Andreas Lehmkuehler | 27 May 08:03 2016

[CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

CVE-2016-2175: Apache PDFBox XML External Entity vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache PDFBox 1.8.0 to 1.8.11
Apache PDFBox 2.0.0
Earlier, unsupported Apache PDFBox versions may be affected as well

Description:
Apache PDFBox parses several kinds of XML data embedded in PDF files, such as
XMP, and the initialization of its XML parsers did not protect against XML
External Entity (XXE) vulnerabilities. According to www.owasp.org [1]: "This
attack may lead to the disclosure of confidential data, denial of service,
server side request forgery, port scanning from the perspective of the machine
where the parser is located, and other system impacts."

Mitigation:
Upgrade to Apache PDFBox 1.8.12 or 2.0.1, respectively.

Credit:
This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi Kim, 
Mesut Timur and Microsoft Vulnerability Research.

[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing


Seth Arnold | 26 May 02:27 2016

CVE Requests: libimobiledevice and libusbmuxd

Hello MITRE, all,

Please assign CVE(s) to libimobiledevice and libusbmuxd; both libraries
accidentally bound a listening IPv4 TCP socket to INADDR_ANY rather than
INADDR_LOOPBACK:

https://github.com/libimobiledevice/libimobiledevice/commit/df1f5c4d70d0c19ad40072f5246ca457e7f9849e
https://github.com/libimobiledevice/libusbmuxd/commit/4397b3376dc4e4cb1c991d0aed61ce6482614196

I do not know who to credit with discovery.

Thanks
Salvatore Bonaccorso | 25 May 15:52 2016

CVE Request: roundcube: XSS vulnerability in mail content page

Hi

Can you please assign a CVE for the following XSS vulnerability in
roundcube fixed with the recent 1.2 release:

RELEASE 1.2.0
-------------
[...]
- Fix XSS issue in href attribute on area tag (#5240)

References:
https://github.com/roundcube/roundcubemail/issues/5240
https://github.com/roundcube/roundcubemail/pull/5241

Thanks in advance,

Regards,
Salvatore
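The class of bug behind that changelog entry, as an added example that is not Roundcube's sanitizer or its patch: an href on an area tag (like on an a tag) is a URL, so the defence is to allow-list the scheme after undoing the encodings a browser would undo. The allowed schemes and the helper names below are choices made for this example, not anything the Roundcube fix specifies.

```python
"""Added example (not Roundcube code): scheme allow-listing for href values,
the general defence against XSS through href attributes such as on <area>.

Assumptions: the accepted schemes (http, https, mailto, plus scheme-less
relative URLs) are a policy chosen here; Roundcube's own rules differ.
"""
import html
import re

ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# ASCII controls and space, which browsers strip from the ends of a URL.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_href(value: str) -> str:
    """Undo the tricks that hide a scheme from a naive string comparison.

    Browsers decode character references in attribute values, drop tabs and
    newlines anywhere in a URL, and strip leading/trailing C0 controls and
    spaces before parsing it, so the check must look at that same string.
    """
    decoded = html.unescape(value)
    decoded = "".join(ch for ch in decoded if ch not in "\t\n\r")
    return decoded.strip(_C0_AND_SPACE)


def is_safe_href(value: str) -> bool:
    """True only if the URL has no scheme (relative) or an allow-listed one."""
    normalized = normalize_href(value)
    m = _SCHEME_RE.match(normalized)
    if m is None:
        # No parseable scheme: the browser resolves it relative to the page,
        # which inherits the page's http(s) scheme.
        return True
    return m.group(1).lower() in ALLOWED_SCHEMES


def sanitize_area_href(value: str) -> str:
    """Return the href to emit for an <area>/<a> tag, or "" when rejected."""
    return value if is_safe_href(value) else ""


if __name__ == "__main__":
    for candidate in ("https://example.org/", "javascript:alert(1)",
                      " java\tscript:alert(1)", "&#106;avascript:alert(1)"):
        print(repr(candidate), "->", repr(sanitize_area_href(candidate)))
```

The point of normalizing first is that "javascript" can be spelled with a character reference, a tab in the middle, or leading whitespace and still execute; an allow-list of schemes survives those variants where a deny-list of the string "javascript:" does not.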

P J P | 25 May 14:34 2016

CVE Request Qemu: scsi: megasas: out-of-bounds read in megasas_lookup_frame() function

   Hello,

Quick Emulator (Qemu), built with the MegaRAID SAS 8708EM2 Host Bus Adapter 
emulation support, is vulnerable to an out-of-bounds read access issue. It 
could occur while looking up MegaRAID Firmware Interface (MFI) command frames 
in the 'megasas_lookup_frame' routine.

A privileged user inside the guest could use this flaw to read invalid memory, 
leading to a crash of the Qemu process on the host.

Upstream patch:
---------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04424.html

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1336461

This issue was discovered by Li Qiang of 360.cn Inc.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

P J P | 25 May 14:31 2016

CVE Request Qemu: scsi: megasas: out-of-bounds write while setting controller properties

   Hello,

Quick Emulator (Qemu), built with the MegaRAID SAS 8708EM2 Host Bus Adapter 
emulation support, is vulnerable to an out-of-bounds write access issue. It 
could occur while processing a MegaRAID Firmware Interface (MFI) command to set 
controller properties in 'megasas_dcmd_set_properties'.

A privileged user inside the guest could use this flaw to crash the Qemu process 
on the host, resulting in DoS.

Upstream patch:
---------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04340.html

This issue was discovered by Li Qiang of 360.cn Inc.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

P J P | 25 May 14:29 2016

CVE Request Qemu: scsi: megasas: stack information leakage while reading configuration

   Hello,

Quick Emulator (Qemu), built with the MegaRAID SAS 8708EM2 Host Bus Adapter 
emulation support, is vulnerable to an information leakage issue. It could 
occur while processing a MegaRAID Firmware Interface (MFI) command to read device 
configuration in 'megasas_dcmd_cfg_read'.

A privileged user inside the guest could use this flaw to leak host memory bytes.

Upstream patch
--------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04419.html

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1339583

This issue was discovered by Li Qiang of 360.cn Inc.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Stefan Horlacher | 25 May 10:13 2016

CVE-Request: TYPO3 Extbase Missing Access Check

Hi

A critical security vulnerability has been discovered in the TYPO3 Core. It was fixed yesterday:
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/

Could you please assign a CVE for this issue?

Regards,
Stefan

Lior Kaplan | 25 May 09:51 2016

Fwd: CVE for PHP 5.5.36 issues

Hi,

Please assign CVE for the following issues, expected to be part of PHP
5.5.36
Code at http://git.php.net/?p=php-src.git;a=shortlog;h=refs/heads/PHP-5.5

#72227 is a backport from upstream, so we'd prefer to reuse their CVE (if
already exists).
#72135 and 72114 are PHP 5.x only bugs.

Thanks,

Kaplan

---------- Forwarded message ----------
From: Lior Kaplan <kaplanlior@...>
Date: Wed, May 25, 2016 at 12:55 AM
Subject: CVE for PHP 5.5.36 issues ?
To: "security@..." <security@...>

Following my mail below from last week, these are the issues which got
fixed in the security repository for PHP 5.5.

commit 7a1aac3343af85b4af4df5f8844946eaa27394ab
Author: Stanislav Malyshev <stas@...>
Date:   Mon May 23 00:28:02 2016 -0700

    Fixed bug #72227: imagescale out-of-bounds read

    Ported from

Huzaifa Sidhpurwala | 25 May 08:59 2016

3 libxml2 issues

Hi All,

The following issues were reported to us:

1. CVE-2016-4447: libxml2: Heap-based buffer underreads due to xmlParseName

https://bugzilla.redhat.com/show_bug.cgi?id=1338686

2. CVE-2016-4448 libxml2: Format string vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1338700

3. CVE-2016-4449 libxml2: Inappropriate fetch of entities content

https://bugzilla.redhat.com/show_bug.cgi?id=1338701

Each of the Red Hat bugs contains links to the commits which fix these
issues. (The upstream bugs are currently private.)

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

P J P | 24 May 12:10 2016

CVE-2014-3672 libvirt: DoS via excessive logging

   Hello,

A while back, Mr Andrew Sorensen reported a Qemu logging issue wherein Libvirt 
or Xen directed 'stderr' of Qemu to a log file on the host.

This can be easily exploited by a user inside a guest to flood the log file with 
endless messages, resulting in a DoS situation on the host, affecting other 
services and guests alike.

'CVE-2014-3672' was assigned to it by Red Hat Inc.

Until recently there was no remedy in sight, but quoting Mr Daniel P Berrange 
of libvirt

   "Since libvirt version 1.3.3, libvirt has 'virtlogd' daemon running. The
    QEMU stdout/err are no longer connected directly to a file on disk, instead
    they go to a pipe connected to virtlogd. virtlogd only allows 128 kb of
    data to be written before rolling over the logs, and only keeps 3 backups,
    so there is no longer an uncontrolled denial of service.

    With QEMU 2.6, it is further possible to use virtlogd in association with
    QEMU serial ports that need to log to a file, for the same reason."

Upstream patch:
---------------
   -> https://libvirt.org/git/?p=libvirt.git;a=commit;h=0d968ad715475a1660779bcdd2c5b38ad63db4cf

Note: It's probably not feasible to backport this solution to older versions.

Thank you.

P J P | 24 May 11:37 2016

CVE Request: Qemu: scsi: mptsas infinite loop in mptsas_fetch_requests

   Hello,

Quick Emulator (Qemu), built with the LSI SAS1068 Host Bus Adapter emulation 
support, is vulnerable to an infinite loop issue. It could occur while fetching 
new requests in mptsas_fetch_requests().

A privileged user inside the guest could use this flaw to consume excessive host 
resources or crash the Qemu process, resulting in DoS.

Upstream patch:
---------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04027.html

This issue was discovered and reported by Li Qiang of 360.cn Inc.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
