Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Posts per quarter:

Year   Jan–Mar  Apr–Jun  Jul–Sep  Oct–Dec
2017       233
2016       738      637      689      788
2015      1068      839      658      618
2014       714      711      886     1185
2013       777      648      688      583
2012       815      578      591      549
2011       640      738      550      591
2010       291      376      465      383
2009       250      264      272      304
2008       206      390      402      358

Latest Posts

Re: FW: [DSA 3775-1] tcpdump security update] David Manouchehri (Jan 30)
The source along with samples can be found over here.

https://anonscm.debian.org/cgit/users/rfrancoise/tcpdump.git/commit/?id=b4f4a803b9b5f9d507201cd1c48ddd992a62aee2

CVE request Qemu: sd: sdhci OOB access during multi block SDMA transfer P J P (Jan 30)
Hello,

Quick emulator (Qemu) built with the SDHCI device emulation support is
vulnerable to an OOB heap access issue. It could occur while doing a multi
block SDMA transfer via 'sdhci_sdma_transfer_multi_blocks' routine.

A privileged user inside the guest could use this flaw to crash the Qemu process
resulting in DoS or potentially execute arbitrary code with privileges of the
Qemu process on the host.

Upstream patch:...

FW: [DSA 3775-1] tcpdump security update] Leo Famulari (Jan 30)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3775-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 29, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tcpdump
CVE ID : CVE-2016-7922 CVE-2016-7923...

Requesting CVE for calibre file disclosure Martin Pitt (Jan 29)
Hello all,

Calibre 2.75 fixed what looks like a local data disclosure vulnerability:

https://github.com/kovidgoyal/calibre/commit/3a89718664cb8c

@Kovid: Would you mind making the original Launchpad bug
https://launchpad.net/bugs/1651728 public?

@osssec: Can you please assign a CVE on this one?

Thanks to Antoine for pointing this out, this deserves an update in stable
distro releases.

Martin

mp3splt: NULL pointer dereference in main (mp3splt.c) Agostino Sarubbo (Jan 29)
Description:
mp3splt is a command line utility to split mp3 and ogg files without decoding.

A fuzz on it discovered a NULL pointer access.

The complete ASan output:

# mp3splt -P -f -t 0.1 -a $FILE
==3081==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x00000046dbd9 bp 0x7ffc4cdabdb0 sp 0x7ffc4cdab520 T0)
==3081==The signal is caused by a READ memory access.
==3081==Hint: address points to the zero page.
#0 0x46dbd8...

mp3splt: invalid free in free_options (options_manager.c) Agostino Sarubbo (Jan 29)
Description:
mp3splt is a command line utility to split mp3 and ogg files without decoding.

A fuzz on it discovered an invalid free.

The complete ASan output:

# mp3splt -P -f -t 0.1 -a $FILE
==2631==ERROR: AddressSanitizer: attempting free on address which was not
malloc()-ed: 0x000000d3ef65 in thread T0
#0 0x4d3770 in free /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47...

mp3splt: NULL pointer dereference in splt_cue_export_to_file (cue.c) Agostino Sarubbo (Jan 29)
Description:
mp3splt is a command line utility to split mp3 and ogg files without decoding.

A fuzz on it discovered a NULL pointer access.

The complete ASan output:

# mp3splt -P -f -t 0.1 -a $FILE
==2581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f36fb0a159a bp 0x7ffdc2708cb0 sp 0x7ffdc2708438 T0)
==2581==The signal is caused by a READ memory access.
==2581==Hint: address points to the zero page.
#0...

Re: Firejail local root exploit Ion Ionescu (Jan 29)
Hello,
The first fix for CVE-2017-5180 in Firejail version 0.9.44.4 and 0.9.38.8 (LTS) was incomplete. After changing .Xauthority to
.bashrc in the exploit code, the problem is still there (credit: Sebastian Krahmer).
New releases are out: 0.9.44.8 and 0.9.38.10 (LTS). Please assign a new CVE.
Thank you,
Ion Ionescu

From: Sebastian Krahmer <krahmer () suse com>
To: oss-security () lists openwall com
Cc: netblue30 () yahoo com
Sent:...

Re: CVE request: GNU screen escalation cve-assign (Jan 29)
Use CVE-2017-5618.

Re: SSRF issue in the svgsalamander library cve-assign (Jan 29)
Use CVE-2017-5617.

Re: CVE request: rubygem minitar: directory traversal vulnerability cve-assign (Jan 29)
Use CVE-2016-10173 for both minitar and archive-tar-minitar.

Re: wavpack: multiple out of bounds memory reads cve-assign (Jan 28)
Use CVE-2016-10169.

Use CVE-2016-10170.

Use CVE-2016-10171.

Use CVE-2016-10172.

Note that http://openwall.com/lists/oss-security/2017/01/23/4 had an
incorrect URL for the open_utils.c issue. (It was a duplicate of the
previous URL.) The correct URL is in the quoted text above. Also, the
vendor response of "I am pretty confident that these particular
failures are not exploitable, although I am not an expert in that
area" is on the...

Re: CVE request: cgiemail multiple vulnerabilities cve-assign (Jan 28)
It is possible that the upstream distribution is unmaintained because the
latest release is from about 19 years ago:

http://web.mit.edu/wwwdev/cgiemail/webmaster.html#1.6

Use CVE-2017-5613.

Use CVE-2017-5614.

Use CVE-2017-5615.

Use CVE-2017-5616.

Re: Gentoo: order of installed packages may result in varying directory permissions, leading to crontab not requiring cron group membership as example. cve-assign (Jan 28)
Use CVE-2004-2778.

This CVE is for the general issue that permissions can end up weaker
than intended because of the state of the filesystem at the time an
ebuild is installed. (It is not exclusively a CVE about directories
for cron.) As mentioned in the 607430 description, "it's not clear to
me whether Portage should provide a solution to that, or the ebuilds
authors should make sure to always depends, in case of touching
cronbase...

Re: CVE Requests: libgd: potential unsigned underflow, denial-of-service in gdImageCreateFromGd2Ctx and signed overflow in gd_io.c cve-assign (Jan 28)
Use CVE-2016-10166.

Use CVE-2016-10167.

Use CVE-2016-10168.

(This CVE is for all of 69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6.
In other words, "make sure that either chunk count is actually greater
than zero" does not have a separate CVE.)
