Raphael Geissert | 22 Jul 23:00 2014

ecryptfs-setup-private nitpick


Taking a look at ecryptfs-utils 103's ecryptfs-setup-private, there is a bit 
of code that writes the mount pass to a file in /dev/shm hoping to "keep it 
from leaking to the hard-drive":

        # This will be wrapped by pam_ecryptfs's chauthtok as soon as the 
        # chooses a password.  Until that happens (hopefully soon), standard
        # file permissions (600) are all that's protecting it.  Write it to
        # ramdisk, to keep it from leaking to the hard-drive.
        temp=`mktemp /dev/shm/.ecryptfs-XXXXXX`
        printf "%s" "$MOUNTPASS" > "$temp"
        mv -f -T "$temp" "/dev/shm/.ecryptfs-$USER" || error "Could not create passphrase file"

Fast-forward to 2014 and /dev/shm is, well, not a ramfs/ramdisk:

/dev/shm -> /run/shm, which is a tmpfs at least on Debian.

And as clearly stated by Documentation/filesystems/tmpfs.txt:
"If you compare it to ramfs (which was the template to create tmpfs)
you gain swapping and limit checking."

So in the hope of avoiding persistent storage the mount pass is written to 
a file in a tmpfs that can be swapped to... disk.

The file is left on /dev/shm until pam_ecryptfs actually wraps it with the 
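An added illustration of the point above (not code from the post or from ecryptfs-utils): given /proc/mounts-style data, find which mount actually backs a path under /dev/shm and classify it as RAM-only, swappable or disk-backed. The MOUNTS sample and the /run/shm target are constructed from the Debian layout the post describes.

```shell
#!/bin/sh
# Added example: longest-prefix match of a path against /proc/mounts-style
# data, to see what filesystem really backs a "ramdisk" file.
# MOUNTS is a constructed sample: /dev/shm -> /run/shm on tmpfs (as in the
# post), plus a genuine ramfs mount for contrast.
MOUNTS='tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=102400k,mode=755 0 0
tmpfs /run/shm tmpfs rw,nosuid,nodev 0 0
ramfs /mnt/ram ramfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# fstype_of PATH: print the fstype of the mount containing PATH.
# Fields are device, mountpoint, fstype, options; the mountpoint that is
# the longest prefix of PATH wins, so /run/shm beats /run for /run/shm/x.
fstype_of() {
  printf '%s\n' "$MOUNTS" | awk -v p="$1" '
    {
      m = $2
      if (m == "/" || p == m || index(p, m "/") == 1) {
        if (length(m) > best) { best = length(m); fs = $3 }
      }
    }
    END { print fs }'
}

# backing_of PATH: classify where the file's bytes can end up.
#   ram        - ramfs: pages are never swapped out
#   swappable  - tmpfs: lives in RAM but may be written to swap
#   persistent - anything else: ordinary disk-backed filesystem
backing_of() {
  case "$(fstype_of "$1")" in
    ramfs) echo ram ;;
    tmpfs) echo swappable ;;
    *)     echo persistent ;;
  esac
}

# The post's /dev/shm symlink target (constructed); on a real system use:
#   shm_target=$(readlink -f /dev/shm)
shm_target=/run/shm
backing_of "$shm_target/.ecryptfs-$USER"   # swappable
```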

Phil Pennock | 22 Jul 17:44 2014

Exim: 4.83 Released, CVE-2014-2972 fix

Attached should be two emails from one of my fellow Exim maintainers,
Todd, who has driven the past couple of releases and done the bulk of
the coordination for this CVE.

Our thanks, once more, to Rack911 and Cpanel.

-Phil, pdp@...
From: Todd Lyons <tlyons@...>
Subject: Exim 4.83 Released
Date: 2014-07-22 14:59:49 GMT

I have uploaded Exim 4.83 to:

This release of Exim includes one incompatible fix: the behavior of
expansion of arguments to math comparison functions (<, <=, =, =>, >)
was unexpected, expanding the values twice. This fix also addresses a
security advisory, CVE-2014-2972. This is not a remote exploit, but if
content that is searched by the above math comparison functions is under
the control of an attacker, specially crafted data can be inserted that
will cause the Exim mail server to perform various file-system functions
as the exim user.

This release contains the following enhancements and bugfixes:

Raphael Geissert | 22 Jul 14:45 2014

GLPI: unprivileged users can access cost information


A bug has been identified by Simone Imeri in GLPI where a user without
access to cost information can in fact see the information when
selecting cost as a search criterion [1]. This is fixed by commit [2],
which appears to have been included in version 0.84.7 [3].

I believe this should get a CVE id.



Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Sebastian Krahmer | 22 Jul 12:15 2014

Linux peer_cred Mischmasch


There seem to be some inconsistencies in the handling of peer credentials
on UNIX sockets. I checked kernel 3.15.1 and runtime-tested on a 3.11.10.

While maybe_add_creds() (via SOCK_PASSCRED) and scm_send()
(via unix_{stream,dgram}_sendmsg()) use the real UID,

cred_to_ucred() (via SO_PEERCRED) passes the EUID (this time
also kuid_munged()).

That should probably be consolidated, and in particular it's unclear
to me why one time you need kuid munging and another time you don't.




~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@... - SuSE Security Team

Salvatore Bonaccorso | 22 Jul 06:59 2014

CVE Request: cups: Incomplete fix for CVE-2014-3537


CVE-2014-3537 was allocated for http://www.cups.org/str.php?L4450
(Insufficient checking leads to privilege escalation). The intention
in the fix was to disallow symlinks.

With the fix applied for CVE-2014-3537 this is still possible in some
cases (where language[0] is null), see https://cups.org/str.php?L4455

Additionally Michael Sweet wrote: 

> Yes, it looks like this needs to be an lstat as well, and we should
> probably add similar protections to the directory index files (which
> are also using stat).

Could a CVE be assigned to identify this? (Question: should one CVE be
enough for the additional fix covering all the remaining missing lstat calls?)


Andrea Barisani | 22 Jul 03:36 2014

[oCERT-2014-004] Ansible input sanitization errors

#2014-004 Ansible input sanitization errors


The Ansible project is an open source configuration management platform.

The Ansible platform suffers from input sanitization errors that allow
arbitrary code execution as well as information leak, in case an attacker is
able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access
level into arbitrary code execution. The code execution can be triggered by
interpolation of file names maliciously crafted as lookup plugin commands, in
combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in
the face of an attacker controlling variable data (whether fact data,
with_fileglob data, or other sources), allowing an attacker to supply their
own options to an action. The impact of this is dependent on the action
module the attacker targets. For example, an attacker controlling variables
passed to the copy or template actions would be able to trigger arbitrary
code execution (in addition to simple information leakage) via the validate
option's acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Christian Hammond | 21 Jul 23:59 2014

CVE requests for Review Board


We have two security vulnerabilities that were just discovered, which both need CVEs assigned. This is for
Review Board (https://www.reviewboard.org). Neither are publicly disclosed.

The first was discovered in-house and applies to all Review Board 1.7.x and 2.0.x releases. It allows a user
without access to a private review request to retrieve the original or patched files associated with that
review request through the API, if they know all the relevant database IDs.

The second was discovered by “Uchida.” It allows a user to compose a URL to a rendered section of a diff on
Review Board and inject HTML through a query parameter. That URL could then be handed to another user (most
likely embedded in an iframe in another page), allowing a custom script to be executed on their behalf.
This also applies to both 1.7.x and 2.0.x.

Our plan is to get a release out with fixes for these sometime today/tonight.



Christian Hammond - christian <at> beanbaginc.com
Review Board - http://www.reviewboard.org
Beanbag, Inc. - http://www.beanbaginc.com

Tristan Cacqueray | 21 Jul 13:53 2014

[OSSA 2014-025] Denial of Service in Neutron allowed address pair (CVE-2014-3555)

OpenStack Security Advisory: 2014-025
CVE: CVE-2014-3555
Date: July 17, 2014
Title: Denial of Service in Neutron allowed address pair
Reporter: Liping Mao (Cisco)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Liping Mao from Cisco reported a denial of service vulnerability in
Neutron's handling of allowed address pair. By creating a large number
of allowed address pairs, an authenticated user may overwhelm neutron
firewall rules and render compute nodes unusable. All Neutron setups are

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the Juno-2 development milestone and in
future 2013.2.4 and 2014.1.2 releases.


Jorge Manuel B. S. Vicetto | 21 Jul 10:29 2014

CVE Request for Drupal Core


Has a CVE request been made for the following Drupal Security Advisory?

SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities


Jorge Manuel B. S. Vicetto
Gentoo Developer


Sebastian Krahmer | 21 Jul 10:17 2014

CVE-Request: KAuth authentication bypass


We'd like to request a CVE for the following issue:

The polkit authentication backend in KDE's KAuth code
used the UnixProcess subject for authenticating actions.
This is subject to race conditions and allows local users
to elevate their privileges by bypassing any of the KAuth checks.
A follow-up of CVE-2013-4288.

Discussion and patch can be found here:





~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@... - SuSE Security Team

Michael de Raadt | 21 Jul 04:14 2014

Moodle security notifications public

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

MSA-14-0020: Identity confusion in Shibboleth authentication

Description:       Shibboleth was allowing empty session IDs and
                   confusing sessions when more than one instance was
                   associated with an empty ID.
Issue summary:     User taking over other user's session using
                   Shibboleth authentication plugin
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported
Versions fixed:    2.5.7 and 2.4.11
Reported by:       Colin Campbell
Issue no.:         MDL-45485
CVE identifier:    CVE-2014-3552
Changes (2.5):

MSA-14-0021: Code injection in Repositories

Description:       Serialised data passed by repositories could
                   potentially contain objects defined by add-ons that
                   could include executable code.
Issue summary:     Potential PHP Object Injection in Repositories