LinuxQuestions.org


mancha 08-20-2013 09:56 PM

[Slackware Security]: Some pending vulnerabilities...
 
In preparation for the upcoming release going beta, I thought I'd share/re-cap a few outstanding vulnerabilities of varying severity in Slackware-current:
  1. xlockmore: CVE-2013-4143; fixed in xlockmore 5.43 (see: thread)

  2. subversion: CVE-2013-4131; fixed in subversion 1.7.11

  3. libtiff:
    • CVE-2012-2088, CVE-2012-2113; fixed in libtiff 3.9.7
    • CVE-2012-4447, CVE-2012-4564, CVE-2013-1960, CVE-2013-1961; fixed in my CVS20130502 patch against 3.9.7 based on upstream commits.
    • CVE-2013-4231; fixed in my backport patch1 against tiff 3.9.7.
    • CVE-2013-4232; fixed in my backport patch2 against tiff 3.9.7.
    • CVE-2013-4244; fixed in my backport patch3 against tiff 3.9.7.

  4. poppler: CVE-2012-2142; fixed in commit 71bad47ed6.

  5. xpdf: CVE-2012-2142; fixed in my adapted patch from the Poppler project against xpdf 3.03.

  6. gnutls: Multiple CVEs; solutions outlined here.

--mancha

GazL 08-21-2013 04:39 AM

If glibc isn't going to be bumped again before release, this one might need looking at.

The release notes for glibc 2.18 contained this (in addition to two others already patched in slackware-current's glibc 2.17):
Quote:

* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
has been fixed by disabling the use of pt_chown (Bugzilla #15755).
Distributions can re-enable building and using pt_chown via the new configure
option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
considerable security risks and should only be used if the distribution
understands and accepts the risks.

volkerdi 08-21-2013 03:28 PM

Quote:

Originally Posted by GazL (Post 5012990)
If glibc isn't going to be bumped again before release, this one might need looking at.

The release notes for glibc 2.18 contained this (in addition to two others already patched in slackware-current's glibc 2.17):

IMO, CVE-2013-2207 isn't much of a problem, since it requires the system to be configured in a non-default and documented as insecure fashion. One of the requirements for exploiting this is creating a fuse.conf containing "user_allow_other". Let's have a look at what the documentation says on that option, and the related "allow_other" option:

Quote:

user_allow_other

Allow non-root users to specify the 'allow_other' or 'allow_root'
mount options.

allow_other

This option overrides the security measure restricting file access
to the user mounting the filesystem. So all users (including root)
can access the files. This option is by default only allowed to
root, but this restriction can be removed with a configuration
option described in the previous section.

I can't imagine anyone who is concerned with security enabling that. This can't be the only possible problem with it.

I looked into backporting the patch, but parts of it fail, and given the insecure system requirement I'm not convinced that it really matters much. I've given a bit of consideration to bumping glibc in -current, but who knows what new bugs might be lurking there (it took some work to iron out all the difficulties with 2.17).

GazL 08-21-2013 03:50 PM

Fair enough, Pat. If the patch went on cleanly it might have been worth doing anyway (if only to get rid of an unnecessary suid root executable), but since it doesn't apply cleanly I agree with you that it's not worth the trouble.
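
Added example, not part of any post in this thread: a local audit of the two conditions raised above for CVE-2013-2207, an active "user_allow_other" line in fuse.conf and a setuid pt_chown helper. The function names and the default paths (/etc/fuse.conf, /usr/libexec/pt_chown) are assumptions; the result only reports whether these conditions are present, not whether the system is exploitable.

```shell
#!/bin/sh
# Report whether the two conditions discussed in the thread are present.
# Default paths are assumptions; pass the real ones as arguments.

# Succeeds if the given fuse.conf has an active (uncommented)
# user_allow_other line.
fuse_user_allow_other() {
    conf=$1
    [ -r "$conf" ] || return 1
    # Drop comments first so "#user_allow_other" does not count.
    sed 's/#.*//' "$conf" |
        grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$'
}

# Succeeds if the given helper exists as a regular file with the setuid bit.
pt_chown_is_setuid() {
    helper=$1
    [ -f "$helper" ] && [ -u "$helper" ]
}

# Prints one of: both-present | setuid-helper-only | no-setuid-helper
pt_chown_conditions() {
    conf=${1:-/etc/fuse.conf}
    helper=${2:-/usr/libexec/pt_chown}
    if pt_chown_is_setuid "$helper"; then
        if fuse_user_allow_other "$conf"; then
            echo both-present
        else
            echo setuid-helper-only
        fi
    else
        echo no-setuid-helper
    fi
}

# Audit the local system, or the paths given on the command line.
pt_chown_conditions "$@"
```

"setuid-helper-only" is the case GazL describes: the default FUSE configuration, but a suid root executable still installed.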

mancha 08-22-2013 01:25 AM

Quote:

I looked into backporting the patch, but parts of it fail

If you decide to apply the CVE-2013-2207 fix to Slackware's glibc, I've backported it to glibc 2.17 and placed it here.

You can still get pre-patch behavior by using the "--enable-pt_chown" configure flag.

--mancha

yilez 08-22-2013 04:34 AM

The poppler update wouldn't install for me today. Missing the .asc file. So, I just installed it manually.

I don't know if this is just a problem on my mirror, or a problem elsewhere but thought I would say.

turtleli 08-22-2013 07:18 AM

Quote:

Originally Posted by yilez (Post 5013689)
The poppler update wouldn't install for me today. Missing the .asc file. So, I just installed it manually.

I don't know if this is just a problem on my mirror, or a problem elsewhere but thought I would say.

The poppler .asc (and also .txt) file seems to be missing on the main Slackware server only for Slackware64-14.0. I don't think it is a mirror problem.

yilez 08-22-2013 09:08 AM

Quote:

Originally Posted by turtleli (Post 5013758)
The poppler .asc (and also .txt) file seems to be missing on the main Slackware server only for Slackware64-14.0. I don't think it is a mirror problem.

Ok thanks. I realised I didn't mention I was on 64-14.0, but this all makes sense anyway.


All times are GMT -5.