LinuxQuestions.org
Old 03-05-2014, 12:45 AM   #91
comet.berkeley
Member
 
Registered: Dec 2009
Location: California
Distribution: Slackware current
Posts: 149

Rep: Reputation: Disabled

Quote:
Originally Posted by mancha View Post
Update 20140304
  1. GnuTLS

    A security audit of GnuTLS, carried out by one of its primary developers, has identified serious flaws in its certificate validation
    code (CVE-2014-0092). The vulnerabilities can be exploited via specially-crafted certificates to effectively circumvent certificate
    validation checks.

    Solution: Slackware deployed security fixes for Slackware 13.0 through current the day the issue became public (20140303).
    I encourage those who've not yet applied these updates to do so as soon as possible.

    Note: Slackware 12.1 and 12.2 systems can address this issue by rebuilding GnuTLS after applying Slackware 13.0's fix.
--mancha

So what slackware code is actually using GnuTLS?

I did a search of the current slackware64-current/source and found very little.

It looks like two packages use it, as they are built with "gnutls":
  1. l/loudmouth a library for the Jabber instant messenger protocol.
  2. xap/pan a usenet news reader.
Since I don't use Jabber and I don't use pan this appears to be an extremely low impact "security risk".
 
Old 03-05-2014, 01:08 AM   #92
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 181
Blog Entries: 1

Rep: Reputation: 38
Gnome and CUPS (http://en.wikipedia.org/wiki/GnuTLS), some of KDE, Apache and Wine may be using it. The GnuTLS project is very "precarious suspicious". It should drop Gnu from its name.

Last edited by number22; 03-05-2014 at 03:09 AM.
 
Old 03-06-2014, 02:13 PM   #93
comet.berkeley
Member
 
Registered: Dec 2009
Location: California
Distribution: Slackware current
Posts: 149

Rep: Reputation: Disabled
Quote:
Originally Posted by number22 View Post
Gnome and CUPS, http://en.wikipedia.org/wiki/GnuTLS some of KDE, Apache and Wine may be using it...
Most of the Slackware packages seem to use OpenSSL instead of GnuTLS.

Gnome is not included in the standard release of Slackware.

CUPS specifically ignores GnuTLS as the build script contains this parameter:
"--enable-gnutls=no"

I didn't see GnuTLS in the Slackware KDE or Apache packages.

Wine, like Gnome is not included in the standard release.
 
Old 03-06-2014, 04:31 PM   #94
guanx
Senior Member
 
Registered: Dec 2008
Posts: 1,014

Rep: Reputation: 146
Quote:
Originally Posted by comet.berkeley View Post
So what slackware code is actually using GnuTLS?
This may find some, but maybe not all, if the library is loaded with dlopen:
Code:
for dir in /bin /sbin /usr; do
    # file(1) picks out ELF objects; ldd then lists the libraries they link against.
    # The path is passed as $1 so filenames with quotes or spaces cannot break the command.
    find "$dir" -type f -exec sh -c 'file "$1" | grep -q ELF && ldd "$1" 2>/dev/null | grep -q libgnutls.so && echo "$1"' sh {} \;
done

Last edited by guanx; 03-07-2014 at 01:01 AM.
 
1 members found this post helpful.
Old 03-06-2014, 05:53 PM   #95
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 181
Blog Entries: 1

Rep: Reputation: 38
guanx, thanks, you beat me to it. Yeah, a simple bash script can easily tell:
Another example:
Code:
# Iterate over the files in /usr/bin (not the directory itself) and record
# every binary whose ldd output mentions libgnutls.
for file in /usr/bin/*; do
    ldd "$file" 2>/dev/null | grep libgnutls >/dev/null && echo "$file" >> "$HOME/result.out"
done
Apparently samba uses libgnutls too; I didn't know that before.

Last edited by number22; 03-06-2014 at 05:55 PM.
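A combined version of the two checks above, written here as an added example (it is not guanx's or number22's code): it skips non-ELF files by their magic bytes instead of calling file(1), reads the DT_NEEDED entries with objdump (falling back to ldd), and maps each hit back to its owning package through Slackware's /var/log/packages file lists. PKGDB is an assumed override of that database location, added so the functions can be exercised against a constructed directory; like ldd, the script cannot see a library pulled in at run time with dlopen(3).

```shell
#!/bin/sh
# Added example, not from the thread: list ELF files that link a given shared
# library and name the Slackware package that owns each one.
# Assumption: a Slackware-style package database under $PKGDB (default
# /var/log/packages), each log ending in a "FILE LIST:" of relative paths.
PKGDB="${PKGDB:-/var/log/packages}"

# is_elf FILE: true when the first four bytes are the ELF magic 7f 45 4c 46
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# needed_libs FILE: print the library names FILE asks the loader for.
# objdump shows only direct DT_NEEDED entries; ldd also lists transitive ones.
# Neither can see a library opened at run time with dlopen(3).
needed_libs() {
    if command -v objdump >/dev/null 2>&1; then
        objdump -p "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
    else
        ldd "$1" 2>/dev/null | awk '{ print $1 }'
    fi
}

# links_lib FILE LIBPREFIX: true when FILE is ELF and needs a library whose
# name starts with LIBPREFIX (so libgnutls.so also matches libgnutls.so.26)
links_lib() {
    is_elf "$1" || return 1
    needed_libs "$1" | grep -q "^$2"
}

# owner_package PATH: print the package(s) whose file list contains PATH.
# Slackware logs store paths without the leading slash, e.g. usr/bin/pan.
owner_package() {
    grep -lxF "${1#/}" "$PKGDB"/* 2>/dev/null | sed 's#.*/##'
}

# scan LIBPREFIX: walk the usual binary and library directories and print
# "<file><TAB><package>" for every ELF object that links LIBPREFIX.
scan() {
    for dir in /bin /sbin /usr/bin /usr/sbin /usr/lib /usr/lib64 /usr/libexec; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -100 -o -name '*.so*' \)
    done 2>/dev/null | while IFS= read -r f; do
        links_lib "$f" "$1" && printf '%s\t%s\n' "$f" "$(owner_package "$f" | tr '\n' ' ')"
    done
}

# Usage: sh findlib.sh --scan [libprefix]   (default libgnutls.so)
if [ "${1:-}" = "--scan" ]; then scan "${2:-libgnutls.so}"; fi
```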
 
Old 03-14-2014, 02:06 AM   #96
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 20140314

  1. libssh

    A problem with how libssh handles prng states for forked sshd's (CVE-2014-0017) has been fixed upstream.

    Solution: Rebuild libssh 0.5.4 (or 0.5.5) after applying upstream fix.

  2. file

    Two security issues were identified with libmagic (file package):

    CVE-2014-1943 (infinite recursion flaw)
    CVE-2014-2270 (improper bounds checking)

    Solution: Rebuild file 5.14 after applying my backport fixes:

    file-5.14_CVE-2014-1943.diff
    file-5.14_CVE-2014-2270.diff
    Note: should be applied in above order.

    PoC for CVE-2014-1943:
    Code:
    $ echo -n "4552000000" | xxd -r -p | file -
  3. php

    The above libmagic security issues affect Slackware's PHP package because PHP bundles libmagic for its fileinfo extension.

    Solution: Rebuild PHP 5.4.24 (or PHP 5.4.25) after applying my backport fixes:

    php-5.4.24_CVE-2014-1943.diff
    php-5.4.24_CVE-2014-2270.diff
    Note: should be applied in above order.

    PoC for CVE-2014-1943:
    Code:
    <?php
    /* CVE-2014-1943 */
    $finfo = new finfo(FILEINFO_MIME);
    $hex = hex2bin("4552000000");
    return $finfo->buffer($hex);
    ?>
  4. FreeType

    Two security issues have been identified in FreeType's CFF driver:

    CVE-2014-2240 (out-of-bounds stack read/write)
    CVE-2014-2241 (denial of service via triggerable assertion)

    Solution: Upgrade to FreeType 2.5.3.

  5. udisks & udisks2

    A flaw in the way udisks/udisks2 processes path names (CVE-2014-0004) can be exploited by malicious local users, via
    specially-crafted directory structures, to execute arbitrary code as the udisks daemon (i.e. root).

    Solution: Apply Slackware's security update from 20140311.

  6. mutt

    A buffer overflow vulnerability (CVE-2014-0467) was discovered in mutt's parsing of RFC2049 headers. A remote attacker
    can exploit this via an email with specially-crafted headers to cause a DoS and potentially execute arbitrary code.

    Solution: Apply Slackware's security update from 20140312.

  7. samba

    An internal samba audit has identified two security issues:

    CVE-2013-4496 (flaw allows bypass of password lock-out and unlimited password attempts via the samr interface).
    CVE-2013-6442 (flaw in smbacls potentially clears an object's existing ACLs leaving it unprotected).

    Solution: Apply Slackware's security update from 20140313.
--mancha

Last edited by mancha; 03-14-2014 at 03:18 AM. Reason: Add samba alert
 
7 members found this post helpful.
Old 03-14-2014, 09:59 AM   #97
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,146
Blog Entries: 3

Rep: Reputation: 1406
Member Response

Hi,

I want to commend 'Mancha' along with other Slackers for contributing helpful information to the Slackware community here at LQ.

I'm sure PV & team appreciates the endeavors of all for providing additional security assistance.

Read the entire thread and found a lot of useful information.

Thanks to all!

Last edited by onebuck; 03-14-2014 at 10:06 AM. Reason: changes to format
 
3 members found this post helpful.
Old 03-14-2014, 11:58 AM   #98
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,408

Rep: Reputation: 835
My Slackware deployments do not require a tin foil hat the size of a sombrero, but I also am very grateful to mancha for the investigation and fixes to security issues. It shows an ability beyond my ken.
On the file issue, it just goes to show the degree of difficulty that our BDFL faces in balancing usability with security. An upstream change made the basic nano utility segfault without a change to file to use a compiled magic file. http://www.linuxquestions.org/questi...le-4175455374/ Now a security issue has been uncovered.
 
1 members found this post helpful.
Old 03-14-2014, 12:16 PM   #99
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,102

Rep: Reputation: Disabled
Yeah, stability and security have to be juggled carefully as they can affect one another. I'm only concerned about critical exploits, like privilege escalation / remotely rooting the system, etc. Lesser exploits are more of a concern on multi-user systems or for sysadmins, not me.
 
Old 03-14-2014, 04:24 PM   #100
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by onebuck View Post
I want to commend 'Mancha' along with other Slackers for contributing helpful information to the Slackware community here at LQ.
Thanks for your post and thanks to other slackers who have encouraged me in this thread and privately. It makes the effort worthwhile
knowing folks are appreciative and finding the information valuable.

To slackers contributing alerts or solutions here, keep up the good work.

--mancha

Last edited by mancha; 03-14-2014 at 07:01 PM.
 
6 members found this post helpful.
Old 03-14-2014, 11:30 PM   #101
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,550

Rep: Reputation: 422
Quote:
Originally Posted by mancha View Post
Update 20140314

  1. php

    The above libmagic security issues affect Slackware's PHP package because PHP bundles libmagic for its fileinfo extension.

    Solution: Rebuild PHP 5.4.24 (or PHP 5.4.25) after applying my backport fixes:

    php-5.4.24_CVE-2014-1943.diff
    php-5.4.24_CVE-2014-2270.diff
    Note: should be applied in above order.
--mancha
This has been fixed in 5.4.26 which has just been released
http://www.php.net/ChangeLog-5.php#5.4.26
 
Old 03-15-2014, 12:09 AM   #102
moisespedro
Member
 
Registered: Nov 2013
Distribution: Slackware
Posts: 771

Rep: Reputation: 80
This thread is great, I think OP is doing a job for a team by himself
 
1 members found this post helpful.
Old 03-16-2014, 04:53 AM   #103
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 141

Rep: Reputation: 47
FreeType

Two security issues have been identified in FreeType's CFF driver:

CVE-2014-2240 (out-of-bounds stack read/write)
CVE-2014-2241 (denial of service via triggerable assertion)

Solution: Upgrade to FreeType 2.5.3.

In order to compile FreeType 2.5.3 Harfbuzz needs to be updated as well.

Mats
 
1 members found this post helpful.
Old 03-16-2014, 10:02 AM   #104
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 20140316

Quote:
Originally Posted by mats_b_tegner View Post
In order to compile FreeType 2.5.3 Harfbuzz needs to be updated as well.
  1. FreeType

    Mats, thanks for bringing this up. Actually, HarfBuzz is a new and optional dependency of FreeType as of 2.5.3.
    FreeType 2.5.3 will build on stock Slackware 14.1 but automatically disables HarfBuzz support when it doesn't
    detect a new enough version.

    However, building FreeType 2.5.3 requires a modified illadvisederror patch (see note at end), so I've amended my
    recommendation for most slackers:

    Solution: Rebuild Slackware 14.1 FreeType 2.5.0.1 after applying my CVE-2014-2240+CVE-2014-2241 backport fix (sig).
--mancha

Note: For those wishing to upgrade to FreeType 2.5.3:
  • Get my FreeType 2.5.3 illadvisederror patch (gzip it or edit the Slackbuild so it applies uncompressed)
  • Build FreeType 2.5.3 (1st pass with no HarfBuzz support)
  • Upgrade to HarfBuzz 0.9.26 [OPTIONAL STEP]
  • Rebuild FreeType 2.5.3 (2nd pass with HarfBuzz support) [OPTIONAL STEP]

    Keep in mind lots of things depend on HarfBuzz and FreeType so upgrading these two libs is done at your own risk.

Last edited by mancha; 03-16-2014 at 10:27 AM. Reason: Don't use small print for warning at end
 
3 members found this post helpful.
Old 03-19-2014, 03:17 PM   #105
Phorize
Member
 
Registered: Sep 2005
Location: UK
Distribution: Slackware
Posts: 217

Rep: Reputation: 23
https://www.mozilla.org/security/kno...irefoxESR.html

Firefox ESR 24.4.0 fixes some critical vulnerabilities. I'm trying to debug a failed build as I write.
 