LinuxQuestions.org
Old 08-20-2013, 09:56 PM   #1
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
[Slackware Security]: Some pending vulnerabilities...


In preparation for the upcoming release going beta, I thought I'd share/re-cap a few outstanding vulnerabilities of varying severity in Slackware-current:
  1. xlockmore: CVE-2013-4143; fixed in xlockmore 5.43 (see: thread)

  2. subversion: CVE-2013-4131; fixed in subversion 1.7.11

  3. libtiff:
    • CVE-2012-2088, CVE-2012-2113; fixed in libtiff 3.9.7
    • CVE-2012-4447, CVE-2012-4564, CVE-2013-1960, CVE-2013-1961; fixed in my CVS20130502 patch against 3.9.7 based on upstream commits.
    • CVE-2013-4231; fixed in my backport patch1 against tiff 3.9.7.
    • CVE-2013-4232; fixed in my backport patch2 against tiff 3.9.7.
    • CVE-2013-4244; fixed in my backport patch3 against tiff 3.9.7.

  4. poppler: CVE-2012-2142; fixed in commit 71bad47ed6.

  5. xpdf: CVE-2012-2142; fixed in my adapted patch from the Poppler project against xpdf 3.03.

  6. gnutls: Multiple CVEs; solutions outlined here.

--mancha
 
Old 08-21-2013, 04:39 AM   #2
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,873

If glibc isn't going to be bumped again before release, this one might need looking at.

The release notes for glibc 2.18 contained this (in addition to two others already patched in slackware-current's glibc 2.17):
Quote:
* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
has been fixed by disabling the use of pt_chown (Bugzilla #15755).
Distributions can re-enable building and using pt_chown via the new configure
option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
considerable security risks and should only be used if the distribution
understands and accepts the risks.
 
Old 08-21-2013, 03:28 PM   #3
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 2,454

Quote:
Originally Posted by GazL View Post
If glibc isn't going to be bumped again before release, this one might need looking at.

The release notes for glibc 2.18 contained this (in addition to two others already patched in slackware-current's glibc 2.17):
IMO, CVE-2013-2207 isn't much of a problem, since it requires the system to be configured in a non-default and documented as insecure fashion. One of the requirements for exploiting this is creating a fuse.conf containing "user_allow_other". Let's have a look at what the documentation says on that option, and the related "allow_other" option:

Quote:
user_allow_other

Allow non-root users to specify the 'allow_other' or 'allow_root'
mount options.

allow_other

This option overrides the security measure restricting file access
to the user mounting the filesystem. So all users (including root)
can access the files. This option is by default only allowed to
root, but this restriction can be removed with a configuration
option described in the previous section.
I can't imagine anyone who is concerned with security enabling that. This can't be the only possible problem with it.

I looked into backporting the patch, but parts of it fail, and given the insecure system requirement I'm not convinced that it really matters much. I've given a bit of consideration to bumping glibc in -current, but who knows what new bugs might be lurking there (it took some work to iron out all the difficulties with 2.17).
 
3 members found this post helpful.
Old 08-21-2013, 03:50 PM   #4
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,873

Fair enough Pat. If the patch went on cleanly it might have been worth doing anyway (if only to get rid of an unnecessary suid root executable), but since it doesn't apply cleanly I agree with you that it's not worth the trouble.
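
Added example, not part of any post in this thread and not code from glibc or Slackware: a shell check for the two conditions discussed above for CVE-2013-2207, namely a setuid-root pt_chown helper and an active "user_allow_other" line in fuse.conf. The default paths /etc/fuse.conf and /usr/libexec/pt_chown and the FUSE_CONF/PT_CHOWN variables are assumptions; pass the locations used on your own system.

```shell
#!/bin/sh
# Added example: audit a host for the CVE-2013-2207 preconditions named in the thread.

# Return 0 if the given fuse.conf has an active (uncommented) user_allow_other line.
# A trailing "# comment" on the same line is tolerated.
fuse_user_allow_other() {
    conf=$1
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*(#.*)?$' "$conf"
}

# Return 0 if the file exists, has the setuid bit set and is owned by uid 0.
is_setuid_root() {
    f=$1
    [ -f "$f" ] && [ -u "$f" ] || return 1
    [ "$(ls -ln "$f" | awk '{print $3}')" = "0" ]
}

# Print a one-line verdict for a fuse.conf path and a pt_chown path.
pt_chown_exposure() {
    conf=$1
    helper=$2
    if ! is_setuid_root "$helper"; then
        echo "not-exposed: no setuid-root pt_chown at $helper"
    elif fuse_user_allow_other "$conf"; then
        echo "exposed: setuid-root pt_chown present and user_allow_other enabled in $conf"
    else
        echo "helper-present: setuid-root pt_chown installed, user_allow_other not enabled"
    fi
}

# Assumed default locations; override through the environment.
pt_chown_exposure "${FUSE_CONF:-/etc/fuse.conf}" "${PT_CHOWN:-/usr/libexec/pt_chown}"
```

A "helper-present" result matches the situation described in post #3: the setuid binary is installed, but the non-default FUSE setting is not enabled.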
 
Old 08-22-2013, 01:25 AM   #5
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Quote:
I looked into backporting the patch, but parts of it fail
If you decide to apply the CVE-2013-2207 fix to Slackware's glibc, I've backported it to glibc 2.17 and placed it here.

You can still get pre-patch behavior by using the "--enable-pt_chown" configure flag.

--mancha
 
1 members found this post helpful.
Old 08-22-2013, 04:34 AM   #6
yilez
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 127

Rep: Reputation: Disabled
The poppler update wouldn't install for me today. Missing the .asc file. So, I just installed it manually.

I don't know if this is just a problem on my mirror, or a problem elsewhere but thought I would say.
 
Old 08-22-2013, 07:18 AM   #7
turtleli
Member
 
Registered: Aug 2012
Location: UK
Posts: 206

Rep: Reputation: Disabled
Quote:
Originally Posted by yilez View Post
The poppler update wouldn't install for me today. Missing the .asc file. So, I just installed it manually.

I don't know if this is just a problem on my mirror, or a problem elsewhere but thought I would say.
The poppler .asc (and also .txt) file seems to be missing on the main Slackware server only for Slackware64-14.0. I don't think it is a mirror problem.
 
1 members found this post helpful.
Old 08-22-2013, 09:08 AM   #8
yilez
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 127

Rep: Reputation: Disabled
Quote:
Originally Posted by turtleli View Post
The poppler .asc (and also .txt) file seems to be missing on the main Slackware server only for Slackware64-14.0. I don't think it is a mirror problem.
Ok thanks. I realised I didn't mention I was on 64-14.0, but this all makes sense anyway.
 
  

