Vulnerability Roundup 22 #22826

Closed
grahamc opened this Issue Feb 15, 2017 · 40 comments

grahamc commented Feb 15, 2017

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.

cc: @peterhoeg @NeQuissimus @nlewo @vcunat @7c6f434c @LnL7 @fpletz @joachifm .

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify if a whole group
    of reports is resolved already.
  2. Some issues will be duplicated, because they affect multiple
    packages. For example, there are sometimes problems that impact
    thunderbird and firefox. LWN might report in one vulnerability
    "thunderbird firefox". These names have been split to make sure
    both packages get addressed.
  3. By each issue is a link to code search for the package name, and
    a Github search by filename. These are to help, but may not return
    results when we do in fact package the software. If a search
    doesn't turn up, please try altering the search criteria or
    looking in nixpkgs manually before asserting we don't have it.
  4. This issue is created by https://github.com/NixOS/security

Instructions:

  1. Triage a report: If we don't have the software or our version isn't
    vulnerable, tick the box or add a comment with the report number,
    stating it isn't vulnerable.
  2. Fix the issue: If we do have the software and it is vulnerable,
    either leave a comment on this issue saying so, or even open a pull
    request with the fix. If you open a PR, make sure to tag this
    issue so we can coordinate.
  3. When an entire section is completed, move the section to the
    "Triaged and Resolved Issues" details block below.

Upon Completion ...

Without further ado...

Assorted (23 issues)

peterhoeg commented Feb 15, 2017

calibre is OK in master, but 16.09 is vulnerable. Upstream moves quite quickly so I think it's unlikely that they would provide any backports. Fedora and Mageia handle it by upgrading.

peterhoeg commented Feb 15, 2017

The blank line above is gtk-vnc, just FYI.

grahamc commented Feb 15, 2017

I just added gtk-vnc to it :)

peterhoeg commented Feb 15, 2017

Regarding gtk-vnc, master is vulnerable - I'm upgrading now. As for stable, according to upstream, the API is not stable due to being < 1.0. Debian has the same version as us in their "stable", so maybe with a bit of luck somebody will do the hard work.

peterhoeg commented Feb 15, 2017

webkitgtk2 is (naturally) vulnerable both in master and 16.09.

@grahamc grahamc referenced this issue Feb 15, 2017

Merged: gtk-vnc: 0.6.0 -> 0.7.0 #22827

peterhoeg commented Feb 15, 2017

kopete - we don't carry that in the kf5 flavour, only the kde4 version which was just ripped out.

grahamc commented Feb 15, 2017

Unfortunately we have not removed KDE4 yet.

peterhoeg commented Feb 15, 2017

graphviz: our version is newer in both master and 16.09. However, we carry an older version for compatibility which is only used by monotone-viz which had its most recent release in 2009. I suggest we simply mark graphviz_2_0 as broken.

grahamc commented Feb 15, 2017

cc @7c6f434c on marking graphviz_2_0 broken, which will break monotone_viz.

7c6f434c commented Feb 15, 2017

That would be annoying: I still use monotone-viz.

7c6f434c commented Feb 15, 2017

I guess I could make the old graphviz an implementation detail of monotone-viz not exposed on the top-level, though

grahamc commented Feb 15, 2017

It looks like ubuntu ships monotone-viz with a newer graphviz. Maybe they have a patch fixing it. Could you check into that, @7c6f434c?

grahamc commented Feb 15, 2017

I've got a patch for gnome-boxes. I can't commit right now, but will push them soon.

grahamc commented Feb 15, 2017

The kopete issue is masking many vulnerable clients:

  • CVE-2017-5589: yaxim and Bruno (0.8.6 - 0.8.8; Android)
  • CVE-2017-5590: ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all
    versions up to 1.0.11; only iOS)
  • CVE-2017-5591: poezio (0.8 - 0.10)
  • CVE-2017-5592: profanity (0.4.7 - 0.5.0)
  • CVE-2017-5593: Psi+ (0.16.563.580 - 0.16.571.627)
  • CVE-2017-5602: jappix (1.0.0 to 1.1.6)
  • CVE-2017-5603: Jitsi (2.5.5061 - 2.9.5544)
  • CVE-2017-5604: mcabber (1.0.0 - 1.0.4)
  • CVE-2017-5605: Movim (0.8 - 0.10)
  • CVE-2017-5606: Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP,
    beta 1.0.3 - 1.0.74; Android)
  • CVE-2017-5858: Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4)

(we may not have all these, but just in case.)

peterhoeg commented Feb 15, 2017

Regarding calibre, if we upgrade stable to the version in unstable, it is at least something that has gotten some testing.

grahamc commented Feb 15, 2017

That sounds fine, esp. if other distros are backporting these updates.

