gmane.comp.security.oss.general

CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher

Jan Lieskovsky — 2012-05-22T13:53:30

Hello Kurt, Steve, vendors,

   based on:
   [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871
   [2] https://github.com/keithw/mosh/issues/271

A) Mosh issue:
==============
A denial of service flaw was found in the way mosh, a remote terminal application, performed 
processing of parameters that have been passed to the terminal in the terminal dispatcher class 
(previously there was no limit for the count of parameters, which were allowed to be passed to the 
dispatcher). A remote atttacker could use this flaw to cause a denial of service (mosh server to 
enter long for loop when trying to process the paramaters) via specially-crafted escape sequence string.

Upstream ticket:
[3] https://github.com/keithw/mosh/issues/271

Relevant upstream patch:
[4] https://github.com/keithw/mosh/commit/9791768705528e911bfca6c4d8aa88139035060e

References:
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871
[6] https://bugzilla.redhat.com/show_bug.cgi?id=823943

Could you allocate a CVE id for this? (iss

Re: CVE request: Serendipity before 1.6.2 SQL Injection

Hanno Böck — 2012-05-22T12:05:13

On Tue, 22 May 2012 12:43:59 +0300
Henri Salo <henri-k++t0c9yR9I< at >public.gmane.org> wrote:


Yep, you're probably right. Damn, why didn't I see this...?

Re: [klibc] [oss-security] CVE request: klibc: ipconfig sh script with unescaped DHCP options

maximilian attems — 2012-05-22T09:18:49


As klibc main target is initramfs usage this use case hasn't come up much,
so wasn't top priority. Just got reminded today by checking ipconfig
backlog patches.
 
 
ipconfig in latest klibc git uses /run as you suggested.
http://git.kernel.org/?p=libs/klibc/klibc.git;a=summary

thank you.

Re: CVE request: Serendipity before 1.6.2 SQL Injection

Henri Salo — 2012-05-22T09:43:59

Is this same as: http://seclists.org/oss-sec/2012/q2/352

It looks to me as a same issue.

- Henri Salo

Re: CVE-2011-3102 / libxml2

Jan Lieskovsky — 2012-05-22T09:13:53

Hi Moritz,

On 05/21/2012 10:22 PM, Moritz Muehlenhoff wrote:

Yes, we have previously checked with Daniel and he confirmed this one -^ would be
the correct one.

(have updated our bugzilla entry to state it in more exact way:
https://bugzilla.redhat.com/show_bug.cgi?id=822109#c2)


Without not to leak too much, Daniel also clarified this problem would be
of higher impact / security relevance for Google Chrome instances due the
way they use XPointer functionality. On common Linux libxml2 instances
additional functionality to be involved is needed this to be exploited
in that way as it has been for Google Chrome case.

Hope this helps. Let us know if we can be of any further advice.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

CVE request: Serendipity before 1.6.2 SQL Injection

Hanno Böck — 2012-05-22T09:05:02

Upstream:
http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html
Advisory:
https://www.htbridge.com/advisory/HTB23092

Upstream description of the issue:
"The error here is that input is not properly validated and can be used
(when magic_quotes_gpc is off) to inject SQL code to a SQL query; since
our DB layer does not execute multiple statements, and the involved SQL
query is not used to produce output code, we regard the impact as low.
Nevertheless, please upgrade your installation."

Please assign CVE.

CVE-2011-3102 / libxml2

Moritz Muehlenhoff — 2012-05-21T20:22:42

Hi,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102 points to
http://code.google.com/p/chromium/issues/detail?id=125462, which is
a 404.

http://googlechromereleases.blogspot.de/2012/05/stable-channel-update.html
references Jueri Aedla for the credits. I suppose this is related to this
libxml2 upstream commit:
http://git.gnome.org/browse/libxml2/commit/?id=d8e1faeaa99c7a7c07af01c1c72de352eb590a3e

Can anyone of the involved parties at Chrome and Red Hat please confirm?

Cheers,
        Moritz

Re: CVE id request: devotee (debian vote engine) cryptographically weak random numbers permit discovery of secret ballot submissions

Michael Gilbert — 2012-05-21T18:49:51

Yes, the publicly available source repo is out of date right now, but
that won't always be the case.  Debian had a change in secretary, so
workflows have changed, and ideally a more public mode of operation
should be gotten back to.


Yes, it is indeed an issue in the software implementation itself.  See
original report for exact code lines that are flawed.

I can neither confirm nor not confirm that devotee is used outside of
debian, but it does seem like an obvious choice for online election
management.  It is however planned to be package for debian [0], and
ubuntu automatically syncs debian, so eventually they will also get
the package.  it is important that an id be assigned so that they are
aware that they will need to check the package when they do that sync.

