Vulnerability Roundup 14

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup

This roundup is different from previous' due to Christmas: http://lists.science.uu.nl/pipermail/nix-dev/2016-December/022367.html

I will update this issue tomorrow and Wednesday with new issues.

cc: @NeQuissimus @bachp @domenkozar @makefu.

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
If you would like to be CC'd on all roundups, leave a comment and
tell @grahamc so.

Permanent CC's: @joepie91, @phanimahesh, @NixOS/security-notifications
(if you no longer want to be CC'd, ask to be removed from this list)

Notes on the list

1. The reports have been roughly grouped by the package name. This
   isn't perfect, but is intended to help identify if a whole group
   of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple
   packages. For example, there are sometimes problems that impact
   thunderbird, and firefox. LWN might report in one vulnerability
   "thunderbird firefox". These names have been split to make sure
   both packages get addressed.
3. By each issue is a link to code search for the package name, and
   a Github search by filename. These are to help, but may not return
   results when we do in fact package the software. If a search
   doesn't turn up, please try altering the search criteria or
   looking in nixpkgs manually before asserting we don't have it.
4. This issue is created by https://github.com/NixOS/security

Instructions:

1. Triage a report: If we don't have the software or our version isn't
   vulnerable, tick the box or add a comment with the report number,
   stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable,
   either leave a comment on this issue saying so, even open a pull
   request with the fix. If you open a PR, make sure to tag this
   issue so we can coordinate.
3. When an entire section is completed, move the section to the
   "Triaged and Resolved Issues" details block below.

Upon Completion ...

• Run the issue through reformat one last time
• Review commits since last roundup for backport candidates
• Send an update e-mail to nix-security-announce@googlegroups.com
• Update the database at https://github.com/NixOS/security

Without further ado...

Assorted (18 issues)

• #709844 (search, files) ceph: denial of service
• #709839 (search, files) gstreamer-plugins-good: denial of service
• #709841 (search, files) flightgear: file overwrites
• #709146 (search, files) python-html5lib: cross-site scripting
• #709843 (search, files) dcmtk: buffer overflows/underflows
• #709842 (search, files) python-bottle: CRLF attacks
• #709847 (search, files) zlib: multiple vulnerabilities
• #709745 (search, files) openjpeg2: two vulnerabilities
• #709743 (search, files) freeipa: two vulnerabilities
• #709664 (search, files) most: command execution
• #709666 (search, files) nagios: two vulnerabilities
• #709742 (search, files) tor: denial of service
• #709363 (search, files) apport: three vulnerabilities
• #709149 (search, files) apt: code execution
• #709669 (search, files) kernel: out of bounds stack read
• #709466 (search, files) libupnp: code execution
• #709661 (search, files) samba: three vulnerabilities
• #709162 (search, files) w3m: multiple vulnerabilities

firefox (3 issues)

• #709468 (search, files) firefox: denial of service
• #709140 (search, files) mozilla: multiple vulnerabilities
• #709141 (search, files) mozilla: multiple vulnerabilities

game-music-emu (2 issues)

• #709663 (search, files) game-music-emu: multiple vulnerabilities
• #709341 (search, files) game-music-emu: code execution

kernel (2 issues)

• #709853 (search, files) kernel: code execution
• #709851 (search, files) kernel: two vulnerabilities

tomcat (2 issues)

• #709662 (search, files) tomcat: two vulnerabilities
• #709342 (search, files) tomcat: denial of service

xen (2 issues)

• #709746 (search, files) xen: information leak
• #709670 (search, files) xen: multiple vulnerabilities

[joachifm]

A fix for #709669 was included in 4.8.14

[phanimahesh]

Commit 86cf682 fixes #709468 firefox: denial of service. Can be marked as done.

[grahamc]

libupnp is actually pupnp and can be found here: http://pupnp.sourceforge.net/ where it says 1.6.21 is out, but the downloads are all for 1.6.20. If anyone wants to investigate that, please!

[grahamc]

most needs updating to 5.0.0a and application of patches from debian, I think: https://security-tracker.debian.org/tracker/source-package/most

[grahamc]

Looks like Xen needs more patches. Also, our Xen is running out of time. @michalpalka -- you seem to open issues about Xen, would you like to try upgrading Xen?

[michalpalka]

@grahamc My schedule is full for the next 2 days, but will look at it on Friday

[grahamc]

That will be really helpful. Thank you so much, @michalpalka!

[grahamc]

We should quite likely drop samba3.

[grahamc]

../auth/kerberos/kerberos_pac.c: In function 'check_pac_checksum':
../auth/kerberos/kerberos_pac.c:46:7: error: 'CKSUMTYPE_HMAC_SHA1_96_AES_256' undeclared (first use in this function)
  case CKSUMTYPE_HMAC_SHA1_96_AES_256:
       ^
../auth/kerberos/kerberos_pac.c:46:7: note: each undeclared identifier is reported only once for each function it appears in
../auth/kerberos/kerberos_pac.c:52:7: error: 'CKSUMTYPE_HMAC_SHA1_96_AES_128' undeclared (first use in this function)
  case CKSUMTYPE_HMAC_SHA1_96_AES_128:
       ^
Waf: Leaving directory `/tmp/nix-build-samba-4.4.8.drv-0/samba-4.4.8/bin'
Build failed:  -> task failed (err #1): 
	{task: cc kerberos_pac.c -> kerberos_pac_1.o}
make: *** [Makefile:8: all] Error 1

@abbradar, @wkennington any ideas on what is wrong with samba here?

