Kurt Seifried | 26 Jan 21:44 2015

CVE HOWTO - updated and moved to github


replaces the old

I'll also be adding some information on SPLIT/MERGE and other details
for people that want to know more. Feedback is welcome, pull requests
even more so.


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Helmut Grohne | 26 Jan 21:12 2015

kamailio: multiple /tmp file vulnerabilities


There are multiple /tmp file vulnerabilities to be found in the kamailio
SIP proxy. While many of these issues only affect configuration examples
or outdated components, some do affect the default configuration.

Initial disclosures:
 http://bugs.debian.org/712083 (2013)
 http://bugs.debian.org/775681 (2015)
Upstream issue:

At this point, three issues are well understood:
 * The kamctl administrative utility and default configuration would use
   /tmp/kamailio_fifo (#712083, 2013, fixed in Debian's kamailio
 * The kamcmd administrative utility and default configuration would use
   /tmp/kamailio_ctl (#775681, 2015, patch available).
 * The kamailio build process would use constant filenames in /tmp
   allowing to elevate privileges to the build user (#775681, 2015,
   patch available).

The combined patch can be found at:

While the last issue definitely affects the upstream kamailio build,
arguably the first two issues are packaging specific. If they are
treated as such, it is worth noting that kamailio was never part of a
Debian stable release and thus this may not be worth issuing a CVE.

(Continue reading)

Tristan Cacqueray | 26 Jan 17:24 2015

[OSSA 2015-003] Glance user storage quota bypass (CVE-2014-9623)

OSSA-2015-003: Glance user storage quota bypass

:Date: January 26, 2015
:CVE: CVE-2014-9623

- Glance: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Tushar Patil from NTT reported a vulnerability in Glance. By deleting
images that are being uploaded, a malicious user can overcome the
storage quota and thus may overrun the backend. Images in deleted
state are not taken into account by quota and won't be effectively
deleted until the upload is completed. Only Glance setups configured
with user_storage_quota are affected.

- https://review.openstack.org/149646 (Icehouse)
- https://review.openstack.org/149387 (Juno)
- https://review.openstack.org/144464 (Kilo)

- Tushar Patil from NTT (CVE-2014-9623)

(Continue reading)

Fabian Keil | 26 Jan 11:58 2015

CVE request for Privoxy

Privoxy is a non-caching web proxy with advanced filtering capabilities
for enhancing privacy, modifying web page data and HTTP headers, controlling
access, and removing ads and other obnoxious Internet junk. For details see:

Privoxy 3.0.23 contains fixes for the following security issues:

- Fixed a DoS issue in case of client requests with incorrect
  chunk-encoded body. When compiled with assertions enabled
  (the default) they could previously cause Privoxy to abort().
  Reported by Matthew Daley.

- Fixed multiple segmentation faults and memory leaks in the
  pcrs code. This fix also increases the chances that an invalid
  pcrs command is rejected as such. Previously some invalid commands
  would be loaded without error. Note that Privoxy's pcrs sources
  (action and filter files) are considered trustworthy input and
  should not be writable by untrusted third-parties.

- Fixed an 'invalid read' bug which could at least theoretically
  cause Privoxy to crash.

Please assign CVEs for them.

The second issue could potentially affect other programs that use pcrs.c,
but I'm not aware of any that do. Privoxy imported the file from the upstream
project pcrs (not to be confused with pcre) which is no longer maintained.
(Continue reading)

Florian Weimer | 26 Jan 09:53 2015

Reject CVE-2012-3878?

This was initially i assigned CVE-2012-3878, before it was determined
that it should not be treated as a vulnerability:


The CVE description has somehow leaked, but not the relationship with
the URL, making it non-obvious what this is about.