7c6f434c commented Feb 15, 2017

I cannot see where Ubuntu actually patches the dot format parsing

7c6f434c commented Feb 15, 2017

And I think it is impossible to trigger graphviz vulnerabilities via monotone-viz

grahamc commented Feb 15, 2017

I'll consider graphviz fixed.

7c6f434c commented Feb 15, 2017

I guess it is a good idea to hide the vulnerable graphviz_2_0 inside monotoneViz expression, though. Done.

grahamc commented Feb 15, 2017

Thank you!

7c6f434c commented Feb 15, 2017

bind: we have the patched version

7c6f434c commented Feb 15, 2017

bitlbee: 3.5.1 seems to be the upstream fix for all the mentioned problems, we have it

7c6f434c commented Feb 15, 2017

irssi: 1.0.0 has the problem, 1.0.1 is the fixed version, 0.8.x didn't get any mention so I guess it is fine as it is (in stable)

@bendlas bendlas referenced this issue Feb 15, 2017

Merged: webkitgtk: 2.14.4 -> 2.14.5 #22842

bendlas commented Feb 15, 2017

webkit2gtk: the links should be search, files. otherwise only haskell packages show up.

LnL7 commented Feb 15, 2017

vim is up to date on master, working on a patch for 16.09

@LnL7 LnL7 referenced this issue Feb 15, 2017

Merged: vim: 8.0.0075 -> 8.0.0329 #22844

LnL7 commented Feb 15, 2017

I misread the version, updated on master and patched for 16.09 in 538e642

phanimahesh commented Feb 15, 2017

I guess it is a good idea to hide the vulnerable graphviz_2_0 inside monotoneViz expression, though. Done.

@7c6f434c Can you also mention links to commits or PRs?

It'll help for people like me to quickly checkout how it has been done, without wading through commit logs

@LnL7 LnL7 referenced this issue Feb 15, 2017

Closed: redis: 3.2.5 -> 3.2.8 #22845

7c6f434c commented Feb 15, 2017

grahamc commented Feb 16, 2017

It also helps me when I send notes, thank you!

grahamc commented Feb 16, 2017

@tavyc can you look into the Quagga update, and whether we can go to 1.2 for unstable (which will become stable in 15 days)?

grahamc commented Feb 16, 2017

@vcunat you seem to have some history with libxml2. Can you look into this one?

vcunat commented Feb 16, 2017

OK, in ~12 hours; feel free to do it first. Upstream's git and releases are untouched for months, so we'll have to take the patches.

7c6f434c commented Feb 16, 2017

Oh, by the way, irssi update in master is 13a1d38, stable doesn't need it

vcunat added a commit that referenced this issue Feb 16, 2017

libxml2: bugfix updates from git upstream
This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".

CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/

/cc #22826.
tavyc commented Feb 17, 2017

@grahamc PR #22901 opened for quagga 1.2.0


joachifm commented Feb 17, 2017

Opened a PR that addresses the first kernel cve. Note that for the other cve, the lwn page says

At this time we understand no trust barrier has been crossed and there is no security implications in this flaw.

(emphasis mine)

grahamc commented Feb 18, 2017

Thank you, @tavyc!

grahamc commented Feb 18, 2017

Thank you, @joachifm!

grahamc commented Feb 18, 2017

@peterhoeg can you backport calibre?

grahamc added a commit that referenced this issue Feb 18, 2017

libxml2: bugfix updates from git upstream
This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".

CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/

/cc #22826.

(cherry picked from commit 5ad81ab)
grahamc commented Feb 18, 2017

Done! Great work, thank you all!

This most recent sec-announce email I sent includes a long-overdue component, where I thank everyone who authored and committed changes. Unfortunately this doesn't include other important help: PR reviewers, triagers, commenters, patch hunters, etc... I'll continue trying to make this better. This is truly a group effort, and I could never do these without the fabulous help from fellow community members. I enjoy working with you all.

@grahamc grahamc closed this Feb 18, 2017

@grahamc grahamc referenced this issue Feb 22, 2017

Closed: Vulnerability Roundup 23 #23072