-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This mail is different in that it uses inline signatures. Michael Weiss
pointed out to me the Google group was editing my messages by appending
a footer, and was breaking my signature. Thank you Michael for pointing
it out. The rest of you must be applying XKCD's PGP Verification
Method: https://xkcd.com/1181/.
The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.
These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:
- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested
Please consider helping with the next security roundup by commenting on
LATEST_ROUNDUP_URL.
The following changes were applied to release-16.09:
206fb8f flashplayer: 24.0.0.186 -> 24.0.0.194
> From the advisory:
>
> These updates resolve a security bypass vulnerability that could
> lead to information disclosure (CVE-2017-2938).
> These updates resolve use-after-free vulnerabilities that could
> lead to code execution (CVE-2017-2932, CVE-2017-2936,
> CVE-2017-2937).
> These updates resolve heap buffer overflow vulnerabilities that
> could lead to code execution (CVE-2017-2927, CVE-2017-2933,
> CVE-2017-2934, CVE-2017-2935).
> These updates resolve memory corruption vulnerabilities that could
> lead to code execution (CVE-2017-2925, CVE-2017-2926,
> CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).
>
> Release notes:
> https://helpx.adobe.com/flash-player/release-note/fp_24_air_24_release_notes.html
>
> Advisory:
> https://helpx.adobe.com/security/products/flash-player/apsb17-02.html
480684a jasper: 2.0.6 -> 2.0.10 for null pointer dereference
b138432 nvidia_x11_legacy340: 340.96 -> 340.101 for CVE-2016-7382,..
> From the Mageia advisory:
>
> NVIDIA GPU Display Driver contains a vulnerability in the kernel mode
> layer (nvidia.ko) where a user can cause a GPU interrupt storm,
> leading to a denial of service.
f1c3402 nvidia_x11_legacy304: 304.131 -> 304.134 for CVE-2016-7382..
> From the Mageia advisory:
>
> NVIDIA GPU Display Driver contains a vulnerability in the kernel mode
> layer (nvidia.ko) where a user can cause a GPU interrupt storm,
> leading to a denial of service.
4acd692 pcsclite: 1.8.17 -> 1.8.20 for CVE-2016-10109
> From the Arch Linux advisory:
>
> The SCardReleaseContext function normally releases resources
> associated with the given handle (including "cardsList") and clients
> should cease using this handle. A malicious client can however make
> the daemon invoke SCardReleaseContext and continue issuing other
> commands that use "cardsList", resulting in a use-after-free. When
> SCardReleaseContext is invoked multiple times, it additionally results
> in a double-free of "cardsList".
>
> The issue allows a local attacker to cause a denial of service, but
> can potentially result in privilege escalation since the daemon is
> running as root while any local user can connect to the Unix socket.
> Fixed by patch "SCardReleaseContext: prevent use-after-free of
> cardsList" which is released with pcsc-lite 1.8.20 on 30 December
> 2016.
2b6ff8c unrtf: patch against CVE-2016-10091
> From the Mageia advisory:
>
> A stack-based buffer overflow has been found in unrtf 0.21.9, which
> affects functions including cmd_expand, cmd_emboss and cmd_engrave
> (CVE-2016-10091).
3f42b78 icoutils: 0.31.0 -> 0.31.1
> From the Debian advisory:
>
> Choongwoo Han discovered that a programming error in the wrestool tool
> of the icoutils suite allows denial of service or the execution of
> arbitrary code if a malformed binary is parsed.
