Vulnerability Roundup 21

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.

cc: @nlewo @7c6f434c @bachp @vcunat @peterhoeg @fpletz @Szczyp @NeQuissimus @obadz @joachifm @shlevy.

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.

Notes on the list

1. The reports have been roughly grouped by the package name. This
   isn't perfect, but is intended to help identify if a whole group
   of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple
   packages. For example, there are sometimes problems that impact
   thunderbird, and firefox. LWN might report in one vulnerability
   "thunderbird firefox". These names have been split to make sure
   both packages get addressed.
3. By each issue is a link to code search for the package name, and
   a Github search by filename. These are to help, but may not return
   results when we do in fact package the software. If a search
   doesn't turn up, please try altering the search criteria or
   looking in nixpkgs manually before asserting we don't have it.
4. This issue is created by https://github.com/NixOS/security

Instructions:

1. Triage a report: If we don't have the software or our version isn't
   vulnerable, tick the box or add a comment with the report number,
   stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable,
   either leave a comment on this issue saying so, even open a pull
   request with the fix. If you open a PR, make sure to tag this
   issue so we can coordinate.
3. When an entire section is completed, move the section to the
   "Triaged and Resolved Issues" details block below.

Upon Completion ...

• Run the issue through reformat one last time
• Review commits since last roundup for backport candidates
• Send an update e-mail to nix-security-announce@googlegroups.com
• Update the database at https://github.com/NixOS/security

Without further ado...

Assorted (27 issues)

• #713779 (search, files) epiphany: multiple vulnerabilities
• #713883 (search, files) irssi-otr: information leak
• #713270 (search, files) libgd2: two vulnerabilities
• #713272 (search, files) libplist: two vulnerabilities
• #713565 (search, files) mupdf: three vulnerabilities
• #713426 (search, files) bzrtp: man-in-the-middle vulnerability
• #713420 (search, files) ntfs-3g: privilege escalation
• #665254 (search, files) openldap: unintended cipher usage
• #713274 (search, files) openssh: denial of service
• #713569 (search, files) phpmyadmin: multiple vulnerabilities
• #713269 (search, files) salt: two vulnerabilities
• #713771 (search, files) spice: two vulnerabilities
• #713563 (search, files) svgsalamander: server-side request forgery
• #713564 (search, files) wavpack: multiple vulnerabilities
• #713772 (search, files) gst-plugins-bad: two vulnerabilities
• #713773 (search, files) gst-plugins-base-libs: multiple vulnerabilities
• #713774 (search, files) gst-plugins-good: multiple vulnerabilities
• #713775 (search, files) gst-plugins-ugly: two vulnerabilities
• #713776 (search, files) gstreamer: denial of service
• #713782 (search, files) iio-sensor-proxy: unspecified
• #713428 (search, files) iucode-tool: code execution
• #713423 (search, files) jasper: code execution
• #713424 (search, files) moodle: multiple vulnerabilities
• #713785 (search, files) php: multiple vulnerabilities
• #713409 (search, files) rabbitmq-server: denial of service
• #713425 (search, files) wireshark: two denial of service flaws
• #713271 (search, files) wordpress: multiple vulnerabilities

GraphicsMagick (2 issues)

• #713787 (search, files) GraphicsMagick: multiple vulnerabilities
• #713786 (search, files) GraphicsMagick: multiple vulnerabilities

kernel (3 issues)

• #713884 (search, files) kernel: information leak
• #713881 (search, files) kernel: denial of service
• #713570 (search, files) kernel: two vulnerabilities

libtiff (2 issues)

• #713880 (search, files) tiff: can't write files
• #713268 (search, files) libtiff: information leak

rtmpdump (2 issues)

• #713784 (search, files) rtmpdump: multiple vulnerabilities
• #670061 (search, files) rtmpdump: code execution

[peterhoeg]

wordpress in master is already on 4.7.2 - only earlier versions are affected.

Also ok on 16.09

[peterhoeg]

iio-sensor-proxy is not packaged yet. I have a branch with the software and a nixos module, but it's not merged.

[grahamc]

Thank you! I ticked them off. Remember 17.03's branch-off is coming up, if you want to get that in to stable :)

[grahamc]

I'm plodding through the gstreamer updates :)

[grahamc]

gstreamer fixed in afd5981 and 504d394.

[grahamc]

w00t we had already patched jasper.

[grahamc]

deleted moodle in 7db1f72

[NeQuissimus]

Kernels are good

[peterhoeg]

wireshark is already on version 2.2.4 which fixes to the 2 vulnerabilities.