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470995

CVE Request: some drm overflow checks

Marcus Meissner — 2012-05-21T06:38:31

Hi,

spotted in xorls blog, who spotted it in the kernel stable changelog:
https://xorl.wordpress.com/2012/05/17/linux-kernel-drm-intel-i915-multiple-ioctl-integer-overflows/

It has two issues:

1. overflow of cliprect kmalloc as args->num_cliprects is not bounded
  and passed in via a user ioctl.

  Fixed via ed8cd3b2cd61004cab85380c52b1817aca1ca49b in mainline:
  commit ed8cd3b2cd61004cab85380c52b1817aca1ca49b
  Author: Xi Wang <xi.wang-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
  Date:   Mon Apr 23 04:06:41 2012 -0400

    drm/i915: fix integer overflow in i915_gem_execbuffer2()

    On 32-bit systems, a large args->buffer_count from userspace via ioctl
    may overflow the allocation size, leading to out-of-bounds access.

    This vulnerability was introduced in commit 8408c282 ("drm/i915:
    First try a normal large kmalloc for the temporary exec buffers").


  8408c282 was added Feb 21 2011, and seemingly added during 2.6.38 development.


2. same file, overflow in args->buffer_count.

   Fix is in ma

CVE request: PHP Phar - arbitrary code execution

Felipe Pena — 2012-05-20T18:09:06

Hi,
Can anyone assing a CVE id for the following PHP's phar extension
integer overflow vulnerability? (Secunia SA44335)

Private report: https://bugs.php.net/bug.php?id=61065

Discovered by: Alexander Gavrun

Original Advisory:
http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

Acuity CMS 2.6.x <= Arbitrary File Upload

YGN Ethical Hacker Group — 2012-05-20T09:48:55

1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

Acuity CMS 2.6.x (ASP-based) version contain a flaw that may allow an
attacker to upload .asp/.aspx files without restrictions, which will
execute ASP(.Net) codes. The issue is due to the script,
/admin/file_manager/file_upload_submit.asp , not properly sanitizing
'file1', 'file2', 'file3', 'fileX' parameters.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
----------------

Acuity CMS 2.6.x <= Path Traversal Arbitrary File Access

YGN Ethical Hacker Group — 2012-05-20T09:47:35

1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

The issue is due to the script, /admin/file_manager/browse.asp, not
properly sanitizing user input, specifically directory traversal style
attacks (e.g., ../../) supplied via the 'path' parameter. It would
allow the attacker to access arbitrary files outside of web root
directory.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/admin/file_manager/browse.asp?field=&form=&path=../../


6. SOLUTION

The Acunity CMS is no longer in active development.
It is recommended to user another CMS in active development and support.


7. VENDOR

The Collective
http://www.thecollective.com.au/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSUR

Re: CVE Request: PHP 5.4.3 on Windows com_print_typeinfo() Buffer Overflow (?)

Kurt Seifried — 2012-05-20T04:25:02

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/19/2012 10:23 PM, Kurt Seifried wrote:
http://packetstormsecurity.org/files/112851/php54-exec.txt

Please use CVE-2012-2376 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPuHIeAAoJEBYNRVNeJnmTQXoP/3OD9gIBD2mC8aHtktZeSVHt
4lWz1ONf6cMazdiOZjHGF7OK/ZIIFoocAVpwxKUjCoTWRPoboQOnrenY/ff0kD/x
MqIm84i51Yqzjbh+3MM9muzjJ2PmvahNmlV7hjEcyJWHww8NiEs1kxtGGrGcb0dU
caJSkCaauXrlbBOpwOpx56WiKebuV5v0kxPTs6fQSapmyAiBL82k+194VYJ6GKHS
vU8vf9XF3XGV+Z/wojRaETN5nBRtcssKJCUHquin+PRmyZoljyQFpj7QKm1uNXAX
A14kYz0XjwqgkJxjVWaGF5Y7tcWsAIUcxNby6WyBK1ewzQpiyVPt5/W9/OyWzs31
Dxi78nm5MlCq0xVkTUpvg9bVvnEyg+ZkA2FKVnwJl+AWAP0p3QEDrn7ocyEJl7PU
6FpTQ+JYN13p1bJrGJsP1SXhh8/pyA0BsYUEyREQmgo6CA6p6vTvRHxIXdpEf1dt
T0P/iBXPLb7+kK5m8UMlXQ7cGfRusO2qJFt9ratT+K/cEoKDutvNCmS

CVE Request: PHP 5.4.3 on Windows com_print_typeinfo() Buffer Overflow (?)

