Security fixes from 2017-01-20 03:59 UTC


Graham Christensen
Jan 19, 2017, 11:01:42 PM
to nix-securi...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/21967.

The following changes were applied to release-16.09:

4e25b8c wordpress: 4.6.1 -> 4.7.1 for multiple CVEs
> From the Arch Linux advisory:
>
> - CVE-2017-5487 (access restriction bypass): A vulnerability has been
> discovered in wordpress exposing user data for all users who had
> authored a post of a public post type via the REST API. wordpress
> 4.7.1 limits this to only post types which have specified that they
> should be shown within the REST API.
>
> - CVE-2017-5488 (cross-site scripting): A cross-site scripting (XSS)
> vulnerability has been discovered in wordpress via the plugin name
> or version header on update-core.php.
>
> - CVE-2017-5489 (cross-site request forgery): A cross-site request
> forgery (CSRF) bypass has been discovered in wordpress via uploading
> a Flash file.
>
> - CVE-2017-5490 (cross-site scripting): A cross-site scripting (XSS)
> vulnerability has been discovered in wordpress via theme name
> fallback.
>
> - CVE-2017-5491 (access restriction bypass): A vulnerability has been
> discovered in wordpress allowing to post via email as it checks for
> mail.example.com if default settings aren't changed.
>
> - CVE-2017-5492 (cross-site request forgery): A cross-site request
> forgery (CSRF) vulnerability has been discovered in wordpress in the
> accessibility mode of widget editing.
>
> - CVE-2017-5493 (insufficient validation): An insufficient validation
> vulnerability has been discovered in wordpress leading to weak
> cryptographic security for multisite activation key.

b4e2d7c pythonPackages.pysaml2: patch against external XML entitie..
> CVE-2016-10127
>
> From the Debian advisory:
>
> Matias P. Brutti discovered that python-pysaml2, a Python
> implementation of the Security Assertion Markup Language 2.0, did not
> correctly sanitize the XML messages it handled. This allowed a remote
> attacker to perform XML External Entity attacks, leading to a wide
> range of exploits.

55516d8 ikiwiki: 3.20160905 -> 3.20170111
> From the Debian advisory:
>
> CVE-2016-9646: Commit metadata forgery via CGI::FormBuilder
> context-dependent APIs
>
> CVE-2016-10026: Editing restriction bypass for git revert
>
> CVE-2017-0356: Authentication bypass via repeated parameters

89c567c libtiff: apply security patches from Debian
> * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
> TIFFReadEncodedStrip() that caused an integer division by zero.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
>
> * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
> can cause various issues, such as buffer overflows in the library.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
>
> * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
> overflow on generation of PixarLog / LUV compressed files, with
> ColorMap, TransferFunction attached and nasty plays with bitspersample.
> The fix for LUV has not been tested, but suffers from the same kind
> of issue of PixarLog.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
>
> * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
> compute nstrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
> instead of a logic based on the total size of data, which is faulty
> if the total size of data is not sufficient to fill the whole image,
> and thus results in reading outside of the StripByteCounts/StripOffsets
> arrays when using TIFFReadScanline().
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
>
> * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
> for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273
> since the above change is a better fix that makes it unnecessary.
>
> * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of
> failure in OJPEGPreDecode(). This will avoid a divide by zero, and
> potential other issues.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
>
> * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore)
> mode so that the output buffer is correctly incremented to avoid write
> outside bounds.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
>
> * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
> readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
> buffer.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
>
> * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is
> missing.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
>
> * tools/tiffinfo.c: fix null pointer dereference in -r mode when the
> image has no StripByteCount tag.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
>
>
> * tools/tiffcp.c: avoid potential division by zero if BitsPerSamples
> tag is missing.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
>
> * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
> called, limit the return number of inks to SamplesPerPixel, so that
> code that parses ink names doesn't go past the end of the buffer.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
>
> * tools/tiffcp.c: avoid potential division by zero if BitsPerSamples
> tag is missing.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
>
> * tools/tiffcp.c: fix uint32 underflow/overflow that can cause
> heap-based buffer overflow.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
>
> * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
> check.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
>
> * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
> Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
> the binary. It happens that the Hylafax software uses the tables that
> follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
> TIFFFaxBlackTable), also they are not in a public libtiff header.
> Raised by Lee Howard.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
>
> * tools/tiff2pdf.c: avoid potential heap-based overflow in
> t2p_readwrite_pdf_image_tile(). Fixes
> http://bugzilla.maptools.org/show_bug.cgi?id=2640
>
> * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
> and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
> overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
> http://bugzilla.maptools.org/show_bug.cgi?id=2657

d7a254a gnutls35: 3.5.5 -> 3.5.8
> Fixes the following security issues:
>
> * CVE-2017-5334
> * CVE-2017-5335
> * CVE-2017-5336
> * CVE-2017-5337
>
> See https://www.gnutls.org/news.html#2017-01-09 for more information.

c22274c libtasn1: 4.8 -> 4.10
> - Pass the correct length to _asn1_get_indefinite_length_string in
> asn1_get_length_ber. This addresses reading 1-byte past the end
> of data. Issue found by oss-fuzz project (via gnutls):

3be6e9f libupnp: 1.6.20 -> 1.6.21
> CVE-2016-6255: write files via POST
>
> CVE-2016-8863: Buffer overflow in create_url_list

6be51cd oraclejdk: 8u111, 8u112 -> 8u121
> This Critical Patch Update contains 17 new security fixes for Oracle
> Java SE. 16 of these vulnerabilities may be remotely exploitable
> without authentication, i.e., may be exploited over a network without
> requiring user credentials.
>
> More information:
> http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA

96c1132 linux: 4.4.42 -> 4.4.43
> All kernel patches are considered security-sensitive.

372f157 runc: 2016-06-15 -> 1.0.0-rc2
> RunC allowed additional container processes via runc exec to be
> ptraced by the pid 1 of the container. This allows the main processes
> of the container, if running as root, to gain access to
> file-descriptors of these new processes during the initialization and
> can lead to container escapes or modification of runC state before the
> process is fully placed inside the container.

fb78a10 linux: 4.4.41 -> 4.4.42
> All kernel patches are considered security-sensitive.

b83c7ec nix: 1.11.5 -> 1.11.6
> Nix 1.11.5 would under certain circumstances incorrectly execute code
> from stdin.

7b34209 bind: update to 9.10.4-P5 (CVE-2016-9131, CVE-2016-9147, C..
> From the Debian advisory:
>
> CVE-2016-9131: A crafted upstream response to an ANY query could cause
> an assertion failure.
>
> CVE-2016-9147: A crafted upstream response with self-contradicting
> DNSSEC data could cause an assertion failure.
>
> CVE-2016-9444: Specially-crafted upstream responses with a DS record
> could cause an assertion failure.
>
> From the Slackware advisory:
>
> CVE-2016-9778: This update fixes a denial-of-service vulnerability.
> An error in handling certain queries can cause an assertion failure
> when a server is using the nxdomain-redirect feature to cover a zone
> for which it is also providing authoritative service. A vulnerable
> server could be intentionally stopped by an attacker if it was using a
> configuration that met the criteria for the vulnerability and if the
> attacker could cause it to accept a query that possessed the required
> attributes.
======================================================================



The following changes were applied to unstable:

c0f3b8d wordpress: 4.6.1 -> 4.7.1 for multiple CVEs
> From the Arch Linux advisory:
>
> - CVE-2017-5487 (access restriction bypass): A vulnerability has been
> discovered in wordpress exposing user data for all users who had
> authored a post of a public post type via the REST API. wordpress
> 4.7.1 limits this to only post types which have specified that they
> should be shown within the REST API.
>
> - CVE-2017-5488 (cross-site scripting): A cross-site scripting (XSS)
> vulnerability has been discovered in wordpress via the plugin name
> or version header on update-core.php.
>
> - CVE-2017-5489 (cross-site request forgery): A cross-site request
> forgery (CSRF) bypass has been discovered in wordpress via uploading
> a Flash file.
>
> - CVE-2017-5490 (cross-site scripting): A cross-site scripting (XSS)
> vulnerability has been discovered in wordpress via theme name
> fallback.
>
> - CVE-2017-5491 (access restriction bypass): A vulnerability has been
> discovered in wordpress allowing to post via email as it checks for
> mail.example.com if default settings aren't changed.
>
> - CVE-2017-5492 (cross-site request forgery): A cross-site request
> forgery (CSRF) vulnerability has been discovered in wordpress in the
> accessibility mode of widget editing.
>
> - CVE-2017-5493 (insufficient validation): An insufficient validation
> vulnerability has been discovered in wordpress leading to weak
> cryptographic security for multisite activation key.

cda11c9 pythonPackages.pysaml2: patch against external XML entitie..
> CVE-2016-10127
>
> From the Debian advisory:
>
> Matias P. Brutti discovered that python-pysaml2, a Python
> implementation of the Security Assertion Markup Language 2.0, did not
> correctly sanitize the XML messages it handled. This allowed a remote
> attacker to perform XML External Entity attacks, leading to a wide
> range of exploits.

03700da ikiwiki: 3.20160905 -> 3.20170111
> From the Debian advisory:
>
> CVE-2016-9646: Commit metadata forgery via CGI::FormBuilder
> context-dependent APIs
>
> CVE-2016-10026: Editing restriction bypass for git revert
>
> CVE-2017-0356: Authentication bypass via repeated parameters

ce0e16f libupnp: 1.6.20 -> 1.6.21
> CVE-2016-6255: write files via POST
>
> CVE-2016-8863: Buffer overflow in create_url_list

4f94657 oraclejdk: 8u111, 8u112 -> 8u121
> This Critical Patch Update contains 17 new security fixes for Oracle
> Java SE. 16 of these vulnerabilities may be remotely exploitable
> without authentication, i.e., may be exploited over a network without
> requiring user credentials.
>
> More information:
> http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA

e9109b1 linux: 4.4.42 -> 4.4.43
> All kernel patches are considered security-sensitive.

9a9be92 linux: 4.9.3 -> 4.9.4
> All kernel patches are considered security-sensitive.

08ddb16 linux_testing: 4.10-rc2 -> 4.10-rc4
> All kernel patches are considered security-sensitive.

1fe5134 powerdns: 4.0.1 -> 4.0.2
> From the Debian advisory:
>
> CVE-2016-2120: Mathieu Lafon discovered that pdns does not properly
> validate records in zones. An authorized user can take advantage of
> this flaw to crash server by inserting a specially crafted record in a
> zone under their control and then sending a DNS query for that record.
>
> CVE-2016-7068: Florian Heinz and Martin Kluge reported that pdns
> parses all records present in a query regardless of whether they are
> needed or even legitimate, allowing a remote, unauthenticated attacker
> to cause an abnormal CPU usage load on the pdns server, resulting in a
> partial denial of service if the system becomes overloaded.
>
> CVE-2016-7072: Mongo discovered that the webserver in pdns is
> susceptible to a denial-of-service vulnerability. A remote,
> unauthenticated attacker could cause a denial of service by opening a
> large number of TCP connections to the web server.
>
> CVE-2016-7073 / CVE-2016-7074: Mongo discovered that pdns does not
> sufficiently validate TSIG signatures, allowing an attacker in
> position of man-in-the-middle to alter the content of an AXFR.

295337e linux: 4.9.2 -> 4.9.3
> All kernel patches are considered security-sensitive.

9158b89 linux: 4.4.41 -> 4.4.42
> All kernel patches are considered security-sensitive.

96b6968 nix: 1.11.5 -> 1.11.6
> Nix 1.11.5 would under certain circumstances incorrectly execute code
> from stdin.

2fd0a9f bind: update to 9.10.4-P5 (CVE-2016-9131, CVE-2016-9147, C..
> From the Debian advisory:
>
> CVE-2016-9131: A crafted upstream response to an ANY query could cause
> an assertion failure.
>
> CVE-2016-9147: A crafted upstream response with self-contradicting
> DNSSEC data could cause an assertion failure.
>
> CVE-2016-9444: Specially-crafted upstream responses with a DS record
> could cause an assertion failure.
>
> From the Slackware advisory:
>
> CVE-2016-9778: This update fixes a denial-of-service vulnerability.
> An error in handling certain queries can cause an assertion failure
> when a server is using the nxdomain-redirect feature to cover a zone
> for which it is also providing authoritative service. A vulnerable
> server could be intentionally stopped by an attacker if it was using a
> configuration that met the criteria for the vulnerability and if the
> attacker could cause it to accept a query that possessed the required
> attributes.

d483a87 linux: Remove 4.8
> All kernel patches are considered security-sensitive.

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
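The libtiff entries in this roundup describe one class of defect several times over: strip counts and strip sizes derived from untrusted tag values (RowsPerStrip, BitsPerSample, SamplesPerPixel) that were divided or multiplied before anyone checked that the divisor was non-zero or that the 32-bit sum did not wrap, with assert() standing in for a real check in tiffcp. The following is an added example, not code from libtiff, from nixpkgs or from the Debian patches: a checked ceiling-division in the spirit of the TIFFhowmany_32 macro the ChopUpSingleUncompressedStrip() fix switches to, and a strip-geometry routine that validates the header-derived fields with ordinary error returns. The function names howmany_u32 and strip_geometry, the strip_header struct and the sample header values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ceiling division x / y on uint32 without wrapping the numerator.
 * Follows the intent of libtiff's TIFFhowmany_32: returns 0 both when
 * y == 0 and when x + (y - 1) would overflow, so callers must treat 0
 * as "invalid", never as a usable count. */
static uint32_t howmany_u32(uint32_t x, uint32_t y)
{
    if (y == 0)
        return 0;
    if (x > UINT32_MAX - (y - 1))
        return 0;
    return (x + (y - 1)) / y;
}

/* Header fields as they arrive from an untrusted file (hypothetical struct
 * for this example; libtiff keeps the real ones in its TIFFDirectory). */
struct strip_header {
    uint32_t image_width;
    uint32_t image_length;
    uint32_t rows_per_strip;   /* TIFF uses 0xFFFFFFFF to mean "one strip" */
    uint16_t samples_per_pixel;
    uint16_t bits_per_sample;
};

/* Derive strip count and bytes per strip for a contiguous (chunky) image.
 * Every division and multiplication is guarded: the function returns false
 * instead of dividing by zero, asserting, or handing back a wrapped size. */
static bool strip_geometry(const struct strip_header *h,
                           uint32_t *nstrips, uint64_t *strip_bytes)
{
    /* A missing BitsPerSample or SamplesPerPixel tag reads as 0: reject
     * it here rather than dividing by it later (the tiffcp/tiffcrop bugs). */
    if (h->bits_per_sample == 0 || h->samples_per_pixel == 0)
        return false;
    /* tiffcp replaced assert((bps % 8) == 0) with a runtime check; same here. */
    if (h->bits_per_sample % 8 != 0)
        return false;
    if (h->image_width == 0 || h->image_length == 0)
        return false;

    /* RowsPerStrip of 0 would divide by zero; 0xFFFFFFFF (or anything larger
     * than the image) means a single strip, so clamp it to the image height. */
    uint32_t rps = h->rows_per_strip;
    if (rps == 0)
        return false;
    if (rps > h->image_length)
        rps = h->image_length;

    uint32_t n = howmany_u32(h->image_length, rps);
    if (n == 0)
        return false;

    /* Bytes per row in 64-bit arithmetic: width (32-bit) * spp (16-bit) *
     * bytes-per-sample (<= 8191) cannot exceed 2^61, so this product is exact. */
    uint64_t bytes_per_row = (uint64_t)h->image_width
                           * h->samples_per_pixel
                           * (h->bits_per_sample / 8);
    /* Guard the final multiply and reject anything a 32-bit size could not hold. */
    if (bytes_per_row > (uint64_t)UINT32_MAX / rps)
        return false;

    *nstrips = n;
    *strip_bytes = bytes_per_row * rps;
    return true;
}

int main(void)
{
    /* Constructed header values for illustration, not read from a real file. */
    struct strip_header ok = {640, 480, 64, 3, 8};
    struct strip_header missing_bps = {640, 480, 64, 3, 0};
    uint32_t n = 0;
    uint64_t bytes = 0;

    if (strip_geometry(&ok, &n, &bytes))
        printf("ok: %u strips of %llu bytes\n", n, (unsigned long long)bytes);
    if (!strip_geometry(&missing_bps, &n, &bytes))
        printf("missing BitsPerSample rejected before any division\n");
    return 0;
}
```

The shape worth copying is that nothing derived from a tag is used as a divisor, an array bound or an allocation size until it has been range-checked, and that a bad header produces an error return the caller can report rather than an abort() from assert() or a silently wrapped count.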