Vulnerability Roundup 22 #22826
Comments
calibre is OK in master, but 16.09 is vulnerable. Upstream moves quite quickly so I think it's unlikely that they would provide any backports. Fedora and Mageia handle it by upgrading.
The blank line above is
I just added gtk-vnc to it :)
regd gtk-vnc, master is vulnerable - I'm upgrading now. As for stable, according to upstream, the API is not stable due to being < 1.0. Debian has the same version as us in their "stable", so maybe with a bit of luck somebody will do the hard work.
webkitgtk2 is (naturally) vulnerable both in master and 16.09.
kopete - we don't carry that in the kf5 flavour, only the kde4 version which was just ripped out.
Unfortunately we have not removed KDE4 yet.
graphviz: our version is newer in both master and 16.09. However, we carry an older version for compatibility which is only used by
cc @7c6f434c on marking graphviz_2_0 broken, which will break monotone_viz.
That would be annoying: I still use monotone-viz.
I guess I could make the old graphviz an implementation detail of monotone-viz not exposed on the top-level, though
It looks like Ubuntu ships monotone-viz with a newer graphviz. Maybe they have a patch fixing it. Could you check into that, @7c6f434c?
I've got a patch for gnome-boxes. I can't commit right now, but will push them soon.
The kopete issue is masking many vulnerable clients:
(we may not have all these, but just in case.)
Regd calibre, if we upgrade stable to the version in unstable, it is at least something that has gotten some testing.
That sounds fine, esp. if other distros are backporting these updates.
I cannot see where Ubuntu actually patches the dot format parsing
And I think it is impossible to trigger graphviz vulnerabilities via monotone-viz
I'll consider graphviz fixed.
I guess it is a good idea to hide the vulnerable
Thank you!
I misread the version, updated on master and patched for 16.09 in 538e642
@7c6f434c Can you also mention links to commits or PRs? It'll help people like me to quickly check out how it has been done, without wading through commit logs
It also helps me when I send notes, thank you!
@tavyc can you look into the Quagga update, and whether we can go to 1.2 for unstable (which will become stable in 15 days)?
@vcunat you seem to have some history with libxml2. Can you look into this one?
OK, in ~12 hours; feel free to do it first. Upstream's git and releases are untouched for months, so we'll have to take the patches.
Oh, by the way,
This should solve CVE-2016-5131 and some other bugs, but not what Suse calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497 The bugzilla discussion seems to indicate that the CVE is referenced incorrectly and only shows reproducing when using command-line flags that are considered "unsafe". CVE-2016-9318 also remains unfixed, as I consider their reasoning OK: https://lwn.net/Alerts/714411/ /cc #22826.
Opened a PR that addresses the first kernel cve. Note that for the other cve, the lwn page says
(emphasis mine)
Thank you, @tavyc!
Thank you, @joachifm!
@peterhoeg can you backport calibre?
This should solve CVE-2016-5131 and some other bugs, but not what Suse calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497 The bugzilla discussion seems to indicate that the CVE is referenced incorrectly and only shows reproducing when using command-line flags that are considered "unsafe". CVE-2016-9318 also remains unfixed, as I consider their reasoning OK: https://lwn.net/Alerts/714411/ /cc #22826. (cherry picked from commit 5ad81ab)
Done! Great work, thank you all! This most recent sec-announce email I sent includes a long-overdue component, where I thank everyone who authored and committed changes. Unfortunately this doesn't include other important help: PR reviewers, triagers, commenters, patch hunters, etc... I'll continue trying to make this better. This is truly a group effort, and I could never do these without the fabulous help from fellow community members. I enjoy working with you all.
Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.
cc: @peterhoeg @NeQuissimus @nlewo @vcunat @7c6f434c @LnL7 @fpletz @joachifm .
Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.
Notes on the list
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already.
packages. For example, there are sometimes problems that impact
thunderbird, and firefox. LWN might report in one vulnerability
"thunderbird firefox". These names have been split to make sure
both packages get addressed.
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it.
Instructions:
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable.
either leave a comment on this issue saying so, even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate.
"Triaged and Resolved Issues"
details
block below.
Upon Completion ...
reformat
one last time
Without further ado...
Assorted (23 issues)
#713991 (search, files) calibre: information leak
#714502 (search, files) kernel: two vulnerabilities
#714430 (search, files) libxml2: denial of service
#714504 (search, files) netpbm: three vulnerabilities
#714262 (search, files) quagga: denial of service
#714500 (search, files) tomcat: denial of service
#714500 (search, files) tomcat: denial of service
#714423 (search, files) kdenetwork-kopete: social engineering attacks
#714257 (search, files) mysql: code execution
#714127 (search, files) redis: two vulnerabilities
#714431 (search, files) tigervnc: denial of service
#714124 (search, files) viewvc: cross-site scripting
#714424 (search, files) webkit2gtk: multiple vulnerabilities
#714256 (search, files) bind: denial of service
#714126 (search, files) bitlbee: denial of service
#713992 (search, files) gnome-boxes: password disclosure
#580396 (search, files) graphviz: multiple vulnerabilities
#714260 (search, files) gtk-vnc
#713996 (search, files) irssi: memory leak
#624311 (search, files) lsyncd: command injection
#714263 (search, files) nova-lxd: access restriction bypass
#714505 (search, files) openssl: information disclosure
#714427 (search, files) vim: buffer overflow