segfault. The crash could also possibly be triggered accidentally.

It is reported that in Ansible, under some circumstances the mysql_user module may fail to correctly change a password. Thus an old password may still be active when it should have been changed.

An input validation vulnerability was found in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible-server privileges. (CVE-2016-9587)

This LWN article has additional details.

CVE-2017-5007 chromium-browser: universal xss in blink
CVE-2017-5006 chromium-browser: universal xss in blink
CVE-2017-5008 chromium-browser: universal xss in blink
CVE-2017-5010 chromium-browser: universal xss in blink
CVE-2017-5011 chromium-browser: unauthorised file access in devtools
CVE-2017-5009 chromium-browser: out of bounds memory access in webrtc
CVE-2017-5012 chromium-browser: heap overflow in v8
CVE-2017-5013 chromium-browser: address spoofing in omnibox
CVE-2017-5014 chromium-browser: heap overflow in skia
CVE-2017-5015 chromium-browser: address spoofing in omnibox
CVE-2017-5018 chromium-browser: universal xss in chrome://apps
CVE-2017-5020 chromium-browser: universal xss in chrome://downloads
CVE-2017-5021 chromium-browser: use after free in extensions
CVE-2017-5022 chromium-browser: bypass of content security policy in blink
CVE-2017-5023 chromium-browser: type confusion in metrics
CVE-2017-5024 chromium-browser: heap overflow in ffmpeg
CVE-2017-5025 chromium-browser: heap overflow in ffmpeg
CVE-2017-5026 chromium-browser: ui spoofing

The avi_read_nikon function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to infinite loop when it decodes an AVI file that has a crafted 'nctg' structure. (CVE-2016-7122)

The ff_log2_16bit_c function in libavutil/intmath.h in FFmpeg before 3.1.4 is vulnerable to reading out-of-bounds memory when it decodes a malformed AIFF file. (CVE-2016-7450)

flatpak 0.8.2 release, fixing a security issue that could lead to sandbox escaping. For details, see https://github.com/flatpak/flatpak/releases/tag/0.8.2

A heap-buffer overflow caused by integer overflow was found in ghostscript's jbig2dec-0.13 (a decoder implementation of the JBIG2 image compression format). The vulnerability is caused by an Addition-1 integer overflow. The overflowed value is passed to function ‘malloc’ as the SIZE parameter and a buffer with zero size is allocated. Later, out-of-bound read/write can happen when accessing the buffer. Whether it’s an out-of-bound read vulnerability or out-of-bound write can be controlled by crafting the input .jb2 file. The vulnerability can cause Denial-of-Service or possibly corrupt some memory data.

Numerous vulnerabilities were discovered in ImageMagick, an image manipulation program. Issues include memory leaks, out of bound reads and missing checks.

Bug #1416437 - CVE-2017-5577 kernel: vc4: Heap-buffer overflow due to failing checks.

Bug #1416436 - CVE-2017-5576 kernel: vc4: Integer overflow in temporary allocation layout.

Bug #1416126 - CVE-2017-5551 kernel: S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix).

Bug #1416110 - CVE-2017-5548 kernel: Using stack for buffers in ieee802154.

Bug #1416101 - CVE-2016-10153 kernel: introduce ceph_crypt() for in-place en/decryption.

Bug #1416096 - CVE-2017-5547 kernel: DMA buffers on stack.

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. (CVE-2004-0230)

Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations. (CVE-2016-9685)

- CVE-2016-7055 (incorrect calculation): There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behavior. Even then only clients that chose the curve will be affected.

- CVE-2017-3731 (denial of service): If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.

- CVE-2017-3732 (information disclosure): There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.

An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.

CVE-2016-10167: Improper handling of issing image data can cause crash

CVE-2016-10168: GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 byte unsigned). These values are multiplied and assigned to an int when reading the image, what can cause integer overflows.

Multiple vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.

The base64decode function in base64.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data. (CVE-2017-5209)

The main function in plistutil.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short. (CVE-2017-5545)

Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file.

Tobias Stoeckmann discovered that the libXpm library contained two integer overflow flaws, leading to a heap out-of-bounds write, while parsing XPM extensions in a file. An attacker can provide a specially crafted XPM file that, when processed by an application using the libXpm library, would cause a denial-of-service against the application, or potentially, the execution of arbitrary code with the privileges of the user running the application.

The mbedtls package has been updated to version 1.3.18, which removes a non-default configuration option that could lead to session key recovery in very long TLS sessions and fixes a potential stack corruption that cannot be triggered remotely. See the mbed TLS release announcement for details.

Multiple security issues have been found in Ming. They may lead to the execution of arbitrary code or causing application crash.