Kurt Seifried — 2012-05-20T04:23:14

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Original sources:
https://isc.sans.edu/diary/PHP+5+4+Remote+Exploit+PoC+in+the+wild/13255
http://packetstormsecurity.org/files/112851/php54-exec.txt
http://www.exploit-db.com/exploits/18861/
http://www.reddit.com/r/netsec/comments/tuyp3/isc_diary_php_54_remote_exploit_poc_in_the_wild/

- From the exploit:

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)

There appears to be a buffer overflow in com_print_typeinfo(), it
appears to only affect PHP on Windows (COM object related).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPuHGyAAoJEB

RE: libupnp buffer overflows

2012-05-19T19:20:36

You can find the list of source code commits for the 1.6.16 here: http://pupnp.git.sourceforge.net/git/gitweb.cgi?p=pupnp/pupnp;a=log;h=01d7c05fb882bb1904f5022a33eef8a68d8b8bdc.

Moreover, the most important bug fixes have been added in the tracker: http://sourceforge.net/tracker/?atid=841026&group_id=166957&func=browse.

To sum up, most of the issues were about memory leaks (http://sourceforge.net/tracker/?func=detail&aid=3497009&group_id=166957&atid=841026), a few of them were about security like an out of bound access (http://sourceforge.net/tracker/?func=detail&aid=3496933&group_id=166957&atid=841026, classified as CWE-119 by Coverity). However, most of the other "security" changes have been made to:
- replace strcpy or sprint by strncpy or snprintf as using sprintf is seen as a defect by coverity (CWE-676)
 - remove implicit integer conversion between unsigned and signed (seen as CWE-681 by Coverity)

Best Regards,

Fabrice

-----Message d'origine-----
De : Henri Salo [mailto:henri-k++t0c9yR9I< at >public

Re: libupnp buffer overflows

Henri Salo — 2012-05-19T18:47:07

Fabrice replied: 
"""
Those issues were found by Coverity (http://www.coverity.com). Coverity affects CWE identifiers like CWE-170 but I haven't kept the CWE identifiers of all the fixed bugs.
"""

Did you Fabrice verify if these had security impact? I can try to help if needed.

- Henri Salo

Re: CVE id request: devotee (debian vote engine) cryptographically weak random numbers permit discovery of secret ballot submissions

Kurt Seifried — 2012-05-18T22:39:42

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2012 03:48 PM, Michael Gilbert wrote:
[2]
http://www.codinghorror.com/blog/2006/07/brute-force-key-attacks-are-for-dummies.html

This appears to be a service more than software, and although the
source is available (see git link) it appears to be out of date?

http://lists.debian.org/debian-www/2012/04/msg00200.html

Can you confirm the vulnerability is in the software you linked to,
and that this has actually been downloaded/used outside of Debian?


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPts+tAAoJEBYNRVNeJnmTVx8P/RNy2jG+q0d45MN4rOQAnpdw
JURbgmjCvAXXJrAyAmt4pybI9LdKKUax18AnWpk8juo0uTr8B1MmG0CliRUDqS9d
3XobCqSNcxbTi0UIITZCSsxqEv3wR/BqjsC1t9NVIS4vo6q7CzbaBCl2PBZo3iXJ
szJ9yXQPp9xxxAnduAk78oFm1PJ5DBj1hQuEUezb5u3wIalUcXtljlN/Cqwu3n

CVE id request: devotee (debian vote engine) cryptographically weak random numbers permit discovery of secret ballot submissions

Michael Gilbert — 2012-05-18T21:48:22

Hi,

It has been disclosed [0] that the debian vote engine (devotee) [1]
uses cryptographically weak pseudo-random numbers (intended to be
48-bit, but really only 32-bit due to the use of a 32-bit seed feeding
the 48-bit number generator) to generate ballot secret monikers.  This
allows unprivileged persons to brute force the contents of presumably
secret election ballots, and makes it possible to calculate the
contents of secret voter ballots in all past debian elections.

Ideally, devotee should use a random secret moniker with fully 64 (or
preferably 128) bits that would require years rather than minutes or
days to brute force [2].

The source also uses /dev/urandom, which has less entropy than /dev/random.

Please assign an id for this issue.

