Petr Matousek | 24 Oct 20:49 2014
cve | 24 Oct 19:58 2014

CVE-2014-8369 - Linux kernel iommu.c excessive unpinning

CVE-2014-8369 has been assigned to this virt/kvm/iommu.c issue:

(This vulnerability exists because of an incorrect fix for


CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Pierre Schweitzer | 24 Oct 12:23 2014

Vulnerability fixed in Quassel?

Dear all,

I'm looking for opinions regarding the commit 8b5ecd2:
It fixes the issue 1314:

It appears to me that this is a vulnerability in the Quassel-core
which allows clients to remotely crash the core and thus cause a
denial of service using ill-formed messages.

Would it deserve a CVE and/or fixes in distributions which ship it?
I'm not affiliated in any kind with that project, so I might not have
 enough information regarding this fix, nor legitimity to request a
CVE for this.

Looking for your comments.

With my best regards,
P. Schweitzer
Robert Scheck | 24 Oct 00:04 2014

Zarafa WebAccess >= 6.40.4 affected by CVE-2013-2205, CVE-2013-2205 and CVE-2012-3414

Good evening,

I discovered that Zarafa WebAccess >= 6.40.4 is affected by CVE-2013-2205,
CVE-2013-2205 and CVE-2012-3414 as it bundles the vulnerable SWFUpload from Zarafa has been already notified.

[root <at> tux ~]# rpm -q zarafa-webaccess
[root <at> tux ~]# 

[root <at> tux ~]# rpm -ql zarafa-webaccess | grep swfupload.swf | xargs md5sum
3a1c6cc728dddc258091a601f28a9c12 /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf
[root <at> tux ~]# 

Given that some distributions/downstreams are shipping that vulnerable .swf
file this is just meant as a simple "heads up". There are two solutions:

a) Replace the bundled swfupload.swf by the fork maintained by WordPress
   from (upstream will likely
   do the same for a future release of Zarafa) or
b) Remove the vulnerable SWFUpload e.g. at packaging time (this is what I
   did for Fedora because I never managed it to build the .swf file from
   source code to satisfy our Fedora Packaging Guidelines). Copy & paste
   example from .spec file for removal:

--- snipp ---
%if 0%{?no_multiupload}
sed '148,155d' $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php > \
touch -c -r $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{,.new}
(Continue reading)

Andy Lutomirski | 23 Oct 19:44 2014

CVE Request: Linux 3.17 guest-triggerable KVM OOPS

On Linux 3.17, a KVM guest can trigger a NULL pointer dereference by
forcing the host to emulate certain well-formed RIP-relative
instructions or certain types of corrupt or page-straddling
instructions.  This is almost certainly just a DoS -- there is a
single read-modify-write to the NULL pointer, and no kernel code will
consume data loaded from the NULL pointer if something is mapped

The bugs, or at least dangerous code, arguably existed in much older
kernels, but the NULL pointer dereference was introduced in
41061cdb98a0bec464278b4db8e894a3121671f5, which is only present in

To fix it, you can either revert the broken patch or you can apply
both patches here as well as the attached patch:
(NB: I'm not sure whether "Emulator does not decode clflush well" is necessary.)


Depending on your point of view, there are either one or two bugs
here.  Nadav Amit discovered an error in the instruction decoder that
would cause certain RIP-relative instructions to OOPS the decoder.
Specifically, rather than adding RIP to the operand address, RIP would
be added to *0 from the host's perspective.

I wrote an ugly proof-of-concept to trigger it (kvm_clflush_oops.c,
although I've cleaned it up somewhat since I originally wrote it).
That PoC only works on an SMP guest, and only when run as root.

(Continue reading)

Hanno Böck | 23 Oct 12:12 2014

strings / libbfd crasher


I'm forwarding this here so it doesn't get lost:

Short: Michal Zalewski (who is also on this list and probably can give
us some more info) fuzzed a sample that crashes the strings command,
due to a bug in libbfd.
(by the way: nice catch, always interesting to see potential vulns in
places you don't expect them.)

strings/libbfd belong to binutils.
I haven't seen a corresponding commit, their latest release is a bit

I think it deserves a CVE and further analysis. Seems to be "only" an
out of bounds read.

Some valgrind output that gives an idea whats going on:

==6858== Memcheck, a memory error detector
==6858== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==6858== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==6858== Command: strings stringme
==6858== Invalid read of size 1
==6858==    at 0x4E8708F: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/
(Continue reading)

Salvatore Bonaccorso | 22 Oct 21:53 2014

CVE Request: smarty: secure mode bypass


Can a CVE be assigned for the following smarty issue: upstream
released new version 3.1.21:

> Smarty 3.1.21 Released Oct 18, 2014
> Smarty 3.1.21 minor bug fixes and improvements. Also following up a
> security bug fix where <script language="php"> tags still worked in
> secure mode. To note, this only affects users using Smarty in secure
> mode and exposing templates to untrusted third parties.


Debian Bugreport:


Kurt Seifried | 22 Oct 18:55 2014

CVE-2014-3712 Katello: user parameters passed to to_sym

Jan Rusnacko of Red Hat reports:

Katello code exposes potential to_sym Denial of Service attack vector
from user input parameters. The two places identified are:

This type of attack is documented here -

This has been confirmed in testing by Eric Helms of Red Hat.



Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Marc Deslauriers | 22 Oct 15:41 2014

CVE Request: systemd-shim DoS issue


systemd-shim version 8 shipped with a debugging clause enabled that may result
in a denial of service attack by local users.

Fixed by:

Could a CVE please be assigned to this issue?




Marc Deslauriers
Ubuntu Security Engineer     |
Canonical Ltd.               |

Tristan Cacqueray | 21 Oct 23:36 2014

[OSSA 2014-037] Nova VMware instance in resize state may leak (CVE-2014-8333)

OpenStack Security Advisory: 2014-037
CVE: CVE-2014-8333
Date: October 21, 2014
Title: Nova VMware instance in resize state may leak
Reporter: Zhu Zhu (IBM)
Products: Nova
Versions: up to 2014.1.3

Zhu Zhu from IBM reported a vulnerability in Nova VMware driver. If an
authenticated user deletes an instance while it is in resize state, it
will cause the original instance to not be deleted. An attacker can use
this to launch a denial of service attack. All Nova VMware setups are

Juno fix:

Icehouse fix:

This fix was included in the 2014.2 release and will appear in a future
2014.1.4 stable point release.


(Continue reading)

Andy Lutomirski | 21 Oct 22:48 2014

CVE-2014-3690: KVM DoS triggerable by malicious host userspace

[sorry for somewhat late notice -- I didn't notice that the patch was
public until just now]

KVM has a bug that allows malicious host user code that can open the
/dev/kvm device on a VMX (Intel) machine to DoS the system.  (In my
proof of concept, the DoS is a rather spectacular failure of the whole
system, although I haven't checked whether the kernel panics.  A more
refined exploit *might* be able to kill targetted user processes, but
it would be tricky and is subject to possibly unavoidable races that
are likely to take down the whole system.)

This is *not* triggerable by a guest, although a guest that can
compromise its host QEMU could use this bug to take down everything
else running on the host.

I would guess that all kernels that support VMX are vulnerable, but I
haven't tested old kernels.

The fix is here:

PoC available upon request, and I'll post it publicly in a few days,
because it's kind of fun to watch the fireworks.