LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 07-02-2017, 06:34 AM   #616
K-Wizzz
Perl's `File::Path` has race conditions in `rmtree` and `remove_tree` functions for `$VERSION` < 2.13
(Slackware 14.2's version is 2.09)

CVE:
* https://cve.mitre.org/cgi-bin/cvenam...=CVE-2017-6512
* https://nvd.nist.gov/vuln/detail/CVE-2017-6512

CPAN's RT:
* https://rt.cpan.org/Public/Bug/Display.html?id=121951

Solution: use CPAN's 2.13 version of `File::Path`
 
Old 07-05-2017, 04:33 PM   #617
mats_b_tegner
Quote:
Originally Posted by K-Wizzz
Solution: use CPAN's 2.13 version of `File::Path`
File::Path 2.13 has been superseded by 2.14:
https://metacpan.org/source/JKEENAN/...h-2.14/Changes
 
Old 07-06-2017, 11:34 PM   #618
Thom1b
php-5.6.31

php-5.6.31 is released with many security fixes:

Quote:
Core:
Fixed bug #73807 (Performance problem with processing post request over 2000000 chars).
Fixed bug #74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize).
Fixed bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability).
Fixed bug #74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()).
GD:
Fixed bug #74435 (Buffer over-read into uninitialized memory).
mbstring:
Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229) (Remi, Mamoru TASAKA)
OpenSSL:
Fixed bug #74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()).
PCRE:
Fixed bug #74087 (Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)).
WDDX:
Fixed bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV).
 
2 members found this post helpful.
Old 07-22-2017, 10:23 AM   #619
mats_b_tegner
Kernels 4.4.78 and 4.9.39

These kernels fix the following CVEs:
CVE-2016-6213
CVE-2017-1000370
CVE-2017-1000371
4.4.78
ChangeLog 4.4.78
4.9.39
ChangeLog 4.9.39

Last edited by mats_b_tegner; 07-24-2017 at 09:18 AM. Reason: added CVE
 
3 members found this post helpful.
Old 07-26-2017, 12:44 AM   #620
bormant
https://slackbuilds.org/repository/1...ve-check-tool/
It has no special filter for Slackware packages but can still be useful "as is" for detecting potential CVEs by software name and version.
 
3 members found this post helpful.
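The name-plus-version matching that cve-check-tool does, done with a Slackware-aware package-name parser, as an added example (this is not cve-check-tool's code and not part of Slackware). Slackware package entries in /var/log/packages have the form NAME-VERSION-ARCH-BUILD, so the script splits the name from the right. VULN_RANGES is constructed from version ranges quoted elsewhere in this thread (the curl advisories, libtiff 4.0.8, php 5.6.31) and is illustrative rather than a complete feed; INSTALLED is a constructed sample list.

```python
"""Flag installed Slackware packages inside known-vulnerable version ranges.

Added example: not cve-check-tool's code and not Slackware's own tooling.
VULN_RANGES and INSTALLED are constructed for illustration.
"""
from __future__ import annotations

import os
from typing import NamedTuple, Optional


class Package(NamedTuple):
    name: str
    version: str
    arch: str
    build: str


def parse_package(entry: str) -> Package:
    """Split 'xorg-server-1.18.3-x86_64-3' into its four fields.

    Package names may contain dashes (xorg-server, glibc-zoneinfo) but the
    last three fields never do, so split from the right exactly three times.
    """
    parts = entry.rsplit("-", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a Slackware package name: {entry!r}")
    return Package(*parts)


def version_key(version: str) -> tuple:
    """Comparable key for dotted versions: numeric parts compare as integers
    ('2.09' < '2.13', '7.54.1' < '7.55.0'); non-numeric parts sort after
    numeric ones and compare as strings."""
    key = []
    for part in version.split("."):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(key)


# (package, CVE, first affected version inclusive or None,
#  fixed version exclusive or None). Constructed from ranges quoted in
# this thread; not a complete vulnerability feed.
VULN_RANGES = [
    ("curl", "CVE-2017-1000099", "7.54.1", "7.55.0"),
    ("curl", "CVE-2017-1000100", "7.15.0", "7.55.0"),
    ("curl", "CVE-2017-1000101", "7.34.0", "7.55.0"),
    ("libtiff", "CVE-2016-9273", None, "4.0.8"),
    ("php", "CVE-2017-9224", None, "5.6.31"),
]


def is_affected(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (open ends when None)."""
    v = version_key(version)
    if introduced is not None and v < version_key(introduced):
        return False
    if fixed is not None and v >= version_key(fixed):
        return False
    return True


def check_packages(entries, ranges=VULN_RANGES) -> list[tuple[str, str, str]]:
    """Return sorted (name, version, cve) triples for every matching range."""
    hits = []
    for entry in entries:
        pkg = parse_package(entry)
        for name, cve, introduced, fixed in ranges:
            if pkg.name == name and is_affected(pkg.version, introduced, fixed):
                hits.append((pkg.name, pkg.version, cve))
    return sorted(hits)


def installed_packages(pkgdir: str = "/var/log/packages") -> list[str]:
    """Package entries on a real Slackware host (one file name per package)."""
    return sorted(os.listdir(pkgdir))


# Constructed sample of what /var/log/packages might list on a 14.2 host.
INSTALLED = [
    "curl-7.54.1-x86_64-1",
    "glibc-zoneinfo-2017b-noarch-1",
    "libtiff-4.0.7-x86_64-1",
    "php-5.6.31-x86_64-1",
    "xorg-server-1.18.3-x86_64-3",
]

if __name__ == "__main__":
    # Replace INSTALLED with installed_packages() on a real Slackware box.
    for name, version, cve in check_packages(INSTALLED):
        print(f"{name}-{version}: {cve}")
```

On the constructed sample this reports curl 7.54.1 against all three curl CVEs and libtiff 4.0.7 against CVE-2016-9273, while php 5.6.31 is clean because the fixed version is exclusive. Version comparison is purely lexical by component, so it knows nothing about backported fixes: a distribution that patches a CVE without bumping the version will still be flagged, which is exactly the limitation bormant's "as is" caveat refers to.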
Old 08-09-2017, 01:29 AM   #621
Thom1b
curl-7.55.0

curl-7.55.0 is released with 3 security fixes.

Quote:
VULNERABILITY
-------------

curl supports "globbing" of URLs, in which a user can pass a numerical range
to have the tool iterate over those numbers to do a sequence of transfers.

In the globbing function that parses the numerical range, there was an
omission that made curl read a byte beyond the end of the URL if given a
carefully crafted, or just wrongly written, URL. The URL is stored in a heap
based buffer, so it could then be made to wrongly read something else instead
of crashing.

An example of a URL that triggers the flaw would be
`http://ur%20[0-60000000000000000000`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw only affects the curl command line tool, not the libcurl
library. The bug was introduced in commit
[5ca96cb84410270](https://github.com/curl/curl/commit/5ca96cb84410270), August
2013. curl 7.34.0.

For version 7.55.0, the parser properly stops at the end of the string and a
test has been added to verify this.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000101 to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.34.0 to and including 7.54.1
- Not affected versions: curl < 7.34.0 and >= 7.55.1
Quote:
VULNERABILITY
-------------

When doing a TFTP transfer and curl/libcurl is given a URL that contains a
very long file name (longer than about 515 bytes), the file name is truncated
to fit within the buffer boundaries, but the buffer size is still wrongly
updated to use the untruncated length. This too large value is then used in
the `sendto()` call, making curl attempt to send more data than what is
actually put into the buffer. The `sendto()` function will then read beyond
the end of the heap based buffer.

A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to
a crafted TFTP URL (if the client hasn't restricted which protocols it allows
redirects to) and trick it to send private memory contents to a remote server
over UDP. Limit curl's redirect protocols with `--proto-redir` and libcurl's
with `CURLOPT_REDIR_PROTOCOLS`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000100 to this issue.

AFFECTED VERSIONS
-----------------

This bug has been present in curl since TFTP support was added, in September
2005 (commit [56d9624b566](https://github.com/curl/curl/commit/56d9624b566)).

- Affected versions: libcurl 7.15.0 to and including 7.54.1
- Not affected versions: libcurl < 7.15.0 and >= 7.55.0
Quote:
VULNERABILITY
-------------

When asking to get a file from a file:// URL, libcurl provides a feature that
outputs meta-data about the file using HTTP-like headers.

The code doing this would send the wrong buffer to the user (stdout or the
application's provide callback), which could lead to other private data from
the heap to get inadvertently displayed.

The wrong buffer was an uninitialized memory area allocated on the heap and if
it turned out to not contain any zero byte, it would continue and display the
data following that buffer in memory.

We are not aware of any exploit of this flaw.

INFO
----

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000099 to this issue.

AFFECTED VERSIONS
-----------------

This bug was pushed to curl in commit
[7c312f84ea930d8](https://github.com/curl/curl/commit/7c312f84ea930d8), April
2017.

- Affected versions: libcurl 7.54.1
- Not affected versions: libcurl < 7.54.1 and >= 7.55.0
Slackware 14.2 is not affected by the last CVE.
 
3 members found this post helpful.
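The first advisory quoted above describes curl's numeric URL globbing and the missing end-of-string check in its range parser. The following is an added example written for this thread, not curl's own globbing code: a curl-style glob expander (`[1-3]`, `[a-c]`, `[01-10:2]` with zero padding and step, `{a,b}` alternatives) that searches for the closing bracket with `str.find`, which cannot run past the end of the string, and reports an unterminated glob on input like `http://ur%20[0-60000000000000000000` instead of reading beyond it. `MAX_EXPANSIONS` is an assumed cap on generated URLs, not a value taken from curl.

```python
"""Expand curl-style URL globs with the bounds check CVE-2017-1000101 lacked.

Added example, not curl's parser. MAX_EXPANSIONS is an assumed limit.
"""
from __future__ import annotations

import itertools
import re
from typing import Optional

MAX_EXPANSIONS = 10_000  # assumed, illustrative cap on generated URLs

_NUM_RANGE = re.compile(r"^(\d+)-(\d+)(?::(\d+))?$")
_ALPHA_RANGE = re.compile(r"^([A-Za-z])-([A-Za-z])(?::(\d+))?$")


def _expand_bracket(body: str) -> list[str]:
    """Expand the inside of one [...] glob into its list of values."""
    m = _NUM_RANGE.match(body)
    if m:
        lo, hi, step = m.group(1), m.group(2), int(m.group(3) or 1)
        if step <= 0 or int(lo) > int(hi):
            raise ValueError(f"bad numeric range [{body}]")
        # Zero-pad the output when the lower bound is written with leading zeros.
        width = len(lo) if lo.startswith("0") and len(lo) > 1 else 0
        count = (int(hi) - int(lo)) // step + 1
        if count > MAX_EXPANSIONS:
            raise ValueError(f"[{body}] expands to {count} values, cap is {MAX_EXPANSIONS}")
        return [str(n).zfill(width) for n in range(int(lo), int(hi) + 1, step)]
    m = _ALPHA_RANGE.match(body)
    if m:
        lo, hi, step = m.group(1), m.group(2), int(m.group(3) or 1)
        if step <= 0 or ord(lo) > ord(hi):
            raise ValueError(f"bad letter range [{body}]")
        return [chr(c) for c in range(ord(lo), ord(hi) + 1, step)]
    raise ValueError(f"unrecognised glob [{body}]")


def tokenize(url: str) -> list[list[str]]:
    """Split a URL into alternation lists: literal runs become one-element
    lists, [...] and {...} become their expansions. Every opening bracket
    must have its closing one inside the string; the scan never indexes
    past len(url)."""
    parts: list[list[str]] = []
    literal: list[str] = []
    i, n = 0, len(url)
    while i < n:
        ch = url[i]
        if ch == "\\" and i + 1 < n:          # backslash escapes the next char
            literal.append(url[i + 1])
            i += 2
            continue
        if ch in "[{":
            close = "]" if ch == "[" else "}"
            end = url.find(close, i + 1)       # -1 when missing: no over-read
            if end == -1:
                raise ValueError(f"unterminated '{ch}' at offset {i}")
            if literal:
                parts.append(["".join(literal)])
                literal = []
            body = url[i + 1:end]
            parts.append(_expand_bracket(body) if ch == "[" else body.split(","))
            i = end + 1
            continue
        literal.append(ch)
        i += 1
    if literal:
        parts.append(["".join(literal)])
    return parts


def expand(url: str) -> list[str]:
    """All URLs the glob denotes; the rightmost glob varies fastest."""
    parts = tokenize(url)
    total = 1
    for p in parts:
        total *= len(p)
    if total > MAX_EXPANSIONS:
        raise ValueError(f"glob expands to {total} URLs, cap is {MAX_EXPANSIONS}")
    return ["".join(combo) for combo in itertools.product(*parts)]


def expansion_error(url: str) -> Optional[str]:
    """None when the glob is well formed, otherwise the rejection reason."""
    try:
        expand(url)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for u in expand("http://example.com/{img,thumb}/file[01-03].png"):
        print(u)
    print(expansion_error("http://ur%20[0-60000000000000000000"))
```

In C the equivalent omission returns whatever byte follows the heap buffer; in a memory-safe language the same mistake shows up as an IndexError, which is why the parser here is built around a search that stops at the end of the input rather than a loop that assumes a terminator exists. The expansion cap is the other check a practitioner wants: a single `[0-60000000000000000000]` would otherwise be a request to generate an astronomical number of transfers.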
Old 08-11-2017, 07:57 AM   #622
PRNG
New Git maintenance release fixes CVE-2017-1000117.

https://marc.info/?l=git&m=150238802328673&w=2
 
1 members found this post helpful.
Old 08-13-2017, 08:53 PM   #623
USUARIONUEVO
xorg-server in problems :=)

CVE-2017-10971 --> http://www.cvedetails.com/cve/CVE-2017-10971/
CVE-2017-10972 --> http://www.cvedetails.com/cve/CVE-2017-10972/
 
2 members found this post helpful.
Old 09-01-2017, 07:14 AM   #624
Z5T1
CVE-2016-1248 arbitrary code execution in Vim via a specially crafted text file.
CVE-2016-9273 and several vulnerabilities in libtiff that were fixed in libtiff 4.0.8 (Slackware is still on 4.0.7).
CVE-2017-3636, CVE-2017-3641 and CVE-2017-3653 all in MariaDB that allow unauthorized access of information and unauthorized inserts, deletes and updates.
CVE-2016-0634 arbitrary shell command execution as any user in Bash via a specially crafted hostname.
CVE-2017-10663 in the Linux kernel allows for arbitrary code execution in the kernel space when mounting a maliciously crafted F2FS filesystem.
CVE-2017-12424 a buffer overflow vulnerability in shadow that could result in a crash and other unspecified impacts, possible privilege escalation.

I have posted more details on my security mailing list: https://sourceforge.net/p/cucumber-l...inux-security/.
 
3 members found this post helpful.
Old 09-01-2017, 11:40 AM   #625
allend
Hi Scott,
Thanks for the input!
Welcome to the dilemmas of a distro maintainer, trying to balance the demands of security against the need for intrusive updates.
My comments:
CVE-2016-1248 - Requires upstream support and has been adopted in -current. (vim is a PITA)
CVE-2016-9273 - Has been adopted in -current.
CVE-2017-3636, CVE-2017-3641 and CVE-2017-3653 - Requires upstream support and has 10.2.8 in -current.
CVE-2016-0634 - "The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine." If you cannot trust remote authenticated users, then why are they trusted?
CVE-2017-10663 - In Slackware, root controls mounts.
CVE-2017-12424 - Seems like a fix is in the pipeline. https://bugs.debian.org/cgi-bin/bugr...cgi?bug=756630
 
3 members found this post helpful.
Old 09-01-2017, 01:32 PM   #626
Z5T1
Hi allend,

I completely understand the difficulty of balancing security updates with being unintrusive to the end users' systems. This is something I have struggled with as well. I just have a couple of thoughts on your comments:

CVE-2016-1248 - There has been a patch released upstream for this: patch 8.0.0056. It can easily be applied to vim 7.4 without causing any disruption (this is what I did on Cucumber Linux).
CVE-2016-9273 - Why not backport it to 14.2 as well then? This is what happened when libtiff 4.0.7 was released.
CVE-2017-3636, CVE-2017-3641 and CVE-2017-3653 - MariaDB 10.0.32 has been released upstream and fixes these problems.
CVE-2016-0634 - I agree; in the real world this vulnerability should be very difficult to exploit. However, if the hostname is ever set via DHCP, this becomes much more exploitable. I know this doesn't usually happen, but I've always thought better safe than sorry when it comes to security.
CVE-2017-10663 - Consider the following scenario: I have a micro SD card in my phone formatted with F2FS. I want to transfer some files off it, so I put it in my laptop and mount the filesystem. Now say my phone was infected with malware and the SD card's filesystem was maliciously altered. Now that malware just managed to execute code in the kernel space on my laptop.
CVE-2017-12424 - There is a patch (commit 954e3d2e7113e9ac06632aee3c69b8d818cc8952) that fixes this. Since CVSS ranked this vulnerability as critical (a 9.8/10 severity, which is extraordinarily high), I applied the patch immediately on shadow 4.2.1 and it didn't cause any issues.
 
Old 09-01-2017, 02:09 PM   #627
55020
Quote:
Originally Posted by Z5T1 View Post
Since CVSS ranked this vulnerability as critical (a 9.8/10 severity, which is extraordinarily high)
Well, for starters, it's actually 6.0..

I'm having a hard time imagining how someone on stock Slackware who isn't root could go anywhere with this one.
 
2 members found this post helpful.
Old 09-01-2017, 02:23 PM   #628
Z5T1
Quote:
Originally Posted by 55020 View Post
Well, for starters, it's actually 6.0..

I'm having a hard time imagining how someone on stock Slackware who isn't root could go anywhere with this one.
It's listed as 9.8 on nist.gov (https://nvd.nist.gov/vuln/detail/CVE-2017-12424). Sorry, I don't always have time to check all the other databases. Also from the nist.gov entry: "This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts."
 
Old 09-01-2017, 02:26 PM   #629
55020
Quote:
Originally Posted by Z5T1 View Post
certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts."
... none of which are shipped in Slackware, and all of which are a lousy idea, particularly if they don't sanitize their inputs. I don't see why Patrick shouldn't have an extra hour in bed tomorrow.
 
6 members found this post helpful.
Old 09-01-2017, 04:49 PM   #630
TracyTiger
Quote:
Originally Posted by allend View Post
My comments:
...
CVE-2017-10663 - In Slackware, root controls mounts.
Quote:
CVE-2017-10663: The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel before 4.12.4 does not validate the blkoff and segno arrays, which allows local users to gain privileges via unspecified vectors.
Thanks to both Scott and allend for raising and replying to these items.

@allend - Is Slackware 14.2 protected from this vulnerability if /etc/fstab options include "user" or "users"? I ask because on several systems I use this fstab configuration in a limited way for convenience of mounting storage devices as a local user. I understand that this vulnerability applies only to one file system.

Perhaps one can argue that the use of user/users in fstab invites weak security or that since root controls /etc/fstab that therefore "root controls mounts".

Up to this point I've not been concerned about the use of fstab options user/users and depended upon the associated implied options of noexec, nosuid, & nodev when using user/users options. But perhaps I've misunderstood the security characteristics of user/users options.

This is a genuine question (in bold above) not a comment.

Last edited by TracyTiger; 09-01-2017 at 04:53 PM. Reason: Added Paragraph Break
 
1 members found this post helpful.
  

