LinuxQuestions.org
Old 05-20-2015, 04:06 PM   #376
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware, OpenBSD
Posts: 1,469

CVE-2015-3306 - ProFTPD 1.3.5


CVE-2015-3306

Original release date: 05/18/2015

Quote:
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
Slackware64 14.1 is running proftpd version:

Code:
proftpd-1.3.4e-x86_64-1_slack14.1

I am not sure how to go about auditing for this vulnerability to be sure it's actually a problem. Maybe it isn't considered a big issue, but all the same I thought I would notify.

Last edited by mralk3; 05-20-2015 at 04:08 PM.
 
Old 05-21-2015, 12:00 AM   #377
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware, OpenBSD
Posts: 1,469

Quote:
Originally Posted by mralk3
CVE-2015-3306

Original release date: 05/18/2015



Slackware64 14.1 is running proftpd version:

Code:
proftpd-1.3.4e-x86_64-1_slack14.1

I am not sure how to go about auditing for this vulnerability to be sure it's actually a problem. Maybe it isn't considered a big issue, but all the same I thought I would notify.
ProFTPD 1.3.5 mod_copy Exploitdb
 
1 members found this post helpful.
Old 05-21-2015, 11:17 AM   #378
BrZ
Member
 
Registered: Apr 2009
Distribution: Slackware
Posts: 543

CVE-2015-0797
GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file.

Mozilla Foundation Security Advisory 2015-47
Buffer overflow parsing H.264 video with Linux Gstreamer

Fix?
Quote:
Description: Fix buffer overflow in mp4 parsing
Author: Ralph Giles <giles@mozilla.com>

--- gst-plugins-bad0.10-0.10.23.orig/gst/videoparsers/gsth264parse.c
+++ gst-plugins-bad0.10-0.10.23/gst/videoparsers/gsth264parse.c
@@ -384,6 +384,11 @@ gst_h264_parse_wrap_nal (GstH264Parse *

GST_DEBUG_OBJECT (h264parse, "nal length %d", size);

+ if (size > G_MAXUINT32 - nl) {
+ GST_ELEMENT_ERROR (h264parse, STREAM, FAILED, (NULL),
+ ("overflow in nal size"));
+ return NULL;
+ }
buf = gst_buffer_new_and_alloc (size + nl + 4);
if (format == GST_H264_PARSE_FORMAT_AVC) {
GST_WRITE_UINT32_BE (GST_BUFFER_DATA (buf), size << (32 - 8 * nl));
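Review bot: the new overflow guard stops one addend short of the allocation it protects. The buffer is sized with `buf = gst_buffer_new_and_alloc (size + nl + 4);`, but the check only rejects `size > G_MAXUINT32 - nl`, so a size in the range G_MAXUINT32 - nl - 3 up to G_MAXUINT32 - nl still passes and `size + nl + 4` wraps to a tiny allocation. Suggest `if (size > G_MAXUINT32 - nl - 4)` (or computing the total in a guint64 before comparing) so the bound covers the whole expression.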
@@ -452,6 +457,11 @@ gst_h264_parse_process_nal (GstH264Parse
GST_DEBUG_OBJECT (h264parse, "not processing nal size %u", nalu->size);
return;
}
+ if (G_UNLIKELY (nalu->size > 20 * 1024 * 1024)) {
+ GST_DEBUG_OBJECT (h264parse, "not processing nal size %u (too big)",
+ nalu->size);
+ return;
+ }

/* we have a peek as well */
nal_type = nalu->type;
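Review bot: `20 * 1024 * 1024` in the new `G_UNLIKELY` check is an unexplained magic number; give it a named constant with a comment saying whether it is a format limit or a defensive choice, otherwise the next reader cannot tell whether it is safe to change. Also, a NAL rejected here is only reported through GST_DEBUG_OBJECT before the silent `return;`, so a stream dropped for this reason is invisible at the default log level; consider GST_WARNING_OBJECT so operators can see why playback stopped, in the spirit of the GST_ELEMENT_ERROR raised in the previous hunk.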
 
1 members found this post helpful.
Old 05-22-2015, 02:02 PM   #379
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware
Posts: 896

Quote:
Originally Posted by BrZ
CVE-2015-0797
GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file.

Mozilla Foundation Security Advisory 2015-47
Buffer overflow parsing H.264 video with Linux Gstreamer

Fix?
I just compiled GStreamer, gst-plugins-base and gst-plugins-good versions 1.4.5 under -current. I wonder if you need to recompile Firefox and Thunderbird against the new libraries as well?

Mats
 
Old 05-22-2015, 03:10 PM   #380
BrZ
Member
 
Registered: Apr 2009
Distribution: Slackware
Posts: 543

Debian is marking 'gst-plugins-bad0.10', 'icedove' and 'iceweasel' as vulnerable, but wait a bit for the fix to 'logjam' as FF takes some time and lots of resources to build...
 
Old 05-22-2015, 04:34 PM   #381
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware
Posts: 896

Okay, I guess I'll wait until there is a patch against Logjam for Firefox.
 
Old 05-27-2015, 03:28 AM   #382
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Hi.

Here's a bit more info on the topics of the last few posts...
  1. proftpd

    Quote:
    Originally Posted by mralk3
    CVE-2015-3306
    Original release date: 05/18/2015

    Slackware64 14.1 is running proftpd version: proftpd-1.3.4e-x86_64-1_slack14.1

    I am not sure how to go about auditing for this vulnerability to be sure it's actually a problem. Maybe it isn't considered a big issue, but all the same I thought I would notify.
    Slackware doesn't build proftpd with mod_copy, so the version it ships isn't vulnerable to CVE-2015-3306. It seems Slackware current patched its proftpd anyway, though given the build configuration it wasn't necessary.

    Recommendation: Nothing needed unless you've built a customized copy of proftpd with mod_copy support.

  2. Firefox+GStreamer

    Quote:
    Originally Posted by BrZ
    CVE-2015-0797
    GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file.

    Mozilla Foundation Security Advisory 2015-47
    Buffer overflow parsing H.264 video with Linux Gstreamer

    Fix?
    Quote:
    Originally Posted by mats_b_tegner
    I just compiled GStreamer, gst-plugins-base and gst-plugins-good versions 1.4.5 under -current. I wonder if you need to recompile Firefox and Thunderbird against the new libraries as well?

    Mats
    This bug is a bit confusing in terms of which versions are affected. The bottom line is the bug is in h264parse from gst-plugins-bad (which Slackware doesn't ship). However, it's available from SBo and if you install it, Slackware's FF will automatically detect it and use it if necessary.

    Recommendation: Mozilla has patched their products (FF 38, FF ESR 31.8, and Thunderbird 31.7) so they now blacklist h264parse. Make sure you have at least these versions (for this issue and others). Also, if you've installed gst-plugins-bad apply Debian's patch (posted by BrZ in post #378) because other applications that use h264parse are potentially vulnerable as well.

    Note 1: If you want to use GStreamer 1.x+ with FF you'll have to re-compile FF with --enable-gstreamer=1.0 or so. You might have valid reasons to want to transition Firefox to the new GStreamer API, but keep in mind upgrading won't affect how FF deals with CVE-2015-0797 because, at least for the time being, Mozilla's blacklisting of h264parse isn't version dependent.

    Note 2: I don't believe GStreamer 1.x has fixed this bug yet (contrary to security reports).

  3. Firefox+Logjam

    Quote:
    Originally Posted by mats_b_tegner
    Okay, I guess I'll wait until there is a patch against Logjam for Firefox.
    Mozilla will be releasing a new NSS library that rejects FF DH groups smaller than 1024 bits. Currently the minimum is 512 bits (actually, because of a bug in length calculations, the minimum is effectively 505 bits), which means it'll accept Logjammable DHE groups. The fix is planned for inclusion in FF 39 (and the next ESRs).

    Recommendation: Until FF releases new versions with the new NSS bundled in, you can avoid Logjam by disabling all DHE cipher suites. Search for them by putting security.ssl3.dhe in the about:config search bar (see attached pic). Your FF might be newer and have fewer than the nine ciphers shown in the pic; just set whichever ones you do have to false.

--mancha
Attached image: ff-dhe.jpg

Last edited by mancha; 05-28-2015 at 11:41 AM. Reason: fix gstreamer stuff
 
4 members found this post helpful.
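The 512-versus-505-bit remark in the post above follows from where the minimum is measured: a floor expressed in bytes lets through a 64-byte modulus whose leading byte is 0x01. The following is an added illustration, not NSS or Firefox code; the moduli are constructed stand-ins (not real primes, only their encoded length matters) and the function names are mine.

```python
# Added illustration (not NSS or Firefox code): why a DH prime-length floor
# measured in bytes admits moduli a few bits shorter than the intended minimum.
# "At least 64 bytes" accepts a 64-byte p whose leading byte is 0x01, which is
# a 505-bit number; a floor measured in bits rejects it.

def dh_p_bit_length(p_bytes: bytes) -> int:
    """Bit length of the big-endian unsigned integer p, leading zeros ignored."""
    return int.from_bytes(p_bytes, "big").bit_length()

def accepts_by_byte_length(p_bytes: bytes, min_bits: int) -> bool:
    """Floor expressed in bytes: the kind of check that lets a 505-bit p through."""
    return len(p_bytes.lstrip(b"\x00")) >= min_bits // 8

def accepts_by_bit_length(p_bytes: bytes, min_bits: int) -> bool:
    """Floor expressed in bits: actually enforces min_bits."""
    return dh_p_bit_length(p_bytes) >= min_bits

def smallest_accepted_bits(min_bits: int) -> int:
    """Shortest p, in bits, that the byte-length floor still accepts."""
    return (min_bits // 8 - 1) * 8 + 1   # 512 -> 505

def constructed_modulus(bits: int) -> bytes:
    """Constructed stand-in for a server's DH p of exactly `bits` bits
    (top bit set, odd). Not a prime; only its encoded length matters here."""
    n = (1 << (bits - 1)) | 1
    return n.to_bytes((bits + 7) // 8, "big")

if __name__ == "__main__":
    p505 = constructed_modulus(505)
    print(len(p505), "bytes,", dh_p_bit_length(p505), "bits, leading byte", p505[0])
    print("byte floor 512 accepts 505-bit p:", accepts_by_byte_length(p505, 512))
    print("bit floor 512 accepts 505-bit p: ", accepts_by_bit_length(p505, 512))
    print("bit floor 1024 accepts 505-bit p:", accepts_by_bit_length(p505, 1024))
    print("byte floor 1024 lets through down to", smallest_accepted_bits(1024), "bits")
```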
Old 05-27-2015, 01:55 PM   #383
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware, OpenBSD
Posts: 1,469

Quote:
Originally Posted by mancha
Slackware doesn't build proftpd with mod_copy so the version it ships isn't vulnerable to CVE-2015-3306. It seems Slackware current patched its proftpd anyways though given the build configuration it wasn't necessary.

Recommendation: Nothing needed unless you've built a customized copy of proftpd with mod_copy support.
I will check the source directory of my mirror first for build criteria from now on to see how packages are built. Thanks for the insight.
 
Old 06-11-2015, 12:40 PM   #384
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Update 20150611

  1. OpenSSL

    OpenSSL today released a security advisory with details on 5 new vulnerabilities (4 moderate, 1 low) and a Logjam hardening measure.

    Recommendation (struck through by the author): Upgrade to OpenSSL 1.0.1n (sig) and/or OpenSSL 0.9.8zg (sig), as applicable.

    New Recommendation: I've been made aware there might be ABI breakage from OpenSSL 1.0.1m -> OpenSSL 1.0.1n. Postponing upgrades until that is sorted out is probably prudent.


  2. libwmf

    ReadBMPImage in libwmf is vulnerable to an overflow that can be exploited using crafted input to cause a DoS or potentially execute arbitrary code. (CVE-2015-0848)

    To test:

    Code:
    $ wmf2svg --wmf-fontdir=/tmp/seggyfault bmpoverflow.wmf

    Recommendation: Apply libwmf-0.2.8.4_CVE-2015-0848.diff and rebuild.


  3. Ruby

    Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames. (CVE-2015-1855)

    Recommendation: 14.1 users apply ruby-1.9.3-p484_CVE-2015-1855.diff; current users apply ruby-1.9.3-p551_CVE-2015-1855.diff.

--mancha

"Rumor has it, Fidentinus, that you recite my little books to the crowd as though they were your own."
--Martial, Epigrammata

Last edited by mancha; 06-11-2015 at 09:30 PM. Reason: Mention ABI issue
 
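The overly permissive hostname matching behind the Ruby item above is easiest to see next to a strict matcher. This is an added example, not code from Ruby's OpenSSL extension: it contrasts a glob-style match, where '*' matches anything including dots and may sit in any label, with one following the RFC 6125 section 6.4.3 wildcard rules, run over constructed pattern/hostname pairs; the function names are mine.

```python
# Added example (not Ruby's OpenSSL extension code): permissive glob-style
# certificate hostname matching beside a strict RFC 6125 style matcher.
import re

def permissive_match(pattern: str, hostname: str) -> bool:
    """Glob-style: '*' matches any run of characters, dots included,
    anywhere in the name. This is the behaviour that over-matches."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, hostname, re.IGNORECASE) is not None

def strict_match(pattern: str, hostname: str) -> bool:
    """'*' only as the whole leftmost label, exactly one of them, covering a
    single non-empty label that is not an IDN A-label, and at least two fixed
    labels to the right (so '*.com' never matches)."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return pat == host                       # plain names: exact match only
    if pattern.count("*") != 1 or pat[0] != "*" or len(pat) < 3:
        return False
    if len(host) != len(pat) or not host[0] or host[0].startswith("xn--"):
        return False
    return host[1:] == pat[1:]

CASES = [  # constructed (certificate pattern, hostname presented) pairs
    ("*.example.com", "www.example.com"),      # the one legitimate wildcard case
    ("*.example.com", "a.b.example.com"),      # wildcard must not span labels
    ("*.example.com", "example.com"),          # wildcard must cover one label
    ("www.*.com", "www.evil.com"),             # wildcard only in leftmost label
    ("*.com", "example.com"),                  # too few fixed labels
    ("*.example.com", "xn--n3h.example.com"),  # no wildcard over IDN labels
]

def compare() -> list:
    """Rows of (pattern, hostname, permissive result, strict result)."""
    return [(p, h, permissive_match(p, h), strict_match(p, h)) for p, h in CASES]

if __name__ == "__main__":
    for p, h, loose, strict in compare():
        print(f"{p:16} {h:22} permissive={loose!s:5} strict={strict}")
```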
Old 06-12-2015, 11:56 AM   #385
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Update 20150612

  1. OpenSSL

    OpenSSL released new versions (1.0.1o & 1.0.2c) to address the HMAC_CTX ABI breakage I allude to in the previous post.

    Recommendation: Upgrade to OpenSSL 1.0.1o (sig) and/or OpenSSL 0.9.8zg (sig), as applicable.
--mancha

Last edited by mancha; 06-12-2015 at 12:06 PM.
 
Old 06-12-2015, 05:58 PM   #386
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware
Posts: 896

Quote:
Originally Posted by mancha
Update 20150612

  1. OpenSSL

    OpenSSL released new versions (1.0.1o & 1.0.2c) to address the HMAC_CTX ABI breakage I allude to in the previous post.

    Recommendation: Upgrade to OpenSSL 1.0.1o (sig) and/or OpenSSL 0.9.8zg (sig), as applicable.
--mancha
Fixed according to the latest ChangeLog for -current:
"Fri Jun 12 17:58:45 UTC 2015
a/openssl-solibs-1.0.1o-x86_64-1.txz: Upgraded.
n/openssl-1.0.1o-x86_64-1.txz: Upgraded.
New release to resolve 1.0.1n HMAC ABI incompatibility."
 
1 members found this post helpful.
Old 06-25-2015, 02:04 PM   #387
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Update 20150625
  1. Python(*)

    Python 2.7.5, as shipped by Slackware 14.1, is vulnerable to potential exploitation of numerous security issues (e.g. see posts #78 and #249).

    In addition, Python 2.7.9 fixes DoS issues in smtplib, poplib and XMLRPC (CVE-2013-1752, CVE-2013-1753) and introduces hardening features (i.e. disabling SSLv3 in httplib and enabling HTTPS certificate validation by default). Python 2.7.10 fixes a potential buffer overflow in PyUnicode_FromFormatV.

    Recommendation: Slackware 14.1 & current users should upgrade to Python 2.7.10.
--mancha

(*)Though non-venomous, it's capable of deadly constriction
 
1 members found this post helpful.
Old 06-26-2015, 11:28 AM   #388
1337_powerslacker
Member
 
Registered: Nov 2009
Distribution: Slackware64-current,Ubuntu,openSuSE,Manjaro
Posts: 823
Blog Entries: 9

Attempting to build the latest Python, 2.7.10, using the -current SlackBuild results in the following error:

Code:
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -uar Python-2.7.2.orig/setup.py Python-2.7.2/setup.py
|--- Python-2.7.2.orig/setup.py 2011-06-11 18:46:28.000000000 +0300
|+++ Python-2.7.2/setup.py      2011-06-13 12:29:32.241106466 +0300
--------------------------
patching file setup.py
Using Plan A...
Hunk #1 FAILED at 369.
Hunk #2 succeeded at 762 (offset 85 lines).
Hunk #3 succeeded at 801 (offset 86 lines).
1 out of 3 hunks FAILED -- saving rejects to file setup.py.rej
done
When I disabled the x86_64 patch, the package built without errors; however, the stated purpose is to place the files in /usr/lib64 instead of /usr/lib, and so this solution, at least to me, is unacceptable. Is there anyone who can provide an updated version of python.x86_64.diff.gz to successfully patch against 2.7.10? Thanks.
 
Old 06-26-2015, 12:08 PM   #389
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Quote:
Originally Posted by mattallmill
Is there anyone who can provide an updated version of python.x86_64.diff.gz to successfully patch against 2.7.10? Thanks.
Hi.

You should be able to use python.x86_64.diff.gz from Slackware-current used to patch 2.7.9. Let me know if that also gives you problems.

--mancha
 
Old 06-26-2015, 02:07 PM   #390
1337_powerslacker
Member
 
Registered: Nov 2009
Distribution: Slackware64-current,Ubuntu,openSuSE,Manjaro
Posts: 823
Blog Entries: 9

Quote:
Originally Posted by mancha
Hi.

You should be able to use python.x86_64.diff.gz from Slackware-current used to patch 2.7.9. Let me know if that also gives you problems.

--mancha
Thanks mancha. For some reason, I thought I had the updated patches. I used a script to download all of -current, and I thought, from the date of the updated file, that I had downloaded it after the date. Apparently, I had not. Thanks for the file. It's compiling now.
 
  

