Fiedler Roman | 26 Nov 14:45 2014

O_CREAT|O_DIRECTORY on nonexisting file expected behaviour?

Hello,

While trying to write a small python helper library for secure opening of
files, I found behaviour of following call unexpected because it created a
file instead of creating/failing in opening a directory:

open("xxx", O_RDONLY|O_CREAT|O_DIRECTORY, 0600) = 3

I call it unexpected, because man-page mentioned:

       O_DIRECTORY
              If pathname is not a directory, cause the open to fail. This
              flag is Linux-specific, and was added in kernel version 2.1.126,
              to avoid denial-of-service problems if opendir(3) is called on a
              FIFO or tape device.

The only topic I found dealing with such issue was [1].

Is the man page just wrong or what would be the correct behaviour of that
call? Is it likely that some other tool could also end up with that
illogical combination of flags, thus creating a file instead of opening a
directory?

Or perhaps to use it to escape syscall auditing if creation of files with
special flags would be monitored but directory creation is not?

[1] https://lkml.org/lkml/2005/9/23/166
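An added example (not from the post, nor from the helper library it mentions): it reproduces the reported call on a scratch path and, beside it, shows a directory-open helper that omits O_CREAT entirely and re-checks the result with fstat(). The probe's outcome depends on the kernel version, so only the helper's behaviour is verified.

```c
/* Added example (not from the post): a directory-open helper that can never
 * create a file, plus a probe of the O_CREAT|O_DIRECTORY call reported. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing directory: no O_CREAT (a missing path can't become a file),
 * O_NOFOLLOW (no symlink as last component), fstat() re-checks the type.
 * Returns an fd or -1 with errno set (ENOTDIR for a non-directory). */
int open_dir_safely(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    struct stat st;
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if (S_ISDIR(st.st_mode)) return fd;
    close(fd); errno = ENOTDIR; return -1;
}

/* The call from the post on a missing path: 1 = a regular file was created,
 * 0 = a directory was opened, -1 = refused (outcome is kernel-dependent). */
int probe_creat_directory(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CREAT | O_DIRECTORY, 0600);
    if (fd < 0) return -1;
    int regular = fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
    close(fd);
    return regular;
}

/* Exercise both in a scratch dir; returns 0 iff open_dir_safely() behaves as
 * documented (directory: fd; regular file: ENOTDIR; missing path: ENOENT). */
int self_check(void)
{
    char dir[] = "/tmp/odir-XXXXXX", file[64], miss[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(file, sizeof file, "%s/f", dir);
    snprintf(miss, sizeof miss, "%s/xxx", dir);
    int rc = 0, fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) rc |= 2; else close(fd);
    if ((fd = open_dir_safely(dir)) < 0) rc |= 4; else close(fd);
    if (open_dir_safely(file) != -1 || errno != ENOTDIR) rc |= 8;
    if (open_dir_safely(miss) != -1 || errno != ENOENT) rc |= 16;
    printf("O_CREAT|O_DIRECTORY on a missing path -> %d\n", probe_creat_directory(miss));
    unlink(file); unlink(miss); rmdir(dir);
    return rc;
}
```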

Hanno Böck | 26 Nov 00:28 2014

OpenBSD patch issue also affects GNU patch

Hi,

I saw this
http://marc.info/?l=openbsd-tech&m=141693055412785&w=2

And thought "let's try this on GNU patch on my linux sys".

And bang... segfault.

I don't know if this is a random coincidence or if gnu patch and
openbsd patch share some common ancestor code (haven't checked details).

valgrind output indicates this is an oob write issue:
==22957== Invalid write of size 1
==22957==    at 0x40904A: another_hunk (pch.c:1902)
==22957==    by 0x40304E: main (patch.c:366)
==22957==  Address 0x80000000051d3b82 is not stack'd, malloc'd or
(recently) free'd

Reported upstream:
https://savannah.gnu.org/bugs/?43700

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...
GPG: BBB51E42

Damien Regad | 26 Nov 00:13 2014

CVE Request: MantisBT SQL injection in view_all_set.php

Description:

Both the 'sort' and 'dir' parameters to view_all_set.php are 
insufficiently validated before they are used in queries by 
view_all_bug_page.php.

Both parameters are split into chunks on ','. After splitting, only the 
first two values are validated. By supplying a third value, SQL 
injection can be performed.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was discovered by Edwin Gozeling from ITsec Security Services 
(http://www.itsec.nl/), and fixed by Victor Boctor (MantisBT Developer)

References:
Further details available in our issue tracker [2]

D. Regad
MantisBT Developer
http://www.mantisbt.org


Salvatore Bonaccorso | 25 Nov 19:26 2014

CVE request: teeworlds: security issues fixed in 0.6.3 release

Hi

teeworlds's upstream mentioned the following regarding the 0.6.3 release[1]:

> 0.6.3 released - security fix
> 
> As a result of a recently reported security vulnerability in the server,
> this release contains little updates. In particular it's only the
> following changes:
> 
> Bugfixes:
> 
>  * Fix the above-mentioned security vulnerability (Memory reads,
>    Segmentation Fault) in all 0.6.x servers.
> 
>  * Fix server crash in the console code.
> 
>  * Fix master server lookup for servers.
> 
>  * Fix scripts/make_release.py script.
> 
>  * Fix client crash when opening a map with an invalid version.
> 
> As a result, server owners are urged to upgrade ASAP, you're running an
> exploitable server right now.
> 
> Client updates however, are not as urgent as the server updates, because
> the only fix is an editor crash.

I'm not sure if (and how many) CVEs might be assigned. The server

Kurt Seifried | 25 Nov 18:21 2014

CVE REJECT CVE-2014-3605

Docker upstream assigned CVE-2014-6407 and did not use CVE-2014-3605
(which we previously communicated to them, so we should not reuse it).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Salvatore Bonaccorso | 25 Nov 14:42 2014

CVE Request: buffer overflow in ksba_oid_to_str in Libksba

Hi

Today a new upstream version for Libksba (1.3.2) was announced. The
upstream advisory mentions the following impact:

> Impact of the security bug
> ==========================
> 
> By using special crafted S/MIME messages or ECC based OpenPGP data, it
> is possible to create a buffer overflow.  The bug is not easy to exploit
> because there are only 80 possible values which can be used to overwrite
> memory.  However, a denial of service is possible and someone may come
> up with other clever attacks.  Thus this should be fixed.
> 
> Affected versions: All Libksba versions < 1.3.2
> 
> Background: Yesterday Hanno Böck found an invalid memory access in the
> 2.1 branch of GnuPG by conveying a malformed OID as part of an ECC key.
> It turned out that this bug has also been in libksba ever since and
> affects at least gpgsm and dirmngr.  The code to convert an OID to its
> string representation has an obvious error of not considering an invalid
> encoding for arc-2.  A first byte of 0x80 can be used to make a value of
> less than 80 and we then subtract 80 from it as required by the OID
> encoding rules.  Due to the use of an unsigned integer this results in a
> pretty long value which won't fit anymore into the allocated buffer.
> The actual fix for lib Libksba is commit f715b9e.

Announce: http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
Upstream fix: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7

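As an added example (not libksba's code and not the upstream fix), a decoder for the OID content octets discussed in the quoted advisory: it derives the first two arcs from the fully decoded value rather than from the first octet, rejects the non-minimal leading 0x80 octet, and fails instead of overflowing the output buffer.

```c
/* Added example (not libksba's code): a bounds-checked OID-to-dotted-string
 * decoder that rejects the non-minimal leading 0x80 octet described above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode DER OID content octets (no tag/length) into e.g. "1.2.840.113549".
 * Returns 0 on success, -1 on malformed input or when the output won't fit. */
int oid_to_str(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    int first = 1;
    if (len == 0 || outlen == 0) return -1;
    while (pos < len) {
        /* X.690 8.19.2: a subidentifier never starts with 0x80. This is the
         * octet that let the decoded first value drop below 80 in libksba. */
        if (buf[pos] == 0x80) return -1;
        uint64_t val = 0;
        int more;
        do {
            if (val >> 57) return -1;        /* 7 more bits would overflow */
            val = (val << 7) | (buf[pos] & 0x7f);
            more = buf[pos++] & 0x80;
        } while (more && pos < len);
        if (more) return -1;                 /* input ended mid-subidentifier */
        int n;
        if (first) {
            /* Split the combined first subidentifier from the decoded value,
             * never from the first octet: arc-1 is 0, 1 or 2 by definition,
             * and arc-2 = val - 40*arc-1 can no longer underflow. */
            uint64_t a1 = val < 40 ? 0 : val < 80 ? 1 : 2;
            n = snprintf(out + used, outlen - used, "%llu.%llu",
                         (unsigned long long)a1, (unsigned long long)(val - 40 * a1));
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%llu", (unsigned long long)val);
        }
        if (n < 0 || (size_t)n >= outlen - used) return -1;  /* fail, don't overflow */
        used += (size_t)n;
    }
    return 0;
}

/* Convenience wrapper: decoded string (static buffer) or NULL on error. */
const char *oid_str(const unsigned char *buf, size_t len)
{
    static char s[128];
    return oid_to_str(buf, len, s, sizeof s) == 0 ? s : NULL;
}
```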

Martin Prpic | 25 Nov 13:07 2014

CVE request: missing checks for small-sized files in hivex

Hello,

Can a CVE please be assigned to the following issue?

It was reported that hivex [1], a library that can read and write hive files (undocumented binary files that
Windows uses to store the Windows Registry on disk), did not properly handle small-sized hive files. An
attacker able to supply a hive file of a small size to an application using the hivex library could use this
flaw to read, and possibly write, up to 4095 bytes beyond the end of the allocated buffer, potentially
resulting in arbitrary code execution with the privileges of the user running that application.

This issue has been fixed in upstream version 1.3.11 of hivex. Upstream patches are available at:

https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb
https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705

References:

[1] https://www.redhat.com/archives/libguestfs/2014-October/msg00235.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1167756

Thanks,

--
Martin Prpič / Red Hat Product Security

Daniele Bianco | 25 Nov 10:12 2014

[oCERT 2014-008] libFLAC multiple issues


Description:

FLAC is an open source lossless audio codec supported by several software
and music players.

The libFLAC project, an open source library implementing reference
encoders and decoders for native FLAC and Ogg FLAC audio content,
suffers from multiple implementation issues.

In particular, a stack overflow and a heap overflow condition, which may
result in arbitrary code execution, can be triggered by passing a maliciously
crafted .flac file to the libFLAC decoder.

Affected version:

libFLAC <= 1.3.0

The following packages were identified as affected as they statically
include libFLAC in their own packages.

Max <= 0.9.1
Cog <= 0.07
cinelerra <= 4.6
JUCE <= 3.1.0 (juce_audio_formats module)

Fixed version:

libFLAC >= 1.3.1


Joshua Rogers | 25 Nov 06:40 2014

CVE Request: Graphviz format string vuln

Hi,

A format string vulnerability has been found in `graphviz'.
The fix commit is here:
https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081

Could I get a CVE-ID for this?

Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

Seth Arnold | 25 Nov 03:47 2014

parse_datetime() bug in coreutils

Hello,

Fiedler Roman discovered that coreutils' parse_datetime() function
has some flaws that may be exploitable if the date(1), touch(1),
or potentially other programs, accept untrusted input for certain
parameters. While researching this issue, he discovered that it
was independently discovered by Bertrand Jacquin and reported at
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872

$ touch '--date=TZ="123"345"  <at> 1'
Segmentation fault (core dumped)
$ date '--date=TZ="123"345"  <at> 1'
*** Error in `date': double free or corruption (out): 0x00007fffc9866c20 ***
Aborted (core dumped)
$

The GNU bugtracker has this patch to fix the problem:
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872
and this patch to include the fix in coreutils and a small test case:
http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872

Can a CVE please be assigned for this issue.

(Incidentally, that's some hairy-looking code; someone with time and an
inclination to join Hanno's fuzzing project might find it a fruitful
starting point.)

Thanks

Eric Windisch | 24 Nov 22:23 2014

Docker 1.3.2 - Security Advisory [24 Nov 2014]

Today, we are releasing Docker 1.3.2 in order to address two critical
security issues. This release also includes several bugfixes, including
changes to the insecure-registry option. Below are CVE descriptions for the
vulnerabilities addressed in this release.

Docker 1.3.2 is available immediately for all supported platforms:
https://docs.docker.com/installation/

Docker Security Advisory [24 Nov 2014]
=================================================================

=====================================================
[CVE-2014-6407] Archive extraction allowing host privilege escalation
=====================================================
Severity: Critical
Affects: Docker up to 1.3.1

The Docker engine, up to and including version 1.3.1, was vulnerable to
extracting files to arbitrary paths on the host during ‘docker pull’ and
‘docker load’ operations. This was caused by symlink and hardlink
traversals present in Docker's image extraction. This vulnerability could
be leveraged to perform remote code execution and privilege escalation.

Docker 1.3.2 remedies this vulnerability. Additional checks have been added
to pkg/archive and image extraction is now performed in a chroot. No
remediation is available for older versions of Docker and users are advised
to upgrade.

Related vulnerabilities discovered by Florian Weimer of Red Hat Product
Security and independent researcher, Tõnis Tiigi.
