Daniel Fahlgren | 5 Feb 15:26 2016

CVE Request uclibc-ng dns resolver issues

Hi,

uClibc-ng 1.0.12 has been released, which fixes some issues found in the
DNS resolver code.

The first is a denial of service while parsing compressed items. An
attacker can make the application end up in an infinite loop. Fixed by:

http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515

The other problem is that a crafted packet will make the parser
terminate early. The buffer is never initialized and is later passed to
strdup(). Fixed by:

http://repo.or.cz/uclibc-ng.git/commit/bb01edff0377f2585ce304ecbadcb7b6cde372ac

Can one or two CVEs be assigned for these issues?

Best regards,
Daniel Fahlgren
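
The two fixes above are to a name decompressor: one closes an infinite loop while following compression pointers, the other stops the parser returning early on a crafted packet with an uninitialized buffer. As an added example (not uClibc-ng code), here is a defensive RFC 1035 name reader in Python that terminates by construction (pointers may only move backwards), caps label and name length, and raises rather than returning partial data. The packets at the bottom are constructed for the example.

```python
"""Defensive DNS name decompression (RFC 1035 section 4.1.4).

Added example, not uClibc-ng code.  Pointers are accepted only if they
reference an earlier offset, which rules out self-references and cycles
without needing a jump counter; any truncation raises instead of returning
a half-built name.
"""

MAX_LABEL = 63      # RFC 1035 section 2.3.4
MAX_NAME = 255


def read_name(msg: bytes, offset: int) -> tuple:
    """Return (name, offset just past the name as written at `offset`).

    Raises ValueError on pointer loops, forward pointers, oversize labels
    or a truncated message; never returns a partially decoded name.
    """
    labels = []
    total = 0
    resume = None              # where the caller continues after the name
    pos = offset
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name at offset %d" % pos)
        length = msg[pos]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer at offset %d" % pos)
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume is None:
                resume = pos + 2
            # A pointer must reference a *prior* occurrence of a name.
            # Requiring strictly backward moves guarantees termination.
            if target >= pos:
                raise ValueError("pointer at %d does not go backwards (-> %d)"
                                 % (pos, target))
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type 0x%02x" % (length & 0xC0))
        if length == 0:                              # root label ends the name
            if resume is None:
                resume = pos + 1
            return ".".join(labels), resume
        if length > MAX_LABEL:
            raise ValueError("label too long at offset %d" % pos)
        total += length + 1
        if total > MAX_NAME:
            raise ValueError("name too long")
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label at offset %d" % pos)
        labels.append(label.decode("ascii", errors="replace"))
        pos += 1 + length


def rejects(msg: bytes, offset: int) -> bool:
    """True if read_name refuses the message (used for the bad samples)."""
    try:
        read_name(msg, offset)
    except ValueError:
        return True
    return False


# Constructed sample packets: a 12-byte header of zeros, then name data.
HEADER = bytes(12)
SAMPLE_MSG = (HEADER
              + b"\x03www\x07example\x03com\x00"    # offset 12: www.example.com
              + b"\x00\x01\x00\x01"                  # QTYPE/QCLASS
              + b"\xc0\x0c"                          # offset 33: pointer -> 12
              + b"\x04mail\xc0\x10")                 # offset 35: mail + pointer -> 16
LOOP_MSG = HEADER + b"\xc0\x0c"                      # offset 12: pointer to itself
TRUNC_MSG = HEADER + b"\x03ww"                       # label claims 3 bytes, has 2

if __name__ == "__main__":
    for off in (12, 33, 35):
        print(read_name(SAMPLE_MSG, off))
    for bad in (LOOP_MSG, TRUNC_MSG):
        print("rejected:", rejects(bad, 12))
```

The backward-only rule is exactly what the RFC permits (a pointer is "a pointer to a prior occurrence of the same name"), so it rejects nothing legitimate, and the caller gets the resume offset from the first pointer encountered, not from wherever the walk ended.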

Velmurugan Periasamy | 5 Feb 07:00 2016

CVE update (CVE-2015-5167 & CVE-2016-0733) - Fixed in Ranger 0.5.1

Hello:

Here's a CVE update for Ranger 0.5.1 release. Please see below details.

Thank you,
Velmurugan Periasamy

--------------------------------------------------------------------------
CVE-2015-5167: Restrict REST API data access for non-admin users
--------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Ranger 0.4.0 and 0.5.0
Users affected: All users of ranger policy admin tool
Description: Data access restrictions via REST API are not consistent with
restrictions in policy admin UI.
Mitigation: Users should upgrade to Ranger 0.5.1 version
--------------------------------------------------------------------------
CVE-2016-0733: Ranger Admin authentication issue
--------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Ranger 0.4.0 and 0.5.0
Users affected: All users of ranger policy admin tool
Description: Malicious Users can gain access to ranger admin UI without
proper authentication
Mitigation: Users should upgrade to Ranger 0.5.1 version
--------------------------------------------------------------------------


Zach W. | 4 Feb 21:30 2016

CVE Request: Open Source Media Center insecure default config

Hey all,

Using several other CVEs as an example (such as
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6850), I am
requesting a CVE for "OSMC: Open Source Media Center" default config.

1) Default user is osmc/osmc
2) SSH, and FTP are enabled by default, which osmc has access to
3) The interface does not require or request a password change for the
default user
4) osmc has full sudoers access and can gain root access via sudo

Thanks!

Zach W.

Salvatore Bonaccorso | 4 Feb 17:33 2016

CVE Request: WordPress: New 4.4.2 security and maintenance release: SSRF and open redirect vulnerability

Hi

A new security and maintenance release for WordPress was announced,
which addresses two security issues:

https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/

According to the announcement:
> WordPress versions 4.4.1 and earlier are affected by two security
> issues: a possible SSRF for certain local URIs, reported by Ronni
> Skansing; and an open redirection attack, reported by Shailesh
> Suthar.

Could two CVEs be assigned for the respective issues?

References:
https://core.trac.wordpress.org/changeset/36444
https://core.trac.wordpress.org/changeset/36435

Regards,
Salvatore

Tristan Cacqueray | 4 Feb 13:44 2016

[OSSA 2016-006] Glance image status manipulation through locations removal (CVE-2016-0757)

=================================================================
OSSA-2016-006: Glance image status manipulation through locations
               removal
=================================================================

:Date: February 03, 2016
:CVE: CVE-2016-0757

Affects
~~~~~~~
- Glance: <=2015.1.2, >=11.0.0 <= 11.0.1

Description
~~~~~~~~~~~
Erno Kuvaja from HPE reported a vulnerability in Glance. By removing
the last location of an image, an authenticated user may change the
image status back to queued and may be able to upload new image data
which breaks Glance's immutability promise. A malicious
tenant may exploit this flaw to silently replace image data it owns,
regardless of the original creator or the visibility settings. Only
setups with show_multiple_locations enabled (not default) are
affected.

Patches
~~~~~~~
- https://review.openstack.org/275735 (Kilo)
- https://review.openstack.org/275736 (Liberty)
- https://review.openstack.org/275737 (Mitaka)

Credits

cve | 4 Feb 01:27 2016

Re: Socat security advisory 7 - Created new 2048bit DH modulus


> Here, there
> can be a CVE ID for the "was not prime" finding in the sense that p is
> supposed to be prime, and a non-prime value is an implementation error
> regardless of any other details of the situation.

Use CVE-2016-2217.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
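
The assignment rationale above is that p "was not prime", independent of anything else about the socat parameters. As an added example (not socat code and not MITRE's text), this is the check a reviewer would run on any hard-coded Diffie-Hellman modulus: Miller-Rabin on p, and on (p - 1)/2 as well, since a DH group is normally expected to use a safe prime. The moduli at the bottom are constructed for the example: 2^127 - 1 (prime, but not a safe prime), 2^128 + 1 (composite) and 1019 (a small safe prime, for illustration only; a real group would be 2048 bits or more).

```python
"""Primality checks for a Diffie-Hellman modulus.

Added example, not socat code.  check_dh_modulus() returns a list of
findings; an empty list means p has the expected size, is (probably) prime,
and (p - 1) / 2 is (probably) prime too.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 64) -> bool:
    """Miller-Rabin with `rounds` random bases (error probability <= 4**-rounds)."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:            # trial division catches the cheap cases
        if n == q:
            return True
        if n % q == 0:
            return False
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime if both p and (p - 1) / 2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_dh_modulus(p: int, expected_bits: int) -> list:
    """Return the list of problems found with a DH modulus (empty == none)."""
    findings = []
    if p.bit_length() != expected_bits:
        findings.append("modulus is %d bits, expected %d" % (p.bit_length(), expected_bits))
    if p % 2 == 0:
        findings.append("modulus is even")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_safe_prime(p):
        findings.append("(p-1)/2 is not prime (not a safe prime)")
    return findings


# Constructed sample moduli for the example.
MERSENNE_127 = 2**127 - 1      # prime, but (p-1)/2 = 2**126 - 1 is composite
FERMAT_7 = 2**128 + 1          # composite (59649589127497217 * 5704689200685129054721)
SMALL_SAFE = 1019              # 1019 and 509 are both prime

if __name__ == "__main__":
    for name, p, bits in (("2^127-1", MERSENNE_127, 127),
                          ("2^128+1", FERMAT_7, 129),
                          ("1019", SMALL_SAFE, 10)):
        print(name, check_dh_modulus(p, bits) or "ok")
```

The same function applies to a modulus extracted from a PEM "DH PARAMETERS" blob once it has been parsed to an integer; the point is that primality is cheap to verify and should be asserted at build or review time for any group that ships hard-coded.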
PASCAULT Wilfried | 3 Feb 16:55 2016

CVE Request: Datafari Local File Disclosure

Datafari, an open source enterprise search software using Apache Solr, ManifoldCF and Tomcat, is prone to
a local file disclosure vulnerability.

Product's information
---------------------
* Name : Datafari - http://www.datafari.com/
* Editor: France Labs
* Affected versions: 2.x < 2.1.3
* Tested : 2.1.0 and 2.1.1 on Debian 7 (Wheezy) and Debian 8 (Jessie)

Description
-----------
When a "filesystem" repository has been configured in Datafari (administrative privileges on Datafari
required), a user can access any file on the system with root privileges.

In the "$INSTALLPATH$/datafari/tomcat/conf/datafari.properties" configuration file, the
"ALLOWLOCALFILEREADING" parameter allows reading files on the system by default.

Datafari runs as user root by default, so any file can be downloaded with the "url=file:/" parameter of
"/Datafari/URL" (the token isn't checked).

This issue is exploitable only when "Filesystem" repository has been set on ManifoldCF.

Proof of concept
----------------
http://localhost:8080/Datafari/URL?url=file:/arbitrary_file

http://localhost:8080/Datafari/URL?url=file:/etc/shadow
=> file will be downloaded as _etc_shadow

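The Datafari report above (a url=file:/ parameter dereferenced by a server running as root) and the WordPress 4.4.2 notice earlier in this digest (an SSRF "for certain local URIs" and an open redirect) are the same class of bug: a URL taken from the request and acted on by the server. As an added example, not Datafari or WordPress code, the Python below shows the guards a fetch-or-redirect endpoint needs: a scheme allow-list that refuses file: outright, a refusal of literal loopback, link-local and private addresses, a host allow-list for server-side fetches, and a redirect guard that only accepts same-site targets. ALLOWED_HOSTS and the sample URLs are constructed for the example.

```python
"""Guarding a user-supplied URL before the server fetches or redirects to it.

Added example; not Datafari or WordPress code.  ALLOWED_HOSTS is made up for
the example.  The checks here are purely syntactic and run offline; a real
fetcher must also check the resolved address at connect time, since a
hostname on the allow-list could resolve to an internal address.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_HOSTS = frozenset({"files.example.com", "docs.example.internal"})  # constructed


def is_local_address(host: str) -> bool:
    """True if host is a literal IP address a server should never fetch from."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False            # a hostname, not a literal address
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return url unchanged if it may be fetched server-side, else raise ValueError.

    file:, ftp:, gopher: and every other non-http(s) scheme is refused first,
    so a local-file read of the kind in the Datafari report is not reachable.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % (scheme or None))
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    if is_local_address(host):
        raise ValueError("local address not allowed: %s" % host)
    if host not in allowed_hosts:
        raise ValueError("host not on allow-list: %s" % host)
    return url


def is_safe_fetch_url(url: str) -> bool:
    """Boolean wrapper around validate_fetch_url()."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False


def safe_redirect_target(target: str, site_host: str, fallback: str = "/") -> str:
    """Return target if it stays on site_host, otherwise fallback.

    Absolute URLs must be http(s) on site_host with no userinfo; anything
    else must be a plain site-relative path.  '//host' and backslash
    variants, which browsers treat as scheme-relative URLs, are rejected.
    """
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return fallback
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback
        if parts.username or parts.password:
            return fallback
        return target
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return fallback
    return target


if __name__ == "__main__":
    for u in ("file:/etc/shadow", "http://127.0.0.1/", "https://files.example.com/r.pdf"):
        print(u, "->", "fetch ok" if is_safe_fetch_url(u) else "refused")
    for t in ("/wp-admin/", "//evil.example/", "https://example.com@evil.example/"):
        print(t, "->", safe_redirect_target(t, "example.com"))
```

Note what this does not do: it does not authenticate the caller (the Datafari report says the token isn't checked, and no URL filter fixes that), and it does not stop a hostname on the allow-list from resolving to an internal address; that needs the resolved IP re-checked at connection time.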

Dmitry Kasyanov | 3 Feb 09:40 2016

CVE Request: PHP-5.5.31: multiple security vulnerabilities

There are some security vulnerabilities in PHP without CVEs assigned.
Can CVEs be assigned to these issues?

bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
https://bugs.php.net/bug.php?id=70661

A use-after-free vulnerability was found that could possibly lead to
arbitrary remote code execution. Vulnerable code:

if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
	target_hash = HASH_OF(ent2->data);
	if (ent1->varname) {
		if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
			Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
			...
			/* Clean up old array entry */
			zval_ptr_dtor(&ent2->data);

			/* Set stack entry to point to the newly created object */
			ent2->data = obj;

			/* Clean up class name var entry */
			zval_ptr_dtor(&ent1->data);

During WDDX packet deserialization, zval_ptr_dtor() frees the ZVAL from
memory; however, a crafted recordset can still use the already freed
memory.

---------------


Eric Soroos | 2 Feb 19:51 2016

CVE Request -- Buffer overflow in Python-Pillow and PIL

Hello, 

I'd like to request a CVE number for all versions of Python Pillow <= 3.1.0 and PIL == 1.1.7 (at the least).

There is a buffer overflow in PcdDecode.c, where the decoder writes assuming 4 bytes per pixel into a 3 byte
per pixel wide buffer, allowing writing 768 bytes off the end of the buffer. This overwrites objects in
Python's stack, leading to a crash. 

This issue and the patch are public:  https://github.com/python-pillow/Pillow/pull/1706

Thanks, 

Eric
Larry Cashdollar | 2 Feb 14:08 2016

Reflected XSS & Blind SQLi in wordpress plugin eshop v6.3.14

Title: Reflected XSS & Blind SQLi in wordpress plugin eshop v6.3.14
Author: Larry W. Cashdollar, @_larry0
Date: 2016-01-27
Download Site: https://wordpress.org/plugins/eshop
Vendor: Richard Pedley
Vendor Notified: 2016-01-29
Vendor Contact: http://elfden.co.uk/
Description: An accessible Shopping Cart plugin. eShop is an accessible
shopping cart plugin for WordPress, packed with various features.
Vulnerability:
The following code snippets do not sanitize user input before passing it back
to the user's browser via a $_GET request.

http://plugins.svn.wordpress.org/eshop/trunk/eshop-orders.php

From eshop-orders.php XSS via page & action variables:

$apge=get_admin_url().'admin.php?page='.$_GET['page'].'&amp;action='.$_GET['action'];
echo '<ul id="eshopsubmenu" class="stuffbox">';
echo '<li><span>'.__('Sort Orders by &raquo;','eshop').'</span></li>';
echo '<li><a href="'.$apge.'&amp;by=da"'.$cda.'>'.__('Date Ascending','eshop').'</a></li>';
echo '<li><a href="'.$apge.'&amp;by=dd"'.$cdd.'>'.__('Date Descending','eshop').'</a></li>';
echo '<li><a

Hanno Böck | 2 Feb 10:56 2016

Miscomputations of elliptic curve scalar multiplications in Nettle

https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html

The Nettle library is a library for basic cryptographic functions. Its
most prominent user is GnuTLS.

Through fuzzing of elliptic curve scalar multiplications (multiplying a
point on an elliptic curve with a scalar number) I discovered two carry
propagation bugs that would lead the calculations to produce wrong
results. They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.

While analyzing these bugs Nettle developer Niels Möller discovered
another carry propagation bug in P-256 that was fixed in the same
commit. Nettle 3.2 fixes all three bugs.

The impact is currently unclear, but miscalculations in cryptographic
functions should generally be considered security issues. I'd like to
encourage cryptographers to try to analyze whether these bugs can lead
to cryptographic breaks.

https://github.com/hannob/bignum-fuzz/blob/master/point-fuzz.c
I have published a code example on how to fuzz elliptic curve
multiplications. It can compare the output of OpenSSL with either
Nettle or NSS. It currently works only with prime field curves, but it
can probably be adapted to other curves.

P-256 bug:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
Mailing list post with code sample
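The method described above is differential: compute the same scalar multiplication with two independent implementations and treat any disagreement as a bug. As an added example, not Nettle code and not the point-fuzz.c linked in the post, the Python below applies that idea with two textbook algorithms (left-to-right double-and-add and a Montgomery ladder) over a plain affine implementation of NIST P-256, and adds an on-curve check of every result. It is pure Python and slow, but enough to show the shape of the harness; the only constants used are the public P-256 domain parameters.

```python
"""Differential check of P-256 scalar multiplication.

Added example; not Nettle's code and not the fuzzer from the post.  Two
independent scalar-multiplication routines are run on the same inputs and
must agree, and the result must satisfy the curve equation.  Edge scalars
around the group order and the field prime are included because carry
propagation bugs tend to surface on values near a limb boundary.
"""
import secrets

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); INF counts as on-curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine addition/doubling, handling INF and P + (-P) explicitly."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                            # p2 == -p1 (incl. y == 0)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent: doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul_double_and_add(k, pt):
    """Left-to-right binary double-and-add."""
    r = INF
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r


def mul_ladder(k, pt):
    """Montgomery ladder; invariant r1 == r0 + pt after every step."""
    r0, r1 = INF, pt
    for bit in bin(k)[2:]:
        if bit == "1":
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r1, r0 = add(r0, r1), add(r0, r0)
    return r0


def differential_check(k, pt=G):
    """True if both algorithms agree on k*pt and the result is on the curve."""
    a = mul_double_and_add(k, pt)
    b = mul_ladder(k, pt)
    return a == b and on_curve(a)


def fuzz(rounds=8):
    """Return the scalars on which the two routines disagree or leave the curve
    (empty list == all agree).  Fixed edge cases plus `rounds` random scalars."""
    scalars = [0, 1, 2, N - 1, N, N + 1, P - 1, P, P + 1, 2**256 - 1]
    scalars += [secrets.randbelow(N) for _ in range(rounds)]
    return [k for k in scalars if not differential_check(k)]


if __name__ == "__main__":
    print("G on curve:", on_curve(G))
    print("N*G is INF:", mul_ladder(N, G) is INF)
    print("disagreements:", fuzz())
```

With two routines written against the same field arithmetic, as here, a shared carry bug would go unnoticed; the post's harness gets its power from comparing different libraries (OpenSSL against Nettle or NSS), so in practice one side should be an unrelated implementation.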
