Vulnerability Roundup 18

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.

cc: @fpletz @FRidh @Mic92 @7c6f434c @LnL7 @bachp .

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @joepie91, @phanimahesh, @the-kenny,
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.

Notes on the list

1. The reports have been roughly grouped by the package name. This
   isn't perfect, but is intended to help identify if a whole group
   of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple
   packages. For example, there are sometimes problems that impact
   thunderbird, and firefox. LWN might report in one vulnerability
   "thunderbird firefox". These names have been split to make sure
   both packages get addressed.
3. By each issue is a link to code search for the package name, and
   a Github search by filename. These are to help, but may not return
   results when we do in fact package the software. If a search
   doesn't turn up, please try altering the search criteria or
   looking in nixpkgs manually before asserting we don't have it.
4. This issue is created by https://github.com/NixOS/security

Instructions:

1. Triage a report: If we don't have the software or our version isn't
   vulnerable, tick the box or add a comment with the report number,
   stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable,
   either leave a comment on this issue saying so, even open a pull
   request with the fix. If you open a PR, make sure to tag this
   issue so we can coordinate.
3. When an entire section is completed, move the section to the
   "Triaged and Resolved Issues" details block below.

Upon Completion ...

• Run the issue through reformat one last time
• Review commits since last roundup for backport candidates
• Send an update e-mail to nix-security-announce@googlegroups.com
• Update the database at https://github.com/NixOS/security

Without further ado...

Assorted (32 issues)

• #711581 (search, files) ark: code execution
• #711782 (search, files) qemu: multiple vulnerabilities
• #645632 (search, files) fuse: privilege escalation
• #711858 (search, files) icinga: cross-site scripting
• #711775 (search, files) icoutils: three vulnerabilities
• #711459 (search, files) python-psaml2: XML external entity attacks
• #711583 (search, files) rabbitmq-server: authentication bypass
• #711774 (search, files) wordpress: multiple vulnerabilities
• #711780 (search, files) apache: denial of service
• #711463 (search, files) bind: denial of service
• #711457 (search, files) bind: three denial of service flaws
• #652803 (search, files) freeradius: insufficient certificate verification
• #710286 (search, files) openjpeg2: multiple vulnerabilities
• #711464 (search, files) gnutls: multiple vulnerabilities
• #711458 (search, files) ikiwiki: three vulnerabilities
• #711329 (search, files) kernel: denial of service
• #711777 (search, files) tiff: three vulnerabilities
• #598449 (search, files) miniupnpc: denial of service
• #711779 (search, files) onionshare: file injection
• #711776 (search, files) pdns: multiple vulnerabilities
• #711461 (search, files) qpid-java: information disclosure
• #711462 (search, files) springframework-security: security constraint bypass
• #711330 (search, files) webkit2gtk: multiple vulnerabilities
• #711856 (search, files) SimGear: file overwrites
• #711582 (search, files) docker: privilege escalation
• #711781 (search, files) irssi: out of bounds read
• #711586 (search, files) libgit2: multiple vulnerabilities
• #711778 (search, files) libx11: denial of service
• #711324 (search, files) phpBB: two vulnerabilities
• #711325 (search, files) phpmyadmin: two vulnerabilities
• #657322 (search, files) vzctl: insecure ploop-based containers
• #711587 (search, files) webmin: largely unspecified

pgbouncer (2 issues)

• #711323 (search, files) pgbouncer: authentication bypass
• #645925 (search, files) pgbouncer: denial of service

[vcunat]

Our libX11 is not vulnerable. According to the Debian commit the problem was introduced after 1.6.4 release as an incorrect attempt to fix a memory leak. So, our version may only leak memory. I'd personally wait for a release for this one.

[the-kenny]

Our simgear doesn't seem to be vulnerable either: The Fedora alert is about 2016.3.1 and we're on 2016.4.3.

I'll push an update to 2016.4.4 in a few hours.

[7c6f434c]

libgit2: we have a fresh enough version

[globin]

libupnp: 3be6e9f (not related to this roundup)

[NeQuissimus]

We have Docker 1.12.6, which closes the vulnerability mentioned

[vcunat]

gnutls: their advisories possibly imply that 3.4 branch is no longer maintained at this point, though I see no explicit saying of that. In any case, master and 16.09 have 3.4 as the default which was last updated on Dec 08 upstream.

[bachp]

Does someone have an idea how to handle the ark issues? Do we need to update all of KDE?

[bachp]

Actually I think the ark issue is already fixed in 7d01fff

[grahamc]

Thanks for the research and looking y'all did today. I wasn't able to do very much due to working on secret side projects, but am carving out some time now.

[grahamc]

• Ikiwiki needs patching to 3.20170111 with backport

[7c6f434c]

ikiwiki: done

[vcunat]

libtiff: took all patches from Debian, on both active branches.

[grahamc]

pdns: fixed in 1fe5134 (for notes later)

[grahamc]

Bind addressed in 2fd0a9f and 7b34209 (thank you, @peti)

[grahamc]

@bachp I suspect we need to fix ark on 16.09. Can you check in to that?

[7c6f434c]

php security update ported to stable, except the php71 part which is not relevant there.

[nlewo]

#22001 fixes all qemu CVEs mentionned above excepted CVE-2016-9908 because vulnerable code is not present in our qemu version.

We should definitely upgrade our qemu version as initiated by @7c6f434c with the 2.8 version.

[7c6f434c]

@nlewo thanks

@grahamc I cherry-picked to stable, but I used the merge commit; not sure if I should have picked one-by-one

Re: qemu_28: NixPkgs-wise it is a no-brainer; NixOS tests need to be re-checked by people actually using NixOS and its tests, I guess.

[grahamc]

Amazing, @nlewo, thank you so much! How did you find the patches?

@7c6f434c Nice! Extremely timely on those, thank you! Usually I pick one by one, but this should be fine :)

I'll see about running tests with qemu_28.

[nlewo]

@7c6f434c There are some tests that are declared in nixos/release.nix but I don't know if the CI executes them. I'm responsible of two of them and I'll try to run them with qemu 2.8.

@grahamc By reading mails associated to the CVE desc on http://cve.mitre.org. I also get some information from https://security-tracker.debian.org (which is really nice).

[grahamc]

@nlewo if you submit a PR changing the default to 2.8, I can easily run the tests.

[bachp]

@grahamc I will try if I can backport the patch. I think it is this one here: KDE/ark@82fdfd2

[grahamc]

Special thank you to @nlewo and @bachp for getting those more annoying ones (IMO...) done, @7c6f434c for merging and cherry-picking commits, @vcunat for finding like a million patches that we were missing on debian ...! @the-kenny for so quickly triaging the flight package, @globin for tagging his libupnp patch despite being in this issue (very useful for making sure it gets in the notices) and @NeQuissimus, and any other anonymous triagers out there!

[fpletz]

@grahamc Last minute fix for libopus: 140d135