[Slackware security] vulnerabilities outstanding 20140101
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/

thirdm 10-01-2014 01:55 PM

Quote:

Even after patching, the old bash binary can still be "resurrected" from memory
But can you add to the environment of a running bash and have it reparse its environment variables?
[sorry, reread the article and saw how it runs from /proc. Can I delete this message?]

mancha 10-01-2014 04:02 PM

Update 20141001
  1. bash (ɥsɐq)

    So, the vulnerabilities Michal Zalewski, of Google, discovered and that I hinted at in post #225 have been made public. Here's a brief
    summary for you:

    • CVE-2014-6277

      By traversing a certain code-path, an uninitialized part of memory can end up getting treated as a valid pointer.

      Code:

      $ bash -c "myfunc(){ x(){ _;};x(){ _;}<<foo;}"
      Segmentation fault

      The good news is Slackware's Bash uses Bash's malloc version and scrambles memory contents on calls to malloc and free. This
      makes things much more difficult to exploit on Slackware because the pointer will always resolve to 0xdfdfdfdf. In other words,
      an adversary must find a way to overlap with this particular memory region. On systems where these Bash features are disabled
      (and I understand such exist), the pointer can easily be within an attacker's control. Score one for Bob.

    • CVE-2014-6278

      There's a way to trick the Bash parser with what appears to be nested empty command substitutions. The reason this tricks the
      parser into executing arbitrary code is not clear and seems to only affect versions 4.2 and 4.3 (at least in this form). Pretty much,
      the vulnerability allows injection of code through a crafted "functional definition" of an environment variable (much like
      CVE-2014-6271 which you can read about in Unshocking the shell).

      Code:

      $ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
      evil code here

      The good news is the prefix/suffix hardening affords protection against external attackers because untrusted external input should
      never be able to set arbitrary environment variables. If they can due to buggy CGI scripts, or otherwise, they could exploit it.
      However, if that's true then all bets are off and there's a lot more to worry about than just shellshock and its ugly spawn. Take,
      for example, the ability to set SHELLOPTS and LD_PRELOAD to name just a couple.

    Stay tuned for upstream patches that fix these two issues (already coming down the pike).

--mancha

colweb 10-03-2014 06:21 AM

@mancha,

I did use your script (Bash security upgrades for Slackware 12.0, 12.1, and 12.2 [HOWTO]) to update an old server still running Slack 12.1 and that works perfectly. Many thanks for this script.

After the last update (patch level 22), bash on Slack 12.1 now gives this:

Code:

$ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
bash: myfunc: line 0: syntax error near unexpected token `{'
bash: myfunc: line 0: `myfunc () { _;}>_[$($())] { echo "evil code here";}'
bash: error importing function definition for `myfunc'

In order to use this same script to update my server with Slack 14.1 I changed it and it seems to work as it does create a new bash-4.2.052-x86_64-1.txz in /tmp. And upgradepkg does work as well.
However, somehow something is going wrong. Bash --version shows that the latest patch is applied but...

Code:

$ bash --version
GNU bash, version 4.2.52(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$
$ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
evil code here

It still gives 'evil code here'.

Seems I'm doing something wrong, but I have no idea what?

mancha 10-03-2014 06:47 AM

Quote:

Originally Posted by colweb (Post 5248399)
@mancha,

I did use your script (Bash security upgrades for Slackware 12.0, 12.1, and 12.2 [HOWTO]) to update an old server still running Slack 12.1 and that works perfectly. Many thanks for this script.

Hi colweb. Glad the script worked for both your Slackware 12.x and 14.1 systems.

Quote:

Originally Posted by colweb (Post 5248399)
However, somehow something is going wrong. Bash --version shows that the latest patch is applied but...
Code:

$ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
evil code here

It still gives 'evil code here'.

Seems I'm doing something wrong, but I have no idea what?

You're doing nothing wrong. The fixes for that issue (CVE-2014-6278) are not yet available. But, as I explain in my report on post #242,
the offending line only works on Bash 4.2 and 4.3 (not 3.1). It is unclear if Bash 3.1 is not vulnerable or simply not vulnerable to that
particular syntax construction.

--mancha
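For anyone who wants to repeat colweb's check without typing the constructs by hand, here is an added example (Python 3; it is not code from the thread or from mancha's scripts). It runs `bash -c true` with one crafted variable at a time, exactly as the Code boxes above do, and reports whether the function body ran. The 6278 construct is the one quoted in the report above; the 6271 probe is the original shellshock form referenced there. It also includes a static scan that flags function definitions sitting in the environment outside the `BASH_FUNC_name%%` namespace, which a CGI wrapper or log parser can use to spot the injection pattern regardless of which bash is installed. The marker string and the helper names are constructed for this example.

```python
"""Probe a bash binary for function import from the environment.

Added example (Python 3), not from the thread or from mancha's scripts.
Each probe sets one variable, runs `bash -c true`, and checks whether the
function body (which only echoes MARKER) was executed, i.e. whether the
definition was imported and acted on. MARKER and the helper names are
constructed for this example.
"""
import os
import shutil
import subprocess

MARKER = "env-import-marker-7f3a"  # constructed; any unlikely token works

# (variable name, variable value) per construct. The body only echoes MARKER.
PROBES = {
    # original shellshock shape: plain variable name, trailing command
    "CVE-2014-6271": ("x", "() { :;}; echo " + MARKER),
    # parser-confusion shape quoted in the thread, inside the hardened namespace
    "CVE-2014-6278": ("BASH_FUNC_x%%", "() { _;}>_[$($())] { echo " + MARKER + ";}"),
}


def probe(bash_path, var_name, var_value):
    """Return True if running `bash -c true` with this single extra variable
    printed MARKER, meaning the imported definition executed code."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), var_name: var_value}
    try:
        proc = subprocess.run([bash_path, "-c", "true"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return MARKER in proc.stdout


def check_bash(bash_path=None):
    """Run every probe and summarise: 'vulnerable' if any body executed,
    'hardened' if none did, 'bash-not-found' if there is no bash to test."""
    bash_path = bash_path or shutil.which("bash")
    if not bash_path or not os.access(bash_path, os.X_OK):
        return {"status": "bash-not-found", "probes": {}}
    results = {name: probe(bash_path, var, val) for name, (var, val) in PROBES.items()}
    status = "vulnerable" if any(results.values()) else "hardened"
    return {"status": status, "probes": results}


def suspicious_function_vars(environ):
    """Static check usable by a CGI wrapper or log parser: names of variables
    whose value is a function definition ('() {') but which sit outside the
    BASH_FUNC_<name>%% namespace. A hardened bash ignores them; an unpatched
    one would import them, so their presence is itself worth logging."""
    hits = []
    for name, value in environ.items():
        looks_like_func = value.lstrip().startswith("() {")
        in_hardened_ns = name.startswith("BASH_FUNC_") and name.endswith("%%")
        if looks_like_func and not in_hardened_ns:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    report = check_bash()
    print("status:", report["status"])
    for cve, fired in report["probes"].items():
        print(f"  {cve}: {'body executed' if fired else 'not imported / rejected'}")
```

Run it as `python3 check_bash_env.py` on the box in question; a bash with the affix hardening and the 6278 parser fix reports `hardened` for both probes, while a bash that only has the affix patch (the situation colweb hit above) still reports the 6278 body executing on 4.2 and 4.3.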

kfritz 10-03-2014 07:03 AM

sysklogd

http://seclists.org/oss-sec/2014/q4/79

I saw that post and immediately tried it against the Slackware source, and it seems to patch and build cleanly. Then I realized mancha == mancha. Of course it works!

I expect we'll be seeing a patch from Pat soon?

colweb 10-03-2014 09:23 AM

Quote:

Originally Posted by mancha (Post 5248403)
the offending line only works on Bash 4.2 and 4.3 (not 3.1). It is unclear if Bash 3.1 is not vulnerable or simply not vulnerable to that
particular syntax construction.
--mancha

Ah, I see. Should have read your postings better.

Thanks.

mancha 10-03-2014 12:10 PM

Update 20141003

To follow up on a report by sanjioh in post #237, there was an issue identified in rsyslog and sysklogd where some invalid priority values
are allowed to propagate through the code. Rainer Gerhards, rsyslog project lead, has prepared two very detailed and well-written advisories
on this: CVE-2014-3634 and CVE-2014-3683.

  1. sysklogd

    In the case of sysklogd, this flaw results in out-of-bounds access to an element of the logging daemon's 'filed' structure. So far,
    my analysis reveals the amount of over/under read is insufficient to go beyond the limits of the structure so a daemon crash doesn't
    seem likely. The effect appears limited to improper message handling (or loss) of the message carrying the malformed priority value.
    However, the rsyslog team has been able to crash rsyslog v3 and its codebase is very similar to sysklogd's. So, I recommend being safe
    rather than sorry. (CVE-2014-3634)

    Recommendation: Upgrade to sysklogd 1.5.1

    Note: This is of more concern for those logging remote messages.

  2. rsyslog

    In the case of rsyslog, the impact appears significantly more severe because it's been confirmed the issue can trigger daemon crashes
    or possibly code execution. This is complicated by the fact that rsyslog's fix for CVE-2014-3634 was incomplete and introduced the
    possibility for large negative out-of-bounds access due to integer overflows. This has since been corrected and assigned CVE-2014-3683.

    I don't normally address applications that aren't part of Slackware proper in this thread. But in this particular case, because it was
    brought up in sanjioh's original comment, is offered by SBo, shares the root cause with sysklogd, and I'm particularly familiar with the
    issue, I'm making an exception. (CVE-2014-3634 and CVE-2014-3683)

    Recommendation: If you use rsyslog, upgrade to rsyslog 8.4.2 or rsyslog 7.6.7

    Note: This is of more concern for those logging remote messages.
Quote:

Originally Posted by kfritz (Post 5248409)
http://seclists.org/oss-sec/2014/q4/79

I saw that post and immediately tried it against the Slackware source, and it seems to patch and build cleanly. Then I realized mancha == mancha. Of course it works!

I expect we'll be seeing a patch from Pat soon?

kfritz, we've had a few more back & forths in that thread since my 1st post in case you're interested. Also, yesterday I sent Pat an advance
copy of my patch so there might be an update coming - but I don't know.

--mancha
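To make the sysklogd/rsyslog root cause concrete, here is an added example (Python 3; not code from sysklogd, rsyslog or the thread). The PRI prefix `<N>` is split into facility (`N >> 3`) and severity (`N & 7`) and those two numbers index fixed-size name tables; if `N` is never range-checked, an over-large value indexes past the table and a negative one (the integer-overflow case of CVE-2014-3683) indexes in front of it. The first function shows that flawed pattern, the second the range check a hardened daemon applies. The facility table, the RFC 3164 fallback PRI of 13 and the limit of 191 are standard; the sample lines are constructed.

```python
"""Validate the syslog PRI field before using it as a table index.

Added example (Python 3), not code from sysklogd or rsyslog. The flaw class
behind CVE-2014-3634/CVE-2014-3683 is a PRI value that is never range
checked before it is split into facility and severity and used to index
fixed-size tables. RFC 3164 / RFC 5424 bound PRI to 0..191: facility is
PRI >> 3 (0..23), severity is PRI & 7 (0..7). Sample lines are constructed.
"""
import re

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]  # 24 entries, index 0..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_MAX = 191          # 23 << 3 | 7
DEFAULT_PRI = 13       # RFC 3164 4.3.3: user.notice when PRI is missing/invalid

_STRICT_PRI = re.compile(r"^<(\d{1,3})>")   # 1..3 digits, no sign, no spaces


def decode_pri_unchecked(msg):
    """The flawed pattern: take whatever number follows '<' and index the
    tables with it. In Python an over-large value raises IndexError and a
    negative one silently picks an entry from the end of the table; in the
    C daemons the same arithmetic reads outside the table instead."""
    m = re.match(r"^<(-?\d+)>", msg)
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(msg):
    """Hardened parse. Returns (facility, severity, rest_of_line, pri_ok).
    Only '<' + 1..3 digits + '>' with a value <= 191 is accepted; anything
    else keeps the whole raw line and is filed under the RFC default PRI
    with pri_ok=False so the oddity is visible to whoever reads the log."""
    m = _STRICT_PRI.match(msg)
    if m and int(m.group(1)) <= PRI_MAX:
        pri = int(m.group(1))
        return FACILITIES[pri >> 3], SEVERITIES[pri & 7], msg[m.end():], True
    return (FACILITIES[DEFAULT_PRI >> 3], SEVERITIES[DEFAULT_PRI & 7], msg, False)


# constructed sample input: two valid lines and three malformed PRI fields
SAMPLE_LINES = [
    "<34>Oct  3 12:10:00 host su: 'su root' failed for user1",
    "<191>Oct  3 12:10:01 host app: top of the valid range",
    "<999>Oct  3 12:10:02 host app: facility 124 does not exist",
    "<-5>Oct  3 12:10:03 host app: negative PRI",
    "Oct  3 12:10:04 host app: no PRI at all",
]


def summarise(lines):
    """Count how many lines carried a valid PRI versus a rejected one."""
    parsed = [parse_syslog(line) for line in lines]
    ok = sum(1 for p in parsed if p[3])
    return {"valid": ok, "rejected": len(parsed) - ok, "parsed": parsed}


if __name__ == "__main__":
    for fac, sev, rest, ok in summarise(SAMPLE_LINES)["parsed"]:
        print(f"{'ok ' if ok else 'BAD'} {fac}.{sev}: {rest.strip()}")
```

The check matters most for daemons accepting remote messages (the note in both recommendations above): a local client goes through syslog(3), which builds the PRI itself, whereas anything arriving on UDP 514 is attacker-formatted text.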

RickKnight 10-03-2014 08:33 PM

Thanks again guys, I was able to patch my Slackware 12.0 to the latest patch (022) successfully.

Rick

mancha 10-13-2014 06:00 PM

Update 20141013

  1. Python

    • Directory traversal attack of CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server
      was started. Fixed in Python 2.7.6. (CVE N/A)

    • Unbound readline() resulting in denial of service in ftplib and nntplib. Fixed in Python 2.7.6 (CVE-2013-1752)

    • Unbound readline() resulting in denial of service in imaplib. Fixed in Python 2.7.7 (CVE-2013-1752)

    • Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c allows remote attackers to execute arbitrary code
      via a crafted string. Fixed in Python 2.7.7. (CVE-2014-1912) [see also: 20140212 report]

    • Insufficient bounds checking in the _json module allows an attacker to read arbitrary process memory. Fixed in Python 2.7.8.
      (CVE-2014-4616)

    • The CGIHTTPServer module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose
      a CGI script's source code or execute arbitrary CGI scripts in the server's document root. Fixed in Python 2.7.8. (CVE-2014-4650)

    • Integer overflow in bufferobject.c allows context-dependent attackers to obtain sensitive information from process memory via a
      large size and offset in a "buffer" function. Fixed in Python 2.7.8 (CVE-2014-7185)

    Recommendation: Upgrade to Python 2.7.8 (sig)

  2. LibVNCServer

    • A malicious VNC server could advertise a very large screen size resulting in heap corruption, and possibly remote code execution
      on client-side. (CVE-2014-6501)

    • A malicious VNC server that advertises a large enough screen size could potentially inject code anywhere in client-side process
      memory through FramebufferUpdate messages. (CVE-2014-6052)

    • A malicious client could advertise a very large ClientCutText message size potentially causing a server crash. (CVE-2014-6053)

    • A malicious client could set the scaling factor to 0, which will result in a server crash. (CVE-2014-6054)

    • Multiple server-side stack overflows in File Transfer feature. (CVE-2014-6055)

    Recommendation: Rebuild LibVNCServer 0.9.9 after applying the following patches:
    LibVNCServer-0.9.9_CVE-2014-6051.diff
    LibVNCServer-0.9.9_CVE-2014-6052.diff
    LibVNCServer-0.9.9_CVE-2014-6053.diff
    LibVNCServer-0.9.9_CVE-2014-6054.diff
    LibVNCServer-0.9.9_CVE-2014-6055.diff
    Note: TigerVNC (provided in "extra") might be vulnerable to issues similar to some of the above. I'll provide updates as I learn more.

  3. getmail4

    • Getmail 4.0.0 through 4.43.0 allows IMAP MITM with arbitrary certificates. (CVE-2014-7273)

    • Getmail 4.44.0 allows IMAP MITM with valid/recognized certificates for an arbitrary hostname. (CVE-2014-7274)

    • Getmail 4.0.0 through 4.44.0 allows POP MITM with arbitrary certificates. (CVE-2014-7275)

    Recommendation: Upgrade to Getmail 4.46.0

  4. Exuberant Ctags (vim)

    Exuberant Ctags 5.8, as bundled by Slackware's vim, allows attackers to cause a denial of service (infinite loop and CPU and disk
    consumption) via a crafted JavaScript file. (CVE-2014-7204)

    Make sure you have a way to kill the process (i.e. other terminal ready to killall -9 ctags) before trying out the PoC because it will
    CPU/disk DoS the box. You've been warned, hic sunt dracones:

    Code:

    $ ctags CVE-2014-7204_poc.js

    Recommendation: Rebuild vim after editing vim.SlackBuild so it applies ctags-5.8_CVE-2014-7204.diff to the bundled exuberant-ctags.

--mancha
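As an added illustration of the CGIHTTPServer item above (CVE-2014-4650), and not code from Python or from this thread, the following reduces the bug to two small dispatch functions. The weak one decides on the still-encoded path, so `%2f` is not a separator at decision time and `/cgi-bin%2fhello.py` is classed as a static file; the file-serving layer decodes it afterwards and sends the script's source, which is the disclosure the report describes. The hardened one decodes first, collapses `.` and `..`, and only then compares the first segment with the CGI directories. The directory names are CGIHTTPServer's defaults; the request paths are constructed.

```python
"""Deciding whether a request is a CGI request: weak vs hardened.

Added example (Python 3), not code from Python's CGIHTTPServer; it reduces
the pattern behind CVE-2014-4650 to two small functions. Directory names
match CGIHTTPServer's defaults; request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

CGI_DIRECTORIES = ("/cgi-bin", "/htbin")


def _collapse(path, decode):
    """Drop query/fragment, optionally percent-decode, force a leading '/'
    and resolve '.' and '..' (posixpath.normpath never climbs above '/')."""
    bare = path.split("?", 1)[0].split("#", 1)[0]
    if decode:
        bare = unquote(bare)
    return posixpath.normpath("/" + bare.lstrip("/"))


def _split_first(collapsed):
    """Split '/dir/rest/of/path' into ('/dir', 'rest/of/path')."""
    sep = collapsed.find("/", 1)
    if sep == -1:
        return collapsed, ""
    return collapsed[:sep], collapsed[sep + 1:]


def is_cgi_weak(path):
    """Pattern behind CVE-2014-4650: decide on the undecoded path, so an
    encoded separator hides the CGI directory. Returns (dir, script) or None."""
    head, tail = _split_first(_collapse(path, decode=False))
    return (head, tail) if head in CGI_DIRECTORIES else None


def is_cgi_hardened(path):
    """Decode first, then collapse, then decide."""
    head, tail = _split_first(_collapse(path, decode=True))
    return (head, tail) if head in CGI_DIRECTORIES else None


def outcome(path, dispatcher):
    """What happens to the request: 'execute' if the dispatcher treats it as
    CGI, otherwise 'serve-bytes' (the static handler would read the decoded
    file and return its contents, i.e. the script source)."""
    return "execute" if dispatcher(path) else "serve-bytes"


if __name__ == "__main__":
    for p in ("/cgi-bin/hello.py", "/cgi-bin%2fhello.py", "/static/../cgi-bin/hello.py"):
        print(f"{p:32} weak={outcome(p, is_cgi_weak):11} hardened={outcome(p, is_cgi_hardened)}")
```

The general rule the fix embodies is to make every security decision on the same representation the file layer will eventually use: decode and canonicalise once, up front, and never let a later stage reinterpret the path.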

mancha 10-14-2014 02:20 AM

Status Report 20141014

Back in June, GaZL pointed out the thread was getting difficult to follow. He suggested a state-of-play would help (i.e. summary of which
security issues had been patched and which remained outstanding).

I agree.

So, to mark the 250th post, I bit the bullet and put together the following thread status report (current through 20141014). Mozilla products
are excluded from the list; they usually get Slackware upgrades soon after Mozilla security announcements.

I hope this helps those having trouble sorting all the information out.

--mancha

Code:

                        LQ Slackware Vulnerability Thread Status Report (20141014)                               
                               
Package                CVE ID(s)        Posted                Reference        Status                Slackware Advisory

glibc                CVE-2012-4424        20131026        LQ Post                Vulnerable       
                CVE-2012-4412        20140620        2nd Post
                CVE-2013-4237
                CVE-2013-4788
                CVE-2013-4458

curl                CVE-2013-4545        20140101        LQ Post                Fixed                Advisory
                CVE-2013-6422

php                CVE-2013-6420        20140101        LQ Post                Fixed                Advisory

libgcrypt(gpg2)        CVE-2013-4576        20140101        LQ Post                Vulnerable
                                20140909        Update

samba                CVE-2013-4408        20140101        LQ Post                Fixed                Advisory
                CVE-2012-6150

xorg-server        CVE-2013-6424        20140101        LQ Post                Vulnerable

pixman                CVE-2013-6425        20140101        LQ Post                Vulnerable

openssl                CVE-2013-6449        20140106        LQ Post                Fixed                Advisory
                CVE-2013-6450
                CVE-2013-4353

libxfont        CVE-2013-6462        20140107        LQ Post                Fixed                Advisory

bind                CVE-2014-0591        20140114        LQ Post                Fixed                Advisory

curl                CVE-2014-0015        20140131        LQ Post                Fixed                Advisory
                CVE-2013-6422
                CVE-2013-4545

kernel                CVE-2014-0038        20140131        LQ Post                Fixed                Advisory

stunnel                CVE-2013-1762        20140207        LQ Post                Vulnerable

poppler                CVE-2013-7296        20140209        LQ Post                Vulnerable

icu4c                CVE-2013-2924        20131019        LQ Post                Vulnerable
                                20140211        2nd Post

mariadb                CVE-2014-0001        20140211        LQ Post                Fixed                Advisory

python                CVE-2014-1912        20140212        LQ Post                Vulnerable

gnutls                CVE-2014-1959        20140214        LQ Post                Fixed                Advisory

file                CVE-2014-1943        20140218        LQ Post                Vulnerable

imagemagick        CVE-2014-1958        20140222        LQ Post                Vulnerable
                CVE-2014-2030

gnutls                CVE-2014-0092        20140304        LQ Post                Fixed                Advisory

libssh                CVE-2014-0017        20140314        LQ Post                Vulnerable

file                CVE-2014-2270        20140314        LQ Post                Vulnerable

php                CVE-2014-1943        20140314        LQ Post                Fixed                Advisory
                CVE-2014-2270

freetype        CVE-2014-2240        20140314        LQ Post                Vulnerable
                CVE-2014-2241

udisks                CVE-2014-0004        20140314        LQ Post                Fixed                Advisory

udisks2                CVE-2014-0004        20140314        LQ Post                Fixed                Advisory

mutt                CVE-2014-0467        20140314        LQ Post                Fixed                Advisory

samba                CVE-2013-4496        20140314        LQ Post                Fixed                Advisory
                CVE-2013-6442

httpd                CVE-2014-0098        20140319        LQ Post                Fixed                Advisory
                CVE-2013-6438

curl                CVE-2014-0138        20140327        LQ Post                Fixed                Advisory
                CVE-2014-0139

openssh                CVE-2014-2653        20140407        LQ Post                Vulnerable

kernel                CVE-2014-2523        20140407        LQ Post                Vulnerable

openssl                CVE-2014-0160        20140407        LQ Post                Fixed                Advisory
                CVE-2014-0076

rsync                CVE-2014-2855        20140414        LQ Post                Vulnerable

kernel                CVE-2014-2706        20140421        LQ Post                Vulnerable

php                CVE-2014-0185        20140429        LQ Post                Fixed                Advisory

libxfont        CVE-2014-0209        20140515        LQ Post                Vulnerable
                CVE-2014-0210
                CVE-2014-0211

kernel                CVE-2014-0196        20140515        LQ Post                Vulnerable

mariadb                CVE-2014-0384        20140521        LQ Post                Fixed                Advisory
                CVE-2014-2419
                CVE-2014-2430
                CVE-2014-2431
                CVE-2014-2432
                CVE-2014-2436
                CVE-2014-2438
                CVE-2014-2440

gnutls                CVE-2014-3466        20140530        LQ Post                Fixed                Advisory

libtasn1        CVE-2014-3467        20140530        LQ Post                Fixed                Advisory
                CVE-2014-3468
                CVE-2014-3469

sendmail        CVE-2014-3956        20140602        LQ Post                Fixed                Advisory

php                CVE-2014-0237        20140604        LQ Post                Fixed                Advisory
                CVE-2014-0238

openssl                CVE-2014-0224        20140605        LQ Post                Fixed                Advisory
                CVE-2014-0221
                CVE-2014-0195
                CVE-2014-0198
                CVE-2010-5298
                CVE-2014-3470

kernel                CVE-2014-3153        20140606        LQ Post                Vulnerable

bind                CVE-2014-0591        20140612        LQ Post                Fixed                Advisory

glibc                CVE-2014-4043        20140620        LQ Post                Vulnerable

samba                CVE-2014-0239        20140621        LQ Post                Fixed                Advisory
                CVE-2014-0178

samba                CVE-2014-0244        20140623        LQ Post                Fixed                Advisory
                CVE-2014-3493

gnupg1                CVE-2014-4617        20140624        LQ Post                Fixed                Advisory

gnupg2                CVE-2014-4617        20140624        LQ Post                Fixed                Advisory

php                CVE-2014-0207        20140626        LQ Post                Fixed                Advisory
                CVE-2014-3478
                CVE-2014-3479
                CVE-2014-3480
                CVE-2014-3487
                CVE-2014-3515
                CVE-2014-3981
                CVE-2014-4049

httpd                CVE-2014-0231        20140720        LQ Post                Fixed                Advisory
                CVE-2014-0117
                CVE-2014-0118
                CVE-2014-0226

samba                CVE-2014-3560        20140801        LQ Post                Fixed                Advisory

openssl                CVE-2014-3508        20140807        LQ Post                Fixed                Advisory
                CVE-2014-5139
                CVE-2014-3509
                CVE-2014-3505
                CVE-2014-3506
                CVE-2014-3507
                CVE-2014-3510
                CVE-2014-3511
                CVE-2014-3512

glibc                CVE-2014-0475        20140906        LQ Post                Vulnerable
                CVE-2014-5119

procmail        CVE-2014-3618        20140906        LQ Post                Vulnerable

gpgme                CVE-2014-3564        20140906        LQ Post                Vulnerable

dbus                CVE-2014-3532        20140906        LQ Post                Vulnerable
                CVE-2014-3533
                CVE-2014-3477

lzo                CVE-2014-4607        20140906        LQ Post                Vulnerable

file                CVE-2014-3587        20140906        LQ Post                Vulnerable

subversion        CVE-2014-3522        20140906        LQ Post                Vulnerable
                CVE-2014-3528

ppp                CVE-2014-3158        20140909        LQ Post                Vulnerable

curl                CVE-2014-3613        20140913        LQ Post                Vulnerable
                CVE-2014-3620

dbus                CVE-2014-3635        20140916        LQ Post                Vulnerable
                CVE-2014-3636
                CVE-2014-3637
                CVE-2014-3638
                CVE-2014-3639

net-snmp        CVE-2014-2284        20140922        LQ Post                Vulnerable
                CVE-2014-3565

bash                CVE-2014-6271        20140924        LQ Post                Fixed                Advisory

bash                CVE-2014-7169        20140924        LQ Post                Fixed                Advisory

bash                CVE-2014-7186        20140926        LQ Post                Vulnerable (a)
                CVE-2014-7187

sysklogd        CVE-2014-3634        20140930        LQ Post                Vulnerable
                                20141003        2nd Post

bash                CVE-2014-6277        20141001        LQ Post                Vulnerable (a)
                CVE-2014-6278

python                CVE-2013-1752        20141013        LQ Post                Vulnerable
                CVE-2014-4616
                CVE-2014-4650
                CVE-2014-7185

getmail4        CVE-2014-7273        20141013        LQ Post                Vulnerable
                CVE-2014-7274
                CVE-2014-7275

libvncserver        CVE-2014-6501        20141013        LQ Post                Vulnerable
                CVE-2014-6502
                CVE-2014-6503
                CVE-2014-6504
                CVE-2014-6505

vim (ctags)        CVE-2014-7204        20141013        LQ Post                Vulnerable

----
(a) The Bash affix hardening patch Slackware deployed on 20140929 largely mitigates.


sanjioh 10-14-2014 02:25 AM

Hello mancha, and thanks for your amazing work. The recap is wonderful. If I may suggest a further improvement, maybe it would be nice to have it on the first post, to give it more visibility.
What do you think?

GazL 10-14-2014 07:31 AM

Quote:

Originally Posted by mancha (Post 5253488)
So, to mark the 250th post, I bit the bullet and put together the following thread status report (current through 20141014).

You sir, are an absolute Star!
Thank you. I'm sure many people will appreciate this.

moisespedro 10-14-2014 10:17 AM

Mancha, do you have more information on this?
http://www.theregister.co.uk/2014/10...drop_tomorrow/

55020 10-14-2014 03:53 PM

http://securityreactions.tumblr.com/...-released-soon

mancha 10-14-2014 06:54 PM

Quote:

Originally Posted by moisespedro (Post 5253626)
Mancha, do you have more information on this?
http://www.theregister.co.uk/2014/10...drop_tomorrow/

moisespedro:

You can read details here.

I plan to add instructions on disabling SSLv3 to my disabling-SSLv2-on-OpenSSL thread. This might present some compatibility issues but
one would hope POODLE is incentive enough for clients/servers to abandon the 18-year-old protocol.

Meantime, those wanting to disable SSLv3 on Firefox: type about:config in the address bar and change security.tls.version.min from
the default of 0 (SSL 3.0) to 1 (TLS 1.0):

Code:

security.tls.version.min    1

--mancha