Thanks,
Mike

[0] https://lists.debian.org/debian-devel/2012/04/msg00528.html
[1] http://anonscm.debian.org/gitweb/?p=users/srivasta/debian/devotee.git
[2] http://www.codinghorror.com/blog/2006/07/brute-force-key-attacks-are-for-dummies.html

CVE-2012-2762 Serendipity include/functions_trackbacks.inc.php SQL injection

2012-05-18T20:28:36

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://github.com/s9y/Serendipity/commit/87153991d06bc18fe4af05f97810487c4a340a92
http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html
CVE-2012-2762

(different affected versions than CVE-2012-2332)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S S145
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/obtain_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)

iQEcBAEBAgAGBQJPtrB3AAoJEGvefgSNfHMd840H/i+ReLRXmlQRN4sqkhzEqkj5
bgJfdSd2l9eU50wCdZtqOeV2Os8mLpDeO1KR4IFIQNcXGVJsh4z3wbTHF4WkNHaF
8CqrzReerujVmhSABl2U4mz7m1/KoQCBdzKcF1dGbFMlUSGuUZpYi8+mFvHFieig
54zhO5kiQJyAJJMb8xjcxkmvhxC2OD2rTULmw+zqswRGVVKpOPIxiB6m8d9zYLnD
JFT31MtfNLmT9YwvTYctaU/Q9y2kP6yRdmYyPB0tojhXfURNCd5O5XRpf3L2Fqx3
p01iJBap3unzTEcN9MnkK03vm0cvzpNRycbqfaPcoyf0e7TP6Vv44qFJ83NX1HE=
=6lp5
-----END PGP SIGNATURE-----

Re: CVE Request -- kernel: incomplete fix for CVE-2011-4131

Kurt Seifried — 2012-05-18T17:41:48

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2012 05:30 AM, Petr Matousek wrote:

Please use CVE-2012-2375 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPtoncAAoJEBYNRVNeJnmTEn4P/ivawBkc6pRsnsqOot1eIm0h
J4CP3vC5yEu4qUZloUt/hOqw6XUiKOsfbEozClJ4txn8YJc62Wl6xee9BjQl+dOB
BIAKfkhEns3MIgoc+L4ODE76Vyamn1jtABX6DhLShREEY2HCXArO1IHMhfW8u9FQ
AFowP05JPBasVb4w6Xzb+MMvbREgyO40q0Zs10Uk5IxHbeDX0jqqRJsgXOmIk6KZ
UIZN4s9e2dGWQ0N1j/l8WQa+08Cg6DEaHIj8zybU86b2mzblPRx3Jh98YNruam0f
JFgU9/dIBWMrZXg1iX1xMzLGkY3p4fW+k33RR6dzuL0gu7QvP0yj3MGFr2CFmvHI
r+yz8bVXMpWd5Evn2B8SCgc7SqpfwK1GHbGqg5k6v0SZbxIlaut8znEFoqpCEkAj
My/4S2AfDNRcSbzlRjyvNQroyBXt51P4lCsRZ86OYgEmB+FsCTJzj/F2U3cnIz41
KP2nA4+tJZOoUKjLanwrBxLlCgZGX5TEl1Rj/1PO2tWNqiLXQjO1Owa9wsfLAFwJ
b3MSjcaDJQmeXp2Ya6l18Zsh21pmsDrPQavR98YrsO4BOhajs

Re: CVE Request -- Tornado (python-tornado): Tornado v2.2.1 tornado.web.RequestHandler.set_header() fix to prevent header injection

Kurt Seifried — 2012-05-18T17:40:56

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2012 04:40 AM, Jan Lieskovsky wrote:

Please use CVE-2012-2374 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPtomnAAoJEBYNRVNeJnmTt6QQAM5JUGGwQxV8LmGuKsFAUmN5
yfcDxNhY9b1a8lMFBfnNuFG9dSf+DbuAYgbe3hqPiFlj6fWMofIXcsUxPoUEuTLf
5dkdypWOqun1BRLr72vyGxvO7KPoSijAvm8K2q7N3sPhB0D1bj914xhw1XCHorj5
zJ7/6krCefJY2bCGt90zqzjN/pAVXYYoi5i0czZAaiVDjcj87udgXVgzk3MjX7zh
+UFxL5tJaWE9jZsXD61JkFhq/ZvKhfSjGbj1gmcNQxf7FFWoXoKLttHrb3gXHQxX
BHEnUgs2zUzrm66Z4hLvztUMw5iJWawJh5s0UtIQaWagrSUY9QeTzeiDej5ppRfC
h+41F8n0R1C94e598vCoOEQUXHBDrvJBRSws/ihJyojtOMjQ839X2zKDtcdM/+Nn
9q/eL/qrGpCpPfZsKLrT/66glDcbW0ENUaB6EYvn5d3Wx38MkX+KTccqz9v9OKV5
arbFvYr+32AE7AHyxG8UKzSlN/3yz8QlO+6E3ajvAAbndlF+2LbOPtN8X2k0/pUI
iPWI3yrtF84GMb9MUmfC3SEnHKZe/K3n3WPCFkyj2VpPv7IF