1237b44 libvncserver: 0.9.9 -> 0.9.11
> From the CVE entries:
>
> Heap-based buffer overflow in rfbproto.c in LibVNCClient in
> LibVNCServer before 0.9.11 allows remote servers to cause a denial of
> service (application crash) or possibly execute arbitrary code via a
> crafted FramebufferUpdate message containing a subrectangle outside of
> the client drawing area. (CVE-2016-9941)
>
> Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer
> before 0.9.11 allows remote servers to cause a denial of service
> (application crash) or possibly execute arbitrary code via a crafted
> FramebufferUpdate message with the Ultra type tile, such that the LZO
> payload decompressed length exceeds what is specified by the tile
> dimensions. (CVE-2016-9942)
cd27f9d flac: 1.3.1 -> 1.3.2 (security update)
> Three crashes from crafted files are noted in the 2015 flac bug
> report: https://sourceforge.net/p/flac/bugs/425/
6435585 runc: add patches to fix CVE-2016-9962
> RunC allowed additional container processes via runc exec to be
> ptraced by the pid 1 of the container. This allows the main processes
> of the container, if running as root, to gain access to
> file-descriptors of these new processes during the initialization and
> can lead to container escapes or modification of runC state before the
> process is fully placed inside the container.
479df3e gnutls33: 3.3.25 -> 3.3.26
> Fixes the following security issues:
>
> * CVE-2017-5334
> * CVE-2017-5335
> * CVE-2017-5336
> * CVE-2017-5337
>
> See https://www.gnutls.org/news.html#2017-01-09 for more information.
924a0b9 docker: 1.12.5 -> 1.12.6
> RunC allowed additional container processes via runc exec to be
> ptraced by the pid 1 of the container. This allows the main processes
> of the container, if running as root, to gain access to
> file-descriptors of these new processes during the initialization and
> can lead to container escapes or modification of runC state before the
> process is fully placed inside the container.
b5f9bb6 linux: 4.8.16 -> 4.8.17
> All kernel patches are considered security-sensitive.
eec4304 linux: 4.4.40 -> 4.4.41
> All kernel patches are considered security-sensitive.
8e68070 libgit2: 0.24.3 -> 0.24.6
> Fixes the following vulnerabilities:
>
> * CVE-2016-10128
> * CVE-2016-10129
> * CVE-2016-10130
> * CVE-2017-5338
> * CVE-2017-5339
fd1dbe5 flashplayer: 24.0.0.186 -> 24.0.0.194
> From the advisory:
>
> These updates resolve a security bypass vulnerability that could
> lead to information disclosure (CVE-2017-2938).
> These updates resolve use-after-free vulnerabilities that could
> lead to code execution (CVE-2017-2932, CVE-2017-2936,
> CVE-2017-2937).
> These updates resolve heap buffer overflow vulnerabilities that
> could lead to code execution (CVE-2017-2927, CVE-2017-2933,
> CVE-2017-2934, CVE-2017-2935).
> These updates resolve memory corruption vulnerabilities that could
> lead to code execution (CVE-2017-2925, CVE-2017-2926,
> CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).
>
> Release notes:
> https://helpx.adobe.com/flash-player/release-note/fp_24_air_24_release_notes.html
>
> Advisory:
> https://helpx.adobe.com/security/products/flash-player/apsb17-02.html
145d33c firejail: 0.9.44.2 -> 0.9.44.4
> CVE-2016-7545, CVE-2016-9016:
>
> It was found that the sandbox tool provided in policycoreutils was
> vulnerable to a TIOCSTI ioctl attack. A specially crafted program
> executed via the sandbox command could use this flaw to execute
> arbitrary commands in the context of the parent shell, escaping the
> sandbox.
>
> and fixes for:
>
> security: overwrite /etc/resolv.conf found by Martin Carpenter
> security: TOCTOU exploit for --get and --put found by Daniel Hodson
> security: invalid environment exploit found by Martin Carpenter
> security: several security enhancements
>
> See more: https://firejail.wordpress.com/download-2/release-notes/
======================================================================
The following changes were applied to unstable:
18e2639 jasper: 2.0.6 -> 2.0.10 for null pointer dereference
d20d38e nvidia_x11_legacy340: 340.96 -> 340.101 for CVE-2016-7382,..
> From the Mageia advisory:
>
> NVIDIA GPU Display Driver contains a vulnerability in the kernel mode
> layer (nvidia.ko) where a user can cause a GPU interrupt storm,
> leading to a denial of service.
