Kurt Seifried | 19 Dec 00:38 2014

request for CVEs for git clients

Can we please get CVEs for
https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

In addition, the following updated versions of Git address this
vulnerability:

The Git core team has announced maintenance releases for all current
versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).

Git for Windows (also known as MSysGit) has released maintenance version
1.9.5.

The two major Git libraries, libgit2 and JGit, have released maintenance
versions with the fix. Third party software using these libraries is
strongly encouraged to update.

====

looks like most Linux users are ok though "The vulnerability concerns
Git and Git-compatible clients that access Git repositories in a
case-insensitive or case-normalizing filesystem."

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
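The GitHub post linked above concerns clients on case-insensitive or case-normalizing filesystems, where a tree entry such as ".Git/hooks/post-checkout" is written into the client's real .git directory. The following check, added here as an example and not code from Git or from the post, shows what a receiving client has to normalize before comparing a path component against ".git". Beyond the case folding the post mentions, it also handles the two normalizations the Git 2.2.1 fix covered on macOS and Windows: HFS+ ignores certain Unicode code points when comparing names, and NTFS strips trailing dots and spaces and exposes the directory under its 8.3 short name "GIT~1". The HFS_IGNORABLE set is reproduced from Git's protectHFS check to the best of my knowledge and should be treated as an assumption; the sample tree listing is constructed.

```python
# Code points HFS+ ignores when comparing file names, so ".g\u200cit" and ".git"
# are the same directory on a Mac. Reproduced from git's protectHFS check as far
# as I recall it (assumption, not taken from the post).
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def is_dotgit_component(name: str) -> bool:
    """True if this path component would land in the repository's .git
    directory on a case-insensitive or case-normalizing filesystem."""
    # Case-insensitive filesystems (Windows, default macOS): ".Git", ".GIT", ...
    if name.casefold() == ".git":
        return True
    # HFS+ drops the ignorable code points before comparing names.
    hfs = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    if hfs.casefold() == ".git":
        return True
    # NTFS strips trailing dots and spaces, and the directory is also reachable
    # through its 8.3 short name.
    ntfs = name.rstrip(" .").casefold()
    return ntfs in (".git", "git~1")


def unsafe_tree_paths(paths):
    """Return the tree paths a receiving client should refuse to check out,
    because some component of them resolves to .git on the local filesystem."""
    return [p for p in paths if any(is_dotgit_component(c) for c in p.split("/"))]


# Constructed sample listing, in the shape of `git ls-tree -r --name-only`.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    "src/.gitignore",
    ".github/workflows/ci.yml",
    ".Git/hooks/post-checkout",
    ".g\u200cit/hooks/post-checkout",
    "GIT~1/hooks/post-checkout",
    ".git./config",
]

if __name__ == "__main__":
    for path in unsafe_tree_paths(SAMPLE_TREE):
        print("refusing to check out:", path)
```

The first two entries that look similar to a human, ".gitignore" and ".github", pass, because the comparison is against the whole normalized component, not a prefix; only components that the local filesystem would actually map onto ".git" are refused.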

Andy Lutomirski | 18 Dec 20:35 2014

CVE Request: Linux x86_64 userspace address leak

On all* Linux x86_64 kernels, malicious user programs can learn the
TLS base addresses of threads** that they preempt.

In principle, this bug will allow programs to partially bypass ASLR
when attacking other user programs.  Figuring out how to adapt the
test code to do that is left as an exercise to the reader.

The bug is fixed here:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e

There's a test case in the patch description.

Note: the patch description mentions another unfixed bug and has a
test for that bug as well.  As far as I can tell, the other bug has no
security implications -- it merely allows a program to cause the
kernel to replace its segment bases with predictable values during the
next context switch.

* It's possible that I missed something and this bug was introduced
more recently.

** The attack won't work against 64-bit threads with TLS bases > 4GB,
but AFAIK that's unusual.  It also won't work against the small number
of programs using obsolete threading libraries that point their TLS
segments into the LDT.

--Andy

(Continue reading)

Andrea Barisani | 18 Dec 15:06 2014

[oCERT-2014-012] JasPer input sanitization errors

#2014-012 JasPer input sanitization errors

Description:

The JasPer project is an open source implementation for the JPEG-2000 codec.

The library is affected by a double-free vulnerability in function
jas_iccattrval_destroy() as well as a heap-based buffer overflow in function
jp2_decode().

A specially crafted jp2 file can be used to trigger the vulnerabilities.

Affected version:

JasPer <= 1.900.1

Fixed version:

JasPer, N/A

Credit: vulnerability report received from the Google Security Team.

CVE: CVE-2014-8137 (double-free), CVE-2014-8138 (heap overflow)

Timeline:

2014-12-10: vulnerability report received
2014-12-10: contacted affected vendors
2014-12-10: assigned CVEs
2014-12-18: patch contributed by Tomas Hoger from Red Hat Product Security
(Continue reading)

Florian Weimer | 18 Dec 10:52 2014

Embargoes for secondary issues

Suppose we have an unfixed, public issue, and while working on a fix, 
other issues in the same code are discovered which are different flaws, 
but have similar impact to the original issue.

Do we need an embargo for the secondary issues, or can we just make them 
public immediately?  I would strongly prefer the latter.

-- 
Florian Weimer / Red Hat Product Security

Tute Costa - thoughtbot | 17 Dec 19:29 2014

[CVE-2014-8144] CSRF vulnerability in doorkeeper

Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
and earlier allows remote attackers to hijack the user's OAuth
authorization code. This vulnerability has been assigned the CVE
identifier CVE-2014-8144.

Versions Affected:  1.4.0 and below
Fixed Versions:     1.4.1, 2.0.0

Impact
------

Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
on the Internet can then read a user's authorization code with
arbitrary scope from any Doorkeeper-compatible Rails app you are
logged in to.

Releases
--------

The 1.4.1 and 2.0.0 releases are available at
https://rubygems.org/gems/doorkeeper and
https://github.com/doorkeeper-gem/doorkeeper.

Upgrade Process
---------------

Upgrade doorkeeper version at least to 1.4.1.

Workarounds
-----------
(Continue reading)

Tute Costa | 17 Dec 18:57 2014

CSRF vulnerability in doorkeeper OAuth provider rubygem

Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
and earlier allows remote attackers to hijack the user's OAuth
authorization code. This vulnerability has been assigned the CVE
identifier CVE-2012-5664.

Versions Affected:  1.4.0 and below
Fixed Versions:     1.4.1, 2.0.0

Impact
------

Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
on the Internet can then read a user's authorization code with
arbitrary scope from any Doorkeeper-compatible Rails app you are
logged in to.

Releases
--------

The 1.4.1 and 2.0.0 releases are available at
https://rubygems.org/gems/doorkeeper and
https://github.com/doorkeeper-gem/doorkeeper.

Upgrade Process
---------------

Upgrade doorkeeper version at least to 1.4.1.

Workarounds
-----------
(Continue reading)
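Both doorkeeper advisories above describe the same root cause: the authorization endpoint accepted the POST that issues a code without any proof that the request came from the provider's own consent page, so the browser's session cookie alone was enough. The toy endpoint below is an added example, not doorkeeper's code or the advisory author's; it models the unpatched behaviour and the fix side by side using a session-bound synchronizer token, which is what a Rails app's forgery protection provides. Client registration, session identifiers, status codes and error names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed client registration; a real provider looks this up in its database.
REGISTERED_CLIENTS = {
    "demo-client": "https://client.example/callback",
}


class AuthorizationEndpoint:
    """Minimal OAuth 2 authorization endpoint: the POST that issues a code.

    protect_from_forgery=False reproduces the unpatched behaviour described in
    the advisory: a form auto-submitted from any page the browser visits
    carries the session cookie, so the code is issued to that page's request.
    """

    def __init__(self, csrf_secret: bytes, protect_from_forgery: bool = True):
        self.csrf_secret = csrf_secret
        self.protect_from_forgery = protect_from_forgery
        self.issued = {}  # code -> (session_id, client_id)

    def csrf_token(self, session_id: str) -> str:
        """Token rendered into the same-origin consent form. Binding it to the
        session means a token obtained in another session does not verify."""
        return hmac.new(self.csrf_secret, session_id.encode(), hashlib.sha256).hexdigest()

    def handle_post(self, session_id, client_id, redirect_uri, csrf_token=None):
        if self.protect_from_forgery:
            expected = self.csrf_token(session_id)
            # compare_digest keeps the comparison constant-time.
            if csrf_token is None or not hmac.compare_digest(expected, csrf_token):
                return {"status": 422, "error": "invalid_authenticity_token"}
        # Ordinary OAuth hygiene, independent of CSRF: the redirect target must
        # be the one registered for the client.
        if REGISTERED_CLIENTS.get(client_id) != redirect_uri:
            return {"status": 400, "error": "invalid_redirect_uri"}
        code = secrets.token_urlsafe(32)
        self.issued[code] = (session_id, client_id)
        return {"status": 302, "location": f"{redirect_uri}?code={code}"}


def demo():
    """Send the same three requests to a vulnerable and a patched endpoint."""
    secret = secrets.token_bytes(32)
    session = "sess-victim"  # the logged-in user's session cookie (constructed)
    redirect = REGISTERED_CLIENTS["demo-client"]
    results = {}
    for label, protect in (("vulnerable", False), ("patched", True)):
        ep = AuthorizationEndpoint(secret, protect_from_forgery=protect)
        # Cross-site form post: cookie attached, token unknown to the other origin.
        results[f"{label}_cross_site"] = ep.handle_post(
            session, "demo-client", redirect)["status"]
        # Same-origin consent form: carries the token rendered for this session.
        results[f"{label}_same_origin"] = ep.handle_post(
            session, "demo-client", redirect, csrf_token=ep.csrf_token(session))["status"]
        # A token minted for a different session must not verify either.
        results[f"{label}_wrong_session"] = ep.handle_post(
            session, "demo-client", redirect, csrf_token=ep.csrf_token("sess-other"))["status"]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28s} -> {status}")
```

The vulnerable configuration returns 302 with a code for all three requests; the patched one only for the same-origin form. The point of the check is that the token is readable only by documents from the provider's origin, so an unrelated HTML document can cause the browser to send the cookie but cannot supply the token.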

Marcus Meissner | 17 Dec 18:00 2014

What is the "Grinch" polkit/wheel group issue?

Hi,

This probably needs a CVE too, or does it have one?

https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/
http://www.pcworld.com/article/2860032/this-linux-grinch-could-put-a-hole-in-your-security-stocking.html

Although it seems that the user must be in the "wheel" group for this to be exploitable,
and it is hard to specify which actions should be safeguarded by another query and which should not.

Ciao, Marcus

P J P | 17 Dec 12:02 2014

CVE Request Linux kernel: fs: isofs: infinite loop in CE records

Hello,

Linux kernel built with the iso9660 file system(CONFIG_ISO9660_FS) support is 
vulnerable to an infinite recursion loop flaw, which could lead to a crash or 
render a system unresponsive/unusable after a while. This occurs while 
mounting an iso9660 image.

An unprivileged user/process could use this flaw to crash the system resulting 
in DoS.

Upstream fix:
-------------
-> https://git.kernel.org/linus/f54e18f1b831c92f6512d2eedb224cd63d607d3d

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Alexander Cherepanov | 17 Dec 01:44 2014

CVE request: file(1) DoS

Hi!

There are two more DoSes fixed in ELF parser of file(1), similar to the 
recent CVE-2014-8116.

1. Limit the number of ELF notes processed
Report: http://mx.gw.com/pipermail/file/2014/001653.html
Fix: 
https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4

2. Limit string printing to 100 chars
Report: http://mx.gw.com/pipermail/file/2014/001654.html
Fix: 
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

Both problems are amplified by the fact that the same section in an ELF file 
can be referenced and processed by file(1) multiple times. This is also 
fixed in the first commit linked above.

Could CVE(s) please be assigned?

-- 
Alexander Cherepanov
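The two file(1) fixes above are both resource caps in a parser driven by attacker-controlled lengths: stop after a fixed number of ELF notes, clip the strings that get printed, and do not process the same byte range twice just because several headers point at it. The parser below is an added example written for this post, not file(1)'s code; it implements those three defences on a PT_NOTE segment. The caps (256 notes, 100 characters) are constants chosen here, the 100 matching the limit named in the post; the ELF image it parses is constructed in the block.

```python
import struct

# Caps for this example (constructed). The post's second commit clips printed
# strings to 100 chars; its first commit limits how many notes are processed.
MAX_NOTES = 256
MAX_STRING = 100


def make_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Build one ELF note: Elf_Nhdr (namesz, descsz, type), then the owner
    name and the descriptor, each padded to a 4-byte boundary. Used only to
    construct sample input for this example."""
    name = name + b"\0"

    def pad(b):
        return b + b"\0" * (-len(b) % 4)

    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)


def parse_notes(segment: bytes, max_notes: int = MAX_NOTES, max_string: int = MAX_STRING):
    """Walk a PT_NOTE segment. Stops after max_notes entries, clips the owner
    name to max_string characters and never reads past the buffer.
    Returns (notes, hit_limit)."""
    notes, off = [], 0
    while off + 12 <= len(segment):
        if len(notes) >= max_notes:
            return notes, True
        namesz, descsz, ntype = struct.unpack_from("<III", segment, off)
        off += 12
        if namesz > len(segment) - off:
            break  # hostile namesz: stop instead of moving the cursor past the end
        name = segment[off:off + namesz].rstrip(b"\0").decode("latin-1")[:max_string]
        off += namesz + (-namesz % 4)
        if descsz > len(segment) - off:
            break
        desc = segment[off:off + descsz]
        off += descsz + (-descsz % 4)
        notes.append((name, ntype, desc))
    return notes, False


def scan_note_segments(blob: bytes, headers):
    """headers: (offset, size) pairs taken from program or section headers.
    Several headers may reference the same bytes; each range is parsed once,
    so duplicated headers cannot multiply the work done per file."""
    seen, notes, hit_limit = set(), [], False
    for off, size in headers:
        if (off, size) in seen or off < 0 or size < 0 or off + size > len(blob):
            continue
        seen.add((off, size))
        parsed, hit = parse_notes(blob[off:off + size])
        notes.extend(parsed)
        hit_limit = hit_limit or hit
    return notes, hit_limit, len(seen)


def demo():
    """Constructed image: a well-formed ABI-tag style note, a note whose owner
    name is 5000 bytes long, and a flood of 10,000 tiny notes. The headers
    reference the first range three times."""
    abi_tag = make_note(b"GNU", 1, struct.pack("<IIII", 0, 2, 6, 32))
    long_owner = make_note(b"A" * 5000, 0x1234, b"")
    flood = make_note(b"X", 1, b"") * 10_000
    blob = abi_tag + long_owner + flood
    good = (0, len(abi_tag) + len(long_owner))
    flood_hdr = (good[1], len(flood))
    notes, hit, ranges = scan_note_segments(blob, [good, good, good])
    flood_notes, flood_hit, _ = scan_note_segments(blob, [flood_hdr])
    return {
        "names": [n for n, _, _ in notes],
        "ranges_parsed": ranges,
        "hit_limit": hit,
        "flood_count": len(flood_notes),
        "flood_hit_limit": flood_hit,
    }


if __name__ == "__main__":
    print(demo())
```

With the caps in place the 5000-byte owner name comes back as 100 characters, the triplicated header is parsed once, and the flood stops at 256 notes with hit_limit set, which is the signal a tool can use to report the file as malformed rather than keep going.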

Florian Weimer | 16 Dec 19:00 2014

mailx issues (CVE-2004-2771, CVE-2014-7844)

It turns out that various versions of mailx have shell command injection 
via crafted email addresses.  These issues are different from the 
POSIX-mandated shell escape in email bodies (“~!”), which most 
implementations switch off when the input is not a terminal.

There are two main branches of mailx these days, Heirloom mailx and BSD 
mailx.

Heirloom mailx appears defunct upstream.

For BSD mailx, OpenBSD seems the canonical source these days.  I 
discussed these issues with Todd Miller, who kindly provided patches for 
their version.

*** Heirloom mailx ***

For Heirloom mailx, the numbered patches address the following issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses 
by default.  That avoids a direct command injection with syntactically 
valid email addresses starting with “|”.

Such addresses can be specified both on the command line, the mail 
headers (with “-t”) or in address lines copied over from previous mail 
while replying.

This was assigned CVE-2014-7844 for some versions of BSD mailx.  It is 
documented behavior for Heirloom mailx, and was mentioned in an old 
technical report about BSD mailx (which does not usually make its way 
into operating system installations).  The patch switches off this 
(Continue reading)

Ipstenu (Mika Epstein) | 16 Dec 18:36 2014

Re: Re: CVE-2014-9119: DB Backup plugin for WordPress download.php file


Thanks, we handled this 11 days ago.

> https://wpvulndb.com/vulnerabilities/7726 thanks!
> 
> On Tue, Dec 16, 2014 at 5:51 PM, Henri Salo <henri@...> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Product: WordPress plugin db-backup
> > Plugin page: https://wordpress.org/plugins/db-backup/
> > Developer: Syed Amir Hussain "syedamirhussain91"
> > Vulnerability Type: Remote Path Traversal File Access
> > CWE-23: Relative Path Traversal
> > Vulnerable Versions: 4.5 and earlier
> > Fixed Version: N/A
> > Vendor Notification: 2014-11-27
> > Public Disclosure: 2014-12-16
> > CVE Reference: CVE-2014-9119
> > Criticality: High
> >
> > Vulnerability details:
> >
> > DB Backup plugin for WordPress contains a flaw that allows traversing
> > outside of a restricted path. The issue is due to the download.php script
> > not properly sanitizing user input, specifically path traversal style
> > attacks (e.g. '../').
(Continue reading)
