Vulnerability Roundup 17 #21803

grahamc opened this Issue Jan 11, 2017 · 26 comments

@grahamc
Member
grahamc commented Jan 11, 2017

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.

cc: @7c6f434c @FRidh @fpletz @vcunat.

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CCs: @joepie91, @phanimahesh, @the-kenny,
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify if a whole group
    of reports is resolved already.
  2. Some issues will be duplicated, because they affect multiple
    packages. For example, there are sometimes problems that impact
    thunderbird and firefox. LWN might report them in one vulnerability
    as "thunderbird firefox". These names have been split to make sure
    both packages get addressed.
  3. By each issue is a link to a code search for the package name, and
    a GitHub search by filename. These are there to help, but may not
    return results even when we do in fact package the software. If a
    search doesn't turn anything up, please try altering the search
    criteria or looking in nixpkgs manually before asserting we don't
    have it.
  4. This issue is created by https://github.com/NixOS/security

Instructions:

  1. Triage a report: If we don't have the software or our version isn't
    vulnerable, tick the box or add a comment with the report number,
    stating it isn't vulnerable.
  2. Fix the issue: If we do have the software and it is vulnerable,
    either leave a comment on this issue saying so, or even open a pull
    request with the fix. If you open a PR, make sure to tag this
    issue so we can coordinate.
  3. When an entire section is completed, move the section to the
    "Triaged and Resolved Issues" details block below.

Upon Completion ...

Without further ado...

Assorted (22 issues)

@fpletz
Member
fpletz commented Jan 11, 2017

Already fixed irssi in the last roundup. Borgbackup was also fixed a while ago. 😃

Additionally:

  • docker & runc (CVE-2016-9962)
  • libgit2 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130, CVE-2017-5338, CVE-2017-5339)
  • gnutls (CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337)

Those have already been backported to 16.09.

@grahamc
Member
grahamc commented Jan 11, 2017

Wow, alright! Nice staying ahead of the game :D!

Also:

@grahamc
Member
grahamc commented Jan 11, 2017

I've started a branch which fixes jasper

@grahamc
Member
grahamc commented Jan 11, 2017

Nice work, @fpletz, you fixed the php7 issue a month ago :)

@grahamc
Member
grahamc commented Jan 11, 2017

@ttuegel how can I find changelogs for something like Kopete?

When updating OTR GUI icon properly set OTR instance tag Without configured instance tag libotr library does not encrypt sent messages and moreover it even does not report any error that message was not encrypted.

This should fix a bug when OTR "encrypted" icon is shown in GUI and libotr itself does not want to encrypt messages. It happened when Kopete window with active OTR session was closed and after that again opened.

@grahamc
Member
grahamc commented Jan 11, 2017

@7c6f434c can you check out libvncserver? I'm having issues with it building my update. Latest release from https://github.com/LibVNC/libvncserver/releases

@Mic92
Contributor
Mic92 commented Jan 11, 2017

backported flac from unstable to stable: cd27f9d

@Mic92
Contributor
Mic92 commented Jan 11, 2017

I will just make a regular upgrade on nixpkgs unstable for sway because there is no indication of a concrete security incident.

@grahamc
Member
grahamc commented Jan 11, 2017

Perfect, thank you! I have patches for the nvidia drivers, and I'll start working on openjpeg.

@7c6f434c
Member

@grahamc and for the maximum fun we have alleged patches submitted as a PR.

@7c6f434c
Member

@grahamc I officially fail to understand what is the problem with 0.9.11 update of libvncserver

@grahamc
Member
grahamc commented Jan 11, 2017

I was seeing syntax errors in libvncserver's autoconf which seemed beyond my range of expertise.

@grahamc
Member
grahamc commented Jan 11, 2017

Yeah. These PRs really are maximum fun ... it'd be a different story if they were merged PRs!

@7c6f434c
Member

Obviously these were not real syntax errors but undefined functions. Adding a pkgconfig dependency fixed them nicely.

@grahamc
Member
grahamc commented Jan 11, 2017

Good to know for next time, thank you :)

@grahamc
Member
grahamc commented Jan 11, 2017

We're in good company with the openjpeg2 issues: https://security-tracker.debian.org/tracker/source-package/openjpeg2

@7c6f434c
Member

libtiff: we already have 4.0.7

@7c6f434c
Member

icoutils: bump done

@grahamc
Member
grahamc commented Jan 11, 2017

Hot dog! Is this a record? Pretty well finished! I think we're not vulnerable to the Kopete thing, but would like ttuegel to chime in. Openjpeg2... well, I'm hoping Debian provides some patches soon or openjpeg2 decides to merge something. Great great work. I'll plan on closing it out and merging my branch this afternoon.

@ttuegel
Member
ttuegel commented Jan 11, 2017

@grahamc I'm not the Kopete maintainer; I don't know anything about that. I do know that KDE 4 is unmaintained upstream for years, so I would guess we are almost certainly vulnerable.

@grahamc
Member
grahamc commented Jan 11, 2017

There isn't a standard place to find KDE changelogs?

@Mic92
Contributor
Mic92 commented Jan 11, 2017

@LnL7
Contributor
LnL7 commented Jan 11, 2017

/participate

@bachp
Contributor
bachp commented Jan 16, 2017

/participate

@7c6f434c
Member

Interesting, that IRC-style and HTML-style interpretations of /participate are both believable — and directly opposite. I know, I know IRC-style is the correct one.