The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.
These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:
- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested
Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/21642.
The following changes were applied to release-16.09:
608276a openjpeg2: patch for multiple CVEs
>
> - Floating Point Exception (aka FPE or divide by zero) in
> opj_pi_next_cprl function in openjp2/pi.c:523 in OpenJPEG
> 2.1.2. (CVE-2016-9112)
>
> - There is a NULL Pointer Access in function imagetopnm of
> convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is
> not assigned a value after initialization(NULL). Impact is Denial of
> Service. (CVE-2016-9114)
>
> - NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in
> OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a
> crafted j2k file. (CVE-2016-9116)
>
> - Heap Buffer Overflow (WRITE of size 4) in function pnmtoimage of
> convert.c:1719 in OpenJPEG 2.1.2. (CVE-2016-9118)
555f6f6 mpd: 0.9.19 -> 0.20
> Note this is actually moving 0.19.19 -> 0.20
>
> ffmpeg: fix crash bug
>
> More: http://git.musicpd.org/cgit/master/mpd.git/plain/NEWS?h=v0.19.21
ecaaea6 kernel: 4.4.39 -> 4.4.40
> All kernel patches are considered security-sensitive.
e4d7458 kernel: 4.8.15 -> 4.8.16
> All kernel patches are considered security-sensitive.
303ff51 libpng12: security 1.2.56 -> 1.2.57
> fix a potential "NULL dereference" bug that has existed in libpng
> since version 0.71 of June 26, 1995. To be vulnerable, an application
> has to load a text chunk into the png structure, then delete all text,
> then add another text chunk to the same png structure, which seems to
> be an unlikely sequence, but it has happened.
>
> More: https://sourceforge.net/p/png-mng/mailman/message/35575076/
e9a8853 irssi: 0.8.20 -> 0.8.21 (security)
>
> Four vulnerabilities have been located in Irssi.
>
> (a) A NULL pointer dereference in the nickcmp function found by Joseph
> Bisch. (CWE-690)
>
> (b) Use after free when receiving invalid nick message (Issue #466,
> CWE-146)
>
> (c) Out of bounds read in certain incomplete control codes found by
> Joseph Bisch. (CWE-126)
>
> (d) Out of bounds read in certain incomplete character sequences found
> by Hanno Böck and independently by J. Bisch. (CWE-126)
>
>
> More: https://irssi.org/security/irssi_sa_2017_01.txt
a0f8bc1 pythonPackages.pycrypto: add patch to fix CVE-2013-7459
> CVE-2013-7459: Buffer overflow
e924319 bash-4.3: fix security problems via a Gentoo patch
>
> CVE-2016-9401:
> A vulnerability was found in popd. It can be tricked to free a user
> supplied address in the following way:
>
> $ popd +-111111
>
> This could be used to bypass restricted shells (rsh) on some
> environments to cause use-after-free.
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1396383
>
>
> CVE-2016-7543:
> Shells running as root inherited PS4 from the environment, allowing PS4
> expansion performing command substitution. Local attacker could gain
> arbitrary code execution via bogus setuid binaries using
> system()/popen() by specially crafting SHELLOPTS+PS4 environment
> variables.
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1379630
873eb9f openfire: mark as broken; its unfriendliness towards read-..
> Marked as broken due to not working well on NixOS. Here are the notes from the
> CVE entries:
>
> Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire
> 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1)
> groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2)
> urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname
> parameter to server-session-details.jsp; or the (4) search parameter to
> group-summary.jsp. (CVE-2015-6972)
>
> Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime
> Openfire 3.10.2 allow remote attackers to hijack the authentication of
> administrators for requests that (1) change a password via a crafted request to
> user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3)
> edit server settings or (4) disable SSL on the server via a crafted request to
> server-props.jsp, or (5) add clients via a crafted request to
> plugins/clientcontrol/permitted-clients.jsp. (CVE-2015-6973)
>
> Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain
> administrator access via the isadmin parameter to user-edit-form.jsp.
> (CVE-2015-7707)
a256cf3 irssi_otr: 1.0.1 -> 1.0.2
> From the SUSE bugzilla entry:
>
> It was discovered that irssi-otr had a flaw in handling data returned
> by libotr. After the initiation of the OTR session only the first line
> was sent as a PRIVMSG, while additional data would be sent as raw
> commands to the IRC server. The additional data would ordinarily be a
> human-readable HTML-formatted instruction message from libotr, a fixed
> string. However this is a minor security concern and the remediation
> avoids further security issues.
>
> More: https://bugzilla.suse.com/show_bug.cgi?id=1016942
9899790 mysql55: 5.7.16 -> 5.7.17
> Unsafe use of rm and chown in mysqld_safe could result in privilege
> escalation. chown now can be used only when the target directory is
> /var/log. An incompatible change is that if the directory for the Unix
> socket file is missing, it is no longer created; instead, an error
> occurs. Due to these changes, /bin/bash is required to run mysqld_safe
> on Solaris. /bin/sh is still used on other Unix/Linux platforms.
>
> More: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html
fd9d06d mysql55: 5.5.53 -> 5.5.54
>
> Unsafe use of rm and chown in mysqld_safe could result in privilege
> escalation. chown now can be used only when the target directory is
> /var/log. An incompatible change is that if the directory for the
> Unix socket file is missing, it is no longer created; instead, an
> error occurs. Due to these changes, /bin/bash is required to run
> mysqld_safe on Solaris. /bin/sh is still used on other Unix/Linux
> platforms.
>
> More information at
> https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
8e04c71 firejail: -> 0.9.44.2
>
> CVE-2016-7545, CVE-2016-9016:
>
> It was found that the sandbox tool provided in policycoreutils was
> vulnerable to a TIOCSTI ioctl attack. A specially crafted program
> executed via the sandbox command could use this flaw to execute
> arbitrary commands in the context of the parent shell, escaping the
> sandbox.
>
> and fixes for:
>
> security: overwrite /etc/resolv.conf found by Martin Carpenter
> security: TOCTOU exploit for --get and --put found by Daniel Hodson
> security: invalid environment exploit found by Martin Carpenter
> security: several security enhancements
>
> See more: https://firejail.wordpress.com/download-2/release-notes/
68dc35b curl: 7.51.0 -> 7.52.1
> From the Arch advisory:
>
> - CVE-2016-9586 (arbitrary code execution)
>
> libcurl's implementation of the printf() functions triggers a buffer
> overflow when doing a large floating point output. The bug occurs when
> the conversion outputs more than 255 bytes. The flaw happens because
> the floating point conversion is using system functions without the
> correct boundary checks.
> The functions have been documented as deprecated for a long time and
> users are discouraged from using them in "new programs" as they are
> planned to get removed at a future point. But as the functions are
> present and there's nothing preventing users from using them, we expect
> there to be a certain amount of existing users in the wild.
> If there is any application that accepts a format string from the
> outside without necessary input filtering, it could allow remote
> attacks.
>
> - CVE-2016-9594 (incorrect calculation)
>
> libcurl's (new) internal function that returns a good 32bit random
> value was implemented poorly and overwrote the pointer instead of
> writing the value into the buffer the pointer pointed to. This random
> value is used to generate nonces for Digest and NTLM authentication,
> for generating boundary strings in HTTP formposts and more. Having a
> weak or virtually non-existent random there makes these operations
> vulnerable.
> This function has been introduced in 7.52.0
1b19369 libpng: 1.6.26 -> 1.6.27; a security update
> From the libpng-1.6.27, 1.5.28, and 1.2.57 release announcement:
>
> These all fix a potential "NULL dereference" bug that has existed in
> libpng since version 0.71 of June 26, 1995. To be vulnerable, an
> application has to load a text chunk into the png structure, then
> delete all text, then add another text chunk to the same png
> structure, which seems to be an unlikely sequence, but it has
> happened.
81e8801 chromium: 55.0.2883.75 -> 55.0.2883.87
> All browser patches are considered security-sensitive.
65ce9ce grsecurity: 4.8.15-201612151923 -> 201612301949
> All kernel patches are considered security-sensitive.
======================================================================
The following changes were applied to unstable:
428927f openjpeg2: patch for multiple CVEs
>
> - Floating Point Exception (aka FPE or divide by zero) in
> opj_pi_next_cprl function in openjp2/pi.c:523 in OpenJPEG
> 2.1.2. (CVE-2016-9112)
>
> - There is a NULL Pointer Access in function imagetopnm of
> convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is
> not assigned a value after initialization(NULL). Impact is Denial of
> Service. (CVE-2016-9114)
>
> - NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in
> OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a
> crafted j2k file. (CVE-2016-9116)
>
> - Heap Buffer Overflow (WRITE of size 4) in function pnmtoimage of
> convert.c:1719 in OpenJPEG 2.1.2. (CVE-2016-9118)
d6ff445 grsecurity: 4.8.15-201612301949 -> 4.8.16-201701062021
> All kernel patches are considered security-sensitive.
c1d20ea kernel: 4.9.0 -> 4.9.1
> All kernel patches are considered security-sensitive.
ecf87b1 kernel: 4.8.15 -> 4.8.16
> All kernel patches are considered security-sensitive.
8fda707 kernel: 4.4.39 -> 4.4.40
> All kernel patches are considered security-sensitive.
1e253d5 libpng12: security 1.2.56 -> 1.2.57
> fix a potential "NULL dereference" bug that has existed in libpng
> since version 0.71 of June 26, 1995. To be vulnerable, an application
> has to load a text chunk into the png structure, then delete all text,
> then add another text chunk to the same png structure, which seems to
> be an unlikely sequence, but it has happened.
>
> More: https://sourceforge.net/p/png-mng/mailman/message/35575076/
5ebee16 mpd: 0.9.19 -> 0.20
> Note this is actually moving 0.19.19 -> 0.20
>
> ffmpeg: fix crash bug
>
> More: http://git.musicpd.org/cgit/master/mpd.git/plain/NEWS?h=v0.19.21
c58ac7e irssi: 0.8.20 -> 0.8.21 (security)
>
> Four vulnerabilities have been located in Irssi.
>
> (a) A NULL pointer dereference in the nickcmp function found by Joseph
> Bisch. (CWE-690)
>
> (b) Use after free when receiving invalid nick message (Issue #466,
> CWE-146)
>
> (c) Out of bounds read in certain incomplete control codes found by
> Joseph Bisch. (CWE-126)
>
> (d) Out of bounds read in certain incomplete character sequences found
> by Hanno Böck and independently by J. Bisch. (CWE-126)
>
>
> More: https://irssi.org/security/irssi_sa_2017_01.txt
2102fa0 smack: 3.4.1 -> 4.1.9, fixes CVE-2016-10027
> From the Red Hat bugzilla entry:
>
> A vulnerability in the Smack XMPP library was reported where the
> security of the TLS connection is not always enforced. By stripping the
> "starttls" feature from the server response with a man-in-the-middle
> tool, an attacker can force the client to authenticate in clear text
> even if the "SecurityMode.required" TLS setting has been set.
>
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1406703
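The downgrade described in the Smack entry above, as an added example that is not Smack's own code: a minimal client-side check over the server's stream features that refuses to start authentication when TLS is required but no starttls feature is advertised. The two stanzas are constructed samples, and the SecurityMode values and function names are my own, modelled on the setting the advisory names.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample: the <stream:features> a server sends on a fresh,
# not-yet-encrypted stream, offering STARTTLS before SASL.
FEATURES_WITH_STARTTLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""

# Constructed sample: the same features after a man-in-the-middle has
# stripped the starttls element, leaving only the SASL mechanisms.
FEATURES_STRIPPED = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""


class SecurityMode:
    # Hypothetical constants standing in for the client's TLS setting.
    REQUIRED = "required"
    IF_POSSIBLE = "ifpossible"
    DISABLED = "disabled"


def server_offers_starttls(features_xml: str) -> bool:
    """True if the stream features contain a <starttls> in the xmpp-tls namespace."""
    root = ET.fromstring(features_xml)
    return root.find("{%s}starttls" % TLS_NS) is not None


def vulnerable_next_step(features_xml: str, mode: str, tls_established: bool) -> str:
    """Illustration of the flawed logic: the required mode is only consulted
    when starttls is offered, so a stripped feature list falls through to
    plaintext authentication."""
    if tls_established:
        return "authenticate"
    if server_offers_starttls(features_xml) and mode != SecurityMode.DISABLED:
        return "starttls"
    return "authenticate"


def hardened_next_step(features_xml: str, mode: str, tls_established: bool) -> str:
    """Corrected logic: with REQUIRED set, a missing starttls offer on an
    unencrypted stream is treated as a downgrade and the stream is aborted."""
    if tls_established:
        return "authenticate"
    if server_offers_starttls(features_xml) and mode != SecurityMode.DISABLED:
        return "starttls"
    if mode == SecurityMode.REQUIRED:
        return "abort"
    return "authenticate"
```
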
3b71936 pythonPackages.pycrypto: dummy depending on pycryptodome, ..
> Pycrypto has been superseded by Pycryptodome, which is a drop-in replacement
> for pycrypto.
fe93734 pythonPackages.pycrypto: add patch to fix CVE-2013-7459
> CVE-2013-7459: Buffer overflow
57fc4d2 bash-4.4: p0 -> p5 + a security patch from Gentoo
> CVE-2016-9401:
> More: https://bugs.gentoo.org/show_bug.cgi?id=600174
> popd can be tricked to free a user supplied address in the following way:
>
> $ popd +-111111
>
> This could be used to bypass restricted shells (rsh) on some
> environments to cause use-after-free.
>
>
> Patches:
>
> 001:
> Bash-4.4 changed the way the history list is initially allocated to
> reduce the number of reallocations and copies. Users who set HISTSIZE
> to a very large number to essentially unlimit the size of the history
> list will get memory allocation errors
>
> 002:
> Bash-4.4 warns when discarding NUL bytes in command substitution output
> instead of silently dropping them. This patch changes the warnings from
> one per NUL byte encountered to one warning per command substitution.
>
> 003:
> Specially-crafted input, in this case an incomplete pathname expansion
> bracket expression containing an invalid collating symbol, can cause the
> shell to crash.
>
> 004:
> There is a race condition that can result in bash referencing freed
> memory when freeing data associated with the last process substitution.
>
> 005:
> Under certain circumstances, a simple command is optimized to eliminate
> a fork, resulting in an EXIT trap not being executed.
22796f0 bash-4.3: fix security problems via a Gentoo patch
>
> CVE-2016-9401:
> A vulnerability was found in popd. It can be tricked to free a user
> supplied address in the following way:
>
> $ popd +-111111
>
> This could be used to bypass restricted shells (rsh) on some
> environments to cause use-after-free.
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1396383
>
>
> CVE-2016-7543:
> Shells running as root inherited PS4 from the environment, allowing PS4
> expansion performing command substitution. Local attacker could gain
> arbitrary code execution via bogus setuid binaries using
> system()/popen() by specially crafting SHELLOPTS+PS4 environment
> variables.
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1379630
f047838 bash-4.3-p46 -> bash-4.3-p48
>
> CVE-2016-9401:
> From https://bugs.gentoo.org/show_bug.cgi?id=600174:
> popd can be tricked to free a user supplied address in the following way:
>
> $ popd +-111111
>
> This could be used to bypass restricted shells (rsh) on some
> environments to cause use-after-free.
567c1a3 openfire: mark as broken; its unfriendliness towards read-..
> Marked as broken due to not working well on NixOS. Here are the notes from the
> CVE entries:
>
> Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire
> 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1)
> groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2)
> urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname
> parameter to server-session-details.jsp; or the (4) search parameter to
> group-summary.jsp. (CVE-2015-6972)
>
> Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime
> Openfire 3.10.2 allow remote attackers to hijack the authentication of
> administrators for requests that (1) change a password via a crafted request to
> user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3)
> edit server settings or (4) disable SSL on the server via a crafted request to
> server-props.jsp, or (5) add clients via a crafted request to
> plugins/clientcontrol/permitted-clients.jsp. (CVE-2015-6973)
>
> Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain
> administrator access via the isadmin parameter to user-edit-form.jsp.
> (CVE-2015-7707)
71c1e2f irssi_otr: 1.0.1 -> 1.0.2
> From the SUSE bugzilla entry:
>
> It was discovered that irssi-otr had a flaw in handling data returned
> by libotr. After the initiation of the OTR session only the first line
> was sent as a PRIVMSG, while additional data would be sent as raw
> commands to the IRC server. The additional data would ordinarily be a
> human-readable HTML-formatted instruction message from libotr, a fixed
> string. However this is a minor security concern and the remediation
> avoids further security issues.
>
> More: https://bugzilla.suse.com/show_bug.cgi?id=1016942
8ec3b1f mysql55: 5.7.16 -> 5.7.17
> Unsafe use of rm and chown in mysqld_safe could result in privilege
> escalation. chown now can be used only when the target directory is
> /var/log. An incompatible change is that if the directory for the Unix
> socket file is missing, it is no longer created; instead, an error
> occurs. Due to these changes, /bin/bash is required to run mysqld_safe
> on Solaris. /bin/sh is still used on other Unix/Linux platforms.
>
> More: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html
b578bbb mysql55: 5.5.53 -> 5.5.54
>
> Unsafe use of rm and chown in mysqld_safe could result in privilege
> escalation. chown now can be used only when the target directory is
> /var/log. An incompatible change is that if the directory for the
> Unix socket file is missing, it is no longer created; instead, an
> error occurs. Due to these changes, /bin/bash is required to run
> mysqld_safe on Solaris. /bin/sh is still used on other Unix/Linux
> platforms.
>
> More information at
> https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
6edb379 ldns 1.6.17 -> 1.7.0 Release notes: http://git.nlnetlabs.n..
> - bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
> - bugfix #573: ldns-keygen write private keys with mode 0600
> - bugfix #697: Double free with ldns-dane create
>
> More: https://git.nlnetlabs.nl/ldns/tree/Changelog?id=release-1.7.0
82b0ae1 Merge pull request #21612 from NeQuissimus/curl_7_52_1
> From the Arch advisory:
>
> - CVE-2016-9586 (arbitrary code execution)
>
> libcurl's implementation of the printf() functions triggers a buffer
> overflow when doing a large floating point output. The bug occurs when
> the conversion outputs more than 255 bytes. The flaw happens because
> the floating point conversion is using system functions without the
> correct boundary checks.
> The functions have been documented as deprecated for a long time and
> users are discouraged from using them in "new programs" as they are
> planned to get removed at a future point. But as the functions are
> present and there's nothing preventing users from using them, we expect
> there to be a certain amount of existing users in the wild.
> If there is any application that accepts a format string from the
> outside without necessary input filtering, it could allow remote
> attacks.
>
> - CVE-2016-9594 (incorrect calculation)
>
> libcurl's (new) internal function that returns a good 32bit random
> value was implemented poorly and overwrote the pointer instead of
> writing the value into the buffer the pointer pointed to. This random
> value is used to generate nonces for Digest and NTLM authentication,
> for generating boundary strings in HTTP formposts and more. Having a
> weak or virtually non-existent random there makes these operations
> vulnerable.
> This function has been introduced in 7.52.0
125fa15 curl: 7.51.1 -> 7.52.1
> From the Arch advisory:
>
> - CVE-2016-9586 (arbitrary code execution)
>
> libcurl's implementation of the printf() functions triggers a buffer
> overflow when doing a large floating point output. The bug occurs when
> the conversion outputs more than 255 bytes. The flaw happens because
> the floating point conversion is using system functions without the
> correct boundary checks.
> The functions have been documented as deprecated for a long time and
> users are discouraged from using them in "new programs" as they are
> planned to get removed at a future point. But as the functions are
> present and there's nothing preventing users from using them, we expect
> there to be a certain amount of existing users in the wild.
> If there is any application that accepts a format string from the
> outside without necessary input filtering, it could allow remote
> attacks.
>
> - CVE-2016-9594 (incorrect calculation)
>
> libcurl's (new) internal function that returns a good 32bit random
> value was implemented poorly and overwrote the pointer instead of
> writing the value into the buffer the pointer pointed to. This random
> value is used to generate nonces for Digest and NTLM authentication,
> for generating boundary strings in HTTP formposts and more. Having a
> weak or virtually non-existent random there makes these operations
> vulnerable.
> This function has been introduced in 7.52.0
2a4c831 linux_testing: 4.10-rc1 -> 4.10-rc2
> All kernel patches are considered security-sensitive.
0af8ddb libpng: 1.6.26 -> 1.6.27; a security update; @grahamc shou..
> From the libpng-1.6.27, 1.5.28, and 1.2.57 release announcement:
>
> These all fix a potential "NULL dereference" bug that has existed in
> libpng since version 0.71 of June 26, 1995. To be vulnerable, an
> application has to load a text chunk into the png structure, then
> delete all text, then add another text chunk to the same png
> structure, which seems to be an unlikely sequence, but it has
> happened.
11bfe01 firejail: 0.9.42 -> 0.9.44.2
>
> CVE-2016-7545, CVE-2016-9016:
>
> It was found that the sandbox tool provided in policycoreutils was
> vulnerable to a TIOCSTI ioctl attack. A specially crafted program
> executed via the sandbox command could use this flaw to execute
> arbitrary commands in the context of the parent shell, escaping the
> sandbox.
>
> and fixes for:
>
> security: overwrite /etc/resolv.conf found by Martin Carpenter
> security: TOCTOU exploit for --get and --put found by Daniel Hodson
> security: invalid environment exploit found by Martin Carpenter
> security: several security enhancements
>
> See more: https://firejail.wordpress.com/download-2/release-notes/
0812163 chromium: 55.0.2883.75 -> 55.0.2883.87
> All browser patches are considered security-sensitive.
002f3c8 mpd: listen on 127.0.0.1 by default
75ce714 grsecurity: 4.8.15-201612151923 -> 201612301949
> All kernel patches are considered security-sensitive.
Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security