[Slackware Security]: Some pending vulnerabilities...
In preparation for the upcoming release going beta, I thought I'd share/re-cap a few outstanding vulnerabilities of varying severity in Slackware-current:
xlockmore: CVE-2013-4143; fixed in xlockmore 5.43 (see: thread)
subversion: CVE-2013-4131; fixed in subversion 1.7.11
libtiff:
CVE-2012-2088, CVE-2012-2113; fixed in libtiff 3.9.7
CVE-2012-4447, CVE-2012-4564, CVE-2013-1960, CVE-2013-1961; fixed in my CVS20130502 patch against 3.9.7 based on upstream commits.
CVE-2013-4231; fixed in my backport patch1 against tiff 3.9.7.
CVE-2013-4232; fixed in my backport patch2 against tiff 3.9.7.
CVE-2013-4244; fixed in my backport patch3 against tiff 3.9.7.
poppler: CVE-2012-2142; fixed in commit 71bad47ed6.
xpdf: CVE-2012-2142; fixed in my adapted patch from the Poppler project against xpdf 3.03.
If glibc isn't going to be bumped again before release, this one might need looking at.
The release notes for glibc 2.18 contained this (in addition to two others already patched in slackware-current's glibc 2.17):
Quote:
* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
has been fixed by disabling the use of pt_chown (Bugzilla #15755).
Distributions can re-enable building and using pt_chown via the new configure
option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
considerable security risks and should only be used if the distribution
understands and accepts the risks.
IMO, CVE-2013-2207 isn't much of a problem, since it requires the system to be configured in a non-default and documented as insecure fashion. One of the requirements for exploiting this is creating a fuse.conf containing "user_allow_other". Let's have a look at what the documentation says on that option, and the related "allow_other" option:
Quote:
user_allow_other
Allow non-root users to specify the 'allow_other' or 'allow_root'
mount options.
allow_other
This option overrides the security measure restricting file access
to the user mounting the filesystem. So all users (including root)
can access the files. This option is by default only allowed to
root, but this restriction can be removed with a configuration
option described in the previous section.
I can't imagine anyone who is concerned with security enabling that. This can't be the only possible problem with it.
I looked into backporting the patch, but parts of it fail, and given the insecure system requirement I'm not convinced that it really matters much. I've given a bit of consideration to bumping glibc in -current, but who knows what new bugs might be lurking there (it took some work to iron out all the difficulties with 2.17).
Fair enough, Pat. If the patch went on cleanly it might have been worth doing anyway (if only to get rid of an unnecessary suid root executable), but since it doesn't apply cleanly I agree with you that it's not worth the trouble.
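An added example, not part of any post in this thread: a shell check for the two conditions discussed above for CVE-2013-2207, an active user_allow_other line in fuse.conf and a setuid pt_chown helper. The function names are hypothetical, and the default helper path /usr/libexec/pt_chown is an assumption to adjust for your glibc build.

```shell
#!/bin/sh
# Audit a host for the CVE-2013-2207 preconditions discussed in the thread.
# Assumed defaults: /etc/fuse.conf and /usr/libexec/pt_chown (adjust as needed).

# Succeeds if the given fuse.conf has an active user_allow_other line.
# Text after '#' and surrounding whitespace are ignored, so a commented-out
# option does not count.
fuse_user_allow_other() {
    conf=$1
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" |
        grep -qx 'user_allow_other'
}

# Succeeds if the given path is a regular file with the setuid bit set.
pt_chown_is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Reports each condition found. Return status is the number of conditions
# present: 0 = neither, 1 = one of them, 2 = both.
audit_pt_chown_exposure() {
    conf=${1:-/etc/fuse.conf}
    helper=${2:-/usr/libexec/pt_chown}
    findings=0
    if pt_chown_is_setuid "$helper"; then
        echo "setuid helper present: $helper"
        findings=$((findings + 1))
    fi
    if fuse_user_allow_other "$conf"; then
        echo "user_allow_other enabled in $conf"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Source the file and run `audit_pt_chown_exposure` with no arguments to check the default paths; a status of 2 means both conditions are present on the host.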
The poppler update wouldn't install for me today. Missing the .asc file. So, I just installed it manually.
I don't know if this is just a problem on my mirror, or a problem elsewhere but thought I would say.
The poppler .asc (and also .txt) file seems to be missing on the main Slackware server only for Slackware64-14.0. I don't think it is a mirror problem.
Ok thanks. I realised I didn't mention I was on 64-14.0, but this all makes sense anyway.