LinuxQuestions.org

[Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

slalik 09-01-2015 08:13 AM

Quote:

Originally Posted by mats_b_tegner (Post 5414140)
libvdpau has been updated to version 1.1.1 which fixes three CVEs:
http://lists.x.org/archives/xorg-ann...st/002630.html

Thank you! The SBo SlackBuild (for 14.1) works after a simple change of the version number.

bamunds 09-04-2015 10:58 PM

The WNA1100 USB wireless adapter (driver htc_9271.fw) in a Slackware 64 14.1 with multilib is having intermittent hangs after upgrading gnutls to 3.3.17.1 through patches!

Specifically, after receiving notice from the security email broadcast of a gnutls patch advisory, I used slackpkg upgrade-all to retrieve and install gnutls in mid August. Since that time the USB wireless adapter is hanging two or three times a day regardless of the DE/WM. The WNA1100 was rock solid prior to the gnutls patch upgrade.

After reading this thread today it appears that gmp and nettle should also have been upgraded, along with the compat32 version. The upgrade in patches was to 3.3.17.1, which mancha now recommends only for -current, not for 14.1. However, searching slackpkg for nettle results in only 2.7.1, and gmp 5.1.3 is available and installed. Why would the official patch program not upgrade the other two dependencies? Tonight, trying to upgrade nettle and gmp, the system message is that no upgrades are available! Additionally, if I remove 3.3.17.1 the only other version available is 3.1.16, which is lower than the multilib gnutls, which is 3.1.25. Was there something more than using slackpkg update/slackpkg install-new/slackpkg upgrade-all that I missed? Where is the 3.1.28 upgrade for 14.1? Or, if gnutls is upgraded, do I need to compile it myself and not use patches? I hope AlienBob is reading this thread to shed light on the compat32 status of gnutls also?

Thanks for advice and help.

elcore 12-16-2015 12:30 AM

mozilla-firefox 38.5 ESR released

source

known-vulnerabilities

mats_b_tegner 12-16-2015 12:31 PM

Quote:

Originally Posted by elcore (Post 5464925)
mozilla-firefox 38.5 ESR released
source
known-vulnerabilities

It's available according to the latest Changelog:
ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt
ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt

elcore 12-17-2015 01:23 AM

Quote:

Originally Posted by mats_b_tegner (Post 5465155)

I know there's a new changelog, thanks. It was not there 24 hours ago so I posted this while it was compiling.

elcore 12-22-2015 02:53 AM

There is now 38.5.1 source.
It is listed on mozilla site, but there are no release notes at this time.

Edit:
Thanks for update, I see there's a note from mozilla now, and a new 38.5.2 release.
Just thought it might be undisclosed security flaw because the notes weren't there.

elcore 01-15-2016 03:16 AM

A zero-day vulnerability in the FFmpeg open-source multimedia framework

I'll temporarily rebuild this with --disable-network (but many other packages may be affected)

ponce 01-15-2016 04:20 AM

thanks for the heads up, elcore, reading local files (like /etc/passwd) opening a remote video is a little scary: here, following what Arch has done with their ffmpeg, I rebuilt it passing these options to the configure
Code:

--disable-demuxer='hls' --disable-protocol='concat,hls'

while I was there, I rebuilt also Slackware's MPlayer as its internal ffmpeg is also affected (like everything else shipping an internal ffmpeg): luckily I had just to pass the same exact options to the MPlayer's configure (as it passes them as they are to its internal ffmpeg).

_gin 01-15-2016 05:12 AM

Hope ffmpeg will be upgraded, because in addition to the zero day vulnerability reported here by elcore,

ffmpeg 2.7.2 is also vulnerable to CVE-2015-8363, CVE-2015-8364, CVE-2015-8365
http://lwn.net/Articles/669116/

and some other vulnerabilities were patched between ffmpeg-2.7.2 and ffmpeg-2.7.3, namely:

CVE-2015-8216
http://git.videolan.org/?p=ffmpeg.gi...c17f4b323f92b1

CVE-2015-8217
http://git.videolan.org/?p=ffmpeg.gi...eee36a91127f8c

CVE-2015-8219
http://git.videolan.org/?p=ffmpeg.gi...5747e1752d8da2

GazL 01-15-2016 07:20 AM

Quote:

Originally Posted by elcore (Post 5478523)
A zero-day vulnerability in the FFmpeg open-source multimedia framework

I'll temporarily rebuild this with --disable-network (but many other packages may be affected)

Looking at the output from configure, --disable-network appears to leave the hls protocol enabled. I guess they forgot to update the list when they added hls support.

Is 'concat' really that dangerous without the network protocols enabled? It looks like it might actually have some uses!


I usually rebuild ffmpeg from git-master once a week or so. Vulnerabilities are not uncommon due to the nature and number of supported protocols/formats that ffmpeg has. mplayer has a built-in copy of ffmpeg, which is why I switched to mpv.

elcore 01-15-2016 07:56 AM

Well, the shipped ffmpeg in mplayer src is optional - just include a patched version with a slackBuild, and one could also make with --disable-ffmpeg_a
Code:

  --disable-ffmpeg_a        disable static FFmpeg [autodetect]

About hls I am not sure, but I've built with --disable-demuxer='hls,applehttp' just in case.
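
Since a configure option may leave more enabled than its name suggests, a rebuilt binary can be checked directly for the protocols and demuxers named in the posts above. This is an added example, not code from any poster in the thread: it parses the text printed by `ffmpeg -protocols` and `ffmpeg -formats`, and the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ffmpeg build for the components disabled in this thread.
# Live use: audit_ffmpeg "$(ffmpeg -protocols 2>/dev/null)" "$(ffmpeg -formats 2>/dev/null)"

# Names listed under "Input:" in `ffmpeg -protocols` output (read from stdin).
input_protocols() {
    awk '/^Input:/ {sec = 1; next} /^Output:/ {sec = 0} sec && NF {print $1}'
}

# Names carrying the D (demux) flag in `ffmpeg -formats` output (read from stdin).
demuxer_names() {
    awk 'body && $1 ~ /^D/ {n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i]}
         $1 == "--" {body = 1}'
}

# Print what is still enabled; return 0 only when nothing on the list remains.
audit_ffmpeg() {
    found=""
    for p in $(printf '%s\n' "$1" | input_protocols); do
        case "$p" in concat|hls) found="$found protocol:$p" ;; esac
    done
    for d in $(printf '%s\n' "$2" | demuxer_names); do
        case "$d" in hls|applehttp) found="$found demuxer:$d" ;; esac
    done
    found=${found# }
    printf '%s\n' "${found:-clean}"
    [ -z "$found" ]
}

# Constructed sample listings (not captured from a real build).
NONET_PROTOCOLS='Supported file protocols:
Input:
  cache
  concat
  file
  hls
Output:
  file'
STOCK_FORMATS='File formats:
 D. = Demuxing supported
 .E = Muxing supported
 --
 DE avi             AVI (Audio Video Interleaved)
 D  hls,applehttp   Apple HTTP Live Streaming
  E hls             Apple HTTP Live Streaming'
# Same listings with the thread's options applied; the hls muxer entry stays.
HARDENED_PROTOCOLS=$(printf '%s\n' "$NONET_PROTOCOLS" | grep -v -E '^  (concat|hls)$')
HARDENED_FORMATS=$(printf '%s\n' "$STOCK_FORMATS" | grep -v '^ D  hls')
audit_ffmpeg "$NONET_PROTOCOLS" "$STOCK_FORMATS" || echo "still exposed"
audit_ffmpeg "$HARDENED_PROTOCOLS" "$HARDENED_FORMATS"
```

The muxer-only `hls` entry (flag `E`) is ignored on purpose, because only the demuxer was disabled in the rebuilds described above.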

GazL 01-16-2016 05:29 AM

The FFmpeg folk have just tagged 2.8.5, including fixes for: CVE-2016-1897, CVE-2016-1898
New minor versions of the older releases have also been tagged.

elcore 01-19-2016 09:14 AM

Hate to bring the bad news, but there's this CVE-2016-0728 local exploit.

gmgf 01-19-2016 12:50 PM

Again a new cups-filters-1.7.0:

https://www.openprinting.org/downloa...s-1.7.0.tar.xz

volkerdi 01-19-2016 03:37 PM

Quote:

Originally Posted by elcore (Post 5480887)
Hate to bring the bad news, but there's this CVE-2016-0728 local exploit.

Tried it here on x86_64 -current (twice), and here's what I get:

Code:

bash-4.3$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
bash-4.3$ ./cve_2016_0728 PP_KEY
uid=3321, euid=3321
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=3321, euid=3321
sh-4.3$

I'll be testing 32-bit and 14.1 as well. Earlier versions than 14.1 won't be vulnerable.


All times are GMT -5.