9837dce nvidia_x11_legacy304: 304.131 -> 304.134 for CVE-2016-7382..
> From the Mageia advisory:
>
> NVIDIA GPU Display Driver contains a vulnerability in the kernel mode
> layer (nvidia.ko) where a user can cause a GPU interrupt storm,
> leading to a denial of service.
847647a pcsclite: 1.8.17 -> 1.8.20 for CVE-2016-10109
> From the Arch Linux advisory:
>
> The SCardReleaseContext function normally releases resources
> associated with the given handle (including "cardsList") and clients
> should cease using this handle. A malicious client can however make
> the daemon invoke SCardReleaseContext and continue issuing other
> commands that use "cardsList", resulting in a use-after-free. When
> SCardReleaseContext is invoked multiple times, it additionally results
> in a double-free of "cardsList".
>
> The issue allows a local attacker to cause a denial of service, but
> can potentially result in privilege escalation since the daemon is
> running as root while any local user can connect to the Unix socket.
> Fixed by patch "SCardReleaseContext: prevent use-after-free of
> cardsList" which is released with pcsc-lite 1.8.20 on 30 December
> 2016.
2dab778 unrtf: patch against CVE-2016-10091
> From the Mageia advisory:
>
> A stack-based buffer overflow has been found in unrtf 0.21.9, which
> affects functions including cmd_expand, cmd_emboss and cmd_engrave
> (CVE-2016-10091).
a3778f6 flashplayer: 24.0.0.186 -> 24.0.0.194
> From the advisory:
>
> These updates resolve a security bypass vulnerability that could
> lead to information disclosure (CVE-2017-2938).
> These updates resolve use-after-free vulnerabilities that could
> lead to code execution (CVE-2017-2932, CVE-2017-2936,
> CVE-2017-2937).
> These updates resolve heap buffer overflow vulnerabilities that
> could lead to code execution (CVE-2017-2927, CVE-2017-2933,
> CVE-2017-2934, CVE-2017-2935).
> These updates resolve memory corruption vulnerabilities that could
> lead to code execution (CVE-2017-2925, CVE-2017-2926,
> CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).
>
> Release notes:
> https://helpx.adobe.com/flash-player/release-note/fp_24_air_24_release_notes.html
>
> Advisory:
> https://helpx.adobe.com/security/products/flash-player/apsb17-02.html
a00f1c9 icoutils: 0.31.0 -> 0.31.1
> From the Debian advisory:
>
> Choongwoo Han discovered that a programming error in the wrestool tool
> of the icoutils suite allows denial of service or the execution of
> arbitrary code if a malformed binary is parsed.
905349b libvncserver: 0.9.9 -> 0.9.11
> From the CVE entries:
>
> Heap-based buffer overflow in rfbproto.c in LibVNCClient in
> LibVNCServer before 0.9.11 allows remote servers to cause a denial of
> service (application crash) or possibly execute arbitrary code via a
> crafted FramebufferUpdate message containing a subrectangle outside of
> the client drawing area. (CVE-2016-9941)
>
> Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer
> before 0.9.11 allows remote servers to cause a denial of service
> (application crash) or possibly execute arbitrary code via a crafted
> FramebufferUpdate message with the Ultra type tile, such that the LZO
> payload decompressed length exceeds what is specified by the tile
> dimensions. (CVE-2016-9942)
260d97c runc: add patches to fix CVE-2016-9962
> RunC allowed additional container processes via runc exec to be
> ptraced by the pid 1 of the container. This allows the main processes
> of the container, if running as root, to gain access to
> file-descriptors of these new processes during the initialization and
> can lead to container escapes or modification of runC state before the
> process is fully placed inside the container.
