Hanno Böck | 23 Nov 21:49 2014

The Fuzzing Project


As already mentioned in various threads I hereby announce the Fuzzing

This is still a lot of work in progress. I welcome all feedback,
contributions and especially links to your reports of the bugs you


Hanno Böck

mail/jabber: hanno@...
Michal Zalewski | 23 Nov 10:24 2014

so, can we do something about lesspipe? (+ a cpio bug to back up the argument)

There have been some low-key discussions about this in the past, but...

In short, many Linux distributions ship with the 'less' command
automagically interfaced to 'lesspipe'-type scripts, usually invoked
via LESSOPEN. This is certainly the case for CentOS and Ubuntu.

Unfortunately, many of these scripts appear to call a rather large
number of third-party tools that likely have not been designed with
malicious inputs in mind. On CentOS, lesspipe appears to include
things such as groff + troff + grotty, man, and cpio. On Ubuntu,
there's isoinfo (?!), ar from binutils, and so on. Ancient and obscure
compression utilities and doc converters crop up, too.

Even grabbing something as seemingly innocuous as cpio, a short spin
with afl-fuzz (or, probably, anything else) will immediately yield


It's a file with declared block length of 0xffffffff. That gets us
here, with the value populated to c_filesize (copyin.c, list_file()):

  link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
  link_name[file_hdr->c_filesize] = '\0';

...where we end up allocating a zero-byte buffer and then promptly
writing out of bounds (just under the buffer on 32-bit systems or
somewhere above it on 64-bit).

While it's a single bug in cpio, I have no doubt that many of the
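The wraparound Michal describes, reproduced as an added example rather than cpio's own code: the allocation size is computed exactly the way the quoted copyin.c line does it (truncate to unsigned int, then add 1), next to a version that bounds the header field before using it as a size. The `fake_hdr` struct, `malloc` in place of `xmalloc`, and the `MAX_LINK_NAME` cap are assumptions made for the example; the out-of-bounds store is computed, not performed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for cpio's parsed header (assumption: only the field that matters
 * here). c_filesize is 64-bit, so a crafted 0xffffffff survives parsing. */
struct fake_hdr {
    uint64_t c_filesize;
};

/* Policy cap for symlink targets, an assumption for this example: anything
 * this large in a link_name field is garbage, not a real path. */
#define MAX_LINK_NAME ((uint64_t)1 << 20)

/* The allocation size as the quoted copyin.c line computes it: truncate to
 * unsigned int, then add 1 in 32-bit unsigned arithmetic. For a declared
 * size of 0xffffffff the sum wraps to 0. */
size_t buggy_alloc_size(const struct fake_hdr *h)
{
    return (unsigned int)h->c_filesize + 1;
}

/* Index the original code then writes the NUL terminator to. It is not
 * truncated like the allocation size, so it stays at 0xffffffff. */
uint64_t buggy_nul_index(const struct fake_hdr *h)
{
    return h->c_filesize;
}

/* True when the NUL store lands outside the buffer the bug allocates.
 * Computed, not performed: the real write is what the fuzzer crashed on. */
bool buggy_write_is_oob(const struct fake_hdr *h)
{
    return buggy_nul_index(h) >= (uint64_t)buggy_alloc_size(h);
}

/* Hardened version: bound the field before using it as a size, do the +1
 * in size_t, and only then allocate. Returns NULL on a bad header or OOM;
 * the caller frees the result. */
char *checked_link_name_alloc(const struct fake_hdr *h)
{
    if (h->c_filesize > MAX_LINK_NAME)     /* rejects 0xffffffff outright */
        return NULL;
    if (h->c_filesize >= SIZE_MAX)         /* c_filesize + 1 would wrap */
        return NULL;
    size_t n = (size_t)h->c_filesize + 1;
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    p[n - 1] = '\0';                       /* in bounds by construction */
    return p;
}

int main(void)
{
    struct fake_hdr crafted = { .c_filesize = 0xffffffffULL };
    printf("declared size 0x%llx -> buggy alloc %zu bytes, NUL at index %llu, oob=%d\n",
           (unsigned long long)crafted.c_filesize,
           buggy_alloc_size(&crafted),
           (unsigned long long)buggy_nul_index(&crafted),
           (int)buggy_write_is_oob(&crafted));
    char *p = checked_link_name_alloc(&crafted);
    printf("checked alloc: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The two checks in `checked_link_name_alloc` guard different things: the cap rejects absurd declared sizes regardless of word width, and the `SIZE_MAX` test makes the `+ 1` safe on 32-bit builds where `size_t` is as narrow as the truncated value that wrapped in the original.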

Tim Brown | 22 Nov 18:06 2014

Running Java across a privilege boundary


Does anyone know of any obvious cases where Java is executed across a 
privilege boundary? I'm specifically thinking of cases where it might be 
executed via sudo, via another set[ug]id binary or where it gets called from 
an untrusted working directory i.e. one not owned by the calling user? FWIW, 
I'm looking at openjdk as it is distributed by various F/OSS distros which is 
why I'm emailing this list in particular.


Tim Brown
Joshua Roers | 22 Nov 07:28 2014

Off-by-one question

Hi guys,

I'm just wondering, is it possible to use strncpy to overwrite memory


> char buf[4];
> strncpy(buf, "Four", sizeof(buf));
> buf[sizeof(buf)-1] = '\0';
> printf("%s\n", buf);

> strncpy(buf, "Four", sizeof(buf)); 
is not
> strncpy(buf, "Four", sizeof(buf)-1); 
will strncpy write beyond the memory of 'buf', and set it to NUL?

From my understanding from
http://cwe.mitre.org/data/definitions/193.html, it would.
".. creating a buffer overflow that may cause a memory address to be
overwritten .."

But actually RTFM, strncpy will not write, even the NUL, past the size.

So it looks like I'm either reading mitre wrong, or it may be outdated.

Any opinions on this?

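To settle the question empirically, an added example that is not part of the original post: a 4-byte destination is placed in front of guard bytes so that any store past `buf[3]` is visible. It shows that `strncpy(buf, "Four", sizeof buf)` writes nothing past the buffer but also writes no terminator, that the `sizeof(buf)-1` idiom from the post is both in bounds and terminated, and that the overflow CWE-193 talks about appears only when the caller places its own terminator at `buf[sizeof buf]`. The region layout and guard pattern are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Destination region constructed for this example: 4 bytes of "buffer"
 * followed by 4 guard bytes. Any write past offset 3 lands in the guard. */
#define BUF_SZ 4
#define REGION_SZ 8
static const unsigned char GUARD[REGION_SZ - BUF_SZ] = { 0xAA, 0xAA, 0xAA, 0xAA };

static void region_init(unsigned char region[REGION_SZ])
{
    memset(region, 'X', BUF_SZ);
    memcpy(region + BUF_SZ, GUARD, sizeof GUARD);
}

static bool guard_intact(const unsigned char region[REGION_SZ])
{
    return memcmp(region + BUF_SZ, GUARD, sizeof GUARD) == 0;
}

/* strncpy(buf, "Four", sizeof buf): exactly 4 bytes are written, none of
 * them past buf. Returns true when the guard is untouched. */
bool strncpy_full_stays_in_bounds(void)
{
    unsigned char region[REGION_SZ];
    region_init(region);
    strncpy((char *)region, "Four", BUF_SZ);
    return guard_intact(region);
}

/* The flip side: with strlen(src) >= n, strncpy writes no NUL at all, so
 * buf is not a C string afterwards. Returns true only if a NUL is present. */
bool strncpy_full_is_terminated(void)
{
    unsigned char region[REGION_SZ];
    region_init(region);
    strncpy((char *)region, "Four", BUF_SZ);
    return memchr(region, '\0', BUF_SZ) != NULL;
}

/* The idiom from the post: copy n-1 bytes, terminate at buf[n-1]. The
 * result is the truncated "Fou", terminated, with the guard untouched. */
bool strncpy_n_minus_one_ok(void)
{
    unsigned char region[REGION_SZ];
    region_init(region);
    strncpy((char *)region, "Four", BUF_SZ - 1);
    region[BUF_SZ - 1] = '\0';
    return guard_intact(region) && strcmp((const char *)region, "Fou") == 0;
}

/* The CWE-193 shape: the caller adds its own terminator at dst[dstsz],
 * one past the end. strncpy stayed inside dst; the caller's store did not. */
static void copy_with_off_by_one(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    dst[dstsz] = '\0';            /* the bug: valid indices are 0..dstsz-1 */
}

bool off_by_one_clobbers_guard(void)
{
    unsigned char region[REGION_SZ];
    region_init(region);
    copy_with_off_by_one((char *)region, BUF_SZ, "Four");
    return !guard_intact(region) && region[BUF_SZ] == '\0';
}

int main(void)
{
    printf("strncpy(n=sizeof buf) in bounds:   %d\n", (int)strncpy_full_stays_in_bounds());
    printf("strncpy(n=sizeof buf) terminated:  %d\n", (int)strncpy_full_is_terminated());
    printf("strncpy(n-1) + buf[n-1]=0 ok:      %d\n", (int)strncpy_n_minus_one_ok());
    printf("caller's buf[n]=0 hits guard:      %d\n", (int)off_by_one_clobbers_guard());
    return 0;
}
```

The guard is one byte past the 4-byte buffer inside the same 8-byte array, so the off-by-one store is observable without undefined behaviour in the test itself; in a real program that byte belongs to whatever the compiler placed next.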

Damien Millescamps | 21 Nov 12:04 2014

CVE request: heap buffer overflow in ClamAV


A heap buffer overflow was reported in [1] in ClamAV when scanning a specially crafted y0da Crypter
obfuscated PE file.
Note that this is remotely exploitable when ClamAV is used as a mail gateway scanner.

Upstream fix is available here: [2].
ClamAV 0.98.5 contains the above fix.

Additional references:
[1] https://bugzilla.clamav.net/show_bug.cgi?id=11155
[2] https://github.com/vrtadmin/clamav-devel/commit/fc3794a54d2affe5770c1f876484a871c783e91e

Can a CVE be assigned to this, please?

Damien Millescamps | Oppida

Henri Salo | 20 Nov 21:47 2014

WordPress 4.0.1 Security Release


WordPress 4.0.1 is now available. This is a critical security release for all
previous versions and we strongly encourage you to update your sites

Can I get CVEs for vulnerabilities fixed in this release, thank you. I am not
sure if some or any of these has been requested already.

Henri Salo
Francisco Alonso | 20 Nov 17:38 2014

CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified


It was discovered that the wordexp() function could ignore the WRDE_NOCMD flag under certain input
conditions, resulting in the execution of a shell for command substitution when the application did
not request it.

Bug report:

Git commit:


Francisco Alonso / Red Hat Product Security
PGP: 0xA026440E 0825 020C 7A5A 4F86 9038  B1C8 5562 688F A026 440E
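An added probe for the WRDE_NOCMD contract, not the reproducer from the bug report (which is not on this page): it runs wordexp() with WRDE_NOCMD on plain `$(...)` and backtick command substitution and checks that the only outcome is WRDE_CMDSUB, i.e. no shell. Because the bug was that certain inputs slipped past this flag, a pass here does not by itself show a given glibc is fixed; it shows what the flag is supposed to guarantee and gives a harness into which other inputs can be dropped. The function names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand `input` with WRDE_NOCMD. Returns the raw wordexp() status so the
 * caller can distinguish "expanded without a shell" (0) from "command
 * substitution refused" (WRDE_CMDSUB) and other failures. On success
 * `out` holds the words and must be released with wordfree(). */
int expand_no_cmd(const char *input, wordexp_t *out)
{
    memset(out, 0, sizeof *out);
    return wordexp(input, out, WRDE_NOCMD);
}

/* True when WRDE_NOCMD was honoured for an input that would otherwise
 * spawn /bin/sh: the only acceptable status is WRDE_CMDSUB. A status of
 * 0 here would mean the substitution ran (or was silently dropped), which
 * is exactly the class of behaviour the advisory is about. */
bool nocmd_refused(const char *input)
{
    wordexp_t we;
    int rc = expand_no_cmd(input, &we);
    if (rc == 0)
        wordfree(&we);
    return rc == WRDE_CMDSUB;
}

/* Word count for an input that needs no shell at all, or -1 on error.
 * Used to confirm the flag does not break ordinary expansion. */
long benign_word_count(const char *input)
{
    wordexp_t we;
    int rc = expand_no_cmd(input, &we);
    if (rc != 0)
        return -1;
    long n = (long)we.we_wordc;
    wordfree(&we);
    return n;
}

int main(void)
{
    /* Constructed inputs: the two documented command-substitution forms. */
    const char *hostile[] = { "$(id)", "`id`", "prefix$(id)suffix" };
    for (size_t i = 0; i < sizeof hostile / sizeof hostile[0]; i++)
        printf("%-20s -> %s\n", hostile[i],
               nocmd_refused(hostile[i]) ? "refused (WRDE_CMDSUB)" : "NOT refused");
    printf("%-20s -> %ld words\n", "foo bar", benign_word_count("foo bar"));
    return 0;
}
```

An application that needs wordexp() on untrusted strings should treat any status other than 0 as a hard error and, given this CVE, should not rely on WRDE_NOCMD alone: reject inputs containing `$(`, a backtick, or other shell metacharacters before calling it, or avoid wordexp() entirely.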

Xen.org security team | 20 Nov 17:26 2014

Xen Security Advisory 113 - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

                    Xen Security Advisory XSA-113

  Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling


An error handling path in the processing of MMU_MACHPHYS_UPDATE failed
to drop a page reference which was acquired in an earlier processing


Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM


Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

This vulnerability is only applicable to Xen systems using stub domains

Aaron Patterson | 20 Nov 16:44 2014

[AMENDED] [CVE-2014-7829] Arbitrary file existence disclosure in Action Pack


The credits section was missing a name in the previous announcement, so
please see the credits section here.  Thanks!


Arbitrary file existence disclosure in Action Pack

There is an information leak vulnerability in Action Pack. This vulnerability
has been assigned the CVE identifier CVE-2014-7829.

Versions Affected:  >= 3.0.0
Not affected:       < 3.0.0, 4.2.0.beta4
Fixed Versions:     3.2.21, 4.0.12, 4.1.8

Specially crafted requests can be used to determine whether a file exists on
the filesystem that is outside the Rails application's root directory.  The
files will not be served, but attackers can determine whether or not the file
exists.  This vulnerability is very similar to CVE-2014-7818, but the
specially crafted string is slightly different.

This only impacts Rails applications that enable static file serving at
runtime.  For example, the application's production configuration will say:

  config.serve_static_assets = true

All users running an affected configuration should either upgrade or use one of the work arounds immediately.

Vasyl Kaigorodov | 20 Nov 15:43 2014

CVE request: heap buffer overflow in PCRE


Heap buffer overflow issue was reported [1] in PCRE when processing a
specially crafted regular expression.

Upstream patch for this:
The next upstream release that will contain the above fix is likely to
be around Feb/Mar next year (2015).

Additional references:
[1]: http://bugs.exim.org/show_bug.cgi?id=1546
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1166147

Can a CVE be assigned to this please?


Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
Hanno Böck | 20 Nov 13:34 2014

Fuzzing project brainstorming


Following the discussions here I feel this whole fuzzing thing could
need a project to coordinate efforts and I will probably start
something within the following days.

I wanted to lay out my rough plans / brainstorming and welcome any
feedback and especially if people have worries about such a project.

* The core of the project will be a list of free software projects that
  in one way or another parse file formats (I'll leave fuzzing network
  and other input out for now). It should have rough categories:
  ok = fuzzed and no unfixed issues in latest release;
  wip = fuzzed and issues are being worked on or already fixed in source repo;
  stale = fuzzed and issues don't seem to be worked on;
  unavailable = project with no developers to contact;
  wontfix = developers don't feel memory access issues and crashes need
  to be fixed / declare their product unsuitable for untrusted input;
  unknown = no known fuzzing efforts.
  I feel that it's important to make the limitations of this info
  transparent (e.g. about to change rapidly, always further / different
  fuzzing strategies that might turn up more issues, fuzzing is not a
  good indicator for overall security etc.).
* A sharing place for stuff that might be useful for fuzzing, I think
  especially about patches that disable sanity checks (CRCs etc.) that
  make fuzzing harder. And maybe file collections with small example
  files for various file formats.
* Some introduction tutorials that should give people with no fuzzing
  experience a starter. Preferably so easy that everyone with some
  basic linux/unix knowledge can follow them. Explain zzuf, asan, afl.
* All kinds of pointers/links to further information.
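The "patches that disable sanity checks (CRCs etc.)" item, as an added example that is not part of the Fuzzing Project: a toy record format with a trailing CRC-32, parsed with a switch standing in for the build flag such a patch flips. With the checksum enforced a mutated file dies at the CRC compare and the parser body is never exercised; with it off the mutation reaches the parser. The record layout, `parse_record` and the other names are constructed for this example; the one thing the example insists on is that the bounds check on the length field is not behind the same switch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy container constructed for this example: 4-byte little-endian payload
 * length, payload, then CRC-32 (IEEE, as in zlib/PNG) of length||payload. */

uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint32_t get_le32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static void put_le32(uint8_t *b, uint32_t v)
{
    b[0] = v & 0xff; b[1] = (v >> 8) & 0xff; b[2] = (v >> 16) & 0xff; b[3] = (v >> 24) & 0xff;
}

enum parse_result { PARSE_OK, PARSE_SHORT, PARSE_BAD_LEN, PARSE_BAD_CRC };

/* check_crc stands in for the build-time switch a fuzzing patch flips: with
 * it off, a mutated file reaches the payload parser instead of dying at the
 * checksum. The length bound is deliberately NOT behind the switch; a
 * fuzzing build must keep every check that is about memory safety rather
 * than data integrity, or the crashes it finds are artefacts of the patch. */
enum parse_result parse_record(const uint8_t *buf, size_t len, bool check_crc,
                               const uint8_t **payload, uint32_t *payload_len)
{
    if (len < 8)
        return PARSE_SHORT;
    uint32_t n = get_le32(buf);
    if (n > len - 8)               /* len >= 8 here, so no wrap */
        return PARSE_BAD_LEN;
    if (check_crc && crc32_ieee(buf, 4 + (size_t)n) != get_le32(buf + 4 + n))
        return PARSE_BAD_CRC;
    *payload = buf + 4;
    *payload_len = n;
    return PARSE_OK;
}

/* Serialize a record; returns bytes written or 0 if out is too small. */
size_t build_record(const uint8_t *payload, uint32_t n, uint8_t *out, size_t outsz)
{
    if (outsz < 8 || n > outsz - 8)
        return 0;
    put_le32(out, n);
    memcpy(out + 4, payload, n);
    put_le32(out + 4 + n, crc32_ieee(out, 4 + n));
    return 8 + (size_t)n;
}

/* Flip one payload bit of a valid record, the way a dumb mutator would,
 * and report what the parser says with the CRC check on or off. */
enum parse_result mutated_payload_outcome(bool check_crc)
{
    uint8_t rec[32];
    size_t rl = build_record((const uint8_t *)"hello", 5, rec, sizeof rec);
    rec[4] ^= 0x01;                /* corrupt 'h' */
    const uint8_t *pl;
    uint32_t pn;
    return parse_record(rec, rl, check_crc, &pl, &pn);
}

/* Corrupt the length field instead, with the CRC check off: the bounds
 * check must still reject it rather than let the parser read past `rec`. */
enum parse_result mutated_length_outcome(void)
{
    uint8_t rec[32];
    size_t rl = build_record((const uint8_t *)"hello", 5, rec, sizeof rec);
    rec[3] = 0x7f;                 /* declared length is now about 2 GiB */
    const uint8_t *pl;
    uint32_t pn;
    return parse_record(rec, rl, false, &pl, &pn);
}
```

In a real target the switch is usually a preprocessor define added by the patch (so the shipped build is untouched), and the same idea applies to signature and magic-number checks; the discipline is the same: integrity checks may be stubbed out for fuzzing, bounds checks never.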