Bug#699342: [Secure-testing-team] Bug#699342: libupnp6: Security problem in SSDP code widely publicized today
Control: forcemerge 699316 699342 Hi On Wed, Jan 30, 2013 at 02:04:53PM +0100, Eric Valette wrote: Package: libupnp6 Version: 1:1.6.17-1.1 Severity: grave Tags: security Justification: user security hole Dear Maintainer, http://www.zdnet.com/millions-of-pcs-exposed-through-network-bugs-security-researchers-find-710478/ Fixed in 1.6.18. Thanks, merging with #699316. Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#699316: Patch for 1.6.x branch in RedHat Bugzilla
Control: tags -1 + patch Hi Attached is the debdiff created with the patch found in the RedHat Bugtracker[1]. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=883790 But I have not tested the resulting package. Regards, Salvatore diff -Nru libupnp-1.6.17/debian/changelog libupnp-1.6.17/debian/changelog --- libupnp-1.6.17/debian/changelog 2012-05-08 16:59:15.0 +0200 +++ libupnp-1.6.17/debian/changelog 2013-01-30 23:49:00.0 +0100 @@ -1,3 +1,16 @@ +libupnp (1:1.6.17-1.2) unstable; urgency=low + + * Non-maintainer upload. + * Add 19-699316-Fix-buffer-overflows-in-unique_service_name.patch patch +[SECURITY]: Multiple stack-based buffer overflows in +unique_service_name() by processing specially-crafted SSDP request +(VU#922681). +Fixes CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 +CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965. (Closes: #699316) +(LP: #1110273) + + -- Salvatore Bonaccorso car...@debian.org Wed, 30 Jan 2013 23:48:11 +0100 + libupnp (1:1.6.17-1.1) unstable; urgency=high * Non-maintainer upload. diff -Nru libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch --- libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch 1970-01-01 01:00:00.0 +0100 +++ libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch 2013-01-30 23:49:00.0 +0100 
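Review bot: the changelog hunk claims the new patch "Fixes CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965", but the patch's own Description (below) says only 5958, 5959 and 5960 are addressed here and that 5961 to 5965 "have already been dealt by previous work". The security tracker will record whatever the changelog states, so the two must agree: either list only the three CVEs this upload fixes and name the version that fixed the other five, or bring the Description up to date if all eight really are new in this upload.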
@@ -0,0 +1,91 @@ +Description: Fix multiple buffer overflows + This patch addresses three possible buffer overflows in function + unique_service_name(). The three issues have the folowing CVE + numbers: + . + CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf + CVE-2012-5959 Issue #4: Stack buffer overflow of Event-UDN + CVE-2012-5960 Issue #8: Stack buffer overflow of Event-UDN + . + Notice that the following issues have already been dealt by previous + work: + . + CVE-2012-5961 Issue #1: Stack buffer overflow of Evt-UDN + CVE-2012-5962 Issue #3: Stack buffer overflow of Evt-DeviceType + CVE-2012-5963 Issue #5: Stack buffer overflow of Event-UDN + CVE-2012-5964 Issue #6: Stack buffer overflow of Event-DeviceType + CVE-2012-5965 Issue #7: Stack buffer overflow of Event-DeviceType +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=667153 +Bug-Debian: http://bugs.debian.org/699316 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=883790 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libupnp/+bug/1110273 +Forwarded: not-needed +Reviewed-by: Salvatore Bonaccorso car...@debian.org +Last-Update: 2013-01-30 +Applied-Upstream: yes + + +--- a/upnp/src/ssdp/ssdp_server.c b/upnp/src/ssdp/ssdp_server.c +@@ -467,16 +467,16 @@ + else + return -1; + if (ptr3 != NULL) { +- if (strlen(uuid:) + strlen(ptr3 + 1) = sizeof(Evt-UDN)) ++ if (strlen(uuid:) + strlen(ptr3 + 1) = sizeof Evt-UDN) + return -1; +- snprintf(Evt-UDN, sizeof(Evt-UDN), uuid:%s, +- ptr3 + 1); ++ snprintf(Evt-UDN, sizeof Evt-UDN, uuid:%s, ptr3 + 1); + } + else + return -1; + ptr1 = strstr(cmd, :); + if (ptr1 != NULL) { + n = (size_t)ptr3 - (size_t)ptr1; ++ n = n = sizeof TempBuf ? 
sizeof TempBuf - 1 : n; + strncpy(TempBuf, ptr1, n); + TempBuf[n] = '\0'; + if (strlen(urn) + strlen(TempBuf) = sizeof(Evt-DeviceType)) +@@ -490,27 +490,28 @@ + if ((TempPtr = strstr(cmd, uuid)) != NULL) { + if ((Ptr = strstr(cmd, ::)) != NULL) { + n = (size_t)Ptr - (size_t)TempPtr; ++ n = n = sizeof Evt-UDN ? sizeof Evt-UDN - 1 : n; + strncpy(Evt-UDN, TempPtr, n); + Evt-UDN[n] = '\0'; + } else { + memset(Evt-UDN, 0, sizeof(Evt-UDN)); +- strncpy(Evt-UDN, TempPtr, sizeof(Evt-UDN) - 1); ++ strncpy(Evt-UDN, TempPtr, sizeof Evt-UDN - 1); + } + CommandFound = 1; + } + if (strstr(cmd, urn:) != NULL strstr(cmd, :service:) != NULL) { + if ((TempPtr = strstr(cmd, urn)) != NULL) { +- memset(Evt-ServiceType, 0, sizeof(Evt-ServiceType)); ++ memset(Evt-ServiceType, 0, sizeof Evt-ServiceType); + strncpy(Evt-ServiceType, TempPtr, +- sizeof(Evt-ServiceType) - 1); ++ sizeof Evt-ServiceType - 1); + CommandFound = 1; + } + } + if (strstr(cmd, urn
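Review bot: in the first hunk (@@ -467) the new clamp on n for TempBuf silently truncates an overlong token, while the Evt->UDN path a few lines above rejects the same condition with return -1. After truncation TempBuf is a prefix of the real string and still feeds the Evt->DeviceType length check, so the outcome is a wrong device type rather than an error. Returning -1 when n >= sizeof TempBuf would keep the two paths consistent. Also, n = (size_t)ptr3 - (size_t)ptr1 is computed without checking that ptr1 lies before ptr3; if the ':' found by ptr1 comes after ptr3 the subtraction wraps, the clamp cuts it to sizeof TempBuf - 1 and the strncpy copies whatever follows ptr1. The copy is bounded, but a ptr1 < ptr3 test before the subtraction would reject the malformed input outright.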
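Review bot: the second hunk (@@ -490) applies the same clamp to Evt->UDN: when Ptr - TempPtr is at least sizeof Evt->UDN the UDN is cut to sizeof - 1 bytes and processing continues with CommandFound = 1, so a truncated UDN is later treated as if it were complete. Rejecting the message, as the uuid: branch in the first hunk does, is the safer choice; if truncation is intended it should be stated in the patch Description, which only says the overflows are fixed. The remaining lines in this hunk (memset/strncpy on Evt->ServiceType) change sizeof(x) to sizeof x and nothing else; keeping such style churn out of a security backport makes the diff quicker to audit.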
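The patch above works on fixed-size stack buffers in unique_service_name() that receive pieces of an attacker-controlled SSDP header. As an added example (not libupnp code and not part of the Debian patch), the function below parses the same "uuid:<id>::urn:<type>" shape into caller-supplied buffers and rejects anything that would not fit instead of truncating it; the buffer sizes, the helper names and the constructed 300-byte input are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libupnp code. Splits an SSDP USN value of the form
 * "uuid:<id>::urn:<type>" into two caller-supplied fixed-size buffers.
 * Every length is checked against the destination size BEFORE copying and
 * an input that does not fit is rejected with -1 instead of being clamped,
 * so a stack buffer can neither overflow nor end up holding a truncated
 * value that downstream code treats as complete. */
int parse_usn(const char *usn, char *udn, size_t udn_sz,
              char *type, size_t type_sz)
{
    if (usn == NULL || udn == NULL || type == NULL ||
        udn_sz == 0 || type_sz == 0)
        return -1;

    const char *id  = strstr(usn, "uuid:");
    const char *sep = strstr(usn, "::");
    /* Both pieces must exist and the separator must follow the uuid;
     * without the ordering test the pointer difference below would wrap. */
    if (id == NULL || sep == NULL || sep < id)
        return -1;

    size_t n = (size_t)(sep - id);          /* bytes of "uuid:<id>" */
    if (n >= udn_sz)                        /* room for the NUL as well */
        return -1;
    memcpy(udn, id, n);
    udn[n] = '\0';

    const char *urn = sep + 2;
    if (strncmp(urn, "urn:", 4) != 0)
        return -1;
    size_t m = strlen(urn);
    if (m >= type_sz)
        return -1;
    memcpy(type, urn, m + 1);               /* includes the terminating NUL */
    return 0;
}

/* Demo helper: parse into 64/128-byte buffers (sizes chosen for this
 * example, not libupnp's) and compare with the expected pieces. */
int usn_matches(const char *usn, const char *exp_udn, const char *exp_type)
{
    char udn[64], type[128];
    if (parse_usn(usn, udn, sizeof udn, type, sizeof type) != 0)
        return 0;
    return strcmp(udn, exp_udn) == 0 && strcmp(type, exp_type) == 0;
}

/* Demo helper: 1 when parse_usn rejects the input for the given buffer
 * sizes (at most 256 each in this demo). */
int usn_rejected(const char *usn, size_t udn_sz, size_t type_sz)
{
    char udn[256], type[256];
    if (udn_sz > sizeof udn || type_sz > sizeof type)
        return 0;
    return parse_usn(usn, udn, udn_sz, type, type_sz) == -1;
}

int main(void)
{
    const char *good =
        "uuid:2fac1234-31f8-11b4-a222-08002b34c003::urn:schemas-upnp-org:device:Basic:1";

    /* Constructed overlong input: a 300-byte uuid field, the kind of SSDP
     * payload that overflowed the fixed stack buffers before the fix. */
    char evil[320];
    memset(evil, 0, sizeof evil);
    strcpy(evil, "uuid:");
    memset(evil + 5, 'A', 300);
    strcpy(evil + 305, "::urn:x");

    printf("well-formed USN: %s\n",
           usn_matches(good, "uuid:2fac1234-31f8-11b4-a222-08002b34c003",
                       "urn:schemas-upnp-org:device:Basic:1") ? "parsed" : "rejected");
    printf("300-byte uuid into a 64-byte UDN buffer: %s\n",
           usn_rejected(evil, 64, 128) ? "rejected" : "accepted");
    return 0;
}
```

The point of the ordering test and the reject-instead-of-clamp policy is that a caller never has to ask whether a field it received is the real one or a cut-down copy; the only two outcomes are a fully parsed message or a dropped one.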
Bug#699441: [Secure-testing-team] Bug#699441: owncloud: Multiple security issues in owncloud
Control: merge 698737 699441 Hi John On Thu, Jan 31, 2013 at 07:25:38AM -0600, John Goerzen wrote: Package: owncloud Version: 4.0.4debian2-3.2 Severity: grave Tags: security Justification: user security hole The version of owncloud in both testing and unstable contains security holes. http://owncloud.org/changelog/ has details. Upstream versions 4.0.11 and 4.5.6 fixed: * Security: Fix multiple XSS problems: CVE-2013-0201, CVE-2013-0202, CVE-2013-0203 * Security: Removed remoteStorage app because of unfixed security problems. Yes, owncloud fixing these is in the delayed queue: See: http://bugs.debian.org/698737 Regards, Salvatore
Bug#699441: [Secure-testing-team] Bug#699441: owncloud: Multiple security issues in owncloud
Hey John On Thu, Jan 31, 2013 at 08:39:42AM -0600, John Goerzen wrote: Ah, sorry for the noise. 698737 did not show up on bugs.debian.org/owncloud and I didn't think to check the src:. No problem. I'm unsure if I should have reported this against owncloud instead of src:owncloud. But security-tracker tracks packages via source package name. Regards, Salvatore
Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Hi Christine I noticed you already uploaded 1.31 fixing #699625 which is great, thanks for working on this issue and fixing it already. There is however one unfortunate thing: 91 files changed, 28516 insertions(+), 2085 deletions(-) This is a problem as the fix needs to go to testing too, but we are in Freeze for wheezy now so the freeze policy[1] applies. [1]: http://release.debian.org/wheezy/freeze_policy.html Could you isolate the fix needed and only perform a minimal update to the package in regard to the version in testing? 1.30. I guess the release team would like to see the changes reverted and have only the bug fixed at this stage of the freeze. I assume the only needed change is the following (only shortly looked at the debdiff)? cut-cut-cut-cut-cut-cut- --- latd-1.30/llogincircuit.cc 2008-08-20 13:10:23.0 + +++ latd-1.31/llogincircuit.cc 2013-02-04 11:54:27.0 + @@ -92,6 +92,11 @@ else { char error[1024]; + // Truncate cmdbuf at an arbitrary point to make sure it fits into error[], otherwise it's a + // potential security problem. Debian bug #699625 + if (len 900) + len = 900; + cmdbuf[len] = '\0'; debuglog((Connect from invalid llogin version %s\n, cmdbuf)); sprintf(error, llogin version %s does not match latd version VERSION, cmdbuf); send_reply(LATCP_ERRORMSG, error, -1); cut-cut-cut-cut-cut-cut- Regards, Salvatore
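Review bot: the cap of 900 bytes in the quoted hunk is tied only implicitly to error[1024]: it works because 1024 - 900 happens to exceed the length of the format text plus VERSION, and it breaks again the moment either grows. Replace the sprintf with snprintf(error, sizeof(error), ...) so the bound is explicit and independent of the format, and keep the truncation of cmdbuf only if cmdbuf is guaranteed to hold at least 901 bytes, since cmdbuf[len] = '\0' writes one byte past the capped length. Cutting the received version string short is fine for an error message, but the comment should say why 900 was chosen rather than calling it "an arbitrary point".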
Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Hi On Tue, Feb 05, 2013 at 08:26:53AM +, Chrissie Caulfield wrote: On 04/02/13 22:14, Salvatore Bonaccorso wrote: Hi Christine I noticed you already uploaded 1.31 fixing #699625 which is great, thanks for working on this issue and fixing it already. There is however one unfortunate thing: 91 files changed, 28516 insertions(+), 2085 deletions(-) This is a problem as the fix needs to go to testing too, but we are in Freeze for wheezy now so the freeze policy[1] applies. [1]: http://release.debian.org/wheezy/freeze_policy.html Could you isolate the fix needed and only perform a minimal update to the package in regard to the version in testing? 1.30. I guess the release team would like to see the changes reverted and have only the bug fixed at this stage of the freeze. Sorry, my mistake. I'll do another upload later today with only that patch, then another one to fix the lintian bugs later in the week. TBH most of that diff was a silly autoconf-generated file! Thank you for the quick reply! Btw, could you then also ask for the unblock to the release team? It should appear on their radar anyway as it's an RC bug, but I think it's appreciated on their side. Regards, Salvatore
Bug#698632: rstatd: Patch 03-627217-netio.patch breaks RPC protocol compatibility for rstatd
Hi Anibal On Mon, Jan 21, 2013 at 02:50:43PM +0100, Salvatore Bonaccorso wrote: Reverting the patch 03-627217-netio.patch lets it work in a mixed squeeze, wheezy environment. If 627217 can be fixed, it should probably without breaking the protocol. After reverting the patch the requests give again correct results. [...] Could you please revert at least 03-627217-netio.patch (if fixing #627217 without creating the compatibility issue cannot be fixed)? At this stage of the freeze this option (dropping the patch for 627217) looks the best to me, what do you think Anibal? Regards, Salvatore
Bug#699835: keystone: CVE-2013-0247: Keystone denial of service through invalid token requests
Package: keystone Severity: grave Tags: security Justification: user security hole Hi, the following vulnerability was published for keystone. CVE-2013-0247[0]: Keystone denial of service through invalid token requests Patches should be available via [1]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0247 http://security-tracker.debian.org/tracker/CVE-2013-0247 [1] https://lists.launchpad.net/openstack/msg20689.html Please adjust the affected versions in the BTS as needed. Regards, Salvatore
Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Hi One further follow up: The Security Team marked the issue as no-dsa in the Security-Tracker[1]. So an update for Squeeze might go through a p-u upload. [1] https://security-tracker.debian.org/tracker/CVE-2013-0251 Thanks for fixing this issue quickly! Regards, Salvatore
Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Source: ruby-rack Severity: grave Tags: security Hi, the following vulnerabilities were published for ruby-rack. CVE-2013-0262[0]: Path sanitization information disclosure CVE-2013-0263[1]: Timing attack in cookie sessions If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities Exposures) ids in your changelog entry. Patches/upstream commits are referenced in the security tracker. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-0262 [1] http://security-tracker.debian.org/tracker/CVE-2013-0263 Please adjust the affected versions in the BTS as needed. Note: According to the red hat bugtracker for CVE-2013-0262 only versions after 1.4.x are affected, for CVE-2013-0263 all previous versions. Could you please double check this, and mark accordingly? Regards, Salvatore
Bug#700098: Propose to NMU cfingerd
Hi Martin Do you want to upload cfingerd? Otherwise I can prepare a NMU for this issue with Marc's submitted patch. In any case I would upload it to a delayed. Regards, Salvatore diff -u cfingerd-1.4.3/debian/changelog cfingerd-1.4.3/debian/changelog --- cfingerd-1.4.3/debian/changelog +++ cfingerd-1.4.3/debian/changelog @@ -1,3 +1,12 @@ +cfingerd (1.4.3-3.1) unstable; urgency=high + + * Non-maintainer upload. + * [SECURITY] CVE-2013-1049: fix buffer overflow in rfc1413 (ident) client. +Thanks to Malcolm Scott debian...@malc.org.uk and Marc Deslauriers +marc.deslauri...@ubuntu.com (Closes: #700098) (LP: #1104425) + + -- Salvatore Bonaccorso car...@debian.org Sat, 09 Feb 2013 18:38:28 +0100 + cfingerd (1.4.3-3) unstable; urgency=low * Approve NMU diff -u cfingerd-1.4.3/src/rfc1413.c cfingerd-1.4.3/src/rfc1413.c --- cfingerd-1.4.3/src/rfc1413.c +++ cfingerd-1.4.3/src/rfc1413.c @@ -25,7 +25,9 @@ * the implementation. Completely rewritten by yours truly to be self- * contained in a single program. Simple, easy to use. */ -#define BUFLEN (2 * INET6_ADDRSTRLEN) +#define UNAMELEN 64 +#define BUFLEN UNAMELEN + INET6_ADDRSTRLEN + 2 +#define INPUTLEN 256 char *get_rfc1413_data(struct sockaddr_storage * local_addr, struct sockaddr_storage * peer_addr ) { @@ -34,7 +36,7 @@ struct sockaddr_storage sin; struct sockaddr_in *sa4 = (struct sockaddr_in *) sin; struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *) sin; -char buffer[1024], buf[BUFLEN], uname[64], *bleah; +char buffer[1024], buf[INPUTLEN], uname[UNAMELEN], *bleah; char *cp, *xp; struct servent *serv;
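Review bot: in the #define hunk, BUFLEN is now UNAMELEN + INET6_ADDRSTRLEN + 2 without enclosing parentheses, whereas the old definition was (2 * INET6_ADDRSTRLEN); any use in an expression context, such as 2 * BUFLEN or BUFLEN - 1 inside a larger formula, will be mis-evaluated. Write #define BUFLEN (UNAMELEN + INET6_ADDRSTRLEN + 2). The hunk also stops using BUFLEN for buf (now INPUTLEN) but does not show the remaining user of BUFLEN; the debdiff should make clear where the new value is consumed and that it is large enough there.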
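Review bot: the declaration hunk resizes buf to INPUTLEN and uname to UNAMELEN, but the diff does not include the reads and copies into these buffers, and enlarging an array only fixes an overflow if every write into it is bounded by the same macro. The fix is complete only if each fgets/read/sscanf/strcpy that fills buf and uname uses INPUTLEN and UNAMELEN respectively; please include those lines, or state in the changelog that the existing writes were already limited to the old 64 and BUFLEN values, so the backport can be audited without the full source.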
Bug#700098: cfingerd: diff for NMU version 1.4.3-3.1
tags 700098 + pending thanks Hi Martin, I've prepared an NMU for cfingerd (versioned as 1.4.3-3.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Note, I know with this upload I'm not strictly following the NMU guidelines mentioned in the dev-ref (the bug is not enough old). Thus, please let me know if I should cancel the upload and you would like to do it yourself. Regards, Salvatore diff -u cfingerd-1.4.3/debian/changelog cfingerd-1.4.3/debian/changelog --- cfingerd-1.4.3/debian/changelog +++ cfingerd-1.4.3/debian/changelog @@ -1,3 +1,12 @@ +cfingerd (1.4.3-3.1) unstable; urgency=high + + * Non-maintainer upload. + * [SECURITY] CVE-2013-1049: fix buffer overflow in rfc1413 (ident) client. +Thanks to Malcolm Scott debian...@malc.org.uk and Marc Deslauriers +marc.deslauri...@ubuntu.com (Closes: #700098) (LP: #1104425) + + -- Salvatore Bonaccorso car...@debian.org Sat, 09 Feb 2013 18:38:28 +0100 + cfingerd (1.4.3-3) unstable; urgency=low * Approve NMU diff -u cfingerd-1.4.3/src/rfc1413.c cfingerd-1.4.3/src/rfc1413.c --- cfingerd-1.4.3/src/rfc1413.c +++ cfingerd-1.4.3/src/rfc1413.c @@ -25,7 +25,9 @@ * the implementation. Completely rewritten by yours truly to be self- * contained in a single program. Simple, easy to use. */ -#define BUFLEN (2 * INET6_ADDRSTRLEN) +#define UNAMELEN 64 +#define BUFLEN UNAMELEN + INET6_ADDRSTRLEN + 2 +#define INPUTLEN 256 char *get_rfc1413_data(struct sockaddr_storage * local_addr, struct sockaddr_storage * peer_addr ) { @@ -34,7 +36,7 @@ struct sockaddr_storage sin; struct sockaddr_in *sa4 = (struct sockaddr_in *) sin; struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *) sin; -char buffer[1024], buf[BUFLEN], uname[64], *bleah; +char buffer[1024], buf[INPUTLEN], uname[UNAMELEN], *bleah; char *cp, *xp; struct servent *serv;
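Review bot: the #define hunk in this NMU writes BUFLEN as UNAMELEN + INET6_ADDRSTRLEN + 2 with no parentheses, dropping the ones the original (2 * INET6_ADDRSTRLEN) had; a later 2 * BUFLEN or sizeof-style arithmetic would silently get a different value. Make it #define BUFLEN (UNAMELEN + INET6_ADDRSTRLEN + 2), and since buf now has INPUTLEN bytes, confirm in the debdiff that whatever reads into buf is limited to INPUTLEN as well.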
Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Control: clone -1 -2 Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information disclosure Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions Hi On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote: hi, For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-0262 [1] http://security-tracker.debian.org/tracker/CVE-2013-0263 Please adjust the affected versions in the BTS as needed. Note: According to the red hat bugtracker for CVE-2013-0262 only versions after 1.4.x are affected, for CVE-2013-0263 all previous versions. Could you please double check this, and mark accordingly? With a quick look: the code which raises CVE-2013-0262 (calculate path depth sequentially) was introduced in rack-1.4.0. So stable version (librack-ruby 1.1.0-4) is not affected. the code which raises CVE-2013-0263 (needs time string comparison) also affects stable version: https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49 This bts would have better to be split? thanks for the analysis! I'm cloning the bug and retitling both accordingly so that both CVE's can be tracked in separate bugs. Regards, Salvatore
Bug#699724: radicale: Insufficient dependency on python-radicale
Hi Jonas, Hi Martin On Mon, Feb 04, 2013 at 04:12:00AM +0100, Cyril Brulebois wrote: Package: radicale Version: 0.7-1 Severity: serious Tags: patch Justification: dependency issue Hi, radicale depends on python-radicale, without a version. Partial upgrades from squeeze can leave python-radicale at 0.3-2, leading to: | ~$ /usr/bin/radicale -H 127.0.0.1 -p 8765 | Traceback (most recent call last): | File /usr/bin/radicale, line 29, in module | import radicale.__main__ | ImportError: No module named __main__ Tagging as patch as adding (>= ${binary:Version}) or ditto with = should fix this. Looking through the RC bugs open for wheezy I noticed #699724 on package radicale. Do you have time to prepare a fix for this? I can prepare an NMU and upload to DELAYED/5 queue, so there will be enough time to cancel it in case. Regards, Salvatore
Bug#698910: zoneminder: arbitrary command execution vulnerability
Hi James Disclaimer: Only did a quick check. On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote: Control: tag -1 patch On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote: Some additional information: In most usual cases where zoneminder is set up, there should be authentication first. So this limits somehow the vulnerability. The attached patch should address the issue, but I don't have a setup to test. I rebuilt the package with your patch and tested it shortly in a VM installing zoneminder. It now does not seem possible anymore to inject a command to be executed with webserver user rights. Thanks for working on this James. Regards, Salvatore
Bug#699724: radicale: Insufficient dependency on python-radicale
Hi Jonas On Mon, Feb 11, 2013 at 05:37:06AM +0100, Jonas Smedegaard wrote: Quoting Salvatore Bonaccorso (2013-02-10 21:26:46) Hi Jonas, Hi Martin On Mon, Feb 04, 2013 at 04:12:00AM +0100, Cyril Brulebois wrote: Package: radicale Version: 0.7-1 Severity: serious Tags: patch Justification: dependency issue Hi, radicale depends on python-radicale, without a version. Partial upgrades from squeeze can leave python-radicale at 0.3-2, leading to: | ~$ /usr/bin/radicale -H 127.0.0.1 -p 8765 | Traceback (most recent call last): | File /usr/bin/radicale, line 29, in module | import radicale.__main__ | ImportError: No module named __main__ Tagging as patch as adding (>= ${binary:Version}) or ditto with = should fix this. Looking through the RC bugs open for wheezy I noticed #699724 on package radicale. Do you have time to prepare a fix for this? I can prepare an NMU and upload to DELAYED/5 queue, so there will be enough time to cancel it in case. You are quite welcome to upload without delay (I am on LowNMU list). The package is in collab-maint: Would be nice if you commit and release with git-buildpackage. Thanks for your help, however you do it, Thank you! I will prepare an upload later on today and will push the changes to collab-maint git repo! Regards, Salvatore
Bug#699724: radicale: Insufficient dependency on python-radicale
On Mon, Feb 11, 2013 at 12:42:10PM +0100, Jonas Smedegaard wrote: Quoting Salvatore Bonaccorso (2013-02-11 07:38:44) Hi Jonas On Mon, Feb 11, 2013 at 05:37:06AM +0100, Jonas Smedegaard wrote: Quoting Salvatore Bonaccorso (2013-02-10 21:26:46) Hi Jonas, Hi Martin On Mon, Feb 04, 2013 at 04:12:00AM +0100, Cyril Brulebois wrote: Package: radicale Version: 0.7-1 Severity: serious Tags: patch Justification: dependency issue Hi, radicale depends on python-radicale, without a version. Partial upgrades from squeeze can leave python-radicale at 0.3-2, leading to: | ~$ /usr/bin/radicale -H 127.0.0.1 -p 8765 | Traceback (most recent call last): | File /usr/bin/radicale, line 29, in module | import radicale.__main__ | ImportError: No module named __main__ Tagging as patch as adding (>= ${binary:Version}) or ditto with = should fix this. Looking through the RC bugs open for wheezy I noticed #699724 on package radicale. Do you have time to prepare a fix for this? I can prepare an NMU and upload to DELAYED/5 queue, so there will be enough time to cancel it in case. You are quite welcome to upload without delay (I am on LowNMU list). The package is in collab-maint: Would be nice if you commit and release with git-buildpackage. Thanks for your help, however you do it, Thank you! I will prepare an upload later on today and will push the changes to collab-maint git repo! Excellent! NB! You need not worry about CDBS if you don't want to - just add the new dependency to control file directly (i.e. ignore control.in) and I can integrate with CDBS later. Okay I have uploaded the package, and the changes pushed back for collab-maint. Regards, Salvatore
Bug#698910: zoneminder: arbitrary command execution vulnerability
Hi On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote: On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote: Some additional information: In most usual cases where zoneminder is set up, there should be authentication first. So this limits somehow the vulnerability. The attached patch should address the issue, but I don't have a setup to test. The patches look like they address the issue mentioned. What I've done: - Build both for Squeeze and unstable (debdiffs attached) - Installed zoneminder in a VM, confirmed that for both stable and unstable version zoneminder is vulnerable. - Installed the patched packages to verify the vulnerability. NOTE: I was not able to test setDeviceStatusX10 part, but the fix by James is done the same way: +--- a/web/includes/functions.php b/web/includes/functions.php +@@ -905,7 +905,7 @@ + + function packageControl( $command ) + { +-$string = ZM_PATH_BIN./zmpkg.pl $command; ++$string = ZM_PATH_BIN./zmpkg.pl .escapeshellarg( $command ); + $string .= 2/dev/null - - /dev/null; + exec( $string ); + } +@@ -2145,7 +2145,8 @@ + else + { + // Can't connect so use script +-$command = ZM_PATH_BIN./zmx10.pl --command $status --unit-code $key; ++$command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status ); ++$command .= ' --unit-code '.escapeshellarg( $key ); + //$command .= 2/dev/null - - /dev/null; + $x10Response = exec( $command ); + } Security Team, how to proceed? Can/will a DSA be released for it? Regards, Salvatore diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog --- zoneminder-1.24.2/debian/changelog 2011-01-16 04:40:08.0 +0100 +++ zoneminder-1.24.2/debian/changelog 2013-02-11 22:38:45.0 +0100 
@@ -1,3 +1,12 @@ +zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-0232 patch +[SECURITY] CVE-2013-0232: Shell escape commands with untrusted content. +Thanks to James McCoy james...@debian.org (Closes: #698910) + + -- Salvatore Bonaccorso car...@debian.org Mon, 11 Feb 2013 22:32:17 +0100 + zoneminder (1.24.2-8) unstable; urgency=medium [ Vagrant Cascadian ] diff -Nru zoneminder-1.24.2/debian/patches/CVE-2013-0232 zoneminder-1.24.2/debian/patches/CVE-2013-0232 --- zoneminder-1.24.2/debian/patches/CVE-2013-0232 1970-01-01 01:00:00.0 +0100 +++ zoneminder-1.24.2/debian/patches/CVE-2013-0232 2013-02-11 22:38:45.0 +0100 @@ -0,0 +1,24 @@ +From: James McCoy james...@debian.org +Bug-Debian: http://bugs.debian.org/698910 +Subject: shell escape commands with untrusted content +--- a/web/includes/functions.php b/web/includes/functions.php +@@ -905,7 +905,7 @@ + + function packageControl( $command ) + { +-$string = ZM_PATH_BIN./zmpkg.pl $command; ++$string = ZM_PATH_BIN./zmpkg.pl .escapeshellarg( $command ); + $string .= 2/dev/null - - /dev/null; + exec( $string ); + } +@@ -2145,7 +2145,8 @@ + else + { + // Can't connect so use script +-$command = ZM_PATH_BIN./zmx10.pl --command $status --unit-code $key; ++$command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status ); ++$command .= ' --unit-code '.escapeshellarg( $key ); + //$command .= 2/dev/null - - /dev/null; + $x10Response = exec( $command ); + } diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series --- zoneminder-1.24.2/debian/patches/series 2011-01-14 21:01:53.0 +0100 +++ zoneminder-1.24.2/debian/patches/series 2013-02-11 22:38:45.0 +0100 
@@ -7,3 +7,4 @@ suppported-typo use_libjs-mootools fix_v4l2_cameras_without_crop +CVE-2013-0232 diff -Nru zoneminder-1.25.0/debian/changelog zoneminder-1.25.0/debian/changelog --- zoneminder-1.25.0/debian/changelog 2012-08-28 21:10:05.0 +0200 +++ zoneminder-1.25.0/debian/changelog 2013-02-11 22:33:50.0 +0100 @@ -1,3 +1,12 @@ +zoneminder (1.25.0-3.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-0232 patch +[SECURITY] CVE-2013-0232: Shell escape commands with untrusted content. +Thanks to James McCoy james...@debian.org (Closes: #698910) + + -- Salvatore Bonaccorso car...@debian.org Sun, 10 Feb 2013 21:41:28 +0100 + zoneminder (1.25.0-3) unstable; urgency=low * debian/rules: Export CFLAGS, CPPFLAGS, CXXFLAGS and LDFLAGS, to ensure diff -Nru zoneminder-1.25.0/debian/patches/CVE-2013-0232 zoneminder-1.25.0/debian/patches/CVE-2013-0232 --- zoneminder-1.25.0/debian/patches/CVE-2013-0232 1970-01-01 01:00:00.0 +0100 +++ zoneminder-1.25.0/debian/patches/CVE-2013-0232 2013-02-11 22:33:50.0 +0100 @@ -0,0 +1,24 @@ +From: James McCoy james...@debian.org +Bug-Debian: http://bugs.debian.org/698910 +Subject: shell escape commands with untrusted content +--- a/web
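Review bot: in the packageControl() hunk, escapeshellarg( $command ) stops the shell from interpreting metacharacters in $command, which is what closes the injection, but the raw value still reaches zmpkg.pl as its first argument. If the web code only ever passes a small fixed set of actions here, comparing $command against that list before building the string is a cheap second line of defence and makes the fix independent of how zmpkg.pl parses its argument. The redirection suffix appended afterwards is unchanged and still correct, since it is appended after the escaped argument.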
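Review bot: in the setDeviceStatusX10 hunk both $status and $key are now passed through escapeshellarg(), and the literal fragments were switched from double to single quotes so that '/zmx10.pl --command ' and ' --unit-code ' are no longer interpolated; that is correct. The mail says this branch could not be exercised in the test VM, so the hunk is the one part of the patch verified only by reading; the minimal confirmation is a call to setDeviceStatusX10 with a $status or $key containing ";" and "$(" and a check that zmx10.pl receives them as one argument each.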
Bug#700234: CVE request: Transmission can be made to crash remotely
Control: retitle 700234 transmission-daemon: CVE-2012-6129: Transmission can be made to crash remotely Hi On Sun, Feb 10, 2013 at 01:22:28PM +0100, Yves-Alexis Perez wrote: On dim., 2013-02-10 at 11:50 +0100, Josselin Mouette wrote: Package: transmission-daemon Version: 2.52-3 Severity: grave Tags: security patch upstream Justification: user security hole The transmission-daemon package in wheezy crashes regularly. According to upstream this is a remote security hole (at least a remote DoS, but most probably there is a way to take control of the process). https://trac.transmissionbt.com/ticket/5044 https://trac.transmissionbt.com/ticket/5002 Apparently there is no CVE assigned. The bug is fixed upstream and I'm attaching the patch. I'm currently testing a patched package, and will report whether the fix is sufficient. Could a CVE be assigned for this? A CVE was assigned to this now: CVE-2012-6129. Regards, Salvatore
Bug#700548: padre: Failed to start: Can't locate object method select via package Padre::DB::SyntaxHighlight
Control: tags -1 + unreproducible moreinfo Hi On Thu, Feb 14, 2013 at 10:43:45AM +0200, debuser1978 wrote: Package: padre Version: 0.63.ds1-1 Severity: grave Justification: renders package unusable Installed padre 0.63.ds1-1 (stable) from Synaptic. When starting from command line: user:~$padre Can't locate object method select via package Padre::DB::SyntaxHighlight at /usr/share/perl5/Padre/MimeTypes.pm line 463. Compilation failed in require at /usr/share/perl5/Padre/Document.pm line 135. BEGIN failed--compilation aborted at /usr/share/perl5/Padre/Document.pm line 135. Compilation failed in require at /usr/share/perl5/Padre/Wx/Main.pm line 46. BEGIN failed--compilation aborted at /usr/share/perl5/Padre/Wx/Main.pm line 46. Compilation failed in require at /usr/share/perl5/Padre/Wx/App.pm line 60. When starting from menu, silently failed. Trying to reproduce your issue I installed padre in a minimal Squeeze environment. Installing padre there, it starts without problem. Padre::DB::SyntaxHighlight is provided by the padre package itself. Do you get some errors on reinstalling padre? Regards, Salvatore
Bug#698871: [Pkg-sssd-devel] Bug#698871: Bug#698871: CVE-2013-0219 CVE-2013-0220
Hi Timo On Thu, Feb 07, 2013 at 12:51:59AM +0200, Timo Aaltonen wrote: On 03.02.2013 23:59, Moritz Mühlenhoff wrote: On Sun, Jan 27, 2013 at 11:45:06AM +0200, Timo Aaltonen wrote: On 26.01.2013 23:06, Salvatore Bonaccorso wrote: Hi Timo On Thu, Jan 24, 2013 at 08:46:43PM +0200, Timo Aaltonen wrote: On 24.01.2013 20:30, Moritz Muehlenhoff wrote: Package: sssd Severity: grave Tags: security Hi, multiple security issues have been discovered in sssd. Please see the Red Hat bugzilla entries for details and patches: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0219 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0220 Yep, I'm aware of them and will prepare an upload later. The relevant commits seem to be: CVE-2013-0219: http://git.fedorahosted.org/cgit/sssd.git/commit/?id=020bf88fd1c5bdac8fc671b37c7118f5378c7047 and http://git.fedorahosted.org/cgit/sssd.git/commit/?id=94cbf1cfb0f88c967f1fb0a4cf23723148868e4a . See also https://fedorahosted.org/sssd/ticket/1782 . CVE-2013-0220: http://git.fedorahosted.org/cgit/sssd.git/commit/?id=2bd514cfde1938b1e245af11c9b548d58d49b325 . See https://fedorahosted.org/sssd/ticket/1781 . There's still no backported commits for 1.8.x which is in sid/wheezy (94cbf1cfb0f8 at least needs backporting), I'll ask upstream tomorrow. What's the status? Upstream released 1.8.6 with the patches, I have them staged in git and am discussing with the release team what other fixes can get in wheezy. Did you hear anything back from the release team? Regards, Salvatore
Bug#698910: zoneminder: arbitrary command execution vulnerability
Hi (Hmm, strange I have not received this followup) On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote: Which allowed a shell accessible via netcat on port 1337 with the version present in squeeze (1.24.2-8). With a package built with the patch applied, I was not able to reproduce this problem. I haven't noticed any side-effects, running on a couple zoneminder machines for almost 24 hours... I can confirm this, I did the same on my testing. (but as said I was not able to test the setDeviceStatusX10 part, but it is fixed with the same approach). Regards, Salvatore
Bug#700669: pyrad: CVE-2013-0294 and CVE-2013-0295
Package: pyrad Version: 2.0-1 Severity: grave Tags: security Control: found -1 1.2-1 Hi, the following vulnerabilities were published for pyrad. CVE-2013-0294[0]: potentially predictable password hashing CVE-2013-0295[1]: CreateID() creates serialized packet IDs for RADIUS Note: it's currently under discussion if there should only be assigned one CVE for this issue. A patch is available at [2] using random.SystemRandom() to use a cryptographically safe random generator instead of random. I have chosen severity grave because of this reasoning: CVE-2013-0294: [...] In the case of the authenticator data, it was being used to secure a password sent over the wire. Because Python's random module is not really suited for this purpose (not random enough), it could lead to password hashing that may be predictable. CVE-2013-0295: [...] This is not suitable for RADIUS as the RFC specifies that the ID must not be predictable. As a result, the ID of the next packet sent can be spoofed. (from Red Hat bugreports) If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-0294 [1] http://security-tracker.debian.org/tracker/CVE-2013-0295 [2] https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5 Regards, Salvatore
Bug#700608: pigz creates temp files with too wide permissions
Control: retitle -1 CVE-2013-0296: pigz creates temp files with too wide permissions Hi On Fri, Feb 15, 2013 at 12:30:09PM +0400, Michael Tokarev wrote: When asked to compress a file with restricted permissions (like mode 0600), the .gz file pigz creates while doing this has usual mode derived from umask (like 0644). If the file is large enough (and why we would use pigz instead of gzip for small files), this results in the original content being readable for everyone until the compression finishes. Here's the deal:
$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo
$ ls -l foo foo.gz
-rw------- 1 mjt mjt 1073741824 ?? 15 12:27 foo
-rw-rw-r-- 1 mjt mjt 502516 ?? 15 12:27 foo.gz
When it finishes, it correctly applies original file permissions to the newly created file, but it is already waaay too late. Other one-file archivers (gzip, xz, bzip2, ...) usually create the temp file with very strict permissions first, and change it to the right perms only when done, so only the current user can read it. It looks like this bug deserves a CVE#. A CVE was assigned to this now[1]: CVE-2013-0296. Could you please include the CVE in your changelog when fixing the issue? [1]: http://marc.info/?l=oss-security&m=136099644815551&w=2 Regards, Salvatore
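The window Michael describes, reproduced as an added example (this is not pigz or gzip code): one function creates the output the way pigz did, with the umask-derived default mode and the source's permissions copied across only at the end; the other creates it 0600 from the start, which is the gzip/xz approach he refers to. The "compression" is a plain copy so the script runs stand-alone; the permission behaviour is the point. Both functions return the mode the output file had while data was being written, so the difference can be asserted on.

```python
import os
import shutil
import stat
import tempfile


def write_like_pigz(src, dst):
    """Create dst with the default mode (0666 & ~umask), copy the data,
    and only then copy the source's permissions across.
    Returns the mode dst had while the data was being written."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        mode_during_write = stat.S_IMODE(os.fstat(fout.fileno()).st_mode)
        shutil.copyfileobj(fin, fout)
    shutil.copymode(src, dst)  # final mode is right, but the content was exposed meanwhile
    return mode_during_write


def write_restricted(src, dst):
    """Create dst 0600 from the start (the umask can only narrow that further;
    O_EXCL additionally refuses to follow a pre-planted symlink), copy the
    data, then apply the source's mode once the file is complete.
    Returns the mode dst had while the data was being written."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
        mode_during_write = stat.S_IMODE(os.fstat(fout.fileno()).st_mode)
        shutil.copyfileobj(fin, fout)
    shutil.copymode(src, dst)
    return mode_during_write


def final_mode(path):
    """Permission bits of path after the writer has finished."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    os.umask(0o022)
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "foo")   # constructed 0600 input, like Michael's foo
        with open(src, "wb") as f:
            f.write(b"secret\n" * 1024)
        os.chmod(src, 0o600)
        print("pigz-style: %o during write, %o afterwards"
              % (write_like_pigz(src, src + ".gz"), final_mode(src + ".gz")))
        print("restricted: %o during write, %o afterwards"
              % (write_restricted(src, src + ".xz"), final_mode(src + ".xz")))
```

With umask 022 the first variant reports 0644 during the write and 0600 afterwards, which is exactly the ls output above; the second reports 0600 throughout.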
Bug#700669: pyrad: use only CVE-2013-0294
Control: retitle -1 pyrad: CVE-2013-0294: potentially predictable password hashing Hi CVE-2013-0295 was rejected and only CVE-2013-0294 to be used for both issues. http://marc.info/?l=oss-security&m=136099660015589&w=2 Regards, Salvatore
Bug#700669: pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
Hi Jeremy Thanks for already fixing the issue for pyrad in unstable. As the debdiff between 1.2-1 and 2.0-2 looks quite big, it cannot be a candidate for an unblock per se to testing. Could you prepare also a package targeting wheezy (versioned as 1.2-1+deb7u1) only containing the changes to fix CVE-2013-0294? See [1]. [1]: http://release.debian.org/wheezy/freeze_policy.html I don't know if the Security Team wants a DSA for this, CC'ing them. Else for stable there might be also an update through proposed-updates. Thanks a lot for working on this, and Regards, Salvatore
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Hi all On Sun, Feb 17, 2013 at 12:19:00AM +, Jonathan Wiltshire wrote: On Sun, Feb 17, 2013 at 12:16:32AM +0100, Jeremy Lainé wrote: Dear release team, Yesterday the following security vulnerability in the pyrad package was brought to my attention by Salvatore Bonaccorso: https://security-tracker.debian.org/tracker/CVE-2013-0294 It is tracked in the following bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669 I have uploaded version 1.2-1+deb7u1 targeted at testing-proposed-updates (debdiff attached), as unstable carries a different upstream version. Could you please let this version into wheezy? It's traditional to seek approval *before* uploading; more so in this case since adding a patch system is a no-no. The change itself is fine, please upload with this only. You will have to bump the version number IIRC. I was involved reporting the problem: I noticed now a possible problem about the versioning: Current situation: pyrad | 1.2-1| squeeze| source pyrad | 1.2-1| wheezy | source pyrad | 1.2-1+deb7u1 | wheezy-p-u | source pyrad | 2.0-2| sid| source Assuming there will be also either a DSA or a pu for pyrad, how should that be versioned? Traditionally for Squeeze it was +squeeze1, but: 1.2-1 < 1.2-1+deb7u1 but 1.2-1+squeeze1 is not smaller than 1.2-1 or 1.2-1+deb7u1. Regards, Salvatore
Bug#700669: pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
Hi Jeremy On Sun, Feb 17, 2013 at 12:09:32AM +0100, Jeremy Lainé wrote: I have just uploaded the requested version to testing-proposed-updates and will get in touch with the release team to allow it into wheezy. Thank you, have seen the mail. For squeeze, the package will be exactly the same (squeeze / wheezy both have pyrad 1.2-1), but what should the version number be? This actually is a problem. Because the traditional approach for Squeeze was +squeeze1. But 1.2-1+squeeze1 is not smaller than 1.2-1+deb7u1. So in both cases either a DSA by the security team or a pu to stable, it will need some tweak to the version number. I asked for advice from the release team as reply to your previous mail. Regards, Salvatore
Bug#699615: CVE-2013-0250 - corosync: Remote DoS due improper HMAC initialization
Hi Luciano and Moritz On Sat, Feb 02, 2013 at 01:54:32PM +0100, Luciano Bello wrote: Package: corosync Severity: important Tags: security patch Justification: user security hole Hi there, Please, take a look to this thread: http://seclists.org/oss-sec/2013/q1/212 The patch is included there too. Disclaimer: I did not make a thorough analysis, but upstream mentions in [1], which could help here: [1]: http://www.openwall.com/lists/oss-security/2013/02/01/2 cut-cut-cut-cut-cut-cut- No, this version is not correct. corosync >= 2.0 to < 2.3 are affected. corosync 2.3 and higher have the fix. Also, the DoS reason is not correct. The junk filter part is a consequence on how libnss work and should be dropped. Subject should be: CVE Request -- Corosync (2.0 <= X < 2.3): Remote DoS due improper HMAC initialization cut-cut-cut-cut-cut-cut- But this might still need some checking and/or confirmation with upstream. Regards, Salvatore
Bug#700669: pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
Hi Jeremy On Sun, Feb 17, 2013 at 12:09:32AM +0100, Jeremy Lainé wrote: For squeeze, the package will be exactly the same (squeeze / wheezy both have pyrad 1.2-1), but what should the version number be? This issue was now classified as 'no-dsa'[1]. Could you prepare an upload targeting stable and to go through a stable-proposed-updates? According to previous comment a versioning like 1.2-1+deb6u1 would solve the sorting issue 1.2-1 < 1.2-1+deb6u1 < 1.2-1+deb7u2. [1]: https://security-tracker.debian.org/tracker/CVE-2013-0294 Many thanks for your work! Regards, Salvatore
Bug#696187: CVE-2012-5643: cachemgr.cgi denial of service
Hi Luigi squid3 in stable is still affected by #696187: cachemgr.cgi denial of service. Could you prepare an upload for CVE-2012-5643 and subsequent CVE-2013-0189 targeting stable-security for a DSA? Note that the initial patch was incomplete and the full fix is at [1]. [1]: http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch Regards, Salvatore
Bug#700912: zoneminder: local file inclusion vulnerability
Package: zoneminder Version: 1.24.2-8 Severity: grave Tags: security patch Justification: user security hole Control: fixed -1 1.25.0-1 Hi In zoneminder forum there is the following security patch announce: http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979 1.24.2-8 is affected by this file inclusion vulnerability. Attached are the patches from svn, r3483 and r3488. Note: upstream 1.25.0 has a slightly modified detaint function:
function detaintPath( $path )
{
    // Remove any absolute paths, or relative ones that want to go up
    $path = preg_replace( '/\.(?:\.+[\\/][\\/]*)+/', '', $path );
    $path = preg_replace( '/^[\\/]+/', '', $path );
    return( $path );
}
Regards Salvatore Index: web/includes/functions.php === --- web/includes/functions.php (revision 3482) +++ web/includes/functions.php (revision 3483) @@ -2350,13 +2350,21 @@ return( rand( 1, 99 ) ); } +function detaintPath( $path ) +{ +// Remove any absolute paths, or relative ones that want to go up +$path = preg_replace( '/\.\.\//', '', $path ); +$path = preg_replace( '/^\//', '', $path ); +return( $path ); +} + function getSkinFile( $file ) { global $skinBase; $skinFile = false; foreach ( $skinBase as $skin ) { -$tempSkinFile = 'skins'.'/'.$skin.'/'.$file; +$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file ); if ( file_exists( $tempSkinFile ) ) $skinFile = $tempSkinFile; } @@ -2369,7 +2377,7 @@ $skinFile = false; foreach ( $skinBase as $skin ) { -$tempSkinFile = 'skins'.'/'.$skin.'/'.$file; +$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file ); if ( file_exists( $tempSkinFile ) ) $skinFile = $tempSkinFile; } Index: web/index.php === --- web/index.php (revision 3482) +++ web/index.php (revision 3483) 
@@ -97,10 +97,13 @@ require_once( 'includes/functions.php' ); if ( isset($_REQUEST['view']) ) -$view = validHtmlStr($_REQUEST['view']); +$view = detaintPath($_REQUEST['view']); +if ( isset($_REQUEST['request']) ) +$request = detaintPath($_REQUEST['request']); + if ( isset($_REQUEST['action']) ) -$action = validHtmlStr($_REQUEST['action']); +$action = detaintPath($_REQUEST['action']); require_once( 'includes/actions.php' ); @@ -109,13 +112,10 @@ if ( isset( $_REQUEST['request'] ) ) { -$request = validHtmlStr($_REQUEST['request']); foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile ) { if ( !file_exists( $includeFile ) ) -{ Fatal( Request '$request' does not exist ); -} require_once $includeFile; } return; @@ -127,9 +127,7 @@ foreach ( $includeFiles as $includeFile ) { if ( !file_exists( $includeFile ) ) -{ Fatal( View '$view' does not exist ); -} require_once $includeFile; } } Index: web/includes/functions.php === --- web/includes/functions.php (revision 3487) +++ web/includes/functions.php (revision 3488) @@ -2353,8 +2353,8 @@ function detaintPath( $path ) { // Remove any absolute paths, or relative ones that want to go up -$path = preg_replace( '/\.\.\//', '', $path ); -$path = preg_replace( '/^\//', '', $path ); +$path = preg_replace( '/\.\.+\/\/*/', '', $path ); +$path = preg_replace( '/^\/\/*/', '', $path ); return( $path ); }
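Review bot: in the r3483 functions.php hunk, preg_replace( '/\.\.\//', '', $path ) is a single non-overlapping pass, so an input such as ....// collapses to ../ after the replacement and the traversal survives into file_exists()/require_once; r3488 widens the pattern to runs of dots, but stripping remains the weaker choice compared with rejecting any path containing .. (or comparing realpath() of the candidate against the skins directory) and calling Fatal(). The getSkinFile() change itself is fine as long as detaintPath() is applied before the file_exists() test, which it is.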
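Review bot: in the index.php @@ -97 hunk, $view and $action are now passed only through detaintPath() instead of validHtmlStr(); detaintPath() removes path separators and leading slashes but leaves HTML metacharacters alone, so wherever these values are echoed back into a page (the Fatal( View '$view' does not exist ) and Fatal( Request '$request' does not exist ) calls below interpolate them directly) the escaping this line used to provide is gone. Suggest detaintPath( validHtmlStr( $_REQUEST['view'] ) ) here, or escaping at the output sites.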
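Review bot: in the index.php @@ -109 and @@ -127 hunks the removed -{ and -} lines around Fatal() change brace style only, not behaviour; mixing that churn into a security backport makes the debdiff harder to review and to apply to 1.24.2-8. Drop those lines from the Debian patch and keep only the detaintPath() changes.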
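Review bot: the r3488 regex '/\.\.+\/\/*/' consumes whole runs of dots, so ....// no longer reassembles into ../, but it still only recognises forward slashes; the 1.25.0 version quoted in the report above also matches backslashes, and that is the one to carry in the Debian patch. Since the result ends up in file_exists()/require_once, a check that the resolved path stays under the skins directory would be the robust fix regardless of which regex is kept.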
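To make the file-inclusion issue in this report concrete, here is an added example (not ZoneMinder code) with Python equivalents of the two detaintPath() regexes from r3483 and r3488, showing why a single stripping pass is fragile, next to a containment check on the resolved path, which is the check I would want in place of (or in addition to) stripping. The skins directory path is an assumption used only for illustration.

```python
import os
import re

SKINS_DIR = "/usr/share/zoneminder/www/skins"   # assumed location, for illustration


def detaint_r3483(path):
    """Python equivalent of the first detaintPath(): one pass removing '../'."""
    path = re.sub(r"\.\./", "", path)
    path = re.sub(r"^/", "", path)
    return path


def detaint_r3488(path):
    """Python equivalent of the r3488 version: runs of dots followed by slashes."""
    path = re.sub(r"\.\.+//*", "", path)
    path = re.sub(r"^//*", "", path)
    return path


def skin_file(skin, user_file, detaint):
    """Mirror getSkinFile(): the user-controlled part is joined first,
    then the whole path is detainted, exactly as the patch does."""
    return detaint("skins/" + skin + "/" + user_file)


def resolves_inside(base, candidate):
    """True only if base/candidate, after resolving '..' and symlinks,
    is still under base. An absolute candidate ignores base in join()
    and therefore fails the check as well."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    return os.path.commonpath([base_real, target]) == base_real


if __name__ == "__main__":
    # constructed attacker input: four dots and two slashes per hop
    evil = "....//....//etc/passwd"
    print("r3483:", skin_file("classic", evil, detaint_r3483))   # traversal survives
    print("r3488:", skin_file("classic", evil, detaint_r3488))   # stripped
    print("contained:", resolves_inside(SKINS_DIR, "classic/" + evil))
```

With r3483 the string skins/classic/....//....//etc/passwd becomes skins/classic/../../etc/passwd, because removing each ../ leaves a dot pair next to the remaining slash; r3488 removes the whole run. resolves_inside() does not depend on the input's spelling at all, which is why it is the safer primary check.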
Bug#700948: keystone, nova, cinder: Assigned CVEs and three CVEs rejected
Hi Thomas This is to notify you about a problem in the CVEs used: There was a small unclear situation on assigning the CVEs for these issues apparently, see [1]. [1]: http://marc.info/?l=oss-security&m=136129931825949&w=2 In short: CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 were rejected and CVE-2013-1664 and CVE-2013-1665 to be used for the respective issues. cut-cut-cut-cut-cut-cut- - From Thierry Carrez: After discussion with the Python security team and Kurt, we'll use the following common CVEs: CVE-2013-1664 Unrestricted entity expansion induces DoS vulnerabilities in Python XML libraries (XML bomb) ^ affects Keystone, Cinder, Nova CVE-2013-1665 External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities ^ affects Keystone The vulnerabilities are actually in those Python libraries, they are just being worked around in OpenStack patches. The description will be updated to clarify this (see below). As you can see from the advisories: http://seclists.org/oss-sec/2013/q1/338 CVE: CVE-2013-1664, CVE-2013-1665 They were correctly referenced in the OpenStack advisories, however the CVE's did get used elsewhere: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html CVE-2013-0278 OpenStack Keystone CVE-2013-0279 Cinder CVE-2013-0280 Nova So please REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and use CVE-2013-1664, CVE-2013-1665 as appropriate instead to identify these issues. Sorry for the confusion. cut-cut-cut-cut-cut-cut- I know you have already updated the packages, if possible could you change the CVE identifiers in the changelog in your next upload? I will try to update the security-tracker with the above information. Regards, Salvatore
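The two CVE classes named above (entity expansion, CVE-2013-1664, and external entity resolution, CVE-2013-1665) are a property of the expat-based parsers in Python's standard library, not of the OpenStack code that calls them. The following added example (not OpenStack or defusedxml code) shows the amplification a small constructed "billion laughs" document achieves through xml.etree, and a hardened parse built directly on xml.parsers.expat that rejects any DOCTYPE or entity declaration before expansion can start, which is the shape of workaround a caller can apply while the libraries themselves stay as they are. The approach of refusing declarations outright is my choice for the example; how the OpenStack patches do it is not shown on this page.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed sample: three levels of tenfold expansion turn 3 bytes into
# 3000. Real attacks nest ten or more levels, which is what exhausts memory.
XML_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY lol0 "lol">
  <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<bomb>&lol3;</bomb>"""

# Constructed sample: an external entity a resolving parser would read from disk.
XML_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<doc>&xxe;</doc>"""


def expanded_text_length(xml_bytes):
    """Naive parse: expat expands the internal entities; the return value is
    the number of text characters produced, i.e. the amplification."""
    root = ET.fromstring(xml_bytes)
    return len(root.text or "")


class EntityDeclarationError(ValueError):
    """Raised when a document tries to declare a DOCTYPE or an entity."""


def parse_hardened(xml_bytes):
    """Parse with every DOCTYPE/entity declaration rejected up front.
    Returns the element names in document order."""
    parser = expat.ParserCreate()
    names = []

    def reject(*_args):
        raise EntityDeclarationError("DOCTYPE and entity declarations are not accepted")

    # any of these firing means the document carries a DTD; refuse it
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.UnparsedEntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = lambda name, _attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


def is_rejected(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_bytes)
    except EntityDeclarationError:
        return True
    return False


if __name__ == "__main__":
    print("bomb bytes:", len(XML_BOMB), "-> text chars:", expanded_text_length(XML_BOMB))
    print("bomb rejected:", is_rejected(XML_BOMB), " xxe rejected:", is_rejected(XML_XXE))
    print("plain document:", parse_hardened(b"<a><b/><c/></a>"))
```

Note that ET.fromstring() on the XXE sample is deliberately not exercised: whether the file is read depends on the parser's external-entity handling, and the hardened path never gets that far because the DOCTYPE itself is refused.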
Bug#701052: isync: CVE-2013-0289: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization
Package: isync Version: 1.0.4-2.1 Severity: grave Tags: security patch Hi, the following vulnerability was published for isync. CVE-2013-0289[0]: missing SSL subject verification A patch is available in upstream's git repository[1]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-0289 [1] http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb Regards, Salvatore
Bug#700761: jenkins: multiple security vulnerabilities
Hi The following CVE's were assigned now to it[1]. Could you please include the CVE identifiers when fixing the package. [1]: http://marc.info/?l=oss-security&m=136142857313675&w=2 CVE-2013-0327 CVE-2013-0328 CVE-2013-0329 CVE-2013-0330 CVE-2013-0331 Regards, Salvatore
Bug#700912: zoneminder: local file inclusion vulnerability
Control: retitle -1 zoneminder: CVE-2013-0332: local file inclusion vulnerability Hi A CVE was assigned now to this issue: CVE-2013-0332. Regards, Salvatore
Bug#701115: owncloud: multiple XSS vulnerabilities (oC-SA-2013-003)
Package: owncloud Severity: grave Tags: security Hi Another owncloud advisory announcing multiple XSS vulnerabilities in owncloud was released. See [1] for more details. [1]: http://owncloud.org/about/security/advisories/oC-SA-2013-003/ Assigned CVE's are: CVE-2013-0297, CVE-2013-0307 (4.0 & 4.5) CVE-2013-0298 (4.5) Please include the relevant CVEs in the changelog when updating the package. The update for testing needs to go through t-p-u, as version from unstable cannot migrate. Can you prepare fixed packages? Regards, Salvatore
Bug#701115: owncloud: multiple vulnerabilities
Control: retitle -1 owncloud: multiple vulnerabilities (oC-SA-2013-003, oC-SA-2013-004, oC-SA-2013-006) Hi I have missed some more advisories: oC-SA-2013-003: http://owncloud.org/about/security/advisories/oC-SA-2013-003/ - CVE-2013-0297, CVE-2013-0307 (affecting 4.0.x series) oC-SA-2013-004: http://owncloud.org/about/security/advisories/oC-SA-2013-004/ - CVE-2013-0299, CVE-2013-0301 (affecting 4.0.x series) oC-SA-2013-006: http://owncloud.org/about/security/advisories/oC-SA-2013-006/ - CVE-2013-0303 I have missed to report them all together in one batch in my first mail. Thanks to Lukas Reschke. Regards, Salvatore
Bug#699615: Re: Bug#699615: CVE-2013-0250 - corosync: Remote DoS due improper HMAC initialization
Control: found -1 1.99.9-1 Hi all I had a look at the version in experimental: On Mon, Feb 18, 2013 at 09:23:20PM +0100, Martin Gerhard Loschwitz wrote: I don't think we have Corosync 2.0 anywhere (we have 1.99 in experimental, I don't know if that specific version is affected or not just yet). So can we please tag this bug accordingly? The version in experimental has on lines 407 and 408:
407 hash_param.data = 0;
408 hash_param.len = 0;
which is in init_nss_hash. So this looks like corosync in experimental is affected. Regards, Salvatore
Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Package: nagios-nrpe Severity: grave Tags: security Hi On bugtraq mailinglist it was reported publicly[1]. If support for command arguments in the daemon is enabled then it would be possible to pass $() and possibly execute shell commands when run under bash. Upstream has released 2.14 containing a patch and disabling bash command substitutions by default: 2.14 - 12/21/2012 - - Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley) - Patched to shutdown SSL connection completely (Jari Takkala) - Added SRC support on AIX (Thierry Bertaud) - Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley) - Updated logging to support compiling on AIX (Eric Stanley) According to [1], there is CVE-2013-1362 assigned to it. In the Debian package we have explicitly --enable-command-args so the Debian package looks affected. [1]: http://seclists.org/bugtraq/2013/Feb/119 Regards, Salvatore
Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote: In the debian package we have explicitly --enable-command-args so the Debian packages looks affected. But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be added to the above. Regards, Salvatore
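The mechanism behind CVE-2013-1362 as described in the two messages above, as an added example (not NRPE code): NRPE substitutes client-supplied $ARGn$ values into the configured command line after screening them against a list of shell metacharacters, and then runs the result through /bin/sh. The 2.13-era list did not contain $, ( or ), so $(...) passed the screen and the shell expanded it; $(...) is POSIX command substitution, so dash expands it just as bash does. The metacharacter string below is reproduced from memory of NASTY_METACHARS in nrpe.h and is an assumption; the shape of the filter is what matters. The last function shows the structural alternative: execute an argument vector with no shell in between, where the same string stays literal even when the filter misses it.

```python
import shlex
import subprocess

# Assumed 2.13 filter list (from memory, not copied from the Debian source).
NASTY_METACHARS_2_13 = "|`&><'\"\\[]{};"
# 2.14 additionally blocks the characters of $(...) unless the daemon was
# built with --enable-bash-command-substitution.
NASTY_METACHARS_2_14 = NASTY_METACHARS_2_13 + "$()"

# Typical nrpe.cfg command with argument placeholders (illustrative).
COMMAND_TEMPLATE = "/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$"


def contains_nasty_metachars(arg, nasty):
    """The screen NRPE applies to each client-supplied argument."""
    return any(c in nasty for c in arg)


def build_command_line(template, args, nasty):
    """Substitute $ARGn$ into the configured command the way the daemon does.
    Returns None when an argument trips the metacharacter filter."""
    if any(contains_nasty_metachars(a, nasty) for a in args):
        return None
    cmd = template
    for n, a in enumerate(args, 1):
        cmd = cmd.replace(f"$ARG{n}$", a)
    return cmd


def argv_without_shell(cmd):
    """The hardening alternative: split once, then exec the argv directly
    (subprocess.run(argv, shell=False)); nothing interprets $(...)."""
    return shlex.split(cmd)


if __name__ == "__main__":
    # constructed request: a benign first argument and a substitution in the second
    args = ["5", "$(echo injected)"]
    for label, nasty in (("2.13", NASTY_METACHARS_2_13), ("2.14", NASTY_METACHARS_2_14)):
        print(label, "filter ->", build_command_line(COMMAND_TEMPLATE, args, nasty))
    # demonstrate the difference with printf instead of a Nagios plugin
    cmd = build_command_line("printf '%s ' $ARG1$ $ARG2$", args, NASTY_METACHARS_2_13)
    via_shell = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout
    as_argv = subprocess.run(argv_without_shell(cmd), capture_output=True, text=True).stdout
    print("through /bin/sh:", via_shell)   # the substitution ran
    print("as argv        :", as_argv)     # the string stayed literal
```

The configure flag mentioned in the report (--enable-command-args) only compiles in argument support; as the follow-up says, dont_blame_nrpe still has to be switched on in nrpe.cfg before a client can supply arguments at all, so the exposure on Debian depends on that local setting.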
Bug#547092: [Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem
Hi Alex, Hi Thijs I was looking through the bugs for nagios-nrpe, and noticed #547092 where there was an upload to address it, but the bug was not closed. I wondered if this was intentional, as the original issue is only addressed by making clear in the documentation where the issues are. Regards, Salvatore
Bug#547092: [Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem
Hi Alex On Sat, Feb 23, 2013 at 01:17:03PM +0100, Alexander Wirt wrote: On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote: Hi Alex, Hi Thijs I was looking through the bugs for nagios-nrpe, and noticed #547092 where there was an upload to address it, but the bug was not closed. I wondered if this was intentional, as the original issue is only addressed by making clear in the documentation where the issues are. imho the ssl is still broken, so I think the upload does not close the problem, per se. There is no real solution to this problem without rewriting the whole ssl support - which makes our nrpe incompatible to the rest of the world. Thanks. Maybe we can ask for a 'wheezy-ignore' by the release team for this bug, with given explanation? In any case it would be good to get the documentation update into wheezy (but this could go into testing in one 'batch' with #701227). Thanks a lot for your work on nagios related packages. Regards, Salvatore
Bug#696187: CVE-2012-5643: cachemgr.cgi denial of service
Ciao Luigi On Sat, Feb 23, 2013 at 04:41:51PM +0100, Luigi Gangitano wrote: Ciao Salvatore, Thanks a lot for your NMU. I really appreciate your help. Thank you for your feedback! I now also would have the package ready targeting stable-security. Regards, Salvatore
Bug#701052: isync: diff for NMU version 1.0.4-2.2
tags 701052 + pending thanks Hi Nicolas, hi Theodore I've prepared an NMU for isync (versioned as 1.0.4-2.2) and uploaded it to DELAYED/7. Please feel free to tell me if I should delay it longer. Note I have chosen a slightly higher delay as proposed in dev-ref, to 7 days as I have not notified in the BTS that I would be interested in NMU. But the above holds: please let me know if you want to do the upload yourself and I should cancel the upload. Regards, Salvatore diff -u isync-1.0.4/debian/changelog isync-1.0.4/debian/changelog --- isync-1.0.4/debian/changelog +++ isync-1.0.4/debian/changelog @@ -1,3 +1,12 @@ +isync (1.0.4-2.2) unstable; urgency=low + + * Non-maintainer upload. + * Apply upstream patch for CVE-2013-0289. +Fix incorrect server's SSL x509.v3 certificate validation when +performing IMAP synchronization. (Closes: #701052) + + -- Salvatore Bonaccorso car...@debian.org Sun, 24 Feb 2013 09:27:55 +0100 + isync (1.0.4-2.1) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- isync-1.0.4.orig/src/drv_imap.c +++ isync-1.0.4/src/drv_imap.c @@ -48,6 +48,7 @@ # include openssl/ssl.h # include openssl/err.h # include openssl/hmac.h +# include openssl/x509v3.h #endif typedef struct imap_server_conf { 
@@ -187,9 +188,65 @@ #if HAVE_LIBSSL +static int +host_matches( const char *host, const char *pattern ) +{ + if (pattern[0] == '*' pattern[1] == '.') { + pattern += 2; + if (!(host = strchr( host, '.' ))) + return 0; + host++; + } + + return *host *pattern !strcasecmp( host, pattern ); +} + +static int +verify_hostname( X509 *cert, const char *hostname ) +{ + int i, len, found; + X509_NAME *subj; + STACK_OF(GENERAL_NAME) *subj_alt_names; + char cname[1000]; + + /* try the DNS subjectAltNames */ + found = 0; + if ((subj_alt_names = X509_get_ext_d2i( cert, NID_subject_alt_name, NULL, NULL ))) { + int num_subj_alt_names = sk_GENERAL_NAME_num( subj_alt_names ); + for (i = 0; i num_subj_alt_names; i++) { + GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value( subj_alt_names, i ); + if (subj_alt_name-type == GEN_DNS + strlen( (const char *)subj_alt_name-d.ia5-data ) == (size_t)subj_alt_name-d.ia5-length + host_matches( hostname, (const char *)(subj_alt_name-d.ia5-data) )) + { +found = 1; +break; + } + } + sk_GENERAL_NAME_pop_free( subj_alt_names, GENERAL_NAME_free ); + } + if (found) + return 0; + + /* try the common name */ + if (!(subj = X509_get_subject_name( cert ))) { + fprintf( stderr, Error, cannot get certificate subject\n ); + return -1; + } + if ((len = X509_NAME_get_text_by_NID( subj, NID_commonName, cname, sizeof(cname) )) 0) { + fprintf( stderr, Error, cannot get certificate common name\n ); + return -1; + } + if (strlen( cname ) == (size_t)len host_matches( hostname, cname )) + return 0; + + fprintf( stderr, Error, certificate owner does not match hostname %s\n, hostname ); + return -1; +} + /* this gets called when a certificate is to be verified */ static int -verify_cert( SSL *ssl ) +verify_cert( SSL *ssl, const char *hostname ) { X509 *cert; int err; 
@@ -204,12 +261,16 @@ } err = SSL_get_verify_result( ssl ); - if (err == X509_V_OK) - return 0; - - fprintf( stderr, Error, can't verify certificate: %s (%d)\n, - X509_verify_cert_error_string(err), err ); + if (err != X509_V_OK) { + fprintf( stderr, Error, can't verify certificate: %s (%d)\n, + X509_verify_cert_error_string(err), err ); + goto intcheck; + } + if (hostname verify_hostname( cert, hostname ) 0) + goto intcheck; + return 0; + intcheck: X509_NAME_oneline( X509_get_subject_name( cert ), buf, sizeof(buf) ); info( \nSubject: %s\n, buf ); X509_NAME_oneline( X509_get_issuer_name( cert ), buf, sizeof(buf) ); @@ -1100,7 +1161,7 @@ } /* verify the server certificate */ - if (verify_cert( imap-buf.sock.ssl )) + if (verify_cert( imap-buf.sock.ssl, ((imap_store_conf_t *)ctx-gen.conf)-server-host )) return 1; imap-buf.sock.use_ssl = 1;
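Review bot: in the verify_hostname() hunk, the common-name fallback runs even when the certificate carried dNSName subjectAltNames that simply did not match; once any GEN_DNS entry is present the CN must not be consulted (RFC 6125 section 6.4.4), so record in the loop whether a GEN_DNS entry was seen and return -1 after sk_GENERAL_NAME_pop_free() instead of falling through to X509_NAME_get_text_by_NID(). The comparison of strlen() against the IA5 length is the right guard against embedded NUL bytes and should stay, as should the matching strlen( cname ) == len check on the CN path. host_matches() also accepts a wildcard for any depth of pattern, so *.com would match example.com; restricting wildcards to patterns with at least two further labels would close that.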
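Review bot: in the verify_cert() hunk and its call site, the configured server host is passed through unchanged, but verify_hostname() only examines GEN_DNS entries and the CN, so a Host given as an IP literal can never match an iPAddress subjectAltName and every such connection now takes the intcheck path (subject and issuer printed, then whatever check follows below the visible context) exactly as an untrusted chain would. Either skip verify_hostname() when the host parses as an address, compare against GEN_IPADD entries in that case, or state in the changelog entry that IP hosts are always treated as mismatches; as written the changelog only says "Apply upstream patch for CVE-2013-0289" and would benefit from naming the upstream commit (914ede18, referenced in #701052) so the origin of the hunk can be checked.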
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Hi On Sun, Feb 24, 2013 at 06:09:45PM +, Jonathan Wiltshire wrote: On Sat, Feb 23, 2013 at 01:33:58PM +, Adam D. Barratt wrote: On Sun, 2013-02-17 at 13:59 +, Jonathan Wiltshire wrote: On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote: Assuming there will be also either a DSA or a pu for pyrad, how should that be versioned? Traditionally for Squeeze it was +squeeze1, but: [...] Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and wheezy. Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for it though... This is the first I know of it. Might be that my reply in #700669 (message #83[1]), made the confusion. I mentioned there that #700669 was marked as no-dsa and needs to go through a p-u. @Jeremy: to clarify: I'm not part of the Release Team, so the p-u should have an official request to the release team (preferably as bugreport via release.debian.org pseudo-package) [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669#83 @Adam and Jonathan: will make it clearer in future replies that this needs an approval first from Release Team when I say was classified no-dsa, could you please prepare targeting stable and to go through a stable-proposed-updates (in case this was part of the problem). Regards, Salvatore
Bug#698910: zoneminder: arbitrary command execution vulnerability
Hi Vagrant and Peter On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote: Anything more needed for the security team? Which queue should it be uploaded to? Apologies for the delay. Could you also address #700912 (CVE-2013-0332) for the stable-security update. I think we can proceed afterwards. Thank you for preparing updated packages! Regards, Salvatore
Bug#698871: [Pkg-sssd-devel] Bug#698871: Bug#698871: CVE-2013-0219 CVE-2013-0220
Hi Timo Any update on this? I see the patches at [1]. At this stage of the release I'm unsure the other changes are acceptable. Do you have time to prepare an upload only addressing #698871? If you get an ACK from release-team I would happily sponsor the upload if needed. [1]: http://anonscm.debian.org/gitweb/?p=pkg-sssd/sssd.git;a=commitdiff;h=5632b7d752b89a47a52f831e3ba97f70a9d6469d Regards, Salvatore
Bug#701649: Affected versions
Control: found -1 0.8.3-5+squeeze2 Control: found -1 0.9.12-6 Control: found -1 0.9.12-7 Hi Guido On Tue, Feb 26, 2013 at 11:44:28AM +0100, Guido Günther wrote: This also affects stable, bpo and wheezy. The attached fix that I applied to the version in experimental applies to 0.9.12 as well. Only marking the versions accordingly in this bug. Regards, Salvatore
Bug#706482: gcc-msp430: generated interrupt table for MSP430FR5xxx parts will blow security fuse
Control: tags -1 + patch Only for direct reference: A patch looks available through following commit: http://mspgcc.git.sourceforge.net/git/gitweb.cgi?p=mspgcc/gcc;a=commitdiff;h=0594213396817815f584efe3257987e704b4f187 http://thread.gmane.org/gmane.comp.hardware.texas-instruments.msp430.gcc.user/10623/focus=10627 Regards, Salvatore
Bug#706525: chicken: CVE-2013-2024: OS command injection vulnerability
Package: chicken Version: 4.5.0-1 Severity: grave Tags: security patch Hi, @Release Team: This probably should not delay the release for wheezy, as chicken has other security relevant bugreport open (#702410) with wheezy-ignore tag. The same can be done here, IMO. the following vulnerability was published for chicken. CVE-2013-2024[0]: OS command injection vulnerability in Chicken Scheme If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information and patch see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2024 http://security-tracker.debian.org/tracker/CVE-2013-2024 [1] http://lists.nongnu.org/archive/html/chicken-hackers/2013-02/msg00135.html [2] http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg0.html [3] http://lists.nongnu.org/archive/html/chicken-hackers/2013-04/msg00060.html Regards, Salvatore
Bug#690319: Fix regression for kfreebsd-{i386,amd64} builds (#690319/CVE-2013-0288)
Hi Steven, hi Arthur On Thu, May 02, 2013 at 11:55:22PM +0200, Arthur de Jong wrote: On Wed, 2013-05-01 at 23:05 +0100, Steven Chamberlain wrote: I noticed (by chance) there is a problem with the squeeze-security patch for #690319; it introduces a regression on kfreebsd and has not built. I'm not sure where to find build logs of this, or if they are public, but I think it is due to using a non-standard EBADFD errno (file descriptor in bad state). I don't think the security build logs are public (even after the advisory is released) and I hadn't noticed the build failure before. Perhaps EBADF (is not a valid file descriptor / bad file number) would be suitable instead and is more portable; please consider attached bug690319-amend-1.diff This looks like the right approach. The exact value of errno doesn't make that much of a difference in this case. I've applied this change upstream and am willing to prepare a 0.7.15+squeeze4 package. I think it's up to the security team to decide whether this should go to stable or stable-security. One thing to consider is that I'd also like to fix RC bug #700971 (the bug report contains the patch that would be applied). People run into this bug when installing a security update for nss-pam-ldapd. Thanks for notifying. Yes, indeed nss-pam-ldapd did not build for kfreebsd-amd64 and kfreebsd-i386. As the FTBFS is a regression for the kfreebsd builds when applying the initial fix for CVE-2013-0288 I think we should release an updated version targeting squeeze-security to include the fix for it and send an updated DSA. But I'm cc'ing also Moritz explicitly, who released this DSA, to get an opinion from him. Regards, Salvatore
Bug#702410: chicken: CVE-2012-6122 CVE-2012-6123 CVE-2012-6124 CVE-2012-6125
Hi Additional update for CVE-2012-6122: http://lists.nongnu.org/archive/html/chicken-announce/2013-05/msg0.html Regards, Salvatore
Bug#707406: perlipq: FTBFS: libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory
Control: tags -1 + confirmed Hi Lucas Thanks for your rebuilds :). Can confirm this. On Thu, May 09, 2013 at 10:12:27AM +0200, Lucas Nussbaum wrote: Source: perlipq Version: 1.25-3 Severity: serious Tags: jessie sid User: debian...@lists.debian.org Usertags: qa-ftbfs-20130509 qa-ftbfs Justification: FTBFS on amd64 Hi, During a rebuild of all packages in sid, your package failed to build on amd64. Relevant part: cc -c -I/usr/include/libipq -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fstack-protector -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g -DVERSION=\"1.25\" -DXS_VERSION=\"1.25\" -fPIC -I/usr/lib/perl/5.14/CORE IPQueue.c In file included from IPQueue.xs:11:0: /usr/include/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory compilation terminated. make[1]: *** [IPQueue.o] Error 1 Problem is, linux/netfilter_ipv4/ip_queue.h was removed from linux with [1] and with the recent upload of 3.8.11 to unstable perlipq now FTBFS. [1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d16cf20e2f2f13411eece7f7fb72c17d141c4a84 Upstream for IPTables::IPv4::IPQueue has not released new versions since 2002, wonder if this module still can be used or if we should go towards a removal? Regards, Salvatore
Bug#708647: libvirt: CVE-2013-1962: DoS (max count of open files exhaustion) due sockets leak in the storage pool
Package: libvirt Version: 1.0.5-2 Severity: grave Tags: security upstream patch Hi, the following vulnerability was published for libvirt. CVE-2013-1962[0]: DoS (max count of open files exhaustion) due sockets leak in the storage pool Upstream patch can be found at [1]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1962 http://security-tracker.debian.org/tracker/CVE-2013-1962 [1] http://libvirt.org/git/?p=libvirt.git;a=commit;h=ca697e90d5bd6a6dfb94bfb6d4438bdf9a44b739 Only experimental version should be affected. Note, the severity grave might be a bit overrated in this case, so if you do not agree please downgrade to important. Regards, Salvatore
Bug#665555: gxine: Including individual glib headers no longer supported
Hi Gregor, hi Michael On Sat, May 18, 2013 at 07:14:56PM +0200, gregor herrmann wrote: On Sun, 16 Dec 2012 05:53:22 +0100, Michael Biebl wrote: Attached is a build-tested patch. Please review and apply. After applying the patch, the build fails for me (tested in an amd64 and in 386 sid cowbuilder chroot) with: Making all in src make[3]: Entering directory `/tmp/buildd/gxine-0.5.907/src' CC console_output.o console_output.c: In function 'console_log_captured': console_output.c:152:3: warning: function declared 'noreturn' has a 'return' statement [enabled by default] CC desktop_integration.o In file included from globals.h:38:0, from desktop_integration.c:27: script_engine.h:39:1: error: unknown type name 'jsdouble' script_engine.h:251:30: error: unknown type name 'JSInt32' script_engine.h:254:37: error: unknown type name 'JSInt32' script_engine.h:276:3: error: unknown type name 'uintN' script_engine.h:282:37: error: unknown type name 'uintN' script_engine.h:282:50: error: unknown type name 'uintN' desktop_integration.c:187:13: warning: 'di_gnome_vfs_flush' defined but not used [-Wunused-function] make[3]: *** [desktop_integration.o] Error 1 make[3]: Leaving directory `/tmp/buildd/gxine-0.5.907/src' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/tmp/buildd/gxine-0.5.907' make[1]: *** [all] Error 2 make[1]: Leaving directory `/tmp/buildd/gxine-0.5.907' make: *** [build-stamp] Error 2 Can confirm, and it builds under jessie with libmozjs 10.0.12esr-1+nmu1. It seems related to these typedef changes: [1] https://developer.mozilla.org/en-US/docs/SpiderMonkey/17#typedef_Changes Regards, Salvatore
Bug#705909: libmath-prime-util-perl: FTBFS (failing tests) on some architectures
Hi On Thu, May 23, 2013 at 10:57:35PM -0700, Dana Jacobsen wrote: I just found this report of build failures on the Debian mailing list -- I had not seen these before. I managed to reproduce it on a Power7 machine, and found the fix. I see that the issue came up when I switched the ranged moebius return value from an IV* (long *) to char*. On every other machine, char is being treated as signed. On these platforms it is unsigned (which they technically may do). I switched to explicit signed char and that seems to have fixed it. I'll get a release out next week. Thank you! Regards, Salvatore
Bug#705909: libmath-prime-util-perl: FTBFS (failing tests) on some architectures
Hi Dana On Thu, May 23, 2013 at 10:57:35PM -0700, Dana Jacobsen wrote: I just found this report of build failures on the Debian mailing list -- I had not seen these before. I managed to reproduce it on a Power7 machine, and found the fix. I see that the issue came up when I switched the ranged moebius return value from an IV* (long *) to char*. On every other machine, char is being treated as signed. On these platforms it is unsigned (which they technically may do). I switched to explicit signed char and that seems to have fixed it. I'll get a release out next week. I know you just said above there will be a release fixing this in the coming week. To keep the diff a bit smaller at least I have uploaded the 0.28 package to unstable (including the patch), so can be used as additional step to verify it builds now again[1]. [1] https://buildd.debian.org/status/package.php?p=libmath-prime-util-perl Regards, Salvatore
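The signedness trap Dana describes above, as an added example in C (this is not code from Math::Prime::Util or from the Debian package; the sieve and all function names are this example's own). A ranged Moebius routine that hands back -1/0/1 through plain `char` is correct where the ABI makes `char` signed (x86) and silently wrong where it is unsigned (the PowerPC, ARM and s390 Linux ABIs are assumed here as the unsigned cases): a stored -1 reads back as 255, so every sum and comparison in the test-suite goes off. Declaring the buffer `signed char` removes the ABI dependency.

```c
/* Added example; not code from Math::Prime::Util.  Reproduces the
 * plain-char vs signed-char failure described in the bug report. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Fill out[0..hi-lo] with mu(lo), ..., mu(hi) for 1 <= lo <= hi.
 * The element type is `signed char` on purpose: C lets each ABI choose
 * the signedness of plain `char`, and the values here include -1. */
static void moebius_range(unsigned long lo, unsigned long hi, signed char *out)
{
    unsigned long n = hi - lo + 1, r = 2;
    while (r * r <= hi)
        r++;                                  /* r is the first integer > sqrt(hi) */
    unsigned char *composite = calloc(r, 1);  /* sieve of the small primes p < r */
    unsigned long *rem = malloc(n * sizeof *rem);
    for (unsigned long i = 0; i < n; i++) {
        out[i] = 1;
        rem[i] = lo + i;                      /* cofactor not yet divided out */
    }
    for (unsigned long p = 2; p < r; p++) {
        if (composite[p])
            continue;
        for (unsigned long q = p * p; q < r; q += p)
            composite[q] = 1;
        for (unsigned long m = (lo + p - 1) / p * p; m <= hi; m += p) {
            unsigned long i = m - lo;
            if (rem[i] % (p * p) == 0)
                out[i] = 0;                   /* square factor: mu(m) = 0 */
            rem[i] /= p;
            out[i] = -out[i];                 /* one more distinct prime factor */
        }
    }
    for (unsigned long i = 0; i < n; i++)
        if (rem[i] > 1)                       /* a single leftover prime > sqrt(hi) */
            out[i] = -out[i];
    free(rem);
    free(composite);
}

/* mu(n) for a single n, via a one-element range. */
static int moebius_of(unsigned long n)
{
    signed char v;
    moebius_range(n, n, &v);
    return v;
}

/* Mertens function M(hi) = sum of mu(1..hi), read back as written. */
static long mertens(unsigned long hi)
{
    signed char *buf = malloc(hi);
    moebius_range(1, hi, buf);
    long s = 0;
    for (unsigned long i = 0; i < hi; i++)
        s += buf[i];
    free(buf);
    return s;
}

/* The same sum read through plain `char`, which is what a `char *`
 * return type hands to every caller.  Equal to mertens() on a
 * signed-char ABI; on an unsigned-char ABI every -1 becomes 255. */
static long mertens_via_plain_char(unsigned long hi)
{
    signed char *buf = malloc(hi);
    moebius_range(1, hi, buf);
    const char *view = (const char *)buf;
    long s = 0;
    for (unsigned long i = 0; i < hi; i++)
        s += view[i];
    free(buf);
    return s;
}

/* True where plain char is signed (CHAR_MIN is -128 there, 0 otherwise). */
static int plain_char_is_signed(void)
{
    return CHAR_MIN < 0;
}

int main(void)
{
    signed char mu[12];
    moebius_range(1, 12, mu);
    printf("plain char is %s on this build\n",
           plain_char_is_signed() ? "signed" : "unsigned");
    for (int n = 1; n <= 12; n++)
        printf("mu(%2d) = %2d   read through plain char: %3d\n",
               n, mu[n - 1], ((const char *)mu)[n - 1]);
    printf("M(12) = %ld, via plain char: %ld\n",
           mertens(12), mertens_via_plain_char(12));
    return 0;
}
```

On x86 both sums print -2; on an unsigned-char ABI the second one prints 1278, because five of the twelve values are -1 and each is read as 255. Compiling with `-funsigned-char` on x86 reproduces the PowerPC result without the hardware.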
Bug#697617: jenkins: remote code execution vulnerability
Hi On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote: Package: jenkins Version: 1.447.2+dfsg-2 Severity: grave Tags: security Dear Maintainer, The upstream vendor announced a security advisory, that is rated critical severity. See: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04 Are there any news on this issue? Regards, Salvatore
Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790
Package: poppler Severity: grave Tags: security Hi, the following vulnerabilities were published for poppler. CVE-2013-1788[0]: invalid memory issues CVE-2013-1789[1]: crash in broken documents CVE-2013-1790[2]: uninitialized memory read Patches are referenced in the Red Hat Bugzilla to the relevant commits. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. Could you check which Debian package versions are affected? (not for all issues, all patches might be relevant). At least for the uninitialized memory read issue the code seems present in stable. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-1788 [1] http://security-tracker.debian.org/tracker/CVE-2013-1789 [2] http://security-tracker.debian.org/tracker/CVE-2013-1790 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790
Ciao Pino Thanks for already working on it! On Sat, Mar 02, 2013 at 06:58:31PM +0100, Pino Toscano wrote: Would it be possible to have all the test cases referenced by the CVEs? (You can email them to me directly, of course.) Some of the commits mentioned in the Red Hat bugs refer to code paths not in any of the versions in Debian stable/testing/unstable/experimental, so I need to check all the issues one by one. Yes, as shortly discussed on IRC: I'm trying to get them and will forward them to you as soon as I have them. Ciao, Salvatore
Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Control: retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802) Hi A separate CVE was assigned to this vulnerability: CVE-2013-1802 Regards, Salvatore
Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Control: tags -1 + patch Hi Alex On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote: On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote: On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote: In the debian package we have explicitly --enable-command-args so the Debian packages looks affected. But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be added to the above. Yeah we disable that feature by default and add some big warnings to the documentation. Nobody ever thought that command-args via nrpe are secure. How about disallowing $() completely if command arguments in case are enabled? I tried to extract the relevant part, see attached debdiff. But it's not yet tested. Regards, Salvatore diff -u nagios-nrpe-2.13/debian/changelog nagios-nrpe-2.13/debian/changelog --- nagios-nrpe-2.13/debian/changelog +++ nagios-nrpe-2.13/debian/changelog @@ -1,3 +1,15 @@ +nagios-nrpe (2.13-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Add 08_CVE-2013-1362.dpatch patch. +If command arguments are enabled in the NRPE configuration, it was +possible to pass $() as arguments as the checking for nasty caracters +was not strict enough to catch $(). This allowed executing shell +commands under a subprocess and pass the output as a parameter to the +called script (if run under bash). CVE-2013-1362 (Closes: #701227) + + -- Salvatore Bonaccorso car...@debian.org Sun, 03 Mar 2013 23:39:37 +0100 + nagios-nrpe (2.13-2) unstable; urgency=high [ Thijs Kinkhorst ] diff -u nagios-nrpe-2.13/debian/patches/00list nagios-nrpe-2.13/debian/patches/00list --- nagios-nrpe-2.13/debian/patches/00list +++ nagios-nrpe-2.13/debian/patches/00list @@ -7,0 +8 @@ +08_CVE-2013-1362.dpatch only in patch2: unchanged: --- nagios-nrpe-2.13.orig/debian/patches/08_CVE-2013-1362.dpatch +++ nagios-nrpe-2.13/debian/patches/08_CVE-2013-1362.dpatch
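Review bot: the changelog hunk spells "caracters" in "nasty caracters"; fix to "characters" before upload (the DP: description of the dpatch carries the same misspelling). Otherwise the entry is complete: it states the precondition (command arguments enabled in the configuration), names the CVE and closes the bug.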
@@ -0,0 +1,26 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_CVE-2013-1362.dpatch by Salvatore Bonaccorso car...@debian.org +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: nagios-nrpe prior to 2.14 allows the passing of $() as command +## DP: arguments to execute shell commands if command arguments are +## DP: explicitly enabled. Filtering out nasty caracters is not +## DP: strict enough to disallow $(), allowing executing shell commands +## DP: under a subprocess and pass the output as a parameter to the +## DP: called script (if run under bash). + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios-nrpe~/src/nrpe.c nagios-nrpe/src/nrpe.c +--- nagios-nrpe~/src/nrpe.c2013-03-03 23:13:22.0 +0100 nagios-nrpe/src/nrpe.c 2013-03-03 23:15:51.621025795 +0100 +@@ -1749,6 +1749,10 @@ + syslog(LOG_ERR,Error: Request contained an empty command argument); + return ERROR; + } ++ if(strstr(macro_argv[x],$()) { ++ syslog(LOG_ERR,Error: Request contained a bash command substitution!); ++ return ERROR; ++ } + } + } + #endif
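Review bot: the nrpe.c hunk rejects only arguments containing the substring "$(", so it stops $(...) and, as a side effect, $((...)), but nothing else bash expands in an unquoted argument such as $VAR, unless '$' is already in the nasty-character list, which this hunk does not show. Consider rejecting a bare '$' (or switching to an allowlist of the characters plugin arguments actually need) instead of one substring, and adjusting the syslog text, since "bash command substitution" does not describe arithmetic expansion. The placement is right: the check sits next to the existing empty-argument test inside the same #ifdef block, so it is compiled in exactly when command arguments are.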
Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Hey Alex On Mon, Mar 04, 2013 at 09:06:52AM +0100, Alexander Wirt wrote: [...] In fact it looks like the patch on my disk :). I am sorry for not handling this earlier, but our new bathroom took my whole spare time in the last weeks. It should be better this week. Okay and thank you! Salvatore
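The class of bug discussed in this thread, as an added example in C (this is not nagios-nrpe's code). Each command argument is screened against a blacklist of shell metacharacters; "$(" is not on the list, so a bash command substitution passes the screen and is expanded if the check command is run through bash. The blacklist below is an assumption modelled on NRPE's NASTY_METACHARS, not copied from the package, and the function names and sample arguments are this example's own. Three screens are shown side by side: the blacklist alone (the pre-2.14 behaviour), the blacklist plus the "$(" test the patch adds, and an allowlist, which also stops the parameter expansion the patch does not cover.

```c
/* Added example; not nagios-nrpe's own code.  Demonstrates why a
 * metacharacter blacklist missed "$(" (CVE-2013-1362 class of bug). */
#include <stdio.h>
#include <string.h>

/* Assumed blacklist.  Note what is absent: '$' and '('. */
#define NASTY_METACHARS "|`&><'\"\\[]{};"

/* An allowlist a tighter daemon could use instead: only the characters
 * plugin arguments such as "-w 20% -c 10%" or "/dev/sda1" need. */
#define ALLOWED_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" \
                      "0123456789 -_.,:/%=+"

/* Blacklist-only screen: rejects empty arguments and any nasty char. */
static int arg_ok_blacklist(const char *arg)
{
    if (arg[0] == '\0')
        return 0;
    return strpbrk(arg, NASTY_METACHARS) == NULL;
}

/* Blacklist plus the "$(" substring test the patch adds. */
static int arg_ok_patched(const char *arg)
{
    if (!arg_ok_blacklist(arg))
        return 0;
    return strstr(arg, "$(") == NULL;       /* catches $(...) and $((...)) */
}

/* Allowlist: reject anything not explicitly permitted.  Also stops
 * "$HOME", which both screens above let through. */
static int arg_ok_allowlist(const char *arg)
{
    if (arg[0] == '\0')
        return 0;
    return strspn(arg, ALLOWED_CHARS) == strlen(arg);
}

/* Constructed sample arguments, as a client could send them. */
static const char *const samples[] = {
    "-w 20% -c 10%",   /* legitimate */
    "$(id)",           /* command substitution: the CVE */
    "$((1+1))",        /* arithmetic expansion, also caught by "$(" */
    "`id`",            /* backtick substitution: already blacklisted */
    "$HOME",           /* parameter expansion: not caught by the patch */
    "",                /* empty argument */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Screen the samples the way the daemon loops over argv; returns the index
 * of the first rejected argument, or -1 if all pass. */
static int first_bad_sample(int (*screen)(const char *))
{
    for (size_t i = 0; i < NSAMPLES; i++)
        if (!screen(samples[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-14s blacklist=%d patched=%d allowlist=%d\n", samples[i],
               arg_ok_blacklist(samples[i]), arg_ok_patched(samples[i]),
               arg_ok_allowlist(samples[i]));
    return 0;
}
```

The table the program prints makes the gap visible: "$(id)" and "$((1+1))" pass the blacklist, the patched screen rejects them, and only the allowlist rejects "$HOME" as well. The substring test closes the reported hole; the allowlist closes the class.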
Bug#659899: CVE-2011-0790: XSS
Hi all On Mon, Feb 27, 2012 at 08:27:05PM +0100, Florian Weimer wrote: * Antoine Beaupré: I don't actually know - I followed your lead and used that patch in the bugzilla Redhat bugtrackers: https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw *grml* Fedora has already released the potentially incorrect patch. I've asked on the oss-security mailing list. Sorry for the delay. I have contacted Tobi Oetiker regarding the issues mentioned and he promptly replied to me. He uploaded a new upstream version (2.6.9) which changes the regexes to: qr/[%';]/ So this can be integrated in the fix addressing stable-security. p.s.: could also be updated for testing/unstable to have the fix in upcoming stable release. p.s.2: Thank you Tobi! Regards, Salvatore
Bug#702296: perl: CVE-2013-1667: rehashing flaw
Source: perl Version: 5.10.1-17squeeze4 Severity: grave Tags: security patch Control: found -1 5.16.2-1 Hi Niko and Dominic A hash-related flaw was announced today and CVE-2013-1667 assigned to it. For further reference see [1,2]. [1]: http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html [2]: https://security-tracker.debian.org/tracker/CVE-2013-1667 Could you please include the CVE identifier when fixing the issue? I assume this should get a DSA. Regards, Salvatore
Bug#700158: XSS flaws in ganglia
Hi Raphael, Ganglia maintainers On Thu, Feb 21, 2013 at 02:50:13PM +0100, Raphael Geissert wrote: The other operations related to views (in views_view.php) are all still vulnerable to XSS via the view_name GET parameter. Also reported this now to upstream issue tracker, sorry for the delay. https://github.com/ganglia/ganglia-web/issues/160 Please include also the CVE for this issue in the changelog when fixing the issue, it's assigned CVE-2013-1770. Regards, Salvatore
Bug#700158: XSS flaws in ganglia
On Tue, Mar 05, 2013 at 03:26:46PM +0100, Salvatore Bonaccorso wrote: Hi Raphael, Ganglia maintainers On Thu, Feb 21, 2013 at 02:50:13PM +0100, Raphael Geissert wrote: The other operations related to views (in views_view.php) are all still vulnerable to XSS via the view_name GET parameter. Also reported this now to upstream issue tracker, sorry for the delay. https://github.com/ganglia/ganglia-web/issues/160 Please include also the CVE for this issue in the changelog when fixing the issue, it's assigned CVE-2013-1770. Upstream committed a fix for this issue: https://github.com/ganglia/ganglia-web/commit/552965f33bf79d41ccbec3f1f26840c8bab54ad6 Regards, Salvatore
Bug#702486: libnet-twitter-perl: version 4.x required for new Twitter API
Further information at [1]. [1]: https://dev.twitter.com/blog/planning-for-api-v1-retirement Salvatore
Bug#695807: CVE-2012-5617: gksu-polkit privileged code execution with unprivileged credentials
Control: tags -1 + patch Hi I propose something like the attached debdiff, restricting to auth_admin only in the conffile. Regards, Salvatore diff -u gksu-polkit-0.0.3/debian/changelog gksu-polkit-0.0.3/debian/changelog --- gksu-polkit-0.0.3/debian/changelog +++ gksu-polkit-0.0.3/debian/changelog @@ -1,3 +1,12 @@ +gksu-polkit (0.0.3-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Request priviledged credentials in default policy. +Change default policy to allow privileged code execution only with +priviledged credentials. CVE-2012-5617. (Closes: #695807) + + -- Salvatore Bonaccorso car...@debian.org Thu, 07 Mar 2013 17:06:28 +0100 + gksu-polkit (0.0.3-1) unstable; urgency=low * Fix glib includes (Closes: #665534) only in patch2: unchanged: --- gksu-polkit-0.0.3.orig/data/org.gnome.gksu.policy +++ gksu-polkit-0.0.3/data/org.gnome.gksu.policy @@ -10,9 +10,9 @@ descriptionspawn/description messageSystem policy prevents executing a program with administration privileges/message defaults - allow_anyauth_self/allow_any - allow_inactiveauth_self/allow_inactive - allow_activeauth_self/allow_active + allow_anyauth_admin/allow_any + allow_inactiveauth_admin/allow_inactive + allow_activeauth_admin/allow_active /defaults /action signature.asc Description: Digital signature
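Review bot: the policy hunk changes the right thing, the three <defaults> entries of the spawn action, from auth_self to auth_admin, but it changes defaults only: a local polkit authorization that explicitly grants this action still permits the spawn without an administrator's credentials, so the changelog should say that the fix is the shipped default policy, not a change in the daemon. Also, the changelog spells "priviledged" twice ("Request priviledged credentials", "priviledged credentials"); fix to "privileged".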
Bug#702486: libnet-twitter-perl: version 4.x required for new Twitter API
Control: clone 702486 -1 Control: reassign -1 libnet-twitter-lite-perl Control: retitle -1 libnet-twitter-perl: needs update for new Twitter API On Thu, Mar 07, 2013 at 07:28:50AM +0100, Ansgar Burchardt wrote: Package: libnet-twitter-perl Severity: grave Let's turn this into a proper bug report: Patrick Brewer pwbre...@me.com writes: For those using Net:Twitter the latest version of the lib is needed ASAP. Twitter is turning off their old API sometime this month (official date was yesterday). A version of the module in 4.x is required for the new API. The very latest I can find for debian is 3.18003 here: http://packages.debian.org/sid/libnet-twitter-perl Cloning this for libnet-twitter-lite-perl as support for Twitter API 1.1 was also only introduced in Net::Twitter::Lite in 0.12000 2013-03-04 - URI encode POSTDATA to match Twitter's more stringent (non-standard) requirements - created Net::Twitter::Lite::WithAPIv1_1 for Twitter API v1.1 support Salvatore
Bug#702525: ruby1.9.1: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Source: ruby1.9.1 Severity: grave Tags: security upstream patch Hi, the following vulnerability was published for ruby1.9.1. CVE-2013-1821[0]: entity expansion DoS vulnerability in REXML More details are explained in the upstream announcement[1]. Patches are committed to svn with revision r39384[2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821 http://security-tracker.debian.org/tracker/CVE-2013-1821 [1] http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/ [2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384 Please adjust the affected versions in the BTS as needed. Thanks for your work on the ruby1.9.1 source package! Regards, Salvatore
Bug#702526: ruby1.8: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Source: ruby1.8 Severity: grave Tags: security upstream patch Hi, the following vulnerability was published for ruby. CVE-2013-1821[0]: entity expansion DoS vulnerability in REXML More details are explained in the upstream announcement[1]. Patches (for ruby1.9.1) are committed to svn with revision r39384[2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821 http://security-tracker.debian.org/tracker/CVE-2013-1821 [1] http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/ [2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384 Could you doublecheck that ruby1.8 is also affected by this issue and adjust versions in the BTS as needed? Regards, Salvatore
Bug#702525: ruby1.9.1: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Control: tags -1 + patch Hi I propose the attached patch applied from upstream's svn. I can do an NMU in case needed, but want first to have a second check on the resulting package. Regards, Salvatore diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog --- ruby1.9.1-1.9.3.194/debian/changelog2013-02-23 15:29:56.0 +0100 +++ ruby1.9.1-1.9.3.194/debian/changelog2013-03-08 21:49:19.0 +0100 @@ -1,3 +1,14 @@ +ruby1.9.1 (1.9.3.194-8.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-1821.patch patch. +CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When +reading text nodes from an XML document, the REXML parser could be +coerced into allocating extremely large string objects which could +consume all available memory on the system. (Closes: #702525) + + -- Salvatore Bonaccorso car...@debian.org Fri, 08 Mar 2013 21:48:20 +0100 + ruby1.9.1 (1.9.3.194-8) unstable; urgency=low * ruby1.9.1: add Breaks: apt-listbugs ( 0.1.6) to avoid breaking the diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch --- ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch 1970-01-01 01:00:00.0 +0100 +++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch 2013-03-08 21:49:19.0 +0100
@@ -0,0 +1,110 @@ +Description: Fix entity expansion DoS vulnerability in REXML + CVE-2013-1821 +Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revisionrevision=39384view=patch +Bug-Debian: http://bugs.debian.org/702525 +Forwarded: not-needed +Author: Salvatore Bonaccorso car...@debian.org +Last-Update: 2013-03-08 +Applied-Upstream: yes + +--- a/lib/rexml/document.rb b/lib/rexml/document.rb +@@ -217,6 +217,18 @@ + return @@entity_expansion_limit + end + ++@@entity_expansion_text_limit = 10_240 ++ ++# Set the entity expansion limit. By default the limit is set to 10240. ++def Document::entity_expansion_text_limit=( val ) ++ @@entity_expansion_text_limit = val ++end ++ ++# Get the entity expansion limit. By default the limit is set to 1. ++def Document::entity_expansion_text_limit ++ return @@entity_expansion_text_limit ++end ++ + attr_reader :entity_expansion_count + + def record_entity_expansion +--- a/lib/rexml/text.rb b/lib/rexml/text.rb +@@ -380,25 +380,35 @@ + + # Unescapes all possible entities + def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil ) ++ sum = 0 + string.gsub( /\r\n?/, \n ).gsub( REFERENCE ) { +-ref = $ +-if ref[1] == ?# +- if ref[2] == ?x +-[ref[3...-1].to_i(16)].pack('U*') +- else +-[ref[2...-1].to_i].pack('U*') +- end +-elsif ref == 'amp;' +- '' +-elsif filter and filter.include?( ref[1...-1] ) +- ref +-elsif doctype +- doctype.entity( ref[1...-1] ) or ref ++s = Text.expand($, doctype, filter) ++if sum + s.bytesize Document.entity_expansion_text_limit ++ raise entity expansion has grown too large + else +- entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ] +- entity_value ? 
entity_value.value : ref ++ sum += s.bytesize + end ++s + } + end ++ ++def Text.expand(ref, doctype, filter) ++ if ref[1] == ?# ++if ref[2] == ?x ++ [ref[3...-1].to_i(16)].pack('U*') ++else ++ [ref[2...-1].to_i].pack('U*') ++end ++ elsif ref == 'amp;' ++'' ++ elsif filter and filter.include?( ref[1...-1] ) ++ref ++ elsif doctype ++doctype.entity( ref[1...-1] ) or ref ++ else ++entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ] ++entity_value ? entity_value.value : ref ++ end ++end + end + end +--- a/test/rexml/test_entity.rb b/test/rexml/test_entity.rb +@@ -104,6 +104,24 @@ + assert_equal source, out + end + ++ def test_entity_string_limit ++template = '!DOCTYPE bomb [ !ENTITY a ^ ] bomb$/bomb' ++len = 5120 # 5k per entity ++template.sub!(/\^/, B * len) ++ ++# 10k is OK ++entities = 'a;' * 2 # 5k entity * 2 = 10k ++xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++assert_equal(len * 2, xmldoc.root.text.bytesize) ++ ++# above 10k explodes ++entities = 'a;' * 3 # 5k entity * 2 = 15k ++xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++assert_raises(RuntimeError) do ++ xmldoc.root.text ++end ++ end ++ + def test_raw + source = '!DOCTYPE foo [ + !ENTITY ent replace diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series --- ruby1.9.1-1.9.3.194/debian/patches/series 2013-02-13 16:20:21.0 +0100 +++ ruby1.9.1-1.9.3.194/debian/patches/series
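Review bot: in the lib/rexml/document.rb hunk the two new comments contradict the code: the setter comment says the default is 10240, the getter comment says 1, and both call it the "entity expansion limit" although the accessor added is entity_expansion_text_limit. Make both read "Set/Get the entity expansion text limit. By default the limit is set to 10240." so they match `@@entity_expansion_text_limit = 10_240`.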
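Review bot: in the lib/rexml/text.rb hunk, `sum = 0` is set on entry to Text::unnormalize, so the limit is enforced per text node, not per document: a document with many text nodes each just under 10240 bytes still expands in full. That matches what is visible of upstream's change, but it is worth stating in the changelog so the fix is not read as a document-wide cap. Two smaller points: the condition appears here as "if sum + s.bytesize Document.entity_expansion_text_limit" with no operator between the operands, so confirm the applied file reads `>`; and the failure is a bare `raise "entity expansion has grown too large"`, i.e. a RuntimeError that callers cannot rescue selectively, where a REXML exception class would be easier to handle.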
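Review bot: in the test/rexml/test_entity.rb hunk the comment on the second case says "5k entity * 2 = 15k" while the code is `'a;' * 3`; change the comment to "* 3 = 15k". The `assert_raises(RuntimeError)` is coupled to the bare raise in text.rb; if that is changed to a REXML exception class, update this assertion with it.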
Bug#702525: ruby1.9.1: diff for NMU version 1.9.3.194-8.1
tags 702525 + pending thanks Dear maintainer, I've prepared an NMU for ruby1.9.1 (versioned as 1.9.3.194-8.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog --- ruby1.9.1-1.9.3.194/debian/changelog 2013-02-23 15:29:56.0 +0100 +++ ruby1.9.1-1.9.3.194/debian/changelog 2013-03-08 21:49:19.0 +0100 @@ -1,3 +1,14 @@ +ruby1.9.1 (1.9.3.194-8.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-1821.patch patch. +CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When +reading text nodes from an XML document, the REXML parser could be +coerced into allocating extremely large string objects which could +consume all available memory on the system. (Closes: #702525) + + -- Salvatore Bonaccorso car...@debian.org Fri, 08 Mar 2013 21:48:20 +0100 + ruby1.9.1 (1.9.3.194-8) unstable; urgency=low * ruby1.9.1: add Breaks: apt-listbugs ( 0.1.6) to avoid breaking the diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch --- ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch 1970-01-01 01:00:00.0 +0100 +++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-1821.patch 2013-03-08 21:49:19.0 +0100 
@@ -0,0 +1,110 @@ +Description: Fix entity expansion DoS vulnerability in REXML + CVE-2013-1821 +Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revisionrevision=39384view=patch +Bug-Debian: http://bugs.debian.org/702525 +Forwarded: not-needed +Author: Salvatore Bonaccorso car...@debian.org +Last-Update: 2013-03-08 +Applied-Upstream: yes + +--- a/lib/rexml/document.rb b/lib/rexml/document.rb +@@ -217,6 +217,18 @@ + return @@entity_expansion_limit + end + ++@@entity_expansion_text_limit = 10_240 ++ ++# Set the entity expansion limit. By default the limit is set to 10240. ++def Document::entity_expansion_text_limit=( val ) ++ @@entity_expansion_text_limit = val ++end ++ ++# Get the entity expansion limit. By default the limit is set to 1. ++def Document::entity_expansion_text_limit ++ return @@entity_expansion_text_limit ++end ++ + attr_reader :entity_expansion_count + + def record_entity_expansion +--- a/lib/rexml/text.rb b/lib/rexml/text.rb +@@ -380,25 +380,35 @@ + + # Unescapes all possible entities + def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil ) ++ sum = 0 + string.gsub( /\r\n?/, \n ).gsub( REFERENCE ) { +-ref = $ +-if ref[1] == ?# +- if ref[2] == ?x +-[ref[3...-1].to_i(16)].pack('U*') +- else +-[ref[2...-1].to_i].pack('U*') +- end +-elsif ref == 'amp;' +- '' +-elsif filter and filter.include?( ref[1...-1] ) +- ref +-elsif doctype +- doctype.entity( ref[1...-1] ) or ref ++s = Text.expand($, doctype, filter) ++if sum + s.bytesize Document.entity_expansion_text_limit ++ raise entity expansion has grown too large + else +- entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ] +- entity_value ? 
entity_value.value : ref ++ sum += s.bytesize + end ++s + } + end ++ ++def Text.expand(ref, doctype, filter) ++ if ref[1] == ?# ++if ref[2] == ?x ++ [ref[3...-1].to_i(16)].pack('U*') ++else ++ [ref[2...-1].to_i].pack('U*') ++end ++ elsif ref == 'amp;' ++'' ++ elsif filter and filter.include?( ref[1...-1] ) ++ref ++ elsif doctype ++doctype.entity( ref[1...-1] ) or ref ++ else ++entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ] ++entity_value ? entity_value.value : ref ++ end ++end + end + end +--- a/test/rexml/test_entity.rb b/test/rexml/test_entity.rb +@@ -104,6 +104,24 @@ + assert_equal source, out + end + ++ def test_entity_string_limit ++template = '!DOCTYPE bomb [ !ENTITY a ^ ] bomb$/bomb' ++len = 5120 # 5k per entity ++template.sub!(/\^/, B * len) ++ ++# 10k is OK ++entities = 'a;' * 2 # 5k entity * 2 = 10k ++xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++assert_equal(len * 2, xmldoc.root.text.bytesize) ++ ++# above 10k explodes ++entities = 'a;' * 3 # 5k entity * 2 = 15k ++xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++assert_raises(RuntimeError) do ++ xmldoc.root.text ++end ++ end ++ + def test_raw + source = '!DOCTYPE foo [ + !ENTITY ent replace diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series --- ruby1.9.1-1.9.3.194/debian/patches/series 2013-02-13 16:20:21.0 +0100 +++ ruby1.9.1-1.9.3.194/debian/patches/series 2013-03-08 21:49
Bug#702526: ruby1.8: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Control: tags -1 + patch Hi Attached is a proposed debdiff, based also on the changes done for ruby1.9.1. But there is one thing which might be sorted out first: The binary debdiff shows: cut-cut-cut-cut-cut-cut- ri1.8: [The following lists of changes regard files as different if they have different names, permissions or owners.] Files in second .deb but not in first - -rw-r--r-- root/root /usr/share/ri/1.8/system/IRB/Context/_set_last_value-i.yaml -rw-r--r-- root/root /usr/share/ri/1.8/system/IRB/WorkSpace/__evaluate__-i.yaml -rw-r--r-- root/root /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit%3d-c.yaml -rw-r--r-- root/root /usr/share/ri/1.8/system/REXML/Document/entity_expansion_text_limit-c.yaml -rw-r--r-- root/root /usr/share/ri/1.8/system/REXML/Text/expand-c.yaml Files in first .deb but not in second - -rw-r--r-- root/root /usr/share/ri/1.8/system/RSS/Rss/Channel/Item/_setup_maker_element-i.yaml cut-cut-cut-cut-cut-cut- Regards, Salvatore diff -Nru ruby1.8-1.8.7.358/debian/changelog ruby1.8-1.8.7.358/debian/changelog --- ruby1.8-1.8.7.358/debian/changelog 2012-11-01 01:20:28.0 +0100 +++ ruby1.8-1.8.7.358/debian/changelog 2013-03-09 13:39:28.0 +0100 
@@ -1,3 +1,14 @@ +ruby1.8 (1.8.7.358-6.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-1821.patch patch. +CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When +reading text nodes from an XML document, the REXML parser could be +coerced into allocating extremely large string objects which could +consume all available memory on the system. (Closes: #702526) + + -- Salvatore Bonaccorso car...@debian.org Sat, 09 Mar 2013 08:05:35 +0100 + ruby1.8 (1.8.7.358-6) unstable; urgency=high * Timeout the execution of the tests after 2 hours. This should fix the diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch --- ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch1970-01-01 01:00:00.0 +0100 +++ ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch2013-03-09 13:39:28.0 +0100 
@@ -0,0 +1,120 @@ +Description: Fix entity expansion DoS vulnerability in REXML + CVE-2013-1821 +Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revisionrevision=39384view=patch +Bug-Debian: http://bugs.debian.org/702526 +Forwarded: not-needed +Author: Salvatore Bonaccorso car...@debian.org +Last-Update: 2013-03-09 + +--- a/lib/rexml/document.rb b/lib/rexml/document.rb +@@ -214,6 +214,18 @@ + return @@entity_expansion_limit + end + ++@@entity_expansion_text_limit = 10_240 ++ ++# Set the entity expansion limit. By default the limit is set to 10240. ++def Document::entity_expansion_text_limit=( val ) ++ @@entity_expansion_text_limit = val ++end ++ ++# Get the entity expansion limit. By default the limit is set to 1. ++def Document::entity_expansion_text_limit ++ return @@entity_expansion_text_limit ++end ++ + attr_reader :entity_expansion_count + + def record_entity_expansion +--- a/test/rexml/test_document.rb b/test/rexml/test_document.rb +@@ -63,4 +63,23 @@ + ensure + REXML::Document.entity_expansion_limit = 1 + end ++ ++ def test_entity_string_limit ++template = '!DOCTYPE bomb [ !ENTITY a ^ ] bomb$/bomb' ++len = 5120 # 5k per entity ++template.sub!(/\^/, B * len) ++ ++# 10k is OK ++entities = 'a;' * 2 # 5k entity * 2 = 10k ++xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++assert_equal(len * 2, xmldoc.root.text.bytesize) ++ ++# above 10k explodes ++entities = 'a;' * 3 # 5k entity * 2 = 15k ++xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++assert_raises(RuntimeError) do ++ xmldoc.root.text ++end ++ end ++ + end +--- a/lib/rexml/text.rb b/lib/rexml/text.rb +@@ -308,37 +308,35 @@ + + # Unescapes all possible entities + def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil ) +- rv = string.clone +- rv.gsub!( /\r\n?/, \n ) +- matches = rv.scan( REFERENCE ) +- return rv if matches.size == 0 +- rv.gsub!( NUMERICENTITY ) {|m| +-m=$1 +-m = 0#{m} if m[0] == ?x +-[Integer(m)].pack('U*') ++ sum = 0 ++ string.gsub( 
/\r\n?/, \n ).gsub( REFERENCE ) { ++s = Text.expand($, doctype, filter) ++if sum + s.bytesize Document.entity_expansion_text_limit ++ raise entity expansion has grown too large ++else ++ sum += s.bytesize ++end ++s + } +- matches.collect!{|x|x[0]}.compact! +- if matches.size 0 +-if doctype +- matches.each do |entity_reference
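Review bot: the two comments added in the lib/rexml/document.rb hunk describe the wrong setting. Both say "Set/Get the entity expansion limit", which is the existing `entity_expansion_limit` accessor just above them, and the getter's comment says "By default the limit is set to 1." while the new class variable is initialised as `@@entity_expansion_text_limit = 10_240`. Suggest "Set the entity expansion text limit (in bytes). By default the limit is set to 10240." and the matching "Get ..." wording so the documentation agrees with the code.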
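Review bot: in the test/rexml/test_document.rb hunk the comment on the second case, `entities = 'a;' * 3 # 5k entity * 2 = 15k`, contradicts the code it annotates (three references); change it to `# 5k entity * 3 = 15k`. It would also be worth pinning the boundary: the first case shows that 2 × 5120 = 10240 bytes is accepted, but nothing checks the first rejected size, so the test cannot tell whether `Text::unnormalize` compares with `>` or `>=`.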
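Review bot: in the lib/rexml/text.rb hunk the comparison between `sum + s.bytesize` and `Document.entity_expansion_text_limit` has lost its operator as rendered on this page, so the boundary cannot be verified from the excerpt; the accompanying `test_entity_string_limit` requires that exactly 10240 bytes still pass, so the applied patch must read `>` rather than `>=`. The remainder of this hunk, including the `Text.expand` helper that the new block calls for every reference, is cut off here and was not reviewed.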
Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
Hi Tzafrir!

Is there any news on this? I have noticed that in the svn repository for asterisk there is already:

asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high

  * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
    - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
      allocations when using TCP. The following two fixes were also pulled
      in order to easily apply it:
      - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
      - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
    - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
      Exploitation of Device State Caching

 -- Tzafrir Cohen tzaf...@debian.org  Tue, 08 Jan 2013 00:06:09 +0200

Could you have a look whether only the upload is missing?

Regards,
Salvatore
Bug#702735: firebird2.1: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability
Source: firebird2.1
Severity: grave
Tags: security

Hi

the following vulnerability was published for firebird2.1.

CVE-2013-2492[0]: Request Processing Buffer Overflow Vulnerability

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see also [1] and [2].

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
    http://security-tracker.debian.org/tracker/CVE-2013-2492
[1] http://tracker.firebirdsql.org/browse/CORE-4058
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492

Thank you for looking into this.

Regards,
Salvatore
Bug#702736: firebird2.5: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability
Source: firebird2.5
Severity: grave
Tags: security

Hi

the following vulnerability was published for firebird2.5.

CVE-2013-2492[0]: Request Processing Buffer Overflow Vulnerability

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see also [1] and [2].

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
    http://security-tracker.debian.org/tracker/CVE-2013-2492
[1] http://tracker.firebirdsql.org/browse/CORE-4058
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492

Thank you for looking into this.

Regards,
Salvatore
Bug#702574: TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core
Control: retitle -1 TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core (CVE-2013-1842, CVE-2013-1843)

Hi

Only for reference, CVEs were assigned to it now:

CVE-2013-1842 for Typo3 Extbase Framework SQL Injection
CVE-2013-1843 for Typo3 Access tracking mechanism Open Redirection

Regards,
Salvatore
Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Hi all

On Thu, Mar 14, 2013 at 08:54:06AM -, Steve Hay wrote:
> Niko Tyni wrote on 2013-03-13:
> > On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
> > > Dominic Hargreaves wrote on 2013-03-12:
> > > > When trying to fix this issue in Debian stable, I found that the patch at http://svn.apache.org/viewvc?view=revision&revision=1455340 does not stop the test failing when applied to 2.0.4 (as currently found in Debian stable) and built against the current perl package in Debian stable (5.10 + the rehashing fix).
> > > I haven't looked at the Debian package, or tried anything with mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the Perl git repo (in fact, I took the snapshot at http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz) and tried that with Apache 2.2.22 and mod_perl from trunk and the tests all pass for me... (This is on Windows 7 x64 with VC++ 2010.)
> > Thanks for checking. FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be a Debian change that breaks it. Maybe -Dusethreads or something like that. I'll keep looking and send an update when I know more.
> The perl I built and tested with was made with ithreads enabled.
>
> There is an alternative patch to fix this test, submitted to mod_perl's rt.cpan.org queue after I'd applied the patch from the perl5-security queue on rt.perl.org: https://rt.cpan.org/Ticket/Display.html?id=83916
>
> I haven't tried it myself yet, but is that any better for you?

I tried to rebuild the Squeeze package with the mentioned first patch; the package builds now. Disclaimer: I only did the build but haven't looked at what's actually changing importantly.

Thank you Steve.

Regards,
Salvatore

libapache2-mod-perl2_2.0.4-7+squeeze1_amd64.build.gz
Description: Binary data
Bug#703000: apache-preforks, , modperl, segfaults
Hi Dmitry

On Thu, Mar 14, 2013 at 04:01:25PM +0400, Dmitry E. Oboukhov wrote:
> > > > Can you please downgrade back and verify that the crashes go away with 2.0.7-1?
> > > No, 2.0.7-1 is already removed from repo :(
> > You can find old package versions at http://snapshot.debian.org/binary/libapache2-mod-perl2/
> Thanks for url :)
>
> I downgraded mod-perl, 2.0.7-1 crashes, too (the same backtrace)
> Then I downgraded apache to 2.2.22-12 and 2.2.22-12 + modperl 2.0.7-1 don't crash.
> Also apache 2.2.22-12 and modperl 2.0.7-2 don't crash, too.
> But backtrace points to mod-perl, so I doubt to reassign the bugreport.
>
> Also yesterday I upgraded apache from 2.2.22-12 to 2.2.22-13.
>
> PS: Mojolicious has no XS modules, but mod-perl crashes often. So I think that the problem is in mod-perl (backtrace points to) or apache :)

Could you also check the way forward, with the recently rebuilt libapache2-mod-perl2 in unstable (also only test fixes), to 2.0.7-3? libapache2-mod-perl2 2.0.7-3 was built after apache2 2.2.22-13 went to unstable. Do you get the crashes then too?

Regards,
Salvatore
Bug#703000: apache-preforks, , modperl, segfaults
Hi

On Thu, Mar 14, 2013 at 05:03:21PM +0400, Dmitry E. Oboukhov wrote:
> > > I downgraded mod-perl, 2.0.7-1 crashes, too (the same backtrace)
> > > Then I downgraded apache to 2.2.22-12 and 2.2.22-12 + modperl 2.0.7-1 don't crash.
> > > Also apache 2.2.22-12 and modperl 2.0.7-2 don't crash, too.
> > > But backtrace points to mod-perl, so I doubt to reassign the bugreport.
> > As an additional data point, I am happily running apache2/mod_perl2 from unstable/amd64 with no issues. apache2 is 2.2.22-13 and libapache2-mod-perl2 is 2.0.7-3, which basically is the same as Dmitry's environment.
>
> Now I've upgraded apache2 to 2.2.22-13 (again) and upgraded mod-perl to 2.0.7-3 and I can't reproduce the bug. So maybe it is worth rebuilding mod-perl 2.0.7-2 with new apache or pushing 2.0.7-3 to testing?

This is the plan, since 2.0.7-3 fixes a FTBFS with the recent perl update, which is needed. But there is still a wait period of 4 days left (it was already unblocked by the Release Team) and there is a build failure for s390 on the buildds.

But it's still curious what causes the incompatibility...

Regards,
Salvatore
Bug#703094: owncloud: multiple vulnerabilities (oC-SA-2013-009, oC-SA-2013-010)
Package: owncloud
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for owncloud.

CVE-2013-1851[0]: user_migrate: Local file disclosure
CVE-2013-1850[1]: Contacts: Bypass of file blacklist

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1851
    http://security-tracker.debian.org/tracker/CVE-2013-1851
    http://owncloud.org/about/security/advisories/oC-SA-2013-010
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1850
    http://security-tracker.debian.org/tracker/CVE-2013-1850
    http://owncloud.org/about/security/advisories/oC-SA-2013-009

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Bug#699888: new nss packages fixing cve-2013-1620
Hi!

On Fri, Mar 15, 2013 at 03:33:05PM +0100, Yves-Alexis Perez wrote:
> On Thu., 2013-03-14 at 22:48 -0400, Michael Gilbert wrote:
> > Hi, I've prepared new nss packages fixing the lucky 13 issue:
> > http://people.debian.org/~mgilbert
> >
> > For the mozilla team, this is a new upstream, so would you be ok with it uploaded as an nmu, or would you like to upload?
>
> It seems the BTS never received your mail, not sure why (at least it doesn't appear on the BTS web interface). So I'm not sure mozilla people received it either. Hopefully this mail will reach them.

Hmm, this is probably due to:

Topic for #debian-devel: BROKEN: mailhandling of bugs.debian.org Current mailhandling for bugs.debian.org is not working.

Regards,
Salvatore
Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Hi

On Fri, Mar 15, 2013 at 05:56:05PM -, Steve Hay wrote:
> [...]
>
> Zefram has now come up with an even better patch (on the same RT ticket), after reproducing the Debian 5.10.1 failure himself. Please take a look (I've also attached it here for your convenience) and let me know whether this works for you. If so then I hope to apply it to SVN over the weekend.

I can confirm that the new patch works on Debian Squeeze, with Perl (5.10.1-17squeeze6) including the security fix.

Thank you Steve for keeping us updated!

Regards,
Salvatore
Bug#659899: CVE-2012-0790: XSS
Control: fixed -1 2.6.7-1 Hi Steven On Sat, Mar 16, 2013 at 12:40:04PM +, Steven Chamberlain wrote: Control: reopen -1 Hmm, as Adam wrote, was this intentional? Because this way we lost the version tracking for already fixed version. BTS handles fixed versions already. Btw, it's a nice timing, since I just yesterday uploaded also the fix for smokeping to stable to security-master which is not to be reviewed. Thank you furthermore for your analysis of further issues! If possible, could you bring these further possible issues to upstream (Tobias Oetiker is already in CC list however). Attached is the debdiff which I uploaded yesterday. Thank you and regards, Salvatore diff -u smokeping-2.3.6/debian/changelog smokeping-2.3.6/debian/changelog --- smokeping-2.3.6/debian/changelog +++ smokeping-2.3.6/debian/changelog @@ -1,3 +1,14 @@ +smokeping (2.3.6-5+squeeze1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2012-0790: Fix cross-site scripting vulnerability allowing a +remote attacker to inject arbitrary web script or html via the +displaymode parameter. Initial patch prepared by Antoine Beaupré. +Add an adjustment to the patterns to exclude more special +characters. (Closes: #659899) + + -- Salvatore Bonaccorso car...@debian.org Fri, 15 Mar 2013 22:46:57 +0100 + smokeping (2.3.6-5) unstable; urgency=medium * debian/patches/20_html-parser.dpatch: fix an incompatibility with diff -u smokeping-2.3.6/debian/patches/00list smokeping-2.3.6/debian/patches/00list --- smokeping-2.3.6/debian/patches/00list +++ smokeping-2.3.6/debian/patches/00list @@ -3,0 +4 @@ +30_cve-2012-0790.dpatch only in patch2: unchanged: --- smokeping-2.3.6.orig/debian/patches/30_cve-2012-0790.dpatch +++ smokeping-2.3.6/debian/patches/30_cve-2012-0790.dpatch 
@@ -0,0 +1,74 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## cve-2012-0790.dpatch by Vincent Danen, ported to 2.3 by Antoine Beaupré +## add additional fixes on the regexp from smokeping 2.6.9 +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix for CVE-2012-0790 + +@DPATCH@ +diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm +index d29a547..b74c3fc 100644 +--- a/lib/Smokeping.pm b/lib/Smokeping.pm +@@ -134,8 +134,10 @@ sub cgiurl { + sub hierarchy ($){ + my $q = shift; + my $hierarchy = ''; ++my $h = $q-param('hierarchy'); + if ($q-param('hierarchy')){ +- $hierarchy = 'hierarchy='.$q-param('hierarchy').';'; ++ $h =~ s/[%';]/./g; ++ $hierarchy = 'hierarchy='.$h.';'; + }; + return $hierarchy; + } +@@ -176,6 +178,7 @@ sub update_dynaddr ($$){ + my $address = $ENV{REMOTE_ADDR}; + my $targetptr = $cfg-{Targets}; + foreach my $step (@target){ ++$step =~ s/[%';]/./g; + return Error: Unknown target $step + unless defined $targetptr-{$step}; + $targetptr = $targetptr-{$step}; +@@ -979,6 +982,7 @@ sub get_detail (;$){ + my $open = shift; + my $mode = shift || $q-param('displaymode') || 's'; + ++$mode =~ s/[%';]/./g; + my $phys_tree = $tree; + my $phys_open = $open; + if ($tree-{__tree_link}){ +@@ -1376,13 +1380,15 @@ sub get_detail (;$){ + } elsif ($mode eq 's') { # classic mode + $startstr =~ s/\s/%20/g; + $endstr =~ s/\s/%20/g; ++my $t = $q-param('target'); ++$t =~ s/[%';]/./g; + for my $slave (@slaves){ + my $s = $slave ? ~$slave : ; + $page .= div; + # $page .= (time-$timer_start).br/; + # $page .= join ,map {'$_'} @task; + $page .= br/; +-$page .= ( qq{a href=}.cgiurl($q,$cfg).?.hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}.target=.$q-param('target').$s.'' ++$page .= ( qq{a href=}.cgiurl($q,$cfg).?.hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}.target=.$t.$s.'' + . 
qq{IMG BORDER=0 SRC=${imghref}${s}_${end}_${start}.png}./a ); # + $page .= /div; + } +@@ -1525,8 +1531,15 @@ sub hierarchy_switcher($$){ + sub display_webpage($$){ + my $cfg = shift; + my $q = shift; +-my ($path,$slave) = split(/~/,$q-param('target') || ''); ++my $targ = ''; ++my $t = $q-param('target'); ++if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){ ++$targ = $1; ++$targ =~ s/[%';]/./g; ++} ++my ($path,$slave) = split(/~/,$targ); + my $hierarchy = $q-param('hierarchy'); ++$hierarchy =~ s/[%';]/./g; + die ERROR: unknown hierarchy $hierarchy\n + if $hierarchy and not $cfg-{Presentation}{hierarchies}{$hierarchy}; + my $open = [ (split /\./,$path||'') ];
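Review bot: in the `sub hierarchy` hunk the new variable is read with `my $h = $q->param('hierarchy');` but the guard on the next line still calls `$q->param('hierarchy')` a second time; test `if ($h)` instead so the value checked is the one being sanitised. More generally, every hunk in this dpatch relies on the same deny-list `s/[%';]/./g`, and the changelog itself describes the change as an adjustment "to exclude more special characters"; an allow-list (for example `s/[^A-Za-z0-9_.~-]/./g`) or HTML-escaping the value where it is interpolated into `$page` would not need revisiting each time another character turns out to matter.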
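Review bot: in the `sub get_detail` link hunk, `my $t = $q->param('target'); $t =~ s/[%';]/./g;` runs the substitution on a parameter that may be absent, which emits an uninitialized-value warning in the error log for every request without `target`; initialise it as `my $t = $q->param('target') || '';` before the substitution.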
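Review bot: in the `sub display_webpage` hunk the traversal check `$t !~ /\.\./` is evaluated on the raw parameter, and only afterwards does `$targ =~ s/[%';]/./g` turn `%`, `'` and `;` into `.`, so a value that passed the check can still contain `..` once sanitised (which `split /\./` below turns into an empty path component). Do the substitution first and apply the `..` check to `$targ`, or delete the characters instead of replacing them with `.`. The added `$hierarchy =~ s/[%';]/./g;` in the same hunk has the same undefined-parameter warning as the `target` handling and should be guarded with `if defined $hierarchy` or an `|| ''` default.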
Bug#659899: CVE-2012-0790: XSS
Hi Antoine

Dropping Tobias Oetiker again from Cc, I don't know if he is actually interested in following this. But we might/should bring further issues with smokeping to him.

On Sat, Mar 16, 2013 at 12:42:39PM -0400, Antoine Beaupré wrote:
> Control: found -1 2.6.7-1
> Control: fixed -1 2.6.9-1~exp0
> Control: fixed -1 2.3.6-5+squeeze1
> Control: tags -1 pending
> Control: block -1 with 703193
>
> On 2013-03-16, Salvatore Bonaccorso wrote:
> > Control: fixed -1 2.6.7-1
> >
> > Hi Steven
> >
> > On Sat, Mar 16, 2013 at 12:40:04PM +, Steven Chamberlain wrote:
> > > Control: reopen -1
> >
> > Hmm, as Adam wrote, was this intentional? Because this way we lost the version tracking for the already fixed version. BTS handles fixed versions already.
>
> From what I understand from the upstream changelog, 2.6.7 would still be affected, because the patch we had before was incomplete. So I think that reopen was actually accurate.

Indeed, Steven is right. 2.6.7-1 does not have the full character set as supplied later with the 2.6.9 release upstream, so this needs to be also updated and pushed for wheezy. So again, thanks Steven for bringing this up.

> I have done an upload of 2.6.9 to factor those changes in, which I hope to pass by the RM so that 2.6.9-1 gets into wheezy. 2.6.9 unfortunately has unrelated changes, so I have uploaded it to experimental, but those changes seem important enough, to me, to go into wheezy. Before going forward with the sid upload, I'll wait for RM's approval though. See #703193 for followup on that.

Hmm, this will quite surely not be approved. And Jonathan Wiltshire already commented there. A new upstream version at this stage of the freeze is not acceptable.

But how about the attached patch for unstable?

Thank you for your work, and regards,
Salvatore
Bug#659899: CVE-2012-0790: XSS
On Sat, Mar 16, 2013 at 10:47:54PM +0100, Salvatore Bonaccorso wrote: Hmm, this will quite sure not be approved. And Jonathan Wiltshire already commented there. A new upstream version at this stage of the freeze is not acceptable. But how about the attached patch for unstable? ... which I have forgotten to attach. Regards, Salvatore --- a/lib/Smokeping.pm +++ b/lib/Smokeping.pm @@ -170,7 +170,7 @@ my $hierarchy = ''; my $h = $q-param('hierarchy'); if ($q-param('hierarchy')){ - $h =~ s/[%]/./g; + $h =~ s/[%';]/./g; $hierarchy = 'hierarchy='.$h.';'; }; return $hierarchy; @@ -212,7 +212,7 @@ my $address = $ENV{REMOTE_ADDR}; my $targetptr = $cfg-{Targets}; foreach my $step (@target){ -$step =~ s/[%]/./g; +$step =~ s/[%';]/./g; return Error: Unknown target $step unless defined $targetptr-{$step}; $targetptr = $targetptr-{$step}; @@ -1047,7 +1047,7 @@ my $tree = shift; my $open = shift; my $mode = shift || $q-param('displaymode') || 's'; -$mode =~ s/[%]/./g; +$mode =~ s/[%';]/./g; my $phys_tree = $tree; my $phys_open = $open; if ($tree-{__tree_link}){ @@ -1447,7 +1447,7 @@ $startstr =~ s/\s/%20/g; $endstr =~ s/\s/%20/g; my $t = $q-param('target'); -$t =~ s/[%]/./g; +$t =~ s/[%';]/./g; for my $slave (@slaves){ my $s = $slave ? ~$slave : ; $page .= div; @@ -1601,7 +1601,7 @@ my $t = $q-param('target'); if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){ $targ = $1; -$targ =~ s/[;%]/./g; +$targ =~ s/[%';]/./g; } my ($path,$slave) = split(/~/,$targ); if ($slave and $slave =~ /(\S+)/){ @@ -1610,7 +1610,7 @@ $slave = $1; } my $hierarchy = $q-param('hierarchy'); -$hierarchy =~ s/[;%]/./g; +$hierarchy =~ s/[%';]/./g; die ERROR: unknown hierarchy $hierarchy\n if $hierarchy and not $cfg-{Presentation}{hierarchies}{$hierarchy}; my $open = [ (split /\./,$path||'') ];
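Review bot: this diff carries no debian/changelog entry and no patch header (Description, Origin, Bug-Debian), unlike the squeeze debdiff earlier in the thread; when it goes into the package it should be added as a patch with DEP-3 headers naming CVE-2012-0790 and #659899. Starting with the `sub hierarchy` hunk, the change only widens the deny-list from `[%]` (and `[;%]` in the two `display_webpage` hunks) to `[%';]` in six places; since the excluded set has now been revised twice, an allow-list such as `s/[^A-Za-z0-9_.~-]/./g`, or escaping at the point where the values are written into the page, would be the more robust fix.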
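Review bot: in the `display_webpage` hunk that changes `$targ =~ s/[;%]/./g;` to `$targ =~ s/[%';]/./g;`, the substitution still runs after the `$t !~ /\.\./` test rather than before it, so the sanitised `$targ` can contain `..` that the check never saw (a `%` next to a `.` becomes `..`); move the `..` check after the substitution, or remove the characters instead of mapping them to `.`.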
Bug#703208: [Pkg-libvirt-maintainers] Bug#703208: libvirt0: segfault after upgrade from version 0.8.3-5+squeeze2 to 0.8.3-5+squeeze4
Hi!

On Sun, Mar 17, 2013 at 12:29:45PM +0100, Yves-Alexis Perez wrote:
> On Sun., 2013-03-17 at 08:56 +0100, Salvatore Bonaccorso wrote:
> > open /dev/kvm: Permission denied
> > Could not initialize KVM, will disable KVM support
>
> Can you check permissions on the /dev/kvm device and the groups in which the libvirt-qemu user is?

Only now back. It looks like Guido already found the issue. But here for reference the settings on the system where I saw this too (though in my case the VMs do not crash):

# ls -l /dev/kvm
crw-rw 1 root kvm 10, 232 Mar 11 06:47 /dev/kvm
# id libvirt-qemu
uid=108(libvirt-qemu) gid=112(kvm) groups=112(kvm),115(libvirt-qemu)
# getent group kvm
kvm:x:112:

No special settings in /etc/libvirt/qemu.conf.

Regards,
Salvatore
Bug#703208: [Pkg-libvirt-maintainers] Bug#703208: Bug#703208: libvirt0: segfault after upgrade from version 0.8.3-5+squeeze2 to 0.8.3-5+squeeze4
Hi

On Sun, Mar 17, 2013 at 08:07:51PM +0100, Yves-Alexis Perez wrote:
> On Sun., 2013-03-17 at 19:23 +0100, Guido Günther wrote:
> > Uploaded. But can we please wait until somebody else confirms the packages at http://honk.sigxcpu.org/projects/libvirt/snapshots/ are working for them?
>
> Sure. Salvatore?

I have tested the package in the environment where I confirmed the problem this morning. With 0.8.3-5+squeeze5 the problems went away. Further testing done was: with an existing vm, create a new snapshot, revert, delete the old snapshot. All worked as expected in these cases.

Thanks for the quick followup!

Regards,
Salvatore
Bug#702775: ganglia: limiting security support
Hi Michael On Sun, Mar 17, 2013 at 03:04:15PM -0400, Michael Gilbert wrote: control: tag -1 patch Hi, I've uploaded an nmu to delayed/2 fixing this issue. Please see attached patch. Thank you for taking this. I read trough your proposed text looks good. Only one comment if you could please fix this (note I'm not a native english speaker, don't see if there are more): diff -Nru ganglia-3.3.8/debian/README.Debian.security ganglia-3.3.8/debian/README.Debian.security --- ganglia-3.3.8/debian/README.Debian.security 1969-12-31 19:00:00.0 -0500 +++ ganglia-3.3.8/debian/README.Debian.security 2013-03-17 14:57:35.0 -0400 @@ -0,0 +1,12 @@ +The Debian security team has decided that security support for ganglia +will be limited only to installations behind a trusted HTTP zone. Thus, +any problems affecting this package in non-trusted zones will be treated +as a non-issue (updated packages and security announcements will not be +provided). + +This software was written under the expectation that it be used in a +local cluster environtment, and thus the security consequences of ^^ s/environtment/environment/ +exposing various interfaces to the wider untrusted internet were not +fully considered, and are consequently not handled well. The security +team does not have the time or resources to compensate for these +upstream limitations. Thank you and regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
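Review bot: besides the `environtment` typo already noted above, the first paragraph of the new README.Debian.security limits support to installations "behind a trusted HTTP zone" without saying what that means for an administrator; suggest spelling it out, for example "reachable only by trusted users, such as on a private network or behind an authenticating reverse proxy", so a reader can tell whether their deployment is covered.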
Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790
Hi Pino

On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
> I've verified the issues, and the situation that I found for current wheezy+sid (= 0.18.4-5) is the following:
>
> On Saturday 2 March 2013, Salvatore Bonaccorso wrote:
> > CVE-2013-1788[0]: invalid memory issues
>
> This applies, but not with all the reported documents.
>
> > CVE-2013-1789[1]: crash in broken documents
>
> This seems to not apply.
>
> > CVE-2013-1790[2]: uninitialized memory read
>
> This applies.
>
> I will backport and test the appropriate fixes for this version of poppler, and then upload.

Thank you for checking these issues and for preparing the fixes.

> Regarding stable, I will do the proper investigation (and eventually backport fixes as needed) once sid is fixed and the fixed version has successfully migrated to wheezy; this way I want to reduce the potential issues. Is that okay for the security team?

Yes, this sounds good to me.

Regards,
Salvatore
Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Hi Benjamin

On Tue, Mar 19, 2013 at 04:04:59PM -0400, Benjamin Kaduk wrote:
> On Tue, 19 Mar 2013, Adam D. Barratt wrote:
> > On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> > > reopen 702633
> >
> > Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain a fix for this bug?
>
> The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number, and as such the purported fix for this bug is incomplete, as the documentation of the change is incorrect. Now, it may be that the package maintainer or the security team may decide that a version bump is not necessary to correct this error, but such a decision should be explicitly made (IMHO).
>
> > If the answer to my first question is "because it's not fixed in stable yet", then the re-opening was incorrect, as the actual effect was to mark it as not fixed in _unstable_.
>
> My action of reopening the bug reflects the contents of the package in unstable.

Thank you for noticing this. To track this I opened http://bugs.debian.org/703457

Hope that helps,
Salvatore
Bug#703000: apache-preforks, , modperl, segfaults
Control: severity -1 important

Hi

I'm downgrading the bug to severity important for now. Did you already have a chance to try the downgrade of libapache2-mod-perl2 only again and see if the segfaults reappear? If so, could you give some more information as asked by Niko, to see if this is easily reproducible?

Thanks a lot in advance!

Regards,
Salvatore
Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790
Hi Pino

On Mon, Mar 18, 2013 at 05:10:00PM +0100, Salvatore Bonaccorso wrote:
> Hi Pino
>
> On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
> > I've verified the issues, and the situation that I found for current wheezy+sid (= 0.18.4-5) is the following:
> >
> > On Saturday 2 March 2013, Salvatore Bonaccorso wrote:
> > > CVE-2013-1788[0]: invalid memory issues
> >
> > This applies, but not with all the reported documents.
> >
> > > CVE-2013-1789[1]: crash in broken documents
> >
> > This seems to not apply.
> >
> > > CVE-2013-1790[2]: uninitialized memory read
> >
> > This applies.
> >
> > I will backport and test the appropriate fixes for this version of poppler, and then upload.
>
> Thank you for checking these issues and for preparing the fixes.

Did you already have a chance to test the resulting package? I'm asking as the release gets nearer now.

Thank you for working on these issues,
Salvatore
Bug#702905: Bug#702911: unblock: almanah/0.9.1-1
Hi Angel

Disclaimer: I am not part of the release team, but I noticed #702911 as the corresponding #702905 in almanah fixes a security bug.

It looks like your unblock request never went through the list, as the debdiff is quite big. At this stage of the release the release team will probably not acknowledge this unblock request.

I did only a short test: this also looks like a regression from Squeeze, as in Squeeze it is possible to have a diary encrypted. But after upgrading to wheezy the diary.db does not get encrypted after closing.

Regards,
Salvatore
Bug#703870: moodle: Multiple security issues reported
Source: moodle
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for moodle.

CVE-2013-1829[0]: Calendar subscription capability issue
    (this seems not to affect moodle in Debian as versions affected are reported as 2.4 to 2.4.1)
CVE-2013-1830[1]: Information leak in course profiles
CVE-2013-1831[2]: Server information revealed through exception messages
CVE-2013-1832[3]: Password revealed in WebDav repository
CVE-2013-1833[4]: Cross-site scripting issue in Filepicker
CVE-2012-3363[5]:
| Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before
| 1.12.0 does not properly handle SimpleXMLElement classes, which allows
| remote attackers to read arbitrary files or create TCP connections via
| an external entity reference in a DOCTYPE element in an XML-RPC
| request, aka an XML external entity (XXE) injection attack.
CVE-2013-1834[6]: Form manipulation issue in notes
CVE-2013-1835[7]: Personal information leak through repositories
CVE-2013-1836[8]: Unauthorised settings editing through WebDav repository

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1829
    http://security-tracker.debian.org/tracker/CVE-2013-1829
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1830
    http://security-tracker.debian.org/tracker/CVE-2013-1830
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1831
    http://security-tracker.debian.org/tracker/CVE-2013-1831
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1832
    http://security-tracker.debian.org/tracker/CVE-2013-1832
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1833
    http://security-tracker.debian.org/tracker/CVE-2013-1833
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
    http://security-tracker.debian.org/tracker/CVE-2012-3363
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1834
    http://security-tracker.debian.org/tracker/CVE-2013-1834
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1835
    http://security-tracker.debian.org/tracker/CVE-2013-1835
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1836
    http://security-tracker.debian.org/tracker/CVE-2013-1836

Please adjust the affected versions in the BTS as needed.

Thank you for your work!

Regards,
Salvatore
Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
Hi

On Sat, Mar 09, 2013 at 07:20:44PM +0100, Salvatore Bonaccorso wrote:
> Hi Tzafrir!
>
> Is there any news on this? I have noticed that in the svn repository for asterisk there is already:
>
> asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
>
>   * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
>     - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
>       allocations when using TCP. The following two fixes were also pulled
>       in order to easily apply it:
>       - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
>       - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
>     - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
>       Exploitation of Device State Caching
>
>  -- Tzafrir Cohen tzaf...@debian.org  Tue, 08 Jan 2013 00:06:09 +0200
>
> Could you have a look whether only the upload is missing?

Ping? I'm asking again as the release of wheezy is getting nearer.

Regards,
Salvatore
Bug#703870: moodle: Multiple security issues reported
Hi

See also http://marc.info/?l=oss-security&m=136419144903756&w=2

Regards,
Salvatore