Michael Samuel | 28 Jul 03:18 2014

rsync vulnerable to collisions


After some semi-public discussion on Twitter I have come up with a method
of creating blocks that collide under the rsync algorithm.

The rsync algorithm consists of two checksums - a rolling sum based off
Adler32 (notable difference - it doesn't use a prime modulus in
rsync), and MD5.
MD4 was used before rsync 3 (protocol version < 30), so presumably the change
was introduced due to security concerns about MD4.

Fast MD5 collisions have existed for quite some time - the attack I used as a
basis is from 2006, and the much more serious chosen-prefix collision is from
2009.  Generating a collision on my desktop PC takes less than a minute.  I have
not yet created a chosen-prefix collision, but I believe a similar
technique is possible.

Note that rsyncing a file over itself with two colliding blocks will
not break rsync as it prefers copying data from its original location.  The
minimum requirement is that an attacker can write to the synced file twice -
the process would need to be:
- introduce collision 1
- rsync
- introduce collision 2
- rsync

Also note that a full file md5sum is calculated, so introducing these
collisions would cause rsync to fail for that file (DoS attack)... unless it's the
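
The two-checksum scheme the post describes, as an added example (not the poster's code and not rsync's own source): rsync's weak rolling sum (two 16-bit sums reduced modulo 2^16, no prime) with its O(1) roll step, the per-block MD5 that every weak hit must still pass, and a sliding matcher run over a constructed old/new file pair. The 64-byte block size and the sample bytes are assumptions.

```python
import hashlib

MOD = 1 << 16  # rsync reduces both 16-bit sums modulo 2^16, not Adler-32's prime 65521

def weak_checksum(block: bytes) -> int:
    """Full recomputation of rsync's weak sum: a = sum x_i, b = sum (n - i) * x_i."""
    a = b = 0
    n = len(block)
    for i, x in enumerate(block):
        a += x
        b += (n - i) * x
    return (a % MOD) | ((b % MOD) << 16)

def roll(s: int, out_byte: int, in_byte: int, n: int) -> int:
    """O(1) update of the weak sum when the n-byte window slides right by one byte."""
    a, b = s & 0xFFFF, s >> 16
    a = (a - out_byte + in_byte) % MOD
    b = (b - n * out_byte + a) % MOD
    return a | (b << 16)

def block_signatures(old: bytes, block_size: int) -> dict:
    """Receiver side: weak sum -> [(offset, md5)] for every block of the old file."""
    sigs = {}
    for off in range(0, len(old), block_size):
        blk = old[off:off + block_size]
        sigs.setdefault(weak_checksum(blk), []).append((off, hashlib.md5(blk).hexdigest()))
    return sigs

def find_matches(new: bytes, sigs: dict, block_size: int) -> list:
    """Sender side: slide the weak sum over `new`; a block is reused only if MD5 agrees.
    Real rsync jumps a whole block after a match; sliding every byte keeps roll() visible."""
    matches = []  # (offset_in_new, offset_in_old)
    if len(new) < block_size:
        return matches
    s, pos = weak_checksum(new[:block_size]), 0
    while True:
        if s in sigs:  # cheap weak hit; the MD5 comparison below is the only other gate
            strong = hashlib.md5(new[pos:pos + block_size]).hexdigest()
            for old_off, h in sigs[s]:
                if h == strong:
                    matches.append((pos, old_off))
                    break
        if pos + block_size >= len(new):
            return matches
        s = roll(s, new[pos], new[pos + block_size], block_size)
        pos += 1

# Constructed sample: the old file's three 64-byte blocks reordered, plus 3 new bytes.
OLD = b"A" * 64 + b"B" * 64 + b"C" * 64
NEW = b"C" * 64 + b"A" * 64 + b"zzz" + b"B" * 64
```

`find_matches(NEW, block_signatures(OLD, 64), 64)` reports the three relocated blocks; the weak sum only decides which windows are worth an MD5, so the strength of the whole scheme rests on that MD5 step.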

Adan Alvarez | 24 Jul 20:59 2014

Duplicated CVE - Cacti XSS


I requested a CVE to mitre three days ago because of the security bug I
found: http://bugs.cacti.net/view.php?id=2456


Unfortunately, there are currently two CVEs assigned to this security issue:
CVE-2014-5025 and CVE-2014-5026.

So I don't know what I should do.

On the other hand,  I just discovered another XSS vulnerability that is not
solved by the current patch.

Here you have the details to reproduce it:

Create a new user or edit an existing one with the following Full Name:
Then go to System Utilities - View User Log, and if the user has logged in
you will see a popup with the text "XSS".

Maybe CVE-2014-5043 can be used to identify this last discovery.

Henri Salo | 24 Jul 20:11 2014

CVE request: WordPress plugin vitamin traversal arbitrary file access

Can I get a 2012 CVE for the WordPress plugin vitamin path parameter traversal
arbitrary file access vulnerability, thanks. Files: add_headers.php, minify.php

Affected: 1.0
Fixed in: 1.1

Short description of plugin:

 Vitamin is about SEO, speed and security. It includes sitemaps for SEO, cache
 for speed, antispam and hacker blocks for security. 

Plugin page: http://wordpress.org/plugins/vitamin/
Changelog: http://wordpress.org/plugins/vitamin/changelog/
OSVDB: http://osvdb.org/84463 http://osvdb.org/84464
SCM: https://plugins.trac.wordpress.org/changeset/582232/vitamin

Henri Salo
P J P | 24 Jul 16:00 2014

CVE request Linux Kernel: net: SCTP: NULL pointer dereference


Linux kernel built with the support for Stream Control Transmission Protocol
(CONFIG_IP_SCTP) is vulnerable to a NULL pointer dereference flaw. It could
occur when simultaneous new connections are initiated between the same pair of

A remote user/program could use this flaw to crash the system kernel resulting
in DoS.

Upstream fix:
   -> http://patchwork.ozlabs.org/patch/372475/

Thank you.
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Hanno Böck | 24 Jul 11:26 2014

CVE request: Mailpoet (wordpress-plugin) remote file upload exploited in the wild


A remote file upload in the wordpress plugin Mailpoet is currently
widely exploited:

It is fixed in the version 2.6.7. Upstream changelog:
Fixed security issue reported by Sucuri

The changelog lists also another security issue, fixed in version 2.6.8,
however without any details:
Fixed security issue reported by our dear Dominic. Thank you sir!

I know that CVE requests without details aren't liked much here,
however at the moment I don't have the time to dig into version diffs.

Please assign a CVE for the first and proceed how you think appropriate
for the second.


Hanno Böck

mail/jabber: hanno@...
Vasily Averin | 23 Jul 16:40 2014

CVE request: kernel: vfs: refcount issues during unmount on symlink

A flaw was found in the way reference counting was handled in the Linux kernel's
VFS subsystem when unmount on symlink was performed.

On Red Hat Enterprise Linux 6 an unprivileged local user could use this flaw to
cause OOM conditions leading to denial of service or, potentially, trigger a
use-after-free error.

On Red Hat Enterprise Linux 7 a privileged local user with the CAP_SYS_ADMIN
capability (also in a container) could use this flaw to cause OOM conditions
leading to denial of service or, potentially, trigger a use-after-free error.

Red Hat would like to thank Vasily Averin of Parallels for reporting this issue.

The problem was fixed in OpenVZ kernel 2.6.32-042stab092.3

Also I would like to add that the KernelCare project (http://kernelcare.com) has released
a live hot update for this issue, both for affected OpenVZ and RHEL6 kernels.

Thank you,
	Vasily Averin

Florian Weimer | 23 Jul 14:04 2014

[CVE request] Array allocation fixes in libgfortran

Janne Blomqvist fixed several CVE-2002-0391-style integer overflows in 
array allocation in libgfortran, the run-time support library for the 
Fortran compiler which is part of the GNU Compiler Collection.  The 
upstream Subversion commit is here:


These changes will be part of the next version of GCC (whose version 
number is still to be decided).

I think this warrants a CVE assignment.


Florian Weimer / Red Hat Product Security

Daniele Bianco | 23 Jul 12:01 2014

[oCERT-2014-005] LPAR2RRD input sanitization errors

#2014-005 LPAR2RRD input sanitization errors


LPAR2RRD is a performance monitoring and capacity planning software for IBM
Power Systems. LPAR2RRD generates historical, future trends and nearly
"real-time" CPU utilization graphs of LPARs and shared CPU usage.

Insufficient input sanitization on the parameters passed to the application
web gui leads to arbitrary command injection on the LPAR2RRD application.

Affected version:

LPAR2RRD <= 4.53, <= 3.5

Fixed version:

LPAR2RRD > 4.53

Credit: vulnerability report and PoC code received from Jürgen Bilberger
        <juergen.bilberger AT daimler.com>.

CVE: CVE-2014-4981 (version <= 3.5), CVE-2014-4982 (version <= 4.53)


2014-07-08: vulnerability report received
2014-07-08: contacted LPAR2RRD maintainers

Raphael Geissert | 22 Jul 23:00 2014

ecryptfs-setup-private nitpick


Taking a look at ecryptfs-utils 103's ecryptfs-setup-private, there is a bit 
of code that writes the mount pass to a file in /dev/shm hoping to "keep it 
from leaking to the hard-drive":

        # This will be wrapped by pam_ecryptfs's chauthtok as soon as the 
        # chooses a password.  Until that happens (hopefully soon), standard
        # file permissions (600) are all that's protecting it.  Write it to
        # ramdisk, to keep it from leaking to the hard-drive.
        temp=`mktemp /dev/shm/.ecryptfs-XXXXXX`
        printf "%s" "$MOUNTPASS" > "$temp"
        mv -f -T "$temp" "/dev/shm/.ecryptfs-$USER" || error "Could not create passphrase file"

Fast-forward to 2014 and /dev/shm is, well, not a ramfs/ramdisk:

/dev/shm -> /run/shm, which is a tmpfs at least on Debian.

And as clearly stated by Documentation/filesystems/tmpfs.txt:
"If you compare it to ramfs (which was the template to create tmpfs)
you gain swapping and limit checking."

So in the hope of avoiding a persistent storage the mount pass is written to 
a file in a tmpfs that can be swapped to... disk.

The file is left on /dev/shm until pam_ecryptfs actually wraps it with the 
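
A check for the point the post makes, as an added example that is neither the poster's nor ecryptfs-utils' code: given /proc/mounts and /proc/swaps text (constructed stand-ins below for a Debian-style host where /dev/shm resolves to /run/shm), classify whether a file written at a path can reach persistent storage. It assumes the caller has already symlink-resolved the path, e.g. with os.path.realpath.

```python
# Constructed stand-ins for /proc/mounts and /proc/swaps; a live check would pass
# open("/proc/mounts").read() and open("/proc/swaps").read() instead.
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=102400k 0 0
tmpfs /run/shm tmpfs rw,nosuid,nodev 0 0
"""
SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda2                               partition\t2097148\t0\t-1
"""

def mount_for(path: str, mounts: str):
    """Longest-prefix match of `path` against /proc/mounts -> (mountpoint, fstype).
    `path` must already be symlink-resolved so /dev/shm/... is judged by /run/shm."""
    best = None
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, fstype = fields[1].replace("\\040", " "), fields[2]  # \040 encodes a space
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype)
    return best

def swap_active(swaps: str) -> bool:
    """/proc/swaps is a header line followed by one line per active swap area."""
    return len([l for l in swaps.splitlines() if l.strip()]) > 1

def may_reach_disk(path: str, mounts: str, swaps: str) -> bool:
    """True if a file at `path` can end up on persistent storage.
    ramfs never swaps; tmpfs can as soon as swap is on; anything else is disk-backed."""
    found = mount_for(path, mounts)
    if found is None:
        return True
    fstype = found[1]
    if fstype == "ramfs":
        return False
    if fstype == "tmpfs":
        return swap_active(swaps)
    return True
```

With the sample data, `may_reach_disk("/run/shm/.ecryptfs-alice", MOUNTS, SWAPS)` is true: the passphrase file sits on a tmpfs while a swap partition is active, which is the situation the post describes.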

Phil Pennock | 22 Jul 17:44 2014

Exim: 4.83 Released, CVE-2014-2972 fix

Attached should be two emails from one of my fellow Exim maintainers,
Todd, who has driven the past couple of releases and done the bulk of
the coordination for this CVE.

Our thanks, once more, to Rack911 and Cpanel.

-Phil, pdp@...
From: Todd Lyons <tlyons@...>
Subject: Exim 4.83 Released
Date: 2014-07-22 14:59:49 GMT

I have uploaded Exim 4.83 to:

This release of Exim includes one incompatible fix: the behavior of
expansion of arguments to math comparison functions (<, <=, =, =>, >)
was unexpected, expanding the values twice. This fix also addresses a
security advisory, CVE-2014-2972. This is not a remote exploit, but if
content that is searched by the above math comparison functions is under
the control of an attacker, specially crafted data can be inserted that
will cause the Exim mail server to perform various file-system functions
as the exim user.

This release contains the following enhancements and bugfixes:

Raphael Geissert | 22 Jul 14:45 2014

GLPI: unprivileged users can access cost information


A bug has been identified by Simone Imeri in GLPI where a user without
access to cost information can in fact see the information when
selecting cost as a search criterion[1]. This is fixed by commit [2]
which appears to have been included for version 0.84.7 [3].

I believe this should get a CVE id.



Raphael Geissert - Debian Developer
www.debian.org - get.debian.net