The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.
These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:
- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested
Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/21457.
The following changes were applied to release-16.09:
fb67220 imagemagick: 6.9.6-7 -> 6.9.7-0
> heap-based buffer overflow in IsPixelGray (pixel-accessor.h)
> (Incomplete fix for CVE-2016-9556)
ef500ee botan: 1.10.13 -> 1.10.14, enforce c++11
> While decoding BER length fields, an integer overflow could
> occur. This could occur while parsing untrusted inputs such as X.509
> certificates. The overflow does not seem to lead to any obviously
> exploitable condition, but exploitation cannot be positively ruled
> out. Only 32-bit platforms are likely affected; to cause an overflow
> on 64-bit the parsed data would have to be many gigabytes.
48864eb1 cryptopp: 5.6.4 -> 5.6.5
> From the Debian advisory:
>
> Gergely Gábor Nagy from Tresorit discovered that libcrypto++, a C++
> cryptographic library, contained a bug in several ASN.1 parsing
> routines. This would allow an attacker to remotely cause a denial of
> service.
67c5f30 shellinabox: 2.19 -> 2.20
> The shellinabox server, while using the HTTPS protocol, allows HTTP
> fallback through the "/plain" URL.
35f30c1 qemu: fix CVE-2016-9921 and CVE-2016-9922
> From Debian:
>
> CVE-2016-9921, CVE-2016-9922
>
> Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator
> support is vulnerable to a divide by zero issue. It could occur
> while copying VGA data when cirrus graphics mode was set to be
> VGA. A privileged user inside guest could use this flaw to crash
> the Qemu process instance on the host, resulting in DoS.
d9fc36b qemu: fix CVE-2016-9911
> From Debian:
>
> Quick Emulator (Qemu) built with the USB EHCI Emulation support
> is vulnerable to a memory leakage issue. It could occur while
> processing packet data in 'ehci_init_transfer'. A guest user/
> process could use this issue to leak host memory, resulting in
> DoS for a host.
cb967ae apacheHttpd: 2.4.23 -> 2.4.25 for CVE-2016-8743, CVE-2016-..
> From the Red Hat bugzilla:
>
> CVE-2016-0736: It was found that session data/cookies presented to
> mod_session_crypto were not authenticated, which can lead to deciphering
> or tampering with a padding oracle attack.
>
> Affects version 2.4.x up to 2.4.23
>
> CVE-2016-2161: It was found that malicious input to mod_auth_digest
> will cause the server to crash, and each instance continues to crash
> even for subsequently valid requests.
>
> Affects versions 2.4.x up to 2.4.23
>
> CVE-2016-8743: Apache HTTP Server, prior to release 2.4.25, accepted a
> broad pattern of unusual whitespace patterns from the user-agent,
> including bare CR, FF, VTAB in parsing the request line and request
> header lines, as well as HTAB in parsing the request line. Any bare CR
> present in request lines was treated as whitespace and remained in the
> request field member "the_request", while a bare CR in the request
> header field name would be honored as whitespace, and a bare CR in the
> request header field value was retained in the input headers
> array. Implied additional whitespace was accepted in the request line
> and prior to the ':' delimiter of any request header lines.
>
> These defects represent a security concern when httpd is participating
> in any chain of proxies or interacting with back-end application
> servers, either through mod_proxy or using conventional CGI
> mechanisms. In each case where one agent accepts such CTL characters
> and does not treat them as whitespace, there is the possibility in a
> proxy chain of generating two responses from a server behind the
> uncautious proxy agent. In a sequence of two requests, this results in
> request A to the first proxy being interpreted as requests A + A' by
> the backend server, and if requests A and B were submitted to the
> first proxy in a keepalive connection, the proxy may interpret
> response A' as the response to request B, polluting the cache or
> potentially serving the A' content to a different downstream
> user-agent.
>
> Affects versions since 2.2.0 up to 2.4.23
f3d3835 gdk-pixbuf: security 2.34.0 -> 2.36.2
> * Fix integer overflows in the jpeg loader (#775218)
> * Fix a NULL pointer dereference (#776026)
> * Avoid a buffer overrun in the qtif loader (#775648)
> * Fix a crash in the bmp loader (#775242)
> * Prevent buffer overflow in the pixdata loader (#775693)
======================================================================
The following changes were applied to unstable:
8f4098f cryptopp: 5.6.4 -> 5.6.5
> From the Debian advisory:
>
> Gergely Gábor Nagy from Tresorit discovered that libcrypto++, a C++
> cryptographic library, contained a bug in several ASN.1 parsing
> routines. This would allow an attacker to remotely cause a denial of
> service.
d6254e0 shellinabox: 2.19 -> 2.20
> The shellinabox server, while using the HTTPS protocol, allows HTTP
> fallback through the "/plain" URL.
bc63738 qemu: fix CVE-2016-9921 and CVE-2016-9922
> From Debian:
>
> CVE-2016-9921, CVE-2016-9922
>
> Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator
> support is vulnerable to a divide by zero issue. It could occur
> while copying VGA data when cirrus graphics mode was set to be
> VGA. A privileged user inside guest could use this flaw to crash
> the Qemu process instance on the host, resulting in DoS.
a5dd311 qemu: fix CVE-2016-9911
> From Debian:
>
> Quick Emulator (Qemu) built with the USB EHCI Emulation support
> is vulnerable to a memory leakage issue. It could occur while
> processing packet data in 'ehci_init_transfer'. A guest user/
> process could use this issue to leak host memory, resulting in
> DoS for a host.
5ca180f apacheHttpd: 2.4.23 -> 2.4.25 for CVE-2016-8743, CVE-2016-..
> From the Red Hat bugzilla:
>
> CVE-2016-0736: It was found that session data/cookies presented to
> mod_session_crypto were not authenticated, which can lead to deciphering
> or tampering with a padding oracle attack.
>
> Affects version 2.4.x up to 2.4.23
>
> CVE-2016-2161: It was found that malicious input to mod_auth_digest
> will cause the server to crash, and each instance continues to crash
> even for subsequently valid requests.
>
> Affects versions 2.4.x up to 2.4.23
>
> CVE-2016-8743: Apache HTTP Server, prior to release 2.4.25, accepted a
> broad pattern of unusual whitespace patterns from the user-agent,
> including bare CR, FF, VTAB in parsing the request line and request
> header lines, as well as HTAB in parsing the request line. Any bare CR
> present in request lines was treated as whitespace and remained in the
> request field member "the_request", while a bare CR in the request
> header field name would be honored as whitespace, and a bare CR in the
> request header field value was retained in the input headers
> array. Implied additional whitespace was accepted in the request line
> and prior to the ':' delimiter of any request header lines.
>
> These defects represent a security concern when httpd is participating
> in any chain of proxies or interacting with back-end application
> servers, either through mod_proxy or using conventional CGI
> mechanisms. In each case where one agent accepts such CTL characters
> and does not treat them as whitespace, there is the possibility in a
> proxy chain of generating two responses from a server behind the
> uncautious proxy agent. In a sequence of two requests, this results in
> request A to the first proxy being interpreted as requests A + A' by
> the backend server, and if requests A and B were submitted to the
> first proxy in a keepalive connection, the proxy may interpret
> response A' as the response to request B, polluting the cache or
> potentially serving the A' content to a different downstream
> user-agent.
>
> Affects versions since 2.2.0 up to 2.4.23
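The CVE-2016-8743 description above (and the identical one in the release-16.09 entry for cb967ae) explains how lenient whitespace handling lets a back-end server see two requests where the proxy forwarded one. As an added example, not part of this roundup or of httpd's own code, the Python below is a strict request-line and header-line checker that flags the characters the advisory names (bare CR, FF, VT, HTAB in the request line) and implied whitespace before ':'; the function names and the sample request lines are constructed for this example.

```python
# Added example, not part of the NixOS roundup or of Apache httpd: a strict
# request-line / header-line checker for the CVE-2016-8743 class of defects.
# It flags the CTL characters the advisory lists (bare CR, FF, VT, and HTAB
# in the request line) and implied whitespace before the ':' delimiter.
import re

# RFC 7230 tchar: the only characters allowed in a header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
CTLS = {"\r": "CR", "\f": "FF", "\x0b": "VT"}

def check_request_line(line):
    findings = [f"bare {n} in request line" for c, n in CTLS.items() if c in line]
    if "\t" in line:
        findings.append("HTAB in request line")
    parts = line.split(" ")
    if len(parts) != 3 or "" in parts:
        findings.append("request line is not 'method SP target SP version'")
    return findings

def check_header_line(line):
    findings = [f"bare {n} in header line" for c, n in CTLS.items() if c in line]
    name, sep, _value = line.partition(":")
    if not sep:
        findings.append("header line lacks ':'")
    elif not TOKEN.match(name):
        # Catches "Host : x" (implied whitespace) and CTLs glued to the name.
        findings.append(f"invalid field name {name!r}")
    return findings

def audit(lines):
    """Map line index -> findings for a request already split on LF, so a
    bare CR survives inside a line exactly as a lenient parser would see it."""
    report = {}
    for i, line in enumerate(lines):
        found = check_request_line(line) if i == 0 else check_header_line(line)
        if found:
            report[i] = found
    return report

# Constructed sample requests (not captured traffic).
CLEAN = ["GET /index.html HTTP/1.1", "Host: example.org", "X-A: b"]
BAD = [
    "GET /index.html\rHTTP/1.1",   # bare CR inside the request line
    "Host : example.org",          # whitespace before ':'
    "X-Injected\r: yes",           # bare CR in a field name
    "X-Val: a\x0bb",               # VT in a field value
]
```

Running `audit(BAD)` reports every line, while `audit(CLEAN)` reports nothing; a proxy or WAF applying the same rule would refuse the request rather than forward it to a back end that might split it.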
421a7f3 gdk-pixbuf: security 2.36.0 -> 2.36.2
> * Fix integer overflows in the jpeg loader (#775218)
> * Fix a NULL pointer dereference (#776026)
> * Avoid a buffer overrun in the qtif loader (#775648)
> * Fix a crash in the bmp loader (#775242)
> * Prevent buffer overflow in the