[abbradar]

@grahamc I've tried to update libkrb5 and Cyrus-SASL -- no luck so far. I'll spend more time on this later since this is a security issue but have no idea what happens. I left Samba 4.5.3 to build in the background but this is not an option for the release, isn't it?...

[grahamc]

Thank you for looking, @abbradar. Unfortunately backporting an update to 4.5.x wouldn't be good. I definitely wouldn't mind seeing unstable updated though, especially before 17.03 goes stable ( @michalpalka -- that is when I'd like Xen to be upgraded at the latest, hopefully)

[abbradar]

Samba, libkrb5 and Cyrus-SASL updates are in staging, because Cyrus-SASL is a systemd dependency. We now need to determine how to build new 4.4.* -- I'm on it but with no ideas currently.

[bachp]

I did some investigation on libupnp. There is a 1.6.21 tag available but no tarball.

[grahamc]

@abbradar can you link each of those commits here to make it easier to keep track / ensure they get backported?

[abbradar]

b0a1028 covers Samba in staging. Others don't have a security issue assigned IIUC. I want to avoid having it backported as is now -- instead I'll try to have a maintenance release building.

[abbradar]

16.09 is covered by b2e80a5

[LnL7]

This might work for libupnp #21317.

[grahamc]

Just updated the list with more vulnerabilities.

[grahamc]

I suspect we need to apply patches to xen, see: https://xenbits.xen.org/xsa/advisory-200.html and: an enterprising contributor may go back through old advisories and see if we missed anything :)

[grahamc]

We don't run debian's version of most, so we don't need patches.

[grahamc]

I just push my roundup branch which contains fixes for everything but the html5lib, will merge shortly.

[grahamc]

Merged and backported the branch. Just updated this issue with new vulnerabilities. :)

(this issue is like the gift that keeps giving!)

[grahamc]

@the-kenny can you update flightgear?

[grahamc]

Just pushed patches for zlib to staging, will push to 16.09 shortly.

[grahamc]

@wkennington can you patch ceph? We're pretty old, I might mark it as broken otherwise.

[bachp]

@grahamc The libupnp tarball would be available now: https://sourceforge.net/projects/pupnp/files/

[grahamc]

Thank you, @bachp I already switched to their github mirror since it already had a good tag.

[the-kenny]

Graham Christensen <notifications@github.com> writes:

@the-kenny can you update flightgear?

will do!

[phanimahesh]

Sorry, I couldn't get around to finishing the html5lib update, got busy with work-related issues.
It requires a few dependencies (webencodings, and others I don't recollect) that have to be added to nixpkgs. My schedule for today and tomorrow is chaotic, not sure if I'll be able to clean it up. If anyone can, please comment on the issue and pitch in. I'll get to it as soon as I can make some time for it.

[the-kenny]

Sorry it took so long. Holidays. Just pushed bdc880e to master. I'm not sure if this should be backported to our current stable release as we skipped quite a few major releases. Any other comments on this? Cheers Moritz Moritz Ulrich <moritz@tarn-vedra.de> writes:

…

Graham Christensen ***@***.***> writes: > @the-kenny can you update flightgear? will do!

--

[Mic92]

@the-kenny does neither not look like a critical network-facing service to me nor a serious security issue (I would not expect that malicious Nasal scripts are sent as email attachments any time soon). On the other hand it does not look the typical application, where people would expect the version to be stable all the time. I think both approaches (upgrading or not upgrading) are fine.

[grahamc]

The PR from f3287b0 needs to be backported.

[grahamc]

Also, the html5lib changes would be good to backport.

@FRidh -- thank you for merging that!

@bjornfor -- I agree, I try really hard to test all my changes. Even still, a few mistakes come through. I always feel bad about it.

[FRidh]

@grahamc the new html5lib has quite some extra dependencies. I'll have a look at it.

[bjornfor]

@bjornfor -- I agree, I try really hard to test all my changes. Even still, a few mistakes come through. I always feel bad about it.

It's frustrating when breakage happens, but I do appreciate the work you and everyone else put into keeping NixOS updated and secure :-)

[FRidh]

We now have the latest html5lib in stable as well.

[vcunat]

It seems like openssh has fallen through the cracks. I didn't manage to fully fix it (yet) 661b5a9.

[grahamc]

@vcunat openssh hasn't fallen through the cracks, it hadn't been released yet when this was created. I just checked, it'll appear on next week's.

[vcunat]

Oh, now I see the tarball timestamp is Dec.19; I originally misread it as ~week earlier.

[grahamc]

I'm going to close out what we have and let the remainders come back next run.

[grahamc]

Good work, everyone - thank you all!