LinuxQuestions.org
Slackware: [Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

mancha 11-06-2014 11:22 PM

Update 20141107
  1. curl (libcurl)

    Several flaws in libcurl's curl_easy_duphandle() function can lead to libcurl eventually sending off sensitive data that was not intended
    for sending. See curl's advisory for more details. (CVE-2014-3707)

    Recommendation: Upgrade to curl 7.39 (sig)
--mancha

mancha 11-10-2014 09:37 AM

Update 20141110
  1. GnuTLS

    It was discovered that the encoding of elliptic curve parameters in GnuTLS 3 is vulnerable to a denial of service (heap corruption). The
    vulnerability affects clients and servers that print information about a peer's certificate (e.g. key ID) and can be exploited via specially
    crafted X.509 certificates. (CVE-2014-8564)

    Recommendations:
    Note: Slackware 13.37 and earlier are unaffected (vulnerable code was introduced in GnuTLS 3.0).
--mancha

sanjioh 11-23-2014 09:23 AM

php
The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file (CVE-2014-3710).
Fixed in php 5.4.35.

file
The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file (CVE-2014-3710).
Fixed upstream (not yet released at the time of writing)

tcpdump
denial of service in verbose mode using malformed OLSR payload (CVE-2014-8767)
denial of service in verbose mode using malformed Geonet payload (CVE-2014-8768) (vulnerability introduced in tcpdump 4.5.0, thus not affecting Slackware 14.1 or -current)
unreliable output using malformed AOVD payload (CVE-2014-8769)
Fixed in tcpdump 4.7.0 (not yet released at the time of writing)

dbus
local users can cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636 (CVE-2014-7824).
Fixed in dbus 1.6.26

kde-workspace
KDE workspace configuration module for setting the date and time has a helper program which runs as root for performing actions. This is secured with polkit. This helper takes the name of the ntp utility to run as an argument. This allows a hacker to run any arbitrary command as root under the guise of updating the time (CVE-2014-8651).
Fixed in kde-workspace 4.11.14

mancha 11-23-2014 12:16 PM

Based on sanjioh's report in the previous post, I've backported fixes for tcpdump 4.4.0 and file 5.14 (versions shipped with Slackware
14.1 and current). For php, dbus, and kde-workspace, sanjioh provides the versions that fix the identified vulnerabilities.

  1. tcpdump

    Recommendation: Rebuild tcpdump 4.4.0 after applying tcpdump-4.4.0_CVE-2014-8767.diff and tcpdump-4.4.0_CVE-2014-8769.diff.

    Note: CVE-2014-8768 doesn't apply to Slackware because the vulnerable code was introduced in tcpdump 4.5.0.

  2. file

    Recommendation: Rebuild file 5.14 after applying file-5.14_CVE-2014-3710.diff.

    Note: There are several outstanding issues with Slackware's file/libmagic. You can look them up in the 20141014 Status Report.
--mancha

moisespedro 11-24-2014 07:30 AM

It looks like this affects Slackware.

GazL 11-24-2014 08:05 AM

Quote:

Originally Posted by moisespedro (Post 5274225)
It looks like this affects Slackware.

Slackware's lesspipe isn't that expansive, but even if it were, I'm not sure I buy this as being a threat.
If I download a malicious cpio file and view it with less using lesspipe, then that's no more dangerous than me downloading a cpio file and viewing it with cpio -t. If cpio is broken, then cpio is broken and it doesn't matter whether I'm viewing it directly with cpio or indirectly via less/lesspipe, mc, or any other front end.

I don't see how disabling lesspipe buys you anything.

mancha 11-25-2014 08:04 AM

Update 20141125
  1. FLAC

    It was recently disclosed that FLAC 1.3.0 and earlier are vulnerable to a stack overflow (CVE-2014-8962) and a heap overflow condition
    (CVE-2014-9028) that can be exploited by an attacker via maliciously crafted .flac files to trigger arbitrary code execution.

    Recommendation: Re-build flac 1.2.1 after applying flac-1.2.1_CVE-2014-8962.diff and flac-1.2.1_CVE-2014-9028.diff or upgrade
    to flac 1.3.1 (when it releases).

  2. libksba (GnuPG-2)

    libksba prior to version 1.3.2 is vulnerable to a buffer overflow condition that can be exploited by an attacker via maliciously crafted
    S/MIME messages or ECC-based OpenPGP data to trigger a denial of service or other unspecified impact. GnuPG 2.x users are
    encouraged to upgrade promptly. See announcement for more details. (CVE-2014-9087)

    Recommendation: Upgrade to libksba 1.3.2 (sig)
--mancha

moisespedro 11-25-2014 08:21 AM

Quote:

Originally Posted by GazL (Post 5274236)
Slackware's lesspipe isn't that expansive, but even if it were, I'm not sure I buy this as being a threat.
If I download a malicious cpio file and view it with less using lesspipe, then that's no more dangerous than me downloading a cpio file and viewing it with cpio -t. If cpio is broken, then cpio is broken and it doesn't matter whether I'm viewing it directly with cpio or indirectly via less/lesspipe, mc, or any other front end.

I don't see how disabling lesspipe buys you anything.

Oh, thanks for the clarification. I wasn't sure if it was that harmful.

number22 11-27-2014 12:58 AM

libpng
new releases are fixing out-of-bounds memory read potential problems.

http://www.libpng.org/pub/png/libpng.html

turtleli 11-28-2014 09:19 PM

I believe splitvt has a security bug - misc.c in splitvt 1.6.6 and earlier does not drop group privileges before executing xprop, which allows local users to gain privileges. (CVE-2008-0162, yes, pretty ancient)

I've compared the Slackware version to the Debian version (link, see 1.6.6-4 changelog entry), it hasn't been patched yet.

(Is there anyone that actually uses splitvt?)

GazL 11-29-2014 03:49 AM

Slackware's splitvt is not SUID or SGID so there should be no privilege to drop.

(but as you say, I doubt anyone is using it now we have screen and tmux)
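An added check (not part of either post) for the point GazL makes: a "fails to drop privileges" bug only matters if the installed binary actually carries the setuid or setgid bit, so the first thing to verify is the mode bits on the installed file. The paths /usr/bin/splitvt and /usr/bin/xprop in the loop are assumed install locations.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a "does not drop
# privileges" bug applies to an installed binary by checking whether it
# carries the setuid or setgid bit. A binary installed without those bits,
# like Slackware's splitvt as described above, runs with the invoking
# user's own privileges and has nothing to drop.

# privbits PATH -> prints one of: suid, sgid, suid+sgid, none, missing
privbits() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 1
    fi
    # POSIX test -u / test -g check the setuid / setgid mode bits
    if [ -u "$1" ] && [ -g "$1" ]; then
        echo "suid+sgid"
    elif [ -u "$1" ]; then
        echo "suid"
    elif [ -g "$1" ]; then
        echo "sgid"
    else
        echo "none"
    fi
}

# privreport PATH -> "PATH VERDICT owner=USER group=GROUP", so the reader
# also sees which identity a flawed privilege drop would expose.
privreport() {
    verdict=$(privbits "$1") || { echo "$1 missing"; return 1; }
    owner=$(ls -ld "$1" | awk '{print $3}')
    group=$(ls -ld "$1" | awk '{print $4}')
    echo "$1 $verdict owner=$owner group=$group"
}

# Inspect the two binaries the discussion mentions (assumed paths).
for bin in /usr/bin/splitvt /usr/bin/xprop; do
    privreport "$bin" || true
done
```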

turtleli 11-29-2014 06:39 AM

Ok, guess it's not a problem then.

(Yeah, I remembered the Slackware installer has pretty much said for years now in the splitvt description "use screen", which made me wonder why it's still included with Slackware.)

Jeebizz 12-08-2014 12:28 PM

XScreensaver version
Running Slackware 14.1 64-bit and I am suddenly presented with this:
Attachment 17055
Looks like that will have to be updated for the next release of Slackware.

cwizardone 12-08-2014 01:03 PM

Quote:

Originally Posted by Jeebizz (Post 5281437)
Running Slackware 14.1 64-bit and I am suddenly presented with this:
Attachment 17055
Looks like that will have to be updated for the next release of Slackware.

Perhaps this is in the wrong thread? Regardless, the version of xscreensaver in -current is 5.29

volkerdi 12-08-2014 05:54 PM

Quote:

Originally Posted by cwizardone (Post 5281460)
Perhaps this is in the wrong thread? Regardless, the version of xscreensaver in -current is 5.29

That's also the version in Slackware 14.1's patches, precisely because of this nag screen.
