Arch-security

arch-security@lists.archlinux.org

October 2014

  • 4 participants
  • 14 discussions
[arch-security] [Arch Linux Security Advisory ASA-201410-14] wget: arbitrary filesystem access
by Remi Gacogne 29 Oct '14

Arch Linux Security Advisory ASA-201410-14
==========================================

Severity: Medium
Date    : 2014-10-29
CVE-ID  : CVE-2014-4877
Package : wget
Type    : arbitrary filesystem access
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package wget before version 1.16-2 is vulnerable to arbitrary filesystem access.

Resolution
==========

Upgrade to 1.16-2.

# pacman -Syu "wget>=1.16-2"

The problem has been fixed upstream in version 1.16.

Workaround
==========

Do not use the --retr-symlinks=yes option when recursively retrieving a directory from an untrusted FTP server or over an untrusted connection.

Description
===========

It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP.

By default, when retrieving ftp directories recursively and a symbolic link is encountered, the symbolic link is traversed and the pointed-to files are retrieved. This option poses a security risk where a malicious FTP Server may cause Wget to write to files outside of the intended directories through a specially crafted .listing file.

Impact
======

A malicious FTP server or a malicious attacker in position of man-in-the-middle could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
http://seclists.org/oss-sec/2014/q4/453
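The advisory above describes a mirror client trusting server-supplied entries (including symlinks) from a .listing file. The following C program is an added example, not wget's code: it parses ls-style listing lines (a constructed format and constructed sample lines) and applies a lexical containment policy before anything would be created under a local mirror root, rejecting absolute names, ".." traversal, and symlinks whose target leaves the root.

```c
/* Added example, not wget's code: a containment policy for entries read from
   an FTP .listing, applied before anything is created under a local mirror
   root. The ls-style line format and every sample line are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum entry_verdict {
    ENTRY_OK,               /* safe to create below the mirror root */
    ENTRY_UNPARSABLE,       /* malformed listing line: skip it */
    ENTRY_REJECT_ABSOLUTE,  /* absolute name or absolute symlink target */
    ENTRY_REJECT_TRAVERSAL, /* ".." in the name climbs above the root */
    ENTRY_REJECT_SYMLINK    /* symlink target escapes the root */
};

struct listing_entry {
    char type;            /* '-' file, 'd' directory, 'l' symbolic link */
    char name[256];
    char target[256];     /* symlinks only: the text after " -> " */
};

/* Eight space-separated fields, then the name, then optionally " -> target". */
static bool parse_listing_line(const char *line, struct listing_entry *e)
{
    const char *p = line;
    memset(e, 0, sizeof *e);
    if (*p == '\0') return false;
    e->type = *p;
    for (int field = 0; field < 8; field++) {
        while (*p != '\0' && *p != ' ') p++;   /* consume the field */
        while (*p == ' ') p++;                  /* and its separator */
        if (*p == '\0') return false;           /* no name left */
    }
    const char *arrow = strstr(p, " -> ");
    size_t name_len = arrow ? (size_t)(arrow - p) : strlen(p);
    if (name_len == 0 || name_len >= sizeof e->name) return false;
    memcpy(e->name, p, name_len);
    if (arrow) {
        if (e->type != 'l' || strlen(arrow + 4) >= sizeof e->target) return false;
        strcpy(e->target, arrow + 4);
    }
    return true;
}

/* Lexical containment: no absolute path, and no ".." that climbs above the
   starting directory. String-only, so local filesystem state cannot steer it. */
static bool path_stays_within(const char *rel)
{
    if (rel[0] == '/') return false;
    int depth = 0;
    for (const char *p = rel; ; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return false;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (end == NULL) return true;
        p = end + 1;
    }
}

/* A symlink is reproduced only if its target, resolved relative to the link's
   own directory, also stays inside the root; it is never followed. */
static enum entry_verdict check_entry(const struct listing_entry *e)
{
    if (e->name[0] == '/') return ENTRY_REJECT_ABSOLUTE;
    if (!path_stays_within(e->name)) return ENTRY_REJECT_TRAVERSAL;
    if (e->type == 'l') {
        if (e->target[0] == '/') return ENTRY_REJECT_ABSOLUTE;
        char combined[sizeof e->name + sizeof e->target + 1];
        const char *slash = strrchr(e->name, '/');
        if (slash)
            snprintf(combined, sizeof combined, "%.*s/%s", (int)(slash - e->name), e->name, e->target);
        else
            snprintf(combined, sizeof combined, "%s", e->target);
        if (!path_stays_within(combined)) return ENTRY_REJECT_SYMLINK;
    }
    return ENTRY_OK;
}

enum entry_verdict verdict_for_line(const char *line)
{
    struct listing_entry e;
    return parse_listing_line(line, &e) ? check_entry(&e) : ENTRY_UNPARSABLE;
}

int main(void)
{
    static const char *const lines[] = {   /* constructed .listing content */
        "-rw-r--r-- 1 ftp ftp 5 Oct 29 2014 readme.txt",
        "lrwxrwxrwx 1 ftp ftp 12 Oct 29 2014 latest -> releases/1.0",
        "lrwxrwxrwx 1 ftp ftp 4 Oct 29 2014 etc -> /etc",
        "lrwxrwxrwx 1 ftp ftp 9 Oct 29 2014 docs/up -> ../../tmp",
        "drwxr-xr-x 2 ftp ftp 4096 Oct 29 2014 ../escape",
    };
    static const char *const names[] = { "ok", "unparsable", "absolute", "traversal", "symlink-escape" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-14s %s\n", names[verdict_for_line(lines[i])], lines[i]);
    return 0;
}
```

The check is deliberately string-based: deciding by calling realpath() on the local side would let an earlier entry that already created a symlink change the answer for later ones, which is exactly the ordering the advisory's attack relies on.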
[arch-security] [Arch Linux Security Advisory ASA-201410-13] ejabberd: circumvention of encryption
by Levente Polyak 28 Oct '14

Arch Linux Security Advisory ASA-201410-13
==========================================

Severity: High
Date    : 2014-10-27
CVE-ID  : CVE-2014-8760
Package : ejabberd
Type    : circumvention of encryption
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package ejabberd before version 14.07-2 allows clients to connect with an unencrypted connection even if starttls_required is set.

Resolution
==========

Upgrade to 14.07-2.

# pacman -Syu "ejabberd>=14.07-2"

The problems have been fixed upstream [0] but no release version is available yet.

Workaround
==========

Disable compression ('zlib' in c2s configuration) and find affected users with:

# ejabberdctl connected_users_info | grep 'c2s_compressed\s'

You may kick affected user sessions and they should be able to reconnect with encryption and without compression.

Description
===========

It was discovered that ejabberd does not enforce the starttls_required setting when compression is used, which causes clients to unexpectedly establish connections without encryption.

Impact
======

A local user can unexpectedly connect without any encryption and send sensitive information in plaintext to the server even if encryption was set as required.

References
==========

[0] https://github.com/processone/ejabberd/commit/7bdc115
http://mail.jabber.org/pipermail/operators/2014-October/002438.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8760
https://bugs.archlinux.org/task/42541
[arch-security] [Arch Linux Security Advisory ASA-201410-12] libxml2: Denial of service
by Levente Polyak 25 Oct '14

Arch Linux Security Advisory ASA-201410-12
==========================================

Severity: Medium
Date    : 2014-10-24
CVE-ID  : CVE-2014-0191, CVE-2014-3660
Package : libxml2
Type    : Denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package libxml2 before version 2.9.2-1 is vulnerable to denial of service, even if entity substitution is disabled.

Resolution
==========

Upgrade to 2.9.2-1.

# pacman -Syu "libxml2>=2.9.2-1"

The problems have been fixed upstream [0][1] in version 2.9.2.

Workaround
==========

None.

Description
===========

Daniel Berrange discovered that libxml2 incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, leads to the exhaustion of CPU and memory resources or file descriptors.

Impact
======

A remote attacker is able to exploit this vulnerability using a specially crafted XML document containing malicious attributes to consume all available CPU and memory resources or file descriptors.

References
==========

[0] https://git.gnome.org/browse/libxml2/commit/?id=9cd1c
[1] https://git.gnome.org/browse/libxml2/commit/?id=be2a7
https://access.redhat.com/security/cve/CVE-2014-0191
https://access.redhat.com/security/cve/CVE-2014-3660
https://bugs.archlinux.org/task/40790
http://www.openwall.com/lists/oss-security/2014/05/06/4
[arch-security] [Arch Linux Security Advisory ASA-201410-11] ctags: Denial of service
by Levente Polyak 25 Oct '14

Arch Linux Security Advisory ASA-201410-11
==========================================

Severity: Medium
Date    : 2014-10-24
CVE-ID  : CVE-2014-7204
Package : ctags
Type    : Denial of service
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package ctags before version 5.8-5 is vulnerable to denial of service.

Resolution
==========

Upgrade to 5.8-5.

# pacman -Syu "ctags>=5.8-5"

The problem has been fixed upstream [0] but no release version is available yet.

Workaround
==========

None.

Description
===========

Stefano Zacchiroli discovered a vulnerability in ctags, a tool to build tag file indexes of source code definitions: Certain JavaScript files cause ctags to enter an infinite loop until it runs out of disk space, resulting in denial of service.

Impact
======

A local user can run out of disk space resulting in denial of service after running ctags on JavaScript files from an affected or specially prepared public repository.

References
==========

[0] http://sourceforge.net/p/ctags/code/791/
https://access.redhat.com/security/cve/CVE-2014-7204
https://bugs.archlinux.org/task/42246
http://www.openwall.com/lists/oss-security/2014/09/29/40
[arch-security] [Arch Linux Security Advisory ASA-201410-10] libvncserver: remote code execution, denial of service
by Remi Gacogne 24 Oct '14

Arch Linux Security Advisory ASA-201410-10
==========================================

Severity: Critical
Date    : 2014-10-24
CVE-ID  : CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055
Package : libvncserver
Type    : Remote code execution, Denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package libvncserver before version 0.9.10-1 is vulnerable to remote code execution client-side, and denial of service server-side.

Resolution
==========

Upgrade to 0.9.10-1.

# pacman -Syu "libvncserver>=0.9.10-1"

The problem has been fixed upstream in version 0.9.10.

Workaround
==========

None.

Description
===========

CVE-2014-6051 Integer overflow in MallocFrameBuffer() on client side.

A malicious VNC server could advertise a very large screen size (by RFB protocol, width and height are 16-bit integers), resulting in an integer overflow during malloc() on client-side. Heap corruption, and possibly remote code execution on client-side could ensue.

CVE-2014-6052 Lack of malloc() return value checking on client side.

malloc() return value was not checked on client-side during framebuffer setup. A malicious VNC server that advertises a large enough screen size to make malloc() fail could basically map the framebuffer at address 0, and write anything-anywhere in client process memory using selective FramebufferUpdate messages. This could certainly turn into remote code execution on client-side.

CVE-2014-6053 Server crash on a very large ClientCutText message.

A malicious client could advertise a very large ClientCutText message size (by RFB protocol, size is encoded on a 32-bit integer). malloc() is likely to fail in that case; as malloc() return value is not checked, this will most likely result in a server crash.

CVE-2014-6054 Server crash when scaling factor is set to zero.

A malicious client could set the scaling factor to 0, which will result in a server crash (division by zero).

CVE-2014-6055 Multiple stack overflows in File Transfer feature.

1/ The non-standard file transfer messages (UltraVNC feature) will blindly strcpy() client-provided file and directory names into a stack-based buffer of size MAX_PATH, resulting in multiple stack-based buffer overflows on server-side.

2/ Client-supplied FileTime attribute is copied into a stack-based buffer of size 64 during rfbFileTransferOffer message parsing, resulting in a stack-based buffer overflow on server-side.

Impact
======

A malicious server or an attacker in position of man-in-the-middle could remotely execute arbitrary code on a vulnerable client. A malicious client or an attacker in position of man-in-the-middle could remotely crash a vulnerable server.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6051
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6052
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6053
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6054
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6055
http://seclists.org/oss-sec/2014/q3/639
https://bugs.archlinux.org/task/42321
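The five libvncserver issues above are all missing input checks on values a peer controls: a 16-bit width and height multiplied into a 32-bit size, an unchecked malloc() result, an unbounded 32-bit length, a zero divisor, and a strcpy() into a fixed stack buffer. The C program below is an added example, not libvncserver code, showing each check in standalone form next to the vulnerable size arithmetic; the size caps and the MAX_PATH stand-in are constructed policy values, not the project's.

```c
/* Added example, not libvncserver code: the input checks the advisory's CVEs
   describe as missing, written standalone. MAX_FRAMEBUFFER_BYTES,
   MAX_CUT_TEXT_BYTES and NAME_BUF_SIZE are constructed policy values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAMEBUFFER_BYTES (256u * 1024u * 1024u)  /* constructed cap */
#define MAX_CUT_TEXT_BYTES    (1u * 1024u * 1024u)    /* constructed cap */
#define NAME_BUF_SIZE         260                      /* stand-in for MAX_PATH */

/* CVE-2014-6051, the vulnerable arithmetic: width and height arrive as 16-bit
   values, and computed in 32 bits their product times the pixel size wraps. */
uint32_t naive_framebuffer_bytes(uint16_t width, uint16_t height, unsigned bpp)
{
    return (uint32_t)width * height * (bpp / 8);
}

/* Hardened version: validate the depth, compute in 64 bits, and require the
   result to fit the policy cap (and hence size_t). Returns 0 on any failure. */
size_t framebuffer_bytes(uint16_t width, uint16_t height, unsigned bpp)
{
    if (bpp != 8 && bpp != 16 && bpp != 32) return 0;
    if (width == 0 || height == 0) return 0;
    uint64_t pixels = (uint64_t)width * height;
    uint64_t bytes_pp = bpp / 8;
    if (pixels > (uint64_t)MAX_FRAMEBUFFER_BYTES / bytes_pp) return 0;
    return (size_t)(pixels * bytes_pp);
}

/* CVE-2014-6052: the allocation result is checked before anything uses it. */
uint8_t *alloc_framebuffer(uint16_t width, uint16_t height, unsigned bpp, size_t *len_out)
{
    size_t len = framebuffer_bytes(width, height, bpp);
    if (len == 0) return NULL;
    uint8_t *fb = calloc(len, 1);
    if (fb == NULL) return NULL;
    *len_out = len;
    return fb;
}

/* CVE-2014-6053: a 32-bit length from the peer is bounded before any malloc. */
bool cut_text_length_ok(uint32_t announced)
{
    return announced <= MAX_CUT_TEXT_BYTES;
}

/* CVE-2014-6054: a peer-supplied scale is used as a divisor, so zero is refused. */
bool scaled_width(unsigned width, unsigned scale, unsigned *out)
{
    if (scale == 0) return false;
    *out = width / scale;
    return true;
}

/* CVE-2014-6055: copy a peer-supplied name into a fixed buffer only if it fits
   with its terminator; an embedded NUL means the announced length is not
   trustworthy, so the copy is refused rather than silently truncated. */
bool copy_client_name(char *dst, size_t dst_size, const uint8_t *src, size_t src_len)
{
    if (src_len >= dst_size) return false;
    if (memchr(src, '\0', src_len) != NULL) return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

int main(void)
{
    size_t len = 0;
    uint8_t *fb = alloc_framebuffer(1024, 768, 32, &len);
    printf("1024x768x32: %s (%zu bytes)\n", fb ? "allocated" : "refused", len);
    free(fb);
    printf("65535x65535x32: naive %u bytes, checked %zu bytes (0 = refused)\n",
           naive_framebuffer_bytes(65535, 65535, 32), framebuffer_bytes(65535, 65535, 32));
    char name[NAME_BUF_SIZE];
    uint8_t longname[NAME_BUF_SIZE + 8];
    memset(longname, 'A', sizeof longname);   /* constructed oversize name */
    printf("oversize name: %s\n",
           copy_client_name(name, sizeof name, longname, sizeof longname) ? "copied" : "refused");
    return 0;
}
```

For the advertised 65535x65535 screen at 32 bits per pixel the naive computation yields 4294443012 rather than the 17179344900 bytes actually needed, so a later FramebufferUpdate would write far past the allocation; the checked version refuses the size outright.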
[arch-security] [Arch Linux Security Advisory ASA-201410-9] libpurple: remote dos and information leakage
by Remi Gacogne 23 Oct '14

Arch Linux Security Advisory ASA-201410-9
=========================================

Severity: High
Date    : 2014-10-22
CVE-ID  : CVE-2014-3695, CVE-2014-3696, CVE-2014-3698
Package : libpurple
Type    : Remote denial of service, Information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package libpurple before version 2.10.10-1 is vulnerable to a remote denial of service and remote information leakage.

Resolution
==========

Upgrade to 2.10.10-1.

# pacman -Syu "libpurple>=2.10.10-1"

The problem has been fixed upstream in version 2.10.10.

Workaround
==========

None.

Description
===========

A malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory.

A malicious server or man-in-the-middle could trigger a crash in libpurple by sending an emoticon via MXit with an overly large length value.

A malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in a Novell Groupwise message.

Impact
======

A remote attacker could access arbitrary memory from any application using libpurple via a specially crafted XMPP message. A remote attacker in position of man-in-the-middle, or a malicious server, could remotely crash any application using libpurple via a MXit or Novell Groupwise message.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3695
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3696
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3698
https://pidgin.im/news/security/?id=87
https://pidgin.im/news/security/?id=88
https://pidgin.im/news/security/?id=90
[arch-security] [Arch Linux Security Advisory ASA-201410-8] wpa_supplicant, hostapd: Arbitrary command execution
by Levente Polyak 20 Oct '14

Arch Linux Security Advisory ASA-201410-8
=========================================

Severity: Critical
Date    : 2014-10-20
CVE-ID  : CVE-2014-3686
Package : wpa_supplicant, hostapd
Type    : Arbitrary command execution
Remote  : yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package wpa_supplicant and hostapd before version 2.3-1 are vulnerable to arbitrary command execution.

Resolution
==========

Upgrade to 2.3-1.

# pacman -Syu "wpa_supplicant>=2.3-1" "hostapd>=2.3-1"

The problem has been fixed upstream in version 2.3.

Workaround
==========

Disable use of wpa_cli/hostapd_cli command to run action scripts (this may break functionality).

Description
===========

Jouni Malinen discovered an input sanitization issue in the wpa_cli and hostapd_cli tools included in the wpa_supplicant and hostapd packages. A remote wifi system within range could provide a crafted frame triggering arbitrary command execution under the privileges of the wpa_cli/hostapd_cli process.

Impact
======

A remote attacker is able to perform arbitrary command execution with the privileges of the affected process.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3686
https://bugs.archlinux.org/task/42401
http://www.openwall.com/lists/oss-security/2014/10/09/28
http://w1.fi/security/2014-1/
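The advisory above concerns event data received over the air reaching an action script without sanitization. The C program below is an added example, not wpa_supplicant or hostapd code: it hands the interface name, event name and any peer-controlled strings to the script as separate argv entries via fork() and execv(), so no shell ever parses them, and it rejects control characters that could still corrupt a script's logging. The validator's rules and all sample values are constructed.

```c
/* Added example, not wpa_supplicant or hostapd code: how an action script can
   be handed event data (interface, event name, peer-controlled strings such as
   an SSID) as separate argv entries, so nothing is ever interpreted by a shell.
   The validator's rules and all sample values are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* With execv, shell metacharacters in an argument are inert, so they are not
   the concern here. Control characters still matter: a newline or an escape
   sequence could corrupt a script's log output or its own line-based parsing. */
bool event_arg_is_clean(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p != '\0'; p++)
        if (*p < 0x20 || *p == 0x7f) return false;
    return true;
}

/* Fill argv[] as script, interface, event, extra..., NULL. Returns the number
   of entries before the NULL, or -1 if an argument is rejected or cap is too small. */
int build_action_argv(char *argv[], int cap, const char *script, const char *iface,
                      const char *event, const char *const *extra, int n_extra)
{
    if (n_extra < 0 || cap < 3 + n_extra + 1) return -1;
    int n = 0;
    argv[n++] = (char *)script;
    argv[n++] = (char *)iface;
    argv[n++] = (char *)event;
    for (int i = 0; i < n_extra; i++) {
        if (!event_arg_is_clean(extra[i])) return -1;
        argv[n++] = (char *)extra[i];
    }
    argv[n] = NULL;
    return n;
}

/* fork/execv: the script receives every argv entry verbatim. Returns the
   script's exit status, or -1 if it could not be started or did not exit. */
int run_action_script(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                 /* exec failed; report to the parent */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed event: an SSID containing characters that would be
       significant on a concatenated command line arrives as one argument
       and is printed back unchanged by /bin/echo. */
    const char *extra[] = { "Coffee;Shop & Bar" };
    char *argv[8];
    if (build_action_argv(argv, 8, "/bin/echo", "wlan0", "CONNECTED", extra, 1) < 0)
        return 1;
    int rc = run_action_script(argv);
    printf("action script exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The design point is that validation is a second line of defence only: the primary fix is that nothing in the argument list is ever concatenated into a string a shell will interpret.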
[arch-security] [Arch Linux Security Advisory ASA-201410-7] drupal: pre-auth sql injection
by Remi Gacogne 16 Oct '14

Arch Linux Security Advisory ASA-201410-7
=========================================

Severity: Critical
Date    : 2014-10-16
CVE-ID  : CVE-2014-3704
Package : drupal
Type    : SQL injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package drupal before version 7.32-1 is vulnerable to a remote, non-authenticated, SQL injection.

Resolution
==========

Upgrade to 7.32-1.

# pacman -Syu "drupal>=7.32-1"

The problem has been fixed upstream in version 7.32.

Workaround
==========

None.

Description
===========

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

This vulnerability has been marketed as drupageddon by the discoverer, Sektion Eins.

Impact
======

A remote, non-authenticated, attacker can alter or drop the drupal database with a single HTTP request. This can be escalated to code execution.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://bugs.archlinux.org/task/42388
https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerabil…
[arch-security] [Arch Linux Security Advisory ASA-201410-6] openssl: denial of service / man-in-the-middle / poodle mitigation
by Remi Gacogne 16 Oct '14

Arch Linux Security Advisory ASA-201410-6
=========================================

Severity: High
Date    : 2014-10-16
CVE-ID  : CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568
Package : openssl
Type    : Denial of service, Man-in-the-middle
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package openssl before version 1.0.1.j-1 is vulnerable to a remote denial of service via two different memory leaks. In addition to that, it fails to properly disable the SSLv3 protocol when building with the no-ssl3 option, thus leaving openssl vulnerable to the POODLE attack on SSLv3. This new version adds support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade, as exploited on the POODLE attack.

Resolution
==========

Upgrade to 1.0.1.j-1.

# pacman -Syu "openssl>=1.0.1.j-1"

The problem has been fixed upstream in version 1.0.1j.

Workaround
==========

The SRTP memory leak described in CVE-2014-3513 can be mitigated by building openssl with the OPENSSL_NO_SRTP option enabled.

The POODLE attack can be avoided by disabling the use of SSLv3, or at least the downgrade of failed TLS connections to SSLv3.

There is no workaround for the other leak or the no-ssl3 compile-time option.

Description
===========

SRTP Memory Leak (CVE-2014-3513)
--------------------------------

A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected.

Session Ticket Memory Leak (CVE-2014-3567)
------------------------------------------

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.

Build option no-ssl3 is incomplete (CVE-2014-3568)
--------------------------------------------------

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.

SSL 3.0 Fallback protection
---------------------------

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.

Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).

Impact
======

The two memory leaks allow a remote, non-authenticated attacker to cause a denial of service.

The no-ssl3 option error may prevent administrators from effectively disabling SSLv3.

The POODLE attack may allow an active attacker to decipher the content of an SSL connection, such as the content of a session cookie.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3513
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3567
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3568
https://www.openssl.org/news/secadv_20141015.txt
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.imperialviolet.org/2014/10/14/poodle.html
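The "SSL 3.0 Fallback protection" section above describes the mechanism in words: clients retry with lower versions to work around broken servers, and TLS_FALLBACK_SCSV lets a server tell a forced retry apart from a genuine one. The C program below is an added example, not OpenSSL code: it models both sides of that exchange, a client retry loop that marks every retry, a server that honours the signal, a legacy server that does not, and a simulated active attacker who makes higher-version attempts look like connection failures. The version constants follow the TLS wire encoding; everything else is a constructed simulation.

```c
/* Added example, not OpenSSL code: a model of the TLS_FALLBACK_SCSV rule the
   advisory describes. A client retries downward on failure and marks each
   retry; a server that honours the signal refuses a marked hello that offers
   less than it supports. Version constants follow the wire encoding; the
   attacker and server behaviours are simulated functions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { SSL3 = 0x0300, TLS10 = 0x0301, TLS11 = 0x0302, TLS12 = 0x0303 };

struct client_hello {
    int  max_version;     /* highest version offered by this attempt */
    bool fallback_scsv;   /* TLS_FALLBACK_SCSV present: this is a downgrade retry */
};

enum server_result { SRV_ACCEPT, SRV_ALERT_INAPPROPRIATE_FALLBACK, SRV_ALERT_PROTOCOL_VERSION };

/* Server with SCSV support: a marked hello below our maximum can only mean
   something between us forced the downgrade, so the handshake is aborted. */
enum server_result server_handle(int server_max, int server_min, const struct client_hello *ch)
{
    if (ch->fallback_scsv && ch->max_version < server_max)
        return SRV_ALERT_INAPPROPRIATE_FALLBACK;
    if (ch->max_version < server_min) return SRV_ALERT_PROTOCOL_VERSION;
    return SRV_ACCEPT;
}

/* Server without SCSV support: the signal is just an unknown cipher suite. */
enum server_result legacy_server_handle(int server_max, int server_min, const struct client_hello *ch)
{
    (void)server_max;
    if (ch->max_version < server_min) return SRV_ALERT_PROTOCOL_VERSION;
    return SRV_ACCEPT;
}

/* Client retry loop. dropped_by_mitm simulates an active attacker (NULL for
   none) who makes attempts above a chosen version look like connection errors.
   Returns the negotiated version, or -1 when no handshake completes. */
int negotiate(int client_max, int client_min, int server_max, int server_min,
              bool server_honours_scsv, bool (*dropped_by_mitm)(int version))
{
    bool retry = false;
    for (int v = client_max; v >= client_min; v--) {
        struct client_hello ch = { .max_version = v, .fallback_scsv = retry };
        retry = true;                          /* any further attempt is a fallback */
        if (dropped_by_mitm != NULL && dropped_by_mitm(v)) continue;
        enum server_result r = server_honours_scsv
            ? server_handle(server_max, server_min, &ch)
            : legacy_server_handle(server_max, server_min, &ch);
        if (r == SRV_ACCEPT) return v < server_max ? v : server_max;
        return -1;                             /* an alert ends it; no further downgrade */
    }
    return -1;
}

/* Simulated attacker who only lets SSL 3.0 hellos through. */
bool drop_above_ssl3(int version) { return version > SSL3; }
/* Simulated interoperability bug: anything above TLS 1.0 never gets an answer. */
bool drop_above_tls10(int version) { return version > TLS10; }

int main(void)
{
    printf("honest server, no attacker:          %#06x\n", negotiate(TLS12, SSL3, TLS12, SSL3, true, NULL));
    printf("forced downgrade, SCSV-aware server: %d (aborted)\n", negotiate(TLS12, SSL3, TLS12, SSL3, true, drop_above_ssl3));
    printf("forced downgrade, legacy server:     %#06x\n", negotiate(TLS12, SSL3, TLS12, SSL3, false, drop_above_ssl3));
    printf("genuinely old server, SCSV-aware:    %#06x\n", negotiate(TLS12, SSL3, TLS10, SSL3, true, drop_above_tls10));
    return 0;
}
```

The model makes the advisory's point concrete: the signal costs nothing when the server really is old (the TLS 1.0 retry is accepted because TLS 1.0 is all that server supports), while against a server that supports TLS 1.2 a marked SSL 3.0 hello is refused, so the forced downgrade ends in an alert rather than an SSL 3.0 session.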
[arch-security] [Arch Linux Security Advisory ASA-201410-4] zeromq: Man-in-the-middle downgrade and replay attack
by Levente Polyak 15 Oct '14

Arch Linux Security Advisory ASA-201410-4
=========================================

Severity: Medium
Date    : 2014-10-15
CVE-ID  : CVE-2014-7202, CVE-2014-7203
Package : zeromq
Type    : Man-in-the-middle downgrade and replay attack
Remote  : yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package zeromq before version 4.0.5-1 is vulnerable to man-in-the-middle downgrade and replay attacks.

Resolution
==========

Upgrade to 4.0.5-1.

# pacman -Syu "zeromq>=4.0.5-1"

The problem has been fixed upstream in version 4.0.5.

Workaround
==========

None.

Description
===========

- CVE-2014-7202 (downgrade attack)
  A bug in stream_engine.cpp allows man-in-the-middle attackers to conduct downgrade attacks via a crafted connection request.

- CVE-2014-7203 (replay attack)
  libzmq did not ensure that nonces are unique, which allows man-in-the-middle attackers to conduct replay attacks via unspecified vectors.

Impact
======

A remote attacker is able to perform unauthorized modifications by using a downgrade attack to target vulnerable protocol versions or by performing a replay attack of a recorded communication.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7203
https://github.com/zeromq/libzmq/issues/1190
https://github.com/zeromq/libzmq/issues/1191
https://bugs.archlinux.org/task/42381
http://seclists.org/oss-sec/2014/q3/776