Security fixes from 2017-01-21 13:44 UTC


Graham Christensen

Jan 21, 2017, 8:46:28 AM
to nix-securi...@googlegroups.com


The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/21967.

The following changes were applied to release-16.09:

ee4fc9c libopus: add patch to fix CVE-2017-0381
> CVE-2017-0381:
>
> A remote code execution vulnerability in silk/NLSF_stabilize.c in
> libopus in Mediaserver could enable an attacker using a specially
> crafted file to cause memory corruption during media file and data
> processing.

ca03c9f ark: add security patch for CVE-2017-5330 (#22007)
> From the Arch Linux advisory on CVE-2017-5330:
>
> Opening a URL with ark will call KRUN::runURL() which detects the
> mime-type of the URL and runs the appropriate service for that
> mimetype when found. This leads to unintended execution of scripts and
> executable files.
>
> An attacker can execute arbitrary commands on the affected host by
> tricking a user into opening an executable file from an archive.

2e2558f Merge pull request #22001 from nlewo/qemu-cve
> From the CVE entries:
>
> QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator
> support is vulnerable to an information leakage issue. It could occur
> while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest
> user/process could use this flaw to leak contents of the host memory
> bytes. (CVE-2016-9845)
>
> QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator
> support is vulnerable to a memory leakage issue. It could occur while
> updating the cursor data in update_cursor_data_virgl. A guest
> user/process could use this flaw to leak host memory bytes, resulting
> in DoS for a host. (CVE-2016-9846)
>
> Quick Emulator (Qemu) built with the USB redirector usb-guest support
> is vulnerable to a memory leakage flaw. It could occur while
> destroying the USB redirector in 'usbredir_handle_destroy'. A guest
> user/process could use this issue to leak host memory, resulting in
> DoS for a host. (CVE-2016-9907)
>
> Quick Emulator (Qemu) built with the Virtio GPU Device emulator
> support is vulnerable to an information leakage issue. It could occur
> while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest
> user/process could use this flaw to leak contents of the host memory
> bytes. (CVE-2016-9908)
>
> Quick Emulator (Qemu) built with the Virtio GPU Device emulator
> support is vulnerable to a memory leakage issue. It could occur while
> destroying gpu resource object in 'virtio_gpu_resource_destroy'. A
> guest user/process could use this flaw to leak host memory bytes,
> resulting in DoS for a host. (CVE-2016-9912)

f86de91 php70: 7.0.14 -> 7.0.15
> From the changelog:
>
> Core:
> - Fixed bug #73825 (Heap out of bounds read on unserialize in
> finish_nested_data()).
> - Fixed bug #73831 (NULL Pointer Dereference while unserialize php
> object).
> - Fixed bug #73832 (Use of uninitialized memory in unserialize()).
> - Fixed bug #73092 (Unserialize use-after-free when resizing object's
> properties hash table).
> - Fixed bug #69425 (Use After Free in unserialize()).
>
> COM:
> - Fixed bug #73679 (DOTNET read access violation using invalid
> codepage).
>
> EXIF:
> - Fixed bug #73737 (FPE when parsing a tag format).
>
> GD:
> - Fixed bug #73869 (Signed Integer Overflow gd_io.c).
> - Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()).
>
> GMP:
> - Fixed bug #70513 (GMP Deserialization Type Confusion
> Vulnerability).
>
> Mysqlnd:
> - Fixed bug #73800 (sporadic segfault with
> MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
>
> Phar:
> - Fixed bug #73773 (Seg fault when loading hostile phar).
> - Fixed bug #73768 (Memory corruption when loading hostile phar).
> - Fixed bug #73764 (Crash while loading hostile phar archive).
>
> Standard:
> - Fixed bug #73154 (serialize object with __sleep function crash).
>
> Zlib:
> - Fixed bug #73373 (deflate_add does not verify that output was not
> truncated).
>
> More: http://www.php.net/ChangeLog-7.php#7.0.15

2f6f53e php56: 5.6.29 -> 5.6.30
> From the changelog:
>
> GD:
> - Fixed bug #73549 (Use after free when stream is passed to
> imagepng).
> - Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()).
> - Fixed bug #73869 (Signed Integer Overflow gd_io.c).
>
> Phar:
> - Fixed bug #73764 (Crash while loading hostile phar archive).
> - Fixed bug #73768 (Memory corruption when loading hostile phar).
> - Fixed bug #73773 (Seg fault when loading hostile phar).
>
> Standard:
> - Fixed bug #70213 (Unserialize context shared on double class
> lookup).
> - Fixed bug #73825 (Heap out of bounds read on unserialize in
> finish_nested_data()).
>
> More: http://www.php.net/ChangeLog-5.php#5.6.30
======================================================================



The following changes were applied to unstable:

98bd722 systemd-boot: allow setting editor security option (#21853)
> Thanks to @sphalerite on GitHub, you can now specify
>
> boot.loader.systemd-boot.editor = false;
>
> and disable editing boot entries while booting.

140d135 libopus: add patch to fix CVE-2017-0381
> CVE-2017-0381:
>
> A remote code execution vulnerability in silk/NLSF_stabilize.c in
> libopus in Mediaserver could enable an attacker using a specially
> crafted file to cause memory corruption during media file and data
> processing.

34c5289 linux 4.9.4 -> 4.9.5
> All kernel patches are considered security-sensitive.

0fdef7d 4.9 is the latest longterm kernel.
> All kernel patches are considered security-sensitive.

e5acde0 php71: 7.1.0 -> 7.1.1
> From the changelog:
>
> Core
> - Fixed bug #73825 (Heap out of bounds read on unserialize in
> finish_nested_data()).
> - Fixed bug #73831 (NULL Pointer Dereference while unserialize php
> object).
> - Fixed bug #73832 (Use of uninitialized memory in unserialize()).
>
> COM
> - Fixed bug #73679 (DOTNET read access violation using invalid
> codepage).
>
> EXIF
> - Fixed bug #73737 (FPE when parsing a tag format).
>
> GD
> - Fixed bug #73869 (Signed Integer Overflow gd_io.c).
> - Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()).
>
> mbstring
> - Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
>
> mysqlnd
> - Fixed bug #73800 (sporadic segfault with
> MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
>
> opcache
> - Fixed bug #73654 (Segmentation fault in zend_call_function).
> - Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when
> divide by minus 1).
>
> Standard
> - Fixed bug #73154 (serialize object with __sleep function crash).
>
> zlib
> - Fixed bug #73373 (deflate_add does not verify that output was not
> truncated).
>
>
> More: http://www.php.net/ChangeLog-7.php#7.1.1

ff5ef7d php70: 7.0.14 -> 7.0.15
> From the changelog:
>
> Core:
> - Fixed bug #73825 (Heap out of bounds read on unserialize in
> finish_nested_data()).
> - Fixed bug #73831 (NULL Pointer Dereference while unserialize php
> object).
> - Fixed bug #73832 (Use of uninitialized memory in unserialize()).
> - Fixed bug #73092 (Unserialize use-after-free when resizing object's
> properties hash table).
> - Fixed bug #69425 (Use After Free in unserialize()).
>
> COM:
> - Fixed bug #73679 (DOTNET read access violation using invalid
> codepage).
>
> EXIF:
> - Fixed bug #73737 (FPE when parsing a tag format).
>
> GD:
> - Fixed bug #73869 (Signed Integer Overflow gd_io.c).
> - Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()).
>
> GMP:
> - Fixed bug #70513 (GMP Deserialization Type Confusion
> Vulnerability).
>
> Mysqlnd:
> - Fixed bug #73800 (sporadic segfault with
> MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
>
> Phar:
> - Fixed bug #73773 (Seg fault when loading hostile phar).
> - Fixed bug #73768 (Memory corruption when loading hostile phar).
> - Fixed bug #73764 (Crash while loading hostile phar archive).
>
> Standard:
> - Fixed bug #73154 (serialize object with __sleep function crash).
>
> Zlib:
> - Fixed bug #73373 (deflate_add does not verify that output was not
> truncated).
>
> More: http://www.php.net/ChangeLog-7.php#7.0.15

35fdfd8 php56: 5.6.29 -> 5.6.30
> From the changelog:
>
> GD:
> - Fixed bug #73549 (Use after free when stream is passed to
> imagepng).
> - Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()).
> - Fixed bug #73869 (Signed Integer Overflow gd_io.c).
>
> Phar:
> - Fixed bug #73764 (Crash while loading hostile phar archive).
> - Fixed bug #73768 (Memory corruption when loading hostile phar).
> - Fixed bug #73773 (Seg fault when loading hostile phar).
>
> Standard:
> - Fixed bug #70213 (Unserialize context shared on double class
> lookup).
> - Fixed bug #73825 (Heap out of bounds read on unserialize in
> finish_nested_data()).
>
> More: http://www.php.net/ChangeLog-5.php#5.6.30

9f1514f qemu: fix several CVEs
> From the CVE entries:
>
> QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator
> support is vulnerable to an information leakage issue. It could occur
> while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest
> user/process could use this flaw to leak contents of the host memory
> bytes. (CVE-2016-9845)
>
> QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator
> support is vulnerable to a memory leakage issue. It could occur while
> updating the cursor data in update_cursor_data_virgl. A guest
> user/process could use this flaw to leak host memory bytes, resulting
> in DoS for a host. (CVE-2016-9846)
>
> Quick Emulator (Qemu) built with the USB redirector usb-guest support
> is vulnerable to a memory leakage flaw. It could occur while
> destroying the USB redirector in 'usbredir_handle_destroy'. A guest
> user/process could use this issue to leak host memory, resulting in
> DoS for a host. (CVE-2016-9907)
>
> Quick Emulator (Qemu) built with the Virtio GPU Device emulator
> support is vulnerable to an information leakage issue. It could occur
> while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest
> user/process could use this flaw to leak contents of the host memory
> bytes. (CVE-2016-9908)
>
> Quick Emulator (Qemu) built with the Virtio GPU Device emulator
> support is vulnerable to a memory leakage issue. It could occur while
> destroying gpu resource object in 'virtio_gpu_resource_destroy'. A
> guest user/process could use this flaw to leak host memory bytes,
> resulting in DoS for a host. (CVE-2016-9912)

5326cb7 webkit: security 2.14.2 -> 2.14.3
> From the announcement page:
>
> https://webkitgtk.org/security/WSA-2017-0001.html
>
> CVE-2016-7586
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Boris Zbarsky.
> Impact: Processing maliciously crafted web content may result in
> the disclosure of user information. Description: A validation
> issue was addressed through improved state management.
> CVE-2016-7589
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Apple.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: A memory corruption issue
> was addressed through improved state management.
> CVE-2016-7592
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Processing maliciously crafted web content may
> compromise user information. Description: An issue existed in
> handling of JavaScript prompts. This was addressed through
> improved state management.
> CVE-2016-7599
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Muneaki Nishimura (nishimunea) of Recruit Technologies
> Co., Ltd.
> Impact: Processing maliciously crafted web content may result in
> the disclosure of user information. Description: An issue
> existed in the handling of HTTP redirects. This issue was
> addressed through improved cross origin validation.
> CVE-2016-7623
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Visiting a maliciously crafted website may compromise
> user information. Description: An issue existed in the handling
> of blob URLs. This issue was addressed through improved URL
> handling.
> CVE-2016-7632
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Jeonghoon Shin.
> Impact: Visiting a maliciously crafted webpage may lead to an
> unexpected application termination or arbitrary code execution.
> Description: A memory corruption issue was addressed through
> improved state management.
> CVE-2016-7635
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Apple.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved memory
> handling.
> CVE-2016-7639
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Tongbo Luo of Palo Alto Networks.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7641
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7645
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7652
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Apple.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved memory
> handling.
> CVE-2016-7654
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Keen Lab working with Trend Micro’s Zero Day Initiative.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7656
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Keen Lab working with Trend Micro’s Zero Day Initiative.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: A memory corruption issue
> was addressed through improved state management.

68c9530 libtiff: apply security patches from Debian
> * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
> TIFFReadEncodedStrip() that caused an integer division by zero.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
>
> * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
> can cause various issues, such as buffer overflows in the library.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
>
> * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
> overflow on generation of PixarLog / LUV compressed files, with
> ColorMap, TransferFunction attached and nasty plays with bitspersample.
> The fix for LUV has not been tested, but suffers from the same kind
> of issue as PixarLog.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
>
> * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
> compute nstrips as TIFFhowmany_32(td->td_imagelength,
> rowsperstrip), instead of a logic based on the total size of data,
> which is faulty if the total size of data is not sufficient to fill
> the whole image, and thus results in reading outside of the
> StripByteCounts/StripOffsets arrays when using TIFFReadScanline().
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
>
> * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
> for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273
> since the above change is a better fix that makes it unnecessary.
>
> * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of
> failure in OJPEGPreDecode(). This will avoid a divide by zero, and
> potential other issues.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
>
> * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore)
> mode so that the output buffer is correctly incremented to avoid write
> outside bounds.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
>
> * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
> readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
> buffer.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
>
> * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is
> missing.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
>
> * tools/tiffinfo.c: fix null pointer dereference in -r mode when the
> image has no StripByteCount tag.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
>
>
> * tools/tiffcp.c: avoid potential division by zero if BitsPerSamples
> tag is missing.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
>
> * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
> called, limit the return number of inks to SamplesPerPixel, so that
> code that parses ink names doesn't go past the end of the buffer.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
>
> * tools/tiffcp.c: avoid potential division by zero if BitsPerSamples
> tag is missing.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
>
> * tools/tiffcp.c: fix uint32 underflow/overflow that can cause
> heap-based buffer overflow.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
>
> * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
> check.
> Reported by Agostino Sarubbo.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
>
> * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
> Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
> the binary. It happens that the Hylafax software uses the tables that
> follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
> TIFFFaxBlackTable), also they are not in a public libtiff header.
> Raised by Lee Howard.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
>
> * tools/tiff2pdf.c: avoid potential heap-based overflow in
> t2p_readwrite_pdf_image_tile(). Fixes
> http://bugzilla.maptools.org/show_bug.cgi?id=2640
>
> * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
> and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
> overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
> http://bugzilla.maptools.org/show_bug.cgi?id=2657

8e5e365 libtasn1: 4.9 -> 4.10
> - Pass the correct length to _asn1_get_indefinite_length_string in
> asn1_get_length_ber. This addresses reading 1-byte past the end
> of data. Issue found by oss-fuzz project (via gnutls):

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security

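The libtiff entry for bugzilla #2608 above is the one fix in this roundup whose reasoning is spelled out: the number of strips must be derived from the image height, because TIFFReadScanline() indexes StripOffsets/StripByteCounts by row, not by how many bytes the file happens to carry. The following C program is an added illustration of that reasoning and is not libtiff's or nixpkgs' code; howmany_32 mirrors the operation of libtiff's TIFFhowmany_32 macro, while nstrips_from_bytecount is an assumed, simplified stand-in for the replaced data-size-based logic, and the image geometry is constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow-safe ceiling division, the operation libtiff's TIFFhowmany_32
 * macro performs (it yields 0 when x + (y - 1) would wrap). */
static uint32_t howmany_32(uint32_t x, uint32_t y) {
    if (y == 0) return 0;
    if (x >= UINT32_MAX - (y - 1)) return 0;
    return (x + (y - 1)) / y;
}

/* Fixed derivation: strips needed to cover every row of the image, so the
 * per-strip arrays are sized for every index a scanline read can produce. */
uint32_t nstrips_from_height(uint32_t imagelength, uint32_t rowsperstrip) {
    return howmany_32(imagelength, rowsperstrip);
}

/* Assumed simplified model of the replaced logic: strips derived from how
 * much strip data the file declares.  A truncated file yields too few. */
uint32_t nstrips_from_bytecount(uint64_t stripbytecount, uint64_t bytes_per_strip) {
    if (bytes_per_strip == 0) return 0;
    return (uint32_t)((stripbytecount + bytes_per_strip - 1) / bytes_per_strip);
}

/* Strip index a row-based reader such as TIFFReadScanline() consults. */
uint32_t strip_for_row(uint32_t row, uint32_t rowsperstrip) {
    return rowsperstrip ? row / rowsperstrip : 0;
}

/* True when the lookup for `row` stays inside an array of `nstrips` entries. */
bool row_lookup_in_bounds(uint32_t row, uint32_t rowsperstrip, uint32_t nstrips) {
    return strip_for_row(row, rowsperstrip) < nstrips;
}

int main(void) {
    /* Constructed geometry: 100 rows, 10 rows per strip, 1000 bytes per row,
     * but the file only carries 25 rows (25000 bytes) of strip data. */
    uint32_t imagelength = 100, rowsperstrip = 10;
    uint64_t bytes_per_strip = 1000 * (uint64_t)rowsperstrip;
    uint64_t truncated_bytecount = 25000;

    uint32_t fixed = nstrips_from_height(imagelength, rowsperstrip);
    uint32_t old   = nstrips_from_bytecount(truncated_bytecount, bytes_per_strip);
    printf("height-based: %u strips, bytecount-based: %u strips\n", fixed, old);
    printf("reading row 95 -> strip %u: in bounds with fixed count=%d, old count=%d\n",
           strip_for_row(95, rowsperstrip),
           row_lookup_in_bounds(95, rowsperstrip, fixed),
           row_lookup_in_bounds(95, rowsperstrip, old));
    return 0;
}
```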