LinuxQuestions.org > Slackware > [Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

mancha 10-24-2014 05:37 AM

Quote:

Originally Posted by sanjioh (Post 5258697)
Michal Zalewski fuzzed a sample that crashes the strings command...14.1 (x86_64) seems not vulnerable to me, couldn't test current.

Hi sanjioh.

You should test those PoCs using Slackware's /usr/bin/strings-GNU (from binutils). Slackware's /usr/bin/strings is a different
implementation (based on BSD strings) that used to be bundled with util-linux. By the way, the PoCs exploit different flaws in libbfd.

--mancha

PS sanjioh, your comment made me realize I was too cryptic in my oss-sec post. I just clarified this on the ML. Thanks!

sanjioh 10-24-2014 06:21 AM

Hi mancha,

I absolutely confirm.
binutils' /usr/bin/strings-GNU *is* vulnerable in slackware64 14.1, with both exploits.
Thank you for pointing out I was using the wrong binary.

metaschima 10-24-2014 10:16 AM

Quote:

Originally Posted by mancha (Post 5257958)
1. glibc 2.17
Code:

  # Patch integer overflows in pvalloc, valloc, and
  # posix_memalign/memalign/aligned_alloc (CVE-2013-4332).
  zcat $CWD/glibc.CVE-2013-4332.diff.gz | patch -p1 --verbose || exit 1
  # Security patches
  patch -p1 --verbose < $CWD/glibc-2.17_strcoll-change.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2012-4424.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2012-4412.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2013-4237.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2013-4788.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2013-4458.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-4043.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-0475.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-5119.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-6040.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.17_hardening.diff || exit 1
  # Bugfix patch
  patch -p1 --verbose < $CWD/glibc-2.17_gcc48-unsafe-optim.diff || exit 1

}


I'm trying to build my own glibc for optimization reasons. So where would this go in the Slackbuild? Do they have to be in order of date? In the Slackbuild there are some patches already from 2013, so do I put the 2012 ones before that and 2014 ones after that? Thanks.

EDIT: Nevermind, I put it at the end of the patch function and it works.
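The ordering question above, as an added example (not code from the thread or from Slackware's glibc.SlackBuild): a POSIX sh function that applies a patch series in the listed order, but on a scratch copy of the source tree, so a patch that no longer applies leaves the real tree untouched rather than half-patched. The function names, the sample tree and the two diffs are constructed for this example and are not Slackware's.

```shell
#!/bin/sh
# Added example (not from the thread or from Slackware's SlackBuilds):
# apply a patch series the way glibc.SlackBuild does (patch -p1, abort
# on failure), but on a scratch copy so the source tree is never left
# half-patched. apply_series and make_sample are assumed names.

apply_series() {
    # $1 source tree, $2 patch directory, remaining args: patch files in
    # the order they must apply. Order is dictated by overlapping hunks,
    # not by the year in the CVE id.
    srcdir=$1; patchdir=$2; shift 2
    work="$srcdir.patching"
    rm -rf "$work" && cp -R "$srcdir" "$work" || return 1
    for p in "$@"; do
        if ! patch -d "$work" -p1 --silent < "$patchdir/$p"; then
            echo "patch $p failed; $srcdir left untouched" >&2
            rm -rf "$work"
            return 1
        fi
    done
    # every hunk applied: swap the patched copy in
    rm -rf "$srcdir" && mv "$work" "$srcdir"
}

# Constructed sample: a one-line "source file" and two patches, the
# second of which only applies on top of the first.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/src" "$dir/patches"
    printf 'glibc 2.17 unpatched\n' > "$dir/src/version.txt"
    cat > "$dir/patches/glibc-2.17_CVE-2013-4332.diff" <<'EOF'
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-glibc 2.17 unpatched
+glibc 2.17 CVE-2013-4332
EOF
    cat > "$dir/patches/glibc-2.17_hardening.diff" <<'EOF'
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-glibc 2.17 CVE-2013-4332
+glibc 2.17 CVE-2013-4332 hardened
EOF
    echo "$dir"
}
```

Applying the two sample patches in the wrong order fails on the first one and leaves version.txt as it was; the right order yields the fully patched line.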

BrZ 10-24-2014 02:11 PM

Binutils developers released version 2.24.51.0.4 (official), but unfortunately without a tarball. Some packagers are claiming it needs some fix to gasp. With v2.24.51.0.4 my output was:
Quote:

[brz@ssj4] tmp$ strings-GNU stringme
BFD: stringme:1: byte count 3 too small

S303
S303
[brz@ssj4] tmp$ strings-GNU stringmetoo
BFD: stringmetoo:1: byte count 0 too small

S100
[brz@ssj4] tmp$
@mancha, if you can backport this commit we can stay with 2.24.51.0.3 and not mess further with the chain.

metaschima 10-25-2014 10:37 AM

When glibc stabilizes, could someone post what patches went into the stable glibc?

I hope everyone realizes now that stability and security need to be carefully weighed.

mancha 10-25-2014 12:51 PM

Quote:

Originally Posted by metaschima (Post 5259411)
I hope everyone realizes now that stability and security need to be carefully weighed.

Yesterday's glibc issue on Slackware-current had nothing to do with security vs. stability.

As was clearly mentioned in the Slackware-current changelog and by Pat in this post, it was caused by a bug in gcc 4.8 that gets triggered
by glibc 2.20.

Also, Slackware-current's purpose isn't stability. It's the development branch made public to allow Pat to receive feedback from Slackers
about bugs and usability concerns as he progresses to the next stable version. In other words, the process worked as intended: glibc 2.20
and gcc 4.8 don't inter-operate well; people reported it; Pat fixed it; we move on.

If you seek stability, use 14.1.

Quote:

Originally Posted by metaschima (Post 5259411)
When glibc stabilizes, could someone post what patches went into the stable glibc ?

Are you serious? The list of glibc security issues has been posted in this thread numerous times. I even posted relevant sections of
glibc.SlackBuild for 2.17 and 2.19 so all someone has to do is cut & paste it into their own slackbuild and run it. It can't get any simpler
than that.

--mancha

metaschima 10-25-2014 03:00 PM

Quote:

Originally Posted by mancha (Post 5259467)
Are you serious? The list of glibc security issues has been posted in this thread numerous times. I even posted relevant sections of
glibc.SlackBuild for 2.17 and 2.19 so all someone has to do is cut & paste it into their own slackbuild and run it. It can't get any simpler
than that.

--mancha

Yeah, I'm serious, not sure what there is to doubt.

Anyway, yesterday I installed glibc-2.17-x86_64-8_slack14.1 and then I built my own with the above patches to replace it. Today there is glibc-2.17-x86_64-9_slack14.1, and I can't seem to find out what has changed and what patches were added or removed. This one is for yesterday:
http://www.slackware.com/security/vi...ecurity.647059

T3slider 10-25-2014 03:12 PM

From ChangeLog.txt:
Code:

Fri Oct 24 21:11:15 UTC 2014
patches/packages/glibc-2.17-x86_64-9_slack14.1.txz:  Rebuilt.
  Rebuilt using --enable-kernel=2.6.32 for better compatibility with
  host kernels when running Slackware in a VM or container.
  Thanks to Vincent Batts and Eric Hameleers.
patches/packages/glibc-i18n-2.17-x86_64-9_slack14.1.txz:  Rebuilt.
patches/packages/glibc-profile-2.17-x86_64-9_slack14.1.txz:  Rebuilt.
patches/packages/glibc-solibs-2.17-x86_64-9_slack14.1.txz:  Rebuilt.

The ChangeLog knows all...

sanjioh 10-27-2014 06:25 PM

wget 1.16 is released.
http://lists.gnu.org/archive/html/bu.../msg00150.html

This release closes CVE-2014-4877 (wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP).

number22 10-28-2014 01:47 AM

Quote:

Originally Posted by sanjioh (Post 5260519)

I had trouble building this release; I needed to apply some 1.16 patches from Gentoo and autoreconf.

mancha 10-30-2014 10:35 AM

Halloween Update

  1. Firefox

    Firefox ESR 24.8.1, as shipped by Slackware 14.1, is vulnerable to several critical issues:

    A use-after-free during text layout when interacting with text direction. This results in a crash which can lead to arbitrary code
    execution. (CVE-2014-1581)

    Various memory-related bugs that can result in memory corruption and presumably, with enough effort, could be exploited to run
    arbitrary code. (CVE-2014-1574 and CVE-2014-1575)

    Other vulnerabilities rated by Mozilla with an impact level of "high" and lower also exist.

    Recommendation: Upgrade to Firefox ESR 31.2 or Firefox 33.0.2

  2. Thunderbird

    The above referenced Firefox vulnerabilities in general can't be exploited via email because Thunderbird has disabled scripting in
    email. However, the flaws are present in the Thunderbird 24.8.1 codebase and can theoretically be exploited in browser-like contexts.

    Recommendation: Upgrade to Thunderbird 31.2

  3. php

    Various issues have been identified in php before 5.4.34:

    Integer overflow in unserialize(). Note: this only affects 32-bit platforms. (CVE-2014-3669)

    PoC:
    Code:

    $ php -n -r 'unserialize( "C:3:\"GMP\":18446744075857035259:{}" );'

    Heap corruption in exif_thumbnail(). (CVE-2014-3670)

    PoC:
    Code:

    $ php -n -r 'dl("exif.so"); exif_thumbnail("CVE-2014-3670.jpg");'

    Global buffer overflow in mkgmtime() function. Note: Slackware is unaffected because it doesn't build php with xmlrpc support.
    (CVE-2014-3668)

    Recommendation: Upgrade to php 5.4.34 (sig)

  4. Perl (Data-Dumper)

    Data::Dumper before 2.154 allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an
    Array-Reference with many nested Array-References.

    You can test if your Perl install is vulnerable by running:
    Code:

    $ perl CVE-2014-4330_test.pl

    Recommendation: Rebuild Perl 5.18.1 after applying Data-Dumper-2.145_CVE-2014-4330.diff

  5. util-linux (bsdstrings)

    During a recent code review I discovered BSD strings, as packaged by Slackware in its util-linux package, contains a heap-based
    overflow.

    Recommendation: Rebuild util-linux after applying bsdstrings-util-linux_overflow.diff

  6. binutils

    Various vulnerabilities have been discovered in libbfd's handling of S-records, ELF objects, and PE objects. The extent is still being
    analyzed and fixes are getting finalized. In the meantime, I recommend not running strings-GNU, objdump, nm (or gdb) on untrusted
    input. BSD strings (i.e. /usr/bin/strings) is unaffected though do take note of the util-linux report above. As soon as the situation
    stabilizes I'll provide a consolidated fix.

--mancha

P.S. In case you missed it, sanjioh reports a serious issue with wpa-supplicant before 2.3 in post #257. Slackware's wpa-supplicant is
vulnerable because it's built with CONFIG_P2P and CONFIG_WPS. Consider upgrading to wpa-supplicant 2.3 (if you happen to use hostapd,
it is also vulnerable to the same issue and you should consider upgrading to hostapd 2.3).

Also, kfritz reports in post #262 that libxml2 before 2.9.2 is vulnerable to a variant of the billion laughs DoS and also vulnerable to remote
attackers who, through specially-crafted XML files, can cause CPU/memory/fd exhaustion. Consider upgrading to libxml2 2.9.2. If you prefer
staying on libxml2 2.9.1, you can apply: libxml2-2.9.1_CVE-2014-0191.diff and libxml2-2.9.1_CVE-2014-3660.diff.

sanjioh 11-01-2014 03:01 PM

ImageMagick
version 6.8.9-9 fixes 4 CVEs (3 out-of-bounds + 1 DoS)
http://seclists.org/fulldisclosure/2014/Nov/1

mariadb
version 5.5.40 fixes 9 CVEs
https://mariadb.com/kb/en/mariadb/de...release-notes/

cowlitzron 11-04-2014 04:47 AM

Quote:

Originally Posted by mancha (Post 5261916)

P.S. In case you missed it, sanjioh reports a serious issue with wpa-supplicant before 2.3 in post #257. Slackware's wpa-supplicant is
vulnerable because it's built with CONFIG_P2P and CONFIG_WPS. Consider upgrading to wpa-supplicant 2.3 (and hostapd 2.3).

I did upgrade to wpa-supplicant 2.3 on my laptop. When I tried reconnecting to my wireless connection, I got the message "Connection failed: unable to get IP address". I downgraded to the wpa-supplicant 2.0 in the Slackware repository. My wireless works fine with that version. I don't have hostapd installed. Would that have something to do with the failure to get wpa-supplicant 2.3 working?

mancha 11-04-2014 05:09 AM

Quote:

Originally Posted by cowlitzron (Post 5264257)
I did upgrade to wpa-supplicant 2.3 on my laptop. When I tried reconnecting to my wireless connection, I got the message "Connection failed: unable to get IP address". I downgraded to the wpa-supplicant 2.0 in the Slackware repository. My wireless works fine with that version. I don't have hostapd installed. Would that have something to do with the failure to get wpa-supplicant 2.3 working?

Sorry for my confusing post. Hostapd is unrelated to wpa-supplicant and I only mentioned it there because it is also vulnerable to the
same issue and is offered by SBo. I've made it more clear now.

Slackware applies several patches to wpa-supplicant so building a new version might require some tweaking. I'll try to reproduce your
issue and find a fix (if needed) when I get some free time.

--mancha

moisespedro 11-04-2014 05:43 PM

mancha, what would be better: openssl-1.0.1j provided by Pat or building it with your openssl SlackBuild?