Also ok on 16.09

[peterhoeg]

Currently building the derivations depending on wavpack, so don't waste your time on this.

wavpack is good with #22555

[peterhoeg]

tiff is just a regular bug, not a vulnerability.
libtiff is not vulnerable (we are never).

Also ok on 16.09

[peterhoeg]

php is ok in master and 16.09

[peterhoeg]

mupdf is ok in master but not OK in 16.09. I'll handle this.

[grahamc]

@peterhoeg can you verify against stable (16.09) as well?

[peterhoeg]

can you verify against stable (16.09) as well?

@grahamc - only mupdf is not ok (of the ones I looked at).

[peterhoeg]

uicode-tool - we don't have it.

[peterhoeg]

The fixes have been backported (not to nixpkgs), but don't we consider pdf readers (and especially those that can run javascript) critical like browsers, so they need the latest version?

[nlewo]

Our RabbitMQ version is impacted while it is not the case for the latest one. I upgrade our rabbitmq version in #22573.

[grahamc]

@peterhoeg For now, I'd rather apply the backported patches to 16.09 for mupdf, especially if they're being so kind as to backport patches for us :)

[grahamc]

@codyopel, @viric, @spwhitt, @rbvermaa, would any of you like to update rtmpdump? Otherwise I'll probably mark it broken due to https://lwn.net/Vulnerabilities/713784/

[peterhoeg]

@grahamc, we have another issue. webkitgtk24x is badly outdated with lots of vulnerabilities and yet is still in use by a number of packages:
https://search.nix.gsc.io/?q=webkitgtk24x&i=fosho&files=&repos=

Here are details:
https://blogs.gnome.org/mcatanzaro/2017/02/08/an-update-on-webkit-security-updates/

Specifically:

but this old version of WebKit is affected by over 200 known vulnerabilities and really has to go sooner rather than later

For emacs, if we simply only build the proper gtk UI, we should be fine and get rid of xwidgets.

I don't know about the others though.

[vcunat]

webkitgtk24x: we still have #18312 open for outdated webkit. For the liferea case: upstream now has a new -rc2 version that does build against newer libwebkit, but it didn't work well for me.

[7c6f434c]

Ah, rtmpdump is an easy bump. Done

[7c6f434c]

irssi_otr fix is upstream, we have the correct version already.

[fpletz]

libgd2 (gd) was already fixed.

[fpletz]

The graphicsmagick CVEs are weird. They seem to rather apply to imagemagick. As OpenSUSE is generally lagging behind on security updates a bit compared to other distros and graphicsmagick has a revamped codebase, I don't think all those issues also apply to graphicsmagick and OpenSUSE made some kind of error here. In the Debian security tracker those CVEs were assigned to imagemagick and not to graphicsmagick.

[fpletz]

epiphany was fixed on master. The only relevant issue (https://bugzilla.gnome.org/show_bug.cgi?id=752738) seems to be present in 3.22.x only according to the bugtracker while we have 3.20 on 16.03. No CVE was assigned yet.

[grahamc]

What a treat to wake up to!

@peterhoeg if we drop xwidgets, will that break emacs on darwin? ( @LnL7, @copumpkin ) After 17.03 releases, we should be in much closer shape to drop 24. I don't know that there is anything we can do about this for now :( maybe either: Debian has patches in this area?

@fpletz:

GraphicsMagick / ImageMagick is always weird. The only way I can tell the difference is via version numbers being very different. I'll try and figure it out, but frequently I just go back and try and find out if we're behind in versions.

epiphany: "Thanks to Hussam for reporting this bug so quickly after it was introduced" seems to suggest it might not, indeed, be present in 3.20.

[LnL7]

Not sure about emacs. I did add wxmac to nixpkgs for erlang, perhaps emacs could also use that?

[joachifm]

It seems unlikely that removing xwidgets would break emacs on darwin. xwidgets is for embedding other windows inside emacs, surely darwin emacs does not rely on that to function?

[grahamc]

You're right, @joachifm -- it is an extra add-on, usually disabled by distributions.

[LnL7]

Yes it's optional, but I don't use emacs so I'm not sure what it's used for. We also have the emacs macport I assume that's what darwin people would prefer to use if they want a graphical version.

[grahamc]

I'm marking libplist as "fixed" for now ,assuming they'll release a new version soon.

[grahamc]

Done: So fast this time :D Thank you all, again!

[vcunat]

Hmm, new glibc claims to fix two CVEs and I can't see any reference to those around nixpkgs, so they might be new.