Security fixes from 2017-02-27 13:42 UTC

Graham Christensen

Feb 27, 2017, 8:43:47 AM2/27/17
to nix-securi...@googlegroups.com

The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/23072.

The following changes were applied to release-16.09:

2296799 gstreamer: 1.10.3 -> 1.10.4 for multiple CVEs
(Thank you, Franz Pletz)
> See https://gstreamer.freedesktop.org/releases/1.10/#1.10.4.
>
> Fixes:
>
> * CVE-2017-5847
> * CVE-2017-5848

fcc6e3a linux: 4.9.12 -> 4.9.13
(Thank you, Franz Pletz)
> All kernel patches are considered security-sensitive.

d2ceedd linux: 4.4.51 -> 4.4.52
(Thank you, Franz Pletz)
> All kernel patches are considered security-sensitive.

bda6b18 diffoscope: 63 -> 77
(Thank you: Frederik Rietdijk (author), Vladimír Čunát (committer))
> From the Arch Linux advisory:
>
> It has been discovered that diffoscope may write to arbitrary
> locations on disk depending on the contents of an untrusted archive.
> An attacker is able to create a specially crafted archive that, when
> processed, overwrites arbitrary files on disc.

7ed757d grsecurity: 4.9.11-201702222257 -> 4.9.12-201702231830
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

db39fea grsecurity: 4.9.11-201702181444 -> 201702222257
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

149028c grsecurity: 4.9.10-201702152052 -> 4.9.11-201702181444
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

38ba8c4 mpd: 0.20.4 -> 0.20.5
(Thank you, Franz Pletz)
> Fixes buffer overflows and a memleak.

58f363f mupdf: add patch to fix CVE-2017-5896
(Thank you, Franz Pletz)

edce91c qemu: apply patches for multiple CVEs
(Thank you, Franz Pletz)
> Fixes:
>
> * CVE-2017-2615
> * CVE-2017-5667
> * CVE-2017-5898
> * CVE-2017-5931
> * CVE-2017-5973
>
> We are vulnerable to even more CVEs but those are either not severe
> like memory leaks in obscure situations or upstream hasn't
> acknowledged the patch yet.

4d006d3 Revert "Revert "linux kernels: patch against DCCP double f..
> All kernel patches are considered security-sensitive.

9ae2c60 kernel: 4.4.50 -> 4.4.51
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

ee0cbde kernel: 4.9.11 -> 4.9.12
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

d87a40e firebird: 2.5.6.27020-0 -> 2.5.7.27050-0 for '2.5.7.27050-..
> security vulnerability fix for bypassing 'Restrict UDF' value of
> UdfAccess config directive

1b72afd lynx: 2.8.8rel.2 -> 2.8.9dev.11
(Thank you, Peter Hoeg)
> From the CVE entry:
>
> lynx: It was found that Lynx doesn't parse the authority component of
> the URL correctly when the host name part ends with '?', and could
> instead be tricked into connecting to a different host.

3de44ca libevent: apply security patches from Debian
(Thank you, Vladimír Čunát)

6fcd2d2 curl: 7.52.1 -> 7.53.0 (#23063)
(Thank you: Tim Steinbach (author), Vladimír Čunát (committer))
> CVE-2017-2629

6e17350 wireshark: patch for CVE-2017-6041
(Thank you, Michael Raskin)

142fd06 xen: patch for XSAs: 197, 199, 207, 208, 209
> XSA-197 Issue Description:
>
> > The compiler can emit optimizations in qemu which can lead to double
> > fetch vulnerabilities. Specifically data on the rings shared
> > between qemu and the hypervisor (which the guest under control can
> > obtain mappings of) can be fetched twice (during which time the
> > guest can alter the contents) possibly leading to arbitrary code
> > execution in qemu.
>
> More: https://xenbits.xen.org/xsa/advisory-197.html
>
> XSA-199 Issue Description:
>
> > The code in qemu which implements ioport read/write looks up the
> > specified ioport address in a dispatch table. The argument to the
> > dispatch function is a uint32_t, and is used without a range check,
> > even though the table has entries for only 2^16 ioports.
> >
> > When qemu is used as a standalone emulator, ioport accesses are
> > generated only from cpu instructions emulated by qemu, and are
> > therefore necessarily 16-bit, so there is no vulnerability.
> >
> > When qemu is used as a device model within Xen, io requests are
> > generated by the hypervisor and read by qemu from a shared ring. The
> > entries in this ring use a common structure, including a 64-bit
> > address field, for various accesses, including ioport addresses.
> >
> > Xen will write only 16-bit address ioport accesses. However,
> > depending on the Xen and qemu version, the ring may be writeable by
> > the guest. If so, the guest can generate out-of-range ioport
> > accesses, resulting in wild pointer accesses within qemu.
>
> More: https://xenbits.xen.org/xsa/advisory-199.html
>
> XSA-207 Issue Description:
>
> > Certain internal state is set up, during domain construction, in
> > preparation for possible pass-through device assignment. On ARM and
> > AMD V-i hardware this setup includes memory allocation. On guest
> > teardown, cleanup was erroneously only performed when the guest
> > actually had a pass-through device assigned.
>
> More: https://xenbits.xen.org/xsa/advisory-207.html
>
> XSA-209 Issue Description:
>
> > When doing bitblt copy backwards, qemu should negate the blit width.
> > This avoids an oob access before the start of video memory.
>
> More: https://xenbits.xen.org/xsa/advisory-208.html
>
> XSA-208 Issue Description:
>
> > In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
> > cirrus_bitblt_cputovideo fails to check whether the specified memory
> > region is safe.
>
> More: https://xenbits.xen.org/xsa/advisory-209.html

46f1e9a linux: 4.4.48 -> 4.4.50
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

c056f0a kernel: 4.9.10 -> 4.9.11
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.
======================================================================



The following changes were applied to unstable:

442b589 webkitgtk24x: mark as insecure
(Thank you, Joachim Fasting)

f3a6991 grsecurity: 4.9.12-201702231830 -> 4.9.13-201702261126
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

701544d linux: 4.9.12 -> 4.9.13
(Thank you, Franz Pletz)
> All kernel patches are considered security-sensitive.

62857b1 linux: 4.4.51 -> 4.4.52
(Thank you, Franz Pletz)
> All kernel patches are considered security-sensitive.

8a75569 linux: 4.10 -> 4.10.1
(Thank you, Franz Pletz)
> All kernel patches are considered security-sensitive.

5e937b1 gstreamer: 1.10.3 -> 1.10.4 for multiple CVEs
(Thank you, Franz Pletz)
> See https://gstreamer.freedesktop.org/releases/1.10/#1.10.4.
>
> Fixes:
>
> * CVE-2017-5847
> * CVE-2017-5848

0150d9a grsecurity: 4.9.11-201702222257 -> 4.9.12-201702231830
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

0570686 mpd: 0.20.4 -> 0.20.5
(Thank you, Franz Pletz)
> Fixes buffer overflows and a memleak.

6dfbb07 mupdf: add patch to fix CVE-2017-5896
(Thank you, Franz Pletz)

6bafe64 qemu: apply patches for multiple CVEs
(Thank you, Franz Pletz)
> Fixes:
>
> * CVE-2017-2615
> * CVE-2017-5667
> * CVE-2017-5898
> * CVE-2017-5931
> * CVE-2017-5973
>
> We are vulnerable to even more CVEs but those are either not severe
> like memory leaks in obscure situations or upstream hasn't
> acknowledged the patch yet.

30cea5f libplist: mark as insecure

a9c875f nixpkgs: allow packages to be marked insecure

d36b1cc Revert "Revert "linux kernels: patch against DCCP double f..
> All kernel patches are considered security-sensitive.

82aae8f kernel: 4.4.50 -> 4.4.51
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

18c2be2 kernel: 4.9.11 -> 4.9.12
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

b92501f grsecurity: 4.9.11-201702181444 -> 201702222257
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

db0316d opera: 42.0.2393.517 -> 43.0.2442.991
(Thank you, Demin Dmitriy)
> All browser patches are considered security-sensitive.

c8859b7 libplist: mark as insecure

6c37a92 firebird: 2.5.6.27020-0 -> 2.5.7.27050-0 for '2.5.7.27050-..
> security vulnerability fix for bypassing 'Restrict UDF' value of
> UdfAccess config directive

a3bf71b lynx: 2.8.8rel.2 -> 2.8.9dev.11
(Thank you, Peter Hoeg)
> From the CVE entry:
>
> lynx: It was found that Lynx doesn't parse the authority component of
> the URL correctly when the host name part ends with '?', and could
> instead be tricked into connecting to a different host.

de4643e diffoscope: 63 -> 77
(Thank you, Frederik Rietdijk)
> From the Arch Linux advisory:
>
> It has been discovered that diffoscope may write to arbitrary
> locations on disk depending on the contents of an untrusted archive.
> An attacker is able to create a specially crafted archive that, when
> processed, overwrites arbitrary files on disc.

f5eea8b libevent: apply security patches from Debian
(Thank you, Vladimír Čunát)

194d137 wireshark: patch for CVE-2017-6041
(Thank you, Michael Raskin)

cc4919d xen: patch for XSAs: 197, 199, 207, 208, 209
> XSA-197 Issue Description:
>
> > The compiler can emit optimizations in qemu which can lead to double
> > fetch vulnerabilities. Specifically data on the rings shared
> > between qemu and the hypervisor (which the guest under control can
> > obtain mappings of) can be fetched twice (during which time the
> > guest can alter the contents) possibly leading to arbitrary code
> > execution in qemu.
>
> More: https://xenbits.xen.org/xsa/advisory-197.html
>
> XSA-199 Issue Description:
>
> > The code in qemu which implements ioport read/write looks up the
> > specified ioport address in a dispatch table. The argument to the
> > dispatch function is a uint32_t, and is used without a range check,
> > even though the table has entries for only 2^16 ioports.
> >
> > When qemu is used as a standalone emulator, ioport accesses are
> > generated only from cpu instructions emulated by qemu, and are
> > therefore necessarily 16-bit, so there is no vulnerability.
> >
> > When qemu is used as a device model within Xen, io requests are
> > generated by the hypervisor and read by qemu from a shared ring. The
> > entries in this ring use a common structure, including a 64-bit
> > address field, for various accesses, including ioport addresses.
> >
> > Xen will write only 16-bit address ioport accesses. However,
> > depending on the Xen and qemu version, the ring may be writeable by
> > the guest. If so, the guest can generate out-of-range ioport
> > accesses, resulting in wild pointer accesses within qemu.
>
> More: https://xenbits.xen.org/xsa/advisory-199.html
>
> XSA-207 Issue Description:
>
> > Certain internal state is set up, during domain construction, in
> > preparation for possible pass-through device assignment. On ARM and
> > AMD V-i hardware this setup includes memory allocation. On guest
> > teardown, cleanup was erroneously only performed when the guest
> > actually had a pass-through device assigned.
>
> More: https://xenbits.xen.org/xsa/advisory-207.html
>
> XSA-209 Issue Description:
>
> > When doing bitblt copy backwards, qemu should negate the blit width.
> > This avoids an oob access before the start of video memory.
>
> More: https://xenbits.xen.org/xsa/advisory-208.html
>
> XSA-208 Issue Description:
>
> > In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
> > cirrus_bitblt_cputovideo fails to check whether the specified memory
> > region is safe.
>
> More: https://xenbits.xen.org/xsa/advisory-209.html

b1c6a9b curl: 7.52.1 -> 7.53.0
(Thank you, Tim Steinbach)
> CVE-2017-2629

9458018 dbus: 1.10.14 -> 1.10.16
(Thank you, Vladimír Čunát)

f454297 linux 4.10
(Thank you, Shea Levy)
> All kernel patches are considered security-sensitive.

7274fc3 linux: 4.4.48 -> 4.4.50
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

2423313 kernel: 4.9.10 -> 4.9.11
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

ca016c2 grsecurity: 4.9.10-201702152052 -> 4.9.11-201702181444
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

38771ba nixpkgs: allow packages to be marked insecure

748e7b2 chromium: update dev and beta
(Thank you, Nikolay Amiantov)
> All browser patches are considered security-sensitive.

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security
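The XSA-197 (double fetch) and XSA-199 (unchecked uint32_t ioport index) descriptions quoted in the xen entries above both concern requests that qemu reads from a ring shared with the guest. The following C is an added example, not Xen or qemu code: it models that path with hypothetical names (ioreq_t, handle_ioreq, a 2^16-entry dispatch table) and shows the unchecked table lookup beside the range-checked one, together with the read-once private copy that removes the double fetch.

```c
#include <stdint.h>

/* Constructed model of the shared-ring ioreq path from XSA-197/XSA-199.
 * Added example, not Xen or qemu code; all names are hypothetical. */
#define NR_IOPORTS (1u << 16)   /* dispatch table has entries for 2^16 ports only */

typedef struct {
    uint64_t addr;   /* 64-bit address field shared with other access types */
    uint32_t size;   /* bytes accessed: 1, 2 or 4 */
    uint8_t  dir;    /* 0 = read, 1 = write */
} ioreq_t;

typedef int (*ioport_handler_t)(uint32_t port);
static ioport_handler_t dispatch[NR_IOPORTS];

static int default_handler(uint32_t port) { return (int)(port & 0xff); }

void ioport_table_init(void) {
    for (uint32_t p = 0; p < NR_IOPORTS; p++) dispatch[p] = default_handler;
}

/* Vulnerable shape (XSA-199): the raw uint32_t is used as the index with no
 * range check, so any value >= 2^16 reads a function pointer past the table. */
int ioport_dispatch_unchecked(uint32_t port) {
    ioport_handler_t h = dispatch[port];
    return h ? h(port) : -1;
}

/* Hardened shape: refuse anything the 2^16-entry table cannot hold. */
int ioport_dispatch_checked(uint32_t port) {
    if (port >= NR_IOPORTS) return -2;
    ioport_handler_t h = dispatch[port];
    return h ? h(port) : -1;
}

/* XSA-197 mitigation: read every field of the shared entry exactly once into a
 * private copy, validate only the copy, and never touch the ring again. */
int handle_ioreq(volatile const ioreq_t *shared) {
    ioreq_t req;
    req.addr = shared->addr;   /* volatile: one load the compiler cannot repeat */
    req.size = shared->size;
    req.dir  = shared->dir;
    if (req.addr >= NR_IOPORTS) return -2;                 /* 16-bit ports only */
    if (req.size != 1 && req.size != 2 && req.size != 4) return -3;
    return ioport_dispatch_checked((uint32_t)req.addr);
}
```

Only the checked path is ever called on an untrusted value; the unchecked function is kept solely to show the missing comparison.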