Kristian Fiskerstrand | 1 Sep 23:30 2014

CVE assignment for c-icap Server


Hi,

[0] lists a vulnerability for c-icap Server as:  "contains a flaw in
the parse_request() function of request.c that may allow a remote
denial of service. The issue is triggered when the buffer fails to
contain a ' ' or '?' symbol, which will cause the end pointer to
increase and surpass allocated memory. With a specially crafted
request (e.g. via the OPTIONS method), a remote attacker can cause a
loss of availability for the program." as described in [1]. From what
I can see this was fixed in [2].

Has a CVE been assigned to this issue already? If not, I request that
one is assigned.

References:
[0] http://www.osvdb.org/show/osvdb/89304
[1] http://osvdb.org/ref/89/c-icap.txt
[2] http://sourceforge.net/p/c-icap/code/1018/

-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Veni vidi visa
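
The bug class in the report above (a scan for ' ' or '?' that keeps
advancing when the request contains neither) beside a bounded version,
as an added example in C. This is not c-icap's code and the function
names (uri_end_unbounded, uri_end_bounded, parse_request_line) are
hypothetical; the request line is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not c-icap code: the delimiter-scan bug class described in
 * the report, beside a bounded version. Function names are hypothetical.
 *
 * An ICAP request line looks like   OPTIONS icap://proxy/echo ICAP/1.0
 * After the method the URI is scanned up to ' ' (end of URI) or '?' (query).
 */

/* Unbounded scan: only a delimiter stops it. If the request contains neither
 * ' ' nor '?' after the URI, the pointer walks past the end of the request.
 * The caller supplies a larger backing buffer so this stays runnable; the
 * return value shows how far the scan went. */
size_t uri_end_unbounded(const char *uri, size_t uri_cap)
{
    const char *p = uri;
    (void)uri_cap;                       /* the bug: the length is never consulted */
    while (*p != ' ' && *p != '?')
        p++;
    return (size_t)(p - uri);
}

/* Bounded scan: never looks beyond `uri_cap` bytes and reports "no delimiter"
 * as -1 so the caller can reject the request instead of guessing an end. */
long uri_end_bounded(const char *uri, size_t uri_cap)
{
    for (size_t i = 0; i < uri_cap; i++)
        if (uri[i] == ' ' || uri[i] == '?')
            return (long)i;
    return -1;
}

/* Locate the URI in "METHOD URI[?query] VERSION". Returns 0 and fills the
 * offset/length on success, -1 on any malformed or truncated line. */
int parse_request_line(const char *line, size_t len,
                       size_t *uri_off, size_t *uri_len)
{
    const char *sp = memchr(line, ' ', len);
    if (sp == NULL)
        return -1;                        /* no method/URI separator */
    size_t off = (size_t)(sp - line) + 1;
    if (off >= len)
        return -1;                        /* line ends right after the method */
    long end = uri_end_bounded(line + off, len - off);
    if (end <= 0)
        return -1;                        /* empty URI, or no ' ' / '?' follows it */
    *uri_off = off;
    *uri_len = (size_t)end;
    return 0;
}

/* Constructed input: a request line with nothing after the URI. */
#define DEMO_REQ "OPTIONS icap://proxy/echo"

/* How many bytes beyond the request the unbounded scan read before it found a
 * space. The space is planted at the end of a 64-byte backing buffer so the
 * over-read stays inside memory we own. */
size_t demo_unbounded_overrun(void)
{
    char backing[64];
    memset(backing, 'X', sizeof backing);
    backing[sizeof backing - 1] = ' ';
    size_t req_len = strlen(DEMO_REQ);       /* 25 */
    memcpy(backing, DEMO_REQ, req_len);
    size_t uri_off = strlen("OPTIONS ");     /* 8 */
    size_t end = uri_end_unbounded(backing + uri_off, req_len - uri_off);
    return (uri_off + end) - req_len;
}

/* Bounded parse of a nul-terminated line; returns parse_request_line's result
 * and the URI length. */
int demo_bounded(const char *line, size_t *uri_len)
{
    size_t off = 0, n = 0;
    int rc = parse_request_line(line, strlen(line), &off, &n);
    *uri_len = n;
    return rc;
}

int main(void)
{
    size_t n = 0;
    printf("unbounded scan over-read %zu bytes past the request\n",
           demo_unbounded_overrun());
    printf("bounded parse of \"%s\": rc=%d\n", DEMO_REQ, demo_bounded(DEMO_REQ, &n));
    demo_bounded("OPTIONS icap://proxy/echo?x=1 ICAP/1.0", &n);
    printf("URI length with query present: %zu\n", n);
    return 0;
}
```

The bounded parser treats "no delimiter found" as a protocol error and
returns before touching anything past `len`; the unbounded variant has no
way to express that case and simply keeps reading.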

Murray McAllister | 1 Sep 02:53 2014

CVE-2014-3565, net-snmp: snmptrapd crash

Good morning,

CVE-2014-3565 was assigned to the following:

A remote denial-of-service flaw was found in the way snmptrapd handled
certain SNMP traps when started with the "-OQ" option. If an attacker
sent an SNMP trap containing a variable with a NULL type where an
integer variable type was expected, it would cause snmptrapd to crash.

http://sourceforge.net/p/net-snmp/code/ci/7f4a7b891332899cea26e95be0337aae01648742/
https://bugzilla.redhat.com/show_bug.cgi?id=1125155

Upstream do not consider it a serious issue as very few people
use the "-OQ" option. It should be fixed in a new release due soon.

--
Murray McAllister / Red Hat Product Security

Jorge Manuel B. S. Vicetto | 31 Aug 03:10 2014

Fwd: ezmlm warning

Hi.

I'm forwarding this email to the ml as I just noticed this is the 3rd
time since Jun 19th that, because of DMARC, emails from some members are
being rejected by receivers' domains, like gmail for me. As I don't
recall reading about this topic before in this ml, I'm raising the
issue in case others are unaware and start getting warnings for losing
emails or are surprised by some members not getting their emails.
From the warnings sent to me, this seems to have affected messages
with numbers 10358, 10965, 10969, 10972, 13596 and 13652.
I'm not sure if at this point there's anything that can be done by
members to avoid losing emails - except perhaps using a different mail
service or hosting their own as it seems unlikely that gmail, yahoo
and others can be forced to change their policies.
I first heard about this from my colleague at Gentoo Robin H. Johnson
(robbat2), who raised this issue with the IETF[1]. I see that gmail
now has a support article about it as well[2].

 [1] - http://www.ietf.org/mail-archive/web/ietf/current/msg87171.html
 [2] - https://support.google.com/mail/answer/2451690

Regards,

Jorge Manuel B. S. Vicetto
Gentoo Developer

---------- Forwarded message ----------
From:  <oss-security-help@...>
Date: Sat, Aug 30, 2014 at 10:47 AM
Subject: ezmlm warning

Nicolas Guigo | 29 Aug 23:09 2014

RE: CVE requests for 2 separate vulns in torrentflux 2.4.5-1 (debian stable)

[cced debian security and package maintainer]

-----Original Message-----
From: Nicolas Guigo
Sent: Friday, August 29, 2014 2:08 PM
To: 'oss-security@...'
Subject: CVE requests for 2 separate vulns in torrentflux 2.4.5-1 (debian 
stable)

Hi oss-sec,

Please find the vulns descriptions at the below links:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759574
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759573

thanks!
Nicolas

--
Nicolas Guigo
Senior Security Engineer
iSEC Partners (NCC GROUP)
(206) 948-3687
9C80 28B2 F016 4DA4 24C9  D1D7 129C FDF6 0CDC B828

Attachment (smime.p7s): application/pkcs7-signature, 6152 bytes

Salvatore Bonaccorso | 29 Aug 18:39 2014

CVE Request: Clipboard Perl module: clipedit: insecure use of temporary files

Hi

The Clipboard Perl module distribution [1] ships a small script
'clipedit' which insecurely uses temporary files by using the pid of
the process in the used filename in /tmp[2]. The affected code looks
like:

 [...]
 my $tmpfilename = "/tmp/clipedit$$";
 open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!";
 print $tmpfile $orig;
 close $tmpfile;
 [...]
 system($ed, $tmpfilename);

 open $tmpfile, $tmpfilename or die "Failure to open $tmpfilename: $!";
 my $edited = join '', <$tmpfile>;
 [...]
 unlink($tmpfilename) or die "Couldn't remove $tmpfilename: $!";

Could you assign a CVE for this issue?

 [1] https://metacpan.org/release/Clipboard
 [2] https://rt.cpan.org/Ticket/Display.html?id=98435

Regards,
Salvatore
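
The same mistake and its fix, as an added example in C rather than Perl
(clipedit is a Perl script; this is not the Clipboard module's code, and
open_predictable, open_exclusive, open_unpredictable and run_demo are
hypothetical names). "/tmp/clipedit$$" is guessable from the pid and is
opened create-and-truncate, which follows a symlink planted at that name;
mkstemp(3) creates a random name with O_CREAT|O_EXCL and mode 0600. The
demonstration plants the link itself inside a private directory it makes
under $TMPDIR (default /tmp) and removes everything afterwards.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not the Clipboard module's code: the predictable-tmpfile
 * pattern from clipedit, rewritten with the POSIX calls Perl ends up making,
 * beside the exclusive-create and mkstemp() alternatives. */

/* Insecure pattern: predictable name, create-or-truncate, follows symlinks. */
int open_predictable(const char *dir, pid_t pid, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/clipedit%ld", dir, (long)pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Same fixed name with O_EXCL: fails with EEXIST if anything, including a
 * symlink, already sits at the name. Still guessable, so only a partial fix;
 * shown to make the change in failure mode (clobber vs. error) visible. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Secure pattern: random name, atomic exclusive create, mode 0600. */
int open_unpredictable(const char *dir, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/clipedit.XXXXXX", dir);
    return mkstemp(path);
}

struct demo_result {
    int clobbered;      /* 1 if the victim file was overwritten through the link */
    int excl_refused;   /* 1 if O_EXCL failed with EEXIST on the planted link */
    int mkstemp_ok;     /* 1 if mkstemp gave a fresh 0600 file under a new name */
};

/* Plant a symlink at the predictable name pointing at a "victim" file, then
 * exercise the three open strategies. Returns 0 on success (results in *r),
 * -1 if the environment did not let the demonstration run. */
int run_demo(struct demo_result *r)
{
    const char *base = getenv("TMPDIR");
    char dir[512], victim[512], path[512], tmp[512], buf[16];
    struct stat st;
    ssize_t got;
    int fd, rc = -1;

    snprintf(dir, sizeof dir, "%s/clipdemo.XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    memset(r, 0, sizeof *r);

    snprintf(victim, sizeof victim, "%s/victim", dir);      /* file the attacker targets */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) goto out;
    close(fd);

    snprintf(path, sizeof path, "%s/clipedit%ld", dir, (long)getpid());
    if (symlink(victim, path) != 0) goto out;                /* attacker's planted link */

    /* 1. predictable open follows the link and truncates the victim */
    fd = open_predictable(dir, getpid(), path, sizeof path);
    if (fd < 0) goto out;
    if (write(fd, "edited", 6) != 6) { close(fd); goto out; }
    close(fd);
    fd = open(victim, O_RDONLY);
    if (fd < 0) goto out;
    got = read(fd, buf, sizeof buf);
    close(fd);
    r->clobbered = (got == 6 && memcmp(buf, "edited", 6) == 0);

    /* 2. same name with O_EXCL refuses because the link exists */
    fd = open_exclusive(path);
    r->excl_refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);

    /* 3. mkstemp: new name, exclusive create, 0600 */
    fd = open_unpredictable(dir, tmp, sizeof tmp);
    if (fd >= 0) {
        r->mkstemp_ok = (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600 &&
                         strcmp(tmp, path) != 0);
        close(fd);
        unlink(tmp);
    }
    rc = 0;
out:
    unlink(path);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) { perror("demo setup"); return 1; }
    printf("predictable name clobbered victim: %d\n", r.clobbered);
    printf("O_EXCL refused planted link:       %d\n", r.excl_refused);
    printf("mkstemp gave fresh 0600 file:      %d\n", r.mkstemp_ok);
    return 0;
}
```

In Perl the equivalent of step 3 is File::Temp's tempfile(), which wraps
the same mkstemp() semantics; the editor is then handed the random name
instead of "/tmp/clipedit$$".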

Florian Weimer | 29 Aug 14:24 2014

CVE request: glibc character set conversion from IBM code pages

In 2012, a crasher in IBM930 decoding was reported and fixed:

<https://sourceware.org/bugzilla/show_bug.cgi?id=14134>
<https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=6e230d11837f3a>

This change went into glibc 2.16.

Today, Adhemerval Zanella Netto reported crashers in additional code page 
decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364):

<https://sourceware.org/bugzilla/show_bug.cgi?id=17325>
<https://sourceware.org/ml/libc-alpha/2014-08/msg00473.html>

Upstream commit is still pending.

These crashers are out-of-bounds reads at a fixed offset relative to the 
data segment of a DSO, and in all cases I've seen, they were right in 
the middle of an unmapped segment of the same DSO.  This means that 
these bugs are just crashers, but they can still result in 
denial-of-service conditions.

Since the affected version ranges are not identical, this needs two 
separate CVE identifiers, probably one from 2012 and one from 2014.

-- 
Florian Weimer / Red Hat Product Security
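
The bug class Florian describes (a decoder that turns input bytes into a
table index without a range check, so the read lands at a fixed distance
from the table in the DSO's data segment) as an added example in C. This
is not glibc's code and the tables, code points and byte ranges are
constructed for the demonstration, not the IBM930/IBM939 tables; what it
keeps from those code pages is the SO/SI switch between one-byte and
two-byte mode, because a crafted byte after SO is where the index comes
from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not glibc code. A toy decoder for a stateful EBCDIC-style
 * double-byte code page: SO (0x0E) switches to two-byte mode, SI (0x0F) back
 * to one-byte mode, and each two-byte pair indexes a conversion table. The
 * tables and code points are constructed for the demonstration. The point is
 * the range check that stops a crafted lead/trail byte from reading outside
 * the table.
 */

#define SO 0x0E
#define SI 0x0F
#define DB_LEAD_MIN  0x41
#define DB_LEAD_MAX  0x44
#define DB_TRAIL_MIN 0x41
#define DB_TRAIL_MAX 0x44
#define DB_ROWS (DB_LEAD_MAX - DB_LEAD_MIN + 1)
#define DB_COLS (DB_TRAIL_MAX - DB_TRAIL_MIN + 1)
#define DB_TABLE_SIZE ((size_t)DB_ROWS * DB_COLS)

/* Constructed two-byte table: pair (lead, trail) -> U+3041 + index. */
static const uint32_t db_table[DB_TABLE_SIZE] = {
    0x3041, 0x3042, 0x3043, 0x3044,
    0x3045, 0x3046, 0x3047, 0x3048,
    0x3049, 0x304A, 0x304B, 0x304C,
    0x304D, 0x304E, 0x304F, 0x3050,
};

/* Constructed one-byte table: a handful of EBCDIC positions, 0 = unassigned. */
static uint32_t sb_lookup(uint8_t b)
{
    switch (b) {
    case 0x40: return ' ';
    case 0xC1: return 'A';
    case 0xC2: return 'B';
    case 0xC3: return 'C';
    default:   return 0;
    }
}

/* Index computation exactly as an unchecked decoder would do it. A lead byte
 * above DB_LEAD_MAX lands past the end of db_table; one below DB_LEAD_MIN
 * underflows to a huge offset. db_table is static data, so the bad read sits
 * at a fixed distance from the DSO's data segment, which in the cases the
 * report describes is an unmapped page: a crash, not a leak. */
size_t dbcs_index_unchecked(uint8_t lead, uint8_t trail)
{
    return (size_t)((lead - DB_LEAD_MIN) * DB_COLS + (trail - DB_TRAIL_MIN));
}

/* Decode `n` input bytes into `out` (capacity `outcap`). Returns the number
 * of code points written, or -1 for an invalid or truncated sequence. The
 * range check before the table read is the missing piece in the bug class. */
long decode_dbcs(const uint8_t *in, size_t n, uint32_t *out, size_t outcap)
{
    int two_byte = 0;
    size_t o = 0;

    for (size_t i = 0; i < n; ) {
        uint8_t b = in[i];
        if (b == SO) { two_byte = 1; i++; continue; }
        if (b == SI) { two_byte = 0; i++; continue; }
        if (o >= outcap)
            return -1;                          /* output buffer exhausted */

        if (!two_byte) {
            uint32_t cp = sb_lookup(b);         /* every byte value is handled */
            if (cp == 0)
                return -1;                      /* unassigned single byte */
            out[o++] = cp;
            i++;
        } else {
            if (i + 1 >= n)
                return -1;                      /* lead byte without a trail byte */
            uint8_t trail = in[i + 1];
            if (b < DB_LEAD_MIN || b > DB_LEAD_MAX ||
                trail < DB_TRAIL_MIN || trail > DB_TRAIL_MAX)
                return -1;                      /* would index outside db_table */
            out[o++] = db_table[dbcs_index_unchecked(b, trail)];  /* now in range */
            i += 2;
        }
    }
    return (long)o;
}

/* Constructed inputs for the demonstration. */
static const uint8_t good_input[] = { 0xC1, SO, 0x41, 0x42, SI, 0xC2 };
static const uint8_t bad_lead[]   = { SO, 0xFE, 0x41 };
static const uint8_t truncated[]  = { SO, 0x41 };

int main(void)
{
    uint32_t out[8];
    printf("good input: %ld code points\n", decode_dbcs(good_input, sizeof good_input, out, 8));
    printf("bad lead byte: %ld\n", decode_dbcs(bad_lead, sizeof bad_lead, out, 8));
    printf("truncated pair: %ld\n", decode_dbcs(truncated, sizeof truncated, out, 8));
    printf("unchecked index for (0xFE,0x41): %zu (table has %zu entries)\n",
           dbcs_index_unchecked(0xFE, 0x41), DB_TABLE_SIZE);
    return 0;
}
```

The unchecked index for (0xFE, 0x41) is 756 against a 16-entry table;
in a real converter the table is far larger, but the distance from the
table to the first unmapped page is fixed by the DSO layout, which is why
the same crafted input crashes the same way on every run.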

Pierre Schweitzer | 28 Aug 18:42 2014

Full disclosure: denial of service in srvx

Hi all,

ZeRoFiGhter and I (Pierre Schweitzer), at OnlineGamesNet.net, discovered
the following issue on OnlineGamesNet.net on the 14th of July.

This is full disclosure of a denial of service security issue in srvx
software (http://www.srvx.net/). The vendor was contacted a month ago (on
the 16th of July) and acknowledged receipt of the issue and the
patches. The issue is today still unfixed in the development trunk.

1 - Description:
=========
When configuring the HelpServ bots in srvx, there is no bounds check for
the intervals at which various functions are executed (for instance the
EmptyInterval parameter). These parameters can be accessed and set by
either IRCops (with access to the OpServ bot) or by HelpServ bot managers
(who are not required to be IRCops).

Putting an extremely high value to these parameters, such as
184467440723049 will lead to an integer overflow. When attempting to
queue the function execution, srvx will add it in the past, will attempt
to execute it immediately and thus will loop forever on this, and will
finally crash due to memory exhaustion.

Furthermore, any restart of the service will not be possible, as the
value is stored in the configuration file. It will be required to
manually edit the configuration file to correct the wrongly set values
for the bot.

2 - How to reproduce:
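
The failure chain described in section 1 (oversized interval, wrapped
deadline, timer fired again and again in the same tick) as an added
example in C. This is not srvx's code: the timer is modelled with an
unsigned 32-bit second counter (an assumption, since srvx's own types are
not on the page), INTERVAL_MAX is an assumed policy cap, and the function
names are hypothetical. The value 184467440723049 is the one from the
report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not srvx code. A periodic timer takes its interval from a
 * configuration value, as the report describes for HelpServ's EmptyInterval.
 * The timestamp is modelled as an unsigned 32-bit count of seconds (an
 * assumption for the demonstration).
 */

#define INTERVAL_MAX (366UL * 24 * 3600)   /* assumed policy cap: one year */

/* Unchecked: the string is converted and stored as-is. A value that does not
 * fit is silently truncated, and now + interval can wrap to a time that is
 * already in the past. */
uint32_t interval_unchecked(const char *cfg)
{
    return (uint32_t)strtoull(cfg, NULL, 10);
}

uint32_t next_run_unchecked(uint32_t now, const char *cfg)
{
    return now + interval_unchecked(cfg);   /* modular wrap if the sum exceeds 2^32-1 */
}

/* Checked: reject garbage, out-of-range and zero values at configuration time,
 * before anything is written to the config file (which is also what makes the
 * restart problem from the report impossible). */
int parse_interval(const char *cfg, uint32_t *out)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(cfg, &end, 10);
    if (errno == ERANGE || end == cfg || *end != '\0')
        return -1;                       /* not a clean decimal number */
    if (v < 1 || v > INTERVAL_MAX)
        return -1;                       /* outside the documented bound */
    *out = (uint32_t)v;
    return 0;
}

/* Checked scheduling: refuse a deadline that would wrap instead of landing
 * strictly after `now`. */
int next_run_checked(uint32_t now, uint32_t interval, uint32_t *next)
{
    if (interval == 0 || interval > UINT32_MAX - now)
        return -1;
    *next = now + interval;
    return 0;
}

/* Simulated dispatcher pass: fire every timer whose deadline has passed and
 * reschedule it with the unchecked arithmetic. With a wrapped interval the new
 * deadline is again in the past, so the loop never leaves this tick; `cap`
 * stands in for "until memory runs out". Returns the number of firings. */
unsigned run_tick(uint32_t now, uint32_t next, uint32_t interval, unsigned cap)
{
    unsigned fired = 0;
    while (next <= now && fired < cap) {
        fired++;
        next = now + interval;
    }
    return fired;
}

int main(void)
{
    const char *bad = "184467440723049";      /* value from the report */
    uint32_t now = 1409187600u;               /* constructed "current time" */
    uint32_t v = 0;
    printf("unchecked next run: %u (now is %u)\n", next_run_unchecked(now, bad), now);
    printf("firings in one tick: %u\n", run_tick(now, now, interval_unchecked(bad), 1000));
    printf("parse_interval(\"%s\") = %d\n", bad, parse_interval(bad, &v));
    printf("parse_interval(\"60\") = %d, v = %u\n", parse_interval("60", &v), v);
    return 0;
}
```

Both checks matter: parse_interval keeps the bad value out of the
configuration file, and next_run_checked catches a deadline that would
wrap even for a value that passed the cap at a later "now".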

Robert Scheck | 28 Aug 13:13 2014

Zarafa WebApp < 1.6 affected by CVE-2010-4207 or CVE-2012-5881

Hello,

I discovered that Zarafa WebApp < 1.6 is affected by CVE-2010-4207 or
CVE-2012-5881 (depends on WebApp version) as it bundles charts.swf by
YUI, see http://yuilibrary.com/support/20121030-vulnerability/ for the
list of affected md5sums.

[root@tux ~]# rpm -q zarafa-webapp
zarafa-webapp-1.5-44025.noarch
[root@tux ~]#

[root@tux ~]# rpm -ql zarafa-webapp | grep charts.swf | xargs md5sum
923c8afe50fc45ed42d92d6ab83b11f6 /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
[root@tux ~]#

I don't know how to abuse this, but upstream's notice "This defect allows
JavaScript injection exploits to be created against domains that host
these affected .swf files, whether or not the .swf files are embedded
in your application." seems important enough for this heads-up.

Given that Zarafa WebApp 1.6 (final release) happened on 2014-07-21
there might be distributions/downstreams still shipping Zarafa WebApp
1.5. Zarafa WebApp does not use that file so removing it on packaging
level is fine. Fedora is not affected; it doesn't ship Zarafa WebApp.

With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager

Florian Weimer | 28 Aug 07:18 2014

CVE-2014-0485: unsafe Python pickle in s3ql

Nikolaus Rath discovered a vulnerability in s3ql which can result in
remote code execution, caused by the unsafe use of Python's pickle
serialization library.

The upstream commit is here:

  <https://bitbucket.org/nikratio/s3ql/commits/091ac263809b4e8>

(This issue was reported privately to Debian, the distros list was
notified, and this is the public heads-up required by list policy.)

Solar Designer | 28 Aug 01:04 2014

Open Source only?

Hi,

I've just rejected a posting giving the following reason:

Message lacks Subject, and the software appears to be non Open Source:
partial(?) source code is available, but under a EULA that doesn't
appear to meet OSI definition.

The message was CC'ed to full-disclosure, so it will probably appear
there.

While message lacking Subject is a technicality, which the sender may
address (and resend the message), the issue of software that comes with
source code, but isn't under an Open Source license is one we might want
to decide on, if we haven't already (I think we have, which is why I
mentioned it as one of two reasons to reject that posting).  Also, it
may at times be tricky (and unreliable and time-consuming) for list
moderators to determine whether a license is Open Source or not, as well
as whether the software is possibly dual-licensed.  Should we perhaps
err on the side of approving postings whenever in doubt?

Here's a relevant example, where the decision was not to proceed to
discuss the issue on oss-security as soon as it was pointed out that the
product in question wasn't Open Source:

http://www.openwall.com/lists/oss-security/2012/03/08/3

I now tried to find a counter-example, where a non Open Source issue
was actually discussed on oss-security with no one objecting to that,
and I could not.  The closest I found are some interactions between

Benjamin Harris | 28 Aug 00:14 2014

XRMS SQLi to RCE 0day

Hi

OSS-Security: Can I request a CVE for this please?

XRMS Description:
----------------------

The most advanced open source customer relationship management 
(CRM), Sales Force Automation (SFA) suite: also features business 
intelligence (BI) tools, Computer Telephony Integration (CTI), and 
advanced plugin architecture. PHP/ADOdb/LAMP

Brief:
-------------------------------

I tried to report this to the developers/get it fixed a month ago, 
although I've had no response from the developers. This should work 
against latest, was found a long time ago, and I recently found it 
while brushing off some hard drives.

Details:
------------------------

We get SQL injection via $_SESSION poisoning which we use to 
retrieve admin credentials. We then authenticate with these 
credentials and exploit a trivial command injection. Attached is a 
working POC.

Many thanks,
Ben

