
Vulnerability Roundup 22 #22826

Closed
27 tasks done
grahamc opened this issue Feb 15, 2017 · 40 comments

Comments

@grahamc (Member) commented Feb 15, 2017

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.

cc: @peterhoeg @NeQuissimus @nlewo @vcunat @7c6f434c @LnL7 @fpletz @joachifm .

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify if a whole group
    of reports is resolved already.
  2. Some issues will be duplicated, because they affect multiple
    packages. For example, there are sometimes problems that impact
    thunderbird and firefox. LWN might report in one vulnerability
    "thunderbird firefox". These names have been split to make sure
    both packages get addressed.
  3. By each issue is a link to code search for the package name, and
    a GitHub search by filename. These are to help, but may not return
    results when we do in fact package the software. If a search
    doesn't turn anything up, please try altering the search criteria or
    looking in nixpkgs manually before asserting we don't have it.
  4. This issue is created by https://github.com/NixOS/security

Instructions:

  1. Triage a report: If we don't have the software or our version isn't
    vulnerable, tick the box or add a comment with the report number,
    stating it isn't vulnerable.
  2. Fix the issue: If we do have the software and it is vulnerable,
    either leave a comment on this issue saying so, or even open a pull
    request with the fix. If you open a PR, make sure to tag this
    issue so we can coordinate.
  3. When an entire section is completed, move the section to the
    "Triaged and Resolved Issues" details block below.

Upon Completion ...

Without further ado...

Assorted (23 issues)

@peterhoeg
Copy link
Member

@peterhoeg peterhoeg commented Feb 15, 2017

calibre is OK in master, but 16.09 is vulnerable. Upstream moves quite quickly so I think it's unlikely that they would provide any backports. Fedora and Mageia handle it by upgrading.

@peterhoeg (Member) commented Feb 15, 2017

The blank line above is gtk-vnc, just FYI.

@grahamc (Member, Author) commented Feb 15, 2017

I just added gtk-vnc to it :)

@peterhoeg (Member) commented Feb 15, 2017

Regarding gtk-vnc, master is vulnerable; I'm upgrading now. As for stable, according to upstream, the API is not stable due to being < 1.0. Debian has the same version as us in their "stable", so maybe with a bit of luck somebody will do the hard work.

@peterhoeg (Member) commented Feb 15, 2017

webkitgtk2 is (naturally) vulnerable both in master and 16.09.

@grahamc grahamc mentioned this issue Feb 15, 2017 (7 tasks)

@peterhoeg (Member) commented Feb 15, 2017

kopete: we don't carry that in the kf5 flavour, only the kde4 version, which was just ripped out.

@grahamc (Member, Author) commented Feb 15, 2017

Unfortunately we have not removed KDE4 yet.

@peterhoeg (Member) commented Feb 15, 2017

graphviz: our version is newer in both master and 16.09. However, we carry an older version for compatibility which is only used by monotone-viz which had its most recent release in 2009. I suggest we simply mark graphviz_2_0 as broken.

@grahamc (Member, Author) commented Feb 15, 2017

cc @7c6f434c on marking graphviz_2_0 broken, which will break monotone_viz.

@7c6f434c (Member) commented Feb 15, 2017

That would be annoying: I still use monotone-viz.

@7c6f434c (Member) commented Feb 15, 2017

I guess I could make the old graphviz an implementation detail of monotone-viz, not exposed on the top-level, though.

@grahamc (Member, Author) commented Feb 15, 2017

It looks like Ubuntu ships monotone-viz with a newer graphviz. Maybe they have a patch fixing it. Could you check into that, @7c6f434c?

@grahamc (Member, Author) commented Feb 15, 2017

I've got a patch for gnome-boxes. I can't commit right now, but will push them soon.

@grahamc (Member, Author) commented Feb 15, 2017

The kopete issue is masking many vulnerable clients:

  • CVE-2017-5589: yaxim and Bruno (0.8.6 - 0.8.8; Android)
  • CVE-2017-5590: ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all
    versions up to 1.0.11; only iOS)
  • CVE-2017-5591: poezio (0.8 - 0.10)
  • CVE-2017-5592: profanity (0.4.7 - 0.5.0)
  • CVE-2017-5593: Psi+ (0.16.563.580 - 0.16.571.627)
  • CVE-2017-5602: jappix (1.0.0 to 1.1.6)
  • CVE-2017-5603: Jitsi (2.5.5061 - 2.9.5544)
  • CVE-2017-5604: mcabber (1.0.0 - 1.0.4)
  • CVE-2017-5605: Movim (0.8 - 0.10)
  • CVE-2017-5606: Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP,
    beta 1.0.3 - 1.0.74; Android)
  • CVE-2017-5858: Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4)

(we may not have all these, but just in case.)
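Checking a packaged version against range text written like the list above is the mechanical half of triage step 1 ("our version isn't vulnerable"). The block below is an added example, not NixOS/security tooling and not code posted in this thread: it parses the range strings as quoted in the comment and reports which products from a constructed set of packaged versions still fall inside them. The `PACKAGED` versions are made-up sample values, the product keys and all function names are my own, and anything real nixpkgs carries must be checked before ticking a box.

```python
# Added example: version-range triage for the affected-version list above.
# Not NixOS/security tooling. PACKAGED holds constructed sample versions,
# not values taken from nixpkgs; the range strings are copied from the
# CVE list in the comment.
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]  # "2.5.5061" -> (2, 5, 5061)

# Affected products and their version ranges, as worded in the comment.
AFFECTED: Dict[str, Tuple[str, str]] = {
    "poezio": ("CVE-2017-5591", "0.8 - 0.10"),
    "profanity": ("CVE-2017-5592", "0.4.7 - 0.5.0"),
    "jappix": ("CVE-2017-5602", "1.0.0 to 1.1.6"),
    "jitsi": ("CVE-2017-5603", "2.5.5061 - 2.9.5544"),
    "mcabber": ("CVE-2017-5604", "1.0.0 - 1.0.4"),
    "zom": ("CVE-2017-5590", "all versions up to 1.0.11"),
    "xabber": ("CVE-2017-5606",
               "only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74"),
    "converse.js": ("CVE-2017-5858", "0.8.0 - 1.0.6, 2.0.0 - 2.0.4"),
}

# Constructed sample of what a package set might carry (NOT real nixpkgs data).
PACKAGED: Dict[str, str] = {
    "poezio": "0.10",
    "profanity": "0.5.1",
    "mcabber": "1.0.4",
    "jitsi": "2.10.5550",
    "converse.js": "2.0.3",
}


def parse_version(text: str) -> Version:
    """Reduce a version string to a tuple of its numeric components.
    Assumption: tags such as 'VIP' or 'beta' carry no ordering information."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_ranges(spec: str) -> List[Tuple[Optional[Version], Version]]:
    """Turn a range description into inclusive (low, high) bounds.
    Understands 'A - B', 'A to B', 'up to B' (open lower bound, low=None)
    and a bare version 'A'. A comma separates alternative ranges."""
    bounds: List[Tuple[Optional[Version], Version]] = []
    for part in spec.split(","):
        if m := re.search(r"up to (\d[\d.]*)", part):
            bounds.append((None, parse_version(m.group(1))))
        elif m := re.search(r"(\d[\d.]*)\s*(?:-|to)\s*(\d[\d.]*)", part):
            bounds.append((parse_version(m.group(1)), parse_version(m.group(2))))
        elif m := re.search(r"\d[\d.]*", part):
            single = parse_version(m.group(0))
            bounds.append((single, single))
    return bounds


def is_affected(version: str, spec: str) -> bool:
    """True when `version` lies inside any range described by `spec`."""
    v = parse_version(version)
    return any((low is None or low <= v) and v <= high
               for low, high in parse_ranges(spec))


def triage(packaged: Dict[str, str] = PACKAGED,
           affected: Dict[str, Tuple[str, str]] = AFFECTED) -> Dict[str, Optional[str]]:
    """Map each packaged product to the CVE it is still exposed to, or None
    when its version is outside the affected range. Products not in
    `packaged` are omitted, mirroring step 1 of the roundup instructions."""
    result: Dict[str, Optional[str]] = {}
    for name, (cve, spec) in affected.items():
        if name in packaged:
            result[name] = cve if is_affected(packaged[name], spec) else None
    return result


if __name__ == "__main__":
    for name, cve in triage().items():
        print(f"{name}: {'vulnerable to ' + cve if cve else 'not affected'}")
```

Two limits are worth keeping in mind when using something like this: the tuple ordering ignores pre-release tags (so "beta 1.0.3" is treated as plain 1.0.3), and a condition such as Xabber's "only if manually enabled" is not something the range check can express, so a hit there still needs a look at how the package is built before it is called vulnerable.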

@peterhoeg (Member) commented Feb 15, 2017

Regarding calibre, if we upgrade stable to the version in unstable, it is at least something that has gotten some testing.

@grahamc (Member, Author) commented Feb 15, 2017

That sounds fine, esp. if other distros are backporting these updates.

@7c6f434c (Member) commented Feb 15, 2017

I cannot see where Ubuntu actually patches the dot format parsing.

@7c6f434c (Member) commented Feb 15, 2017

And I think it is impossible to trigger graphviz vulnerabilities via monotone-viz.

@grahamc (Member, Author) commented Feb 15, 2017

I'll consider graphviz fixed.

@7c6f434c (Member) commented Feb 15, 2017

I guess it is a good idea to hide the vulnerable graphviz_2_0 inside the monotoneViz expression, though. Done.

@grahamc (Member, Author) commented Feb 15, 2017

Thank you!

@7c6f434c (Member) commented Feb 15, 2017

bind: we have the patched version.

@7c6f434c (Member) commented Feb 15, 2017

bitlbee: 3.5.1 seems to be the upstream fix for all the mentioned problems; we have it.

@7c6f434c (Member) commented Feb 15, 2017

irssi: 1.0.0 has the problem, 1.0.1 is the fixed version; 0.8.x didn't get any mention, so I guess it is fine as it is (in stable).

@bendlas (Contributor) commented Feb 15, 2017

webkit2gtk: the links should be search, files. Otherwise only Haskell packages show up.

@LnL7 (Member) commented Feb 15, 2017

vim is up to date on master; working on a patch for 16.09.

@LnL7 LnL7 mentioned this issue Feb 15, 2017 (7 tasks)

@LnL7 (Member) commented Feb 15, 2017

I misread the version; updated on master and patched for 16.09 in 538e642.

@phanimahesh (Contributor) commented Feb 15, 2017

I guess it is a good idea to hide the vulnerable graphviz_2_0 inside monotoneViz expression, though. Done.

@7c6f434c Can you also mention links to commits or PRs?

It'll help people like me to quickly check out how it has been done, without wading through commit logs.

@LnL7 LnL7 mentioned this issue Feb 15, 2017 (7 tasks)

@7c6f434c (Member) commented Feb 15, 2017

@grahamc (Member, Author) commented Feb 16, 2017

It also helps me when I make send notes, thank you!

@grahamc (Member, Author) commented Feb 16, 2017

@tavyc can you look into the Quagga update, and whether we can go to 1.2 for unstable (which will become stable in 15 days)?

@grahamc (Member, Author) commented Feb 16, 2017

@vcunat you seem to have some history with libxml2. Can you look into this one?

@vcunat (Member) commented Feb 16, 2017

OK, in ~12 hours; feel free to do it first. Upstream's git and releases are untouched for months, so we'll have to take the patches.

@7c6f434c (Member) commented Feb 16, 2017

Oh, by the way, the irssi update in master is 13a1d38; stable doesn't need it.

vcunat added a commit that referenced this issue Feb 16, 2017
This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".

CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/

/cc #22826.

@tavyc (Contributor) commented Feb 17, 2017

@grahamc PR #22901 opened for quagga 1.2.0

@joachifm (Contributor) commented Feb 17, 2017

Opened a PR that addresses the first kernel CVE. Note that for the other CVE, the LWN page says:

At this time we understand no trust barrier has been crossed and there is no security implications in this flaw.

(emphasis mine)

@grahamc (Member, Author) commented Feb 18, 2017

Thank you, @tavyc!

@grahamc (Member, Author) commented Feb 18, 2017

Thank you, @joachifm!

@grahamc (Member, Author) commented Feb 18, 2017

@peterhoeg can you backport calibre?

grahamc added a commit that referenced this issue Feb 18, 2017
This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".

CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/

/cc #22826.

(cherry picked from commit 5ad81ab)

@grahamc (Member, Author) commented Feb 18, 2017

Done! Great work, thank you all!

This most recent sec-announce email I sent includes a long-overdue component, where I thank everyone who authored and committed changes. Unfortunately this doesn't include other important help: PR reviewers, triagers, commenters, patch hunters, etc... I'll continue trying to make this better. This is truly a group effort, and I could never do these without the fabulous help from fellow community members. I enjoy working with you all.

@grahamc grahamc closed this Feb 18, 2017
@grahamc grahamc mentioned this issue Feb 22, 2017 (33 tasks)
9 participants