CVE-2016-9264: global-buffer-overflow in printMP3Headers

CVE-2016-9265: divide-by-zero in printMP3Headers

CVE-2016-9266: left shift in listmp3.c

CVE-2016-9827: listswf: heap-based buffer overflow in _iprintf

CVE-2016-9828: listswf: heap-based buffer overflow in _iprintf

CVE-2016-9829: listswf: NULL pointer dereference in dumpBuffer

CVE-2016-9831: listswf: heap-based buffer overflow in parseSWF_RGBA

- CVE-2017-5374 (arbitrary code execution): Several memory safety bugs have been found in Firefox < 51. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

- CVE-2017-5377 (arbitrary code execution): A memory corruption vulnerability in Skia that can occur when using transforms to make gradients, resulting in a potentially exploitable crash.

- CVE-2017-5379 (arbitrary code execution): A use-after-free vulnerability has been found in Firefox < 51, in Web Animations, when interacting with cycle collection.

- CVE-2017-5381 (arbitrary file overwrite): The "export" function in the Firefox < 51 Certificate Viewer can force local filesystem navigation when the "common name" in a certificate contains slashes, allowing certificate content to be saved in unsafe locations with an arbitrary filename.

- CVE-2017-5382 (information disclosure): Feed preview for RSS feeds in Firefox < 51 can be used to capture errors and exceptions generated by privileged content, allowing for the exposure of internal information not meant to be seen by web content.

- CVE-2017-5384 (information disclosure): Proxy Auto-Config (PAC) files in Firefox < 51 can specify a JavaScript function called for all URL requests with the full URL path which exposes more information than would be sent to the proxy itself in the case of HTTPS. Normally the Proxy Auto-Config file is specified by the user or machine owner and presumed to be non-malicious, but if a user has enabled Web Proxy Auto Detect (WPAD) this file can be served remotely.

- CVE-2017-5385 (information disclosure): In Firefox < 51, data sent with in multipart channels, such as the multipart/x-mixed-replace MIME type, will ignore the referrer-policy response header, leading to potential information disclosure for sites using this header.

- CVE-2017-5387 (information disclosure) The existence of a specifically requested local file can be found in Firefox < 51 due to the double firing of the onerror when the source attribute on a <track> tag refers to a file that does not exist if the source page is loaded locally.

- CVE-2017-5388 (denial of service): In Firefox < 51, a STUN server in conjunction with a large number of webkitRTCPeerConnection objects can be used to send large STUN packets in a short period of time due to a lack of rate limiting being applied on e10s systems, allowing for a denial of service attack.

- CVE-2017-5389 (access restriction bypass): WebExtensions in Firefox < 51 could use the mozAddonManager API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission.

- CVE-2017-5391 (privilege escalation): In Firefox < 51, special about: pages used by web content, such as RSS feeds, can load privileged about: pages in an iframe. If a content- injection bug were found in one of those pages this could allow for potential privilege escalation.

- CVE-2017-5393 (access restriction bypass): The mozAddonManager in Firefox < 51 allows for the installation of extensions from the CDN for addons.mozilla.org, a publicly accessible site. This could allow malicious extensions to install additional extensions from the CDN in combination with an XSS attack on Mozilla AMO sites.

The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests.

CVE-2016-7056: A local timing attack was discovered against ECDSA P-256.

CVE-2016-8610: It was discovered that no limit was imposed on alert packets during an SSL handshake.

An information-disclosure flaw was discovered in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions. (CVE-2016-9590)

It has been found that rubygem archive-tar-minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.

- CVE-2017-5192 (arbitrary code execution): The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already- authenticated users and is only in effect when running salt-api as the `root` user.

- CVE-2017-5200 (arbitrary command execution): Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled.

It was found that shadow-utils-4.2.1 had a potentially unsafe use of getlogin with the concern that the utmp entry might have a spoofed username associated with a correct uid (CVE-2016-6251).

It was found that shadow-utils-4.2.1 had an incorrect integer handling problem where it looks like the int wrap is exploitable as a LPE, as the kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64) as returned by simple_strtoul() [map_write()]. (CVE-2016-6252).

Multiple vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service or the execution of arbitrary code.

Version 3.9.6-11+deb7u1 and 3.9.6-11+deb7u2 introduced changes that resulted in libtiff writing out invalid tiff files when the compression scheme in use relies on codec-specific TIFF tags embedded in the image.

Prevent the server from overflowing a buffer in the client, causing DoS or potentially code execution.

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: GUI). Supported versions that are affected are VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS v3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). (CVE-2016-5545)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Supported versions that are affected are VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS v3.0 Base Score 7.9 (Integrity and Availability impacts). (CVE-2017-3290)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: GUI). Supported versions that are affected are VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS v3.0 Base Score 8.4 (Confidentiality, Integrity and Availability impacts). (CVE-2017-3316)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: VirtualBox SVGA Emulation). Supported versions that are affected are VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS v3.0 Base Score 8.4 (Integrity and Availability impacts). (CVE-2017-3332)

wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. (CVE-2017-5610)

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. (CVE-2017-5611)

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. (CVE-2017-5612)

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30.0, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server.