0aa4931 runc: 2016-06-15 -> 1.0.0-rc2
> RunC allowed additional container processes via runc exec to be
> ptraced by the pid 1 of the container. This allows the main processes
> of the container, if running as root, to gain access to
> file-descriptors of these new processes during the initialization and
> can lead to container escapes or modification of runC state before the
> process is fully placed inside the container.
cb07316 docker: 1.12.5 -> 1.12.6
> RunC allowed additional container processes via runc exec to be
> ptraced by the pid 1 of the container. This allows the main processes
> of the container, if running as root, to gain access to
> file-descriptors of these new processes during the initialization and
> can lead to container escapes or modification of runC state before the
> process is fully placed inside the container.
c03bc57 libgit2: 0.24.3 -> 0.24.6
> Fixes the following vulnerabilities:
>
> * CVE-2016-10128
> * CVE-2016-10129
> * CVE-2016-10130
> * CVE-2017-5338
> * CVE-2017-5339
85ac790 gnutls35: 3.5.5 -> 3.5.8
> Fixes the following security issues:
>
> * CVE-2017-5334
> * CVE-2017-5335
> * CVE-2017-5336
> * CVE-2017-5337
>
> See https://www.gnutls.org/news.html#2017-01-09 for more information.
0e963d2 gnutls33: 3.3.25 -> 3.3.26
> Fixes the following security issues:
>
> * CVE-2017-5334
> * CVE-2017-5335
> * CVE-2017-5336
> * CVE-2017-5337
>
> See https://www.gnutls.org/news.html#2017-01-09 for more information.
ce11097 flashplayer: 24.0.0.186 -> 24.0.0.194
> From the advisory:
>
> These updates resolve a security bypass vulnerability that could
> lead to information disclosure (CVE-2017-2938).
> These updates resolve use-after-free vulnerabilities that could
> lead to code execution (CVE-2017-2932, CVE-2017-2936,
> CVE-2017-2937).
> These updates resolve heap buffer overflow vulnerabilities that
> could lead to code execution (CVE-2017-2927, CVE-2017-2933,
> CVE-2017-2934, CVE-2017-2935).
> These updates resolve memory corruption vulnerabilities that could
> lead to code execution (CVE-2017-2925, CVE-2017-2926,
> CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).
>
> Release notes:
> https://helpx.adobe.com/flash-player/release-note/fp_24_air_24_release_notes.html
>
> Advisory:
> https://helpx.adobe.com/security/products/flash-player/apsb17-02.html
6b01b22 linux: 4.9.1 -> 4.9.2
> All kernel patches are considered security-sensitive.
3b17823 linux: 4.8.16 -> 4.8.17
> All kernel patches are considered security-sensitive.
4c43937 linux: 4.4.40 -> 4.4.41
> All kernel patches are considered security-sensitive.
1753d8c irssi: 0.8.21 -> 1.0.0
9653be4 firejail: 0.9.44.2 -> 0.9.44.4
> CVE-2016-7545, CVE-2016-9016:
>
> It was found that the sandbox tool provided in policycoreutils was
> vulnerable to a TIOCSTI ioctl attack. A specially crafted program
> executed via the sandbox command could use this flaw to execute
> arbitrary commands in the context of the parent shell, escaping the
> sandbox.
>
> and fixes for:
>
> security: overwrite /etc/resolv.conf found by Martin Carpenter
> security: TOCTOU exploit for --get and --put found by Daniel Hodson
> security: invalid environment exploit found by Martin Carpenter
> security: several security enhancements
>
> See more: https://firejail.wordpress.com/download-2/release-notes/
030065f libpng: 1.6.27 -> 1.6.28
> From the libpng-1.6.27, 1.5.28, and 1.2.57 release announcement:
>
> These all fix a potential "NULL dereference" bug that has existed in
> libpng since version 0.71 of June 26, 1995. To be vulnerable, an
> application has to load a text chunk into the png structure, then
> delete all text, then add another text chunk to the same png
> structure, which seems to be an unlikely sequence, but it has
> happened.
e2cde15 flac: 1.3.1 -> 1.3.2
> Three crashes from crafted files are noted in the 2015 flac bug
> report: https://sourceforge.net/p/flac/bugs/425/
Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security