Florian Weimer / Red Hat Product Security

Kurt Seifried | 26 Jan 06:40 2015

unshield directory traversal


Package: unshield
Version: 1.0-1
Tags: security

unshield is vulnerable to directory traversal via "../" sequences. As a
proof of concept, unpacking the attached InstallShield archive creates a
file in /tmp:

$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory

$ unshield x data1.cab
Cabinet: data1.cab
--------  -------
         1 files

$ ls /tmp/moo

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

(Continue reading)

Kurt Seifried | 26 Jan 04:25 2015

busybox CVE-2014-9645

Just saw this, I'm guessing it affects all busybox:


Mathias Krause 2014-11-19 21:22:25 UTC
modprobe uses the "basename" of the module argument as the module to
load, as
can be seen here:

bbox:~# lsmod | grep vfat
bbox:~# modprobe foo/bar/baz/vfat
bbox:~# lsmod | grep vfat
vfat                   17135  0
fat                    61984  1 vfat
bbox:~# find /lib/modules/`uname -r` -name vfat.ko

It should instead fail to load the module -- actually fail to *find* the

This can even be abused to load arbitrary modules by nullifying enforced
prefixes some of the Linux kernel's subsystems try to apply to prevent just

bbox:~# lsmod | grep usb
bbox:~# ifconfig /usbserial up
ifconfig: SIOCGIFFLAGS: No such device
bbox:~# lsmod | grep usb
usbserial              32201  0
(Continue reading)

Henri Salo | 25 Jan 19:47 2015

CVE request: MSA-2015-01: Wordpress Plugin Pixabay Images Multiple Vulnerabilities


Can I get 2014 year CVEs for following vulnerabilities in WordPress plugin
pixabay-images, thanks.

Original advisory: http://seclists.org/bugtraq/2015/Jan/94

1) Authentication bypass
The plugin does not correctly check if the user is logged in. Certain
code can be called without authentication

2) Arbitrary file upload
The plugin code does not validate the host in the provided download URL,
which allows to upload malicious files, including PHP code.

3) Path Traversal
Certain values are not sanitized before they are used in a file operation.
This allows to store files outside of the "download" folder. 

4) Cross Site Scripting (XSS)
The generated author link uses unsanitized user values which can be
abused for Cross Site Scripting (XSS) attacks. 

Fixed in 2.4 version.

Listed in OSVDB as:
http://osvdb.org/117144 Pixabay Images Plugin for WordPress pixabay-images.php
image_user Parameter Reflected XSS
(Continue reading)

Larry Cashdollar | 25 Jan 15:10 2015

CVE for SEANux 1.0?

Hello CVE folks,
I am wondering if the recent vulnerability in SEANux 1.0 I posted should have a CVE assigned for the Apache
mis configuration that allows remote access to the SEA's tools and apparently the web shells bundled with
it?  What do you think

Thank you.

William Robinet | 24 Jan 23:06 2015

Multiple vulnerabilities in LibTIFF and associated tools

Dear oss-security list,

Multiple vulnerabilities have been discovered in several tools distributed
along with LibTIFF.

Upstream references:
- CVE-2014-8130 libtiff: Divide By Zero in the tiffdither tool
- CVE-2014-8127 libtiff: Out-of-bounds Read in the thumbnail tool
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2bw tool
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2rgba tool
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail tool
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiff2pdf tool
(Continue reading)

Larry W. Cashdollar | 24 Jan 21:05 2015

SEANux 1.0 remote back door

Hello All,
I thought you might be interested in this from by blog with screen shots
http://www.vapid.dhs.org/blog/01-23-2015/ :

SEANux 1.0 backdoor

Larry W. Cashdollar

SEANux 1.0 is a linux distribution Available here developed by the Syrian Electronic Army. It has an apache
webserver listening on
root <at> larry-VirtualBox:/etc/mysql# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0*               LISTEN     
tcp        0      0*               LISTEN     
tcp        0      0  *               LISTEN     
tcp        0      0    *               LISTEN     
tcp        0      0 *               LISTEN     
tcp        0      0      ESTABLISHED
tcp6       0      0 ::1:6010                :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
tcp6       1      0 ::1:57375               ::1:631                 CLOSE_WAIT 
udp        0      0    *                          
udp        0      0 *                          
udp        0      0  *                          
udp        0      0 *                          
udp        0      0 *                          
(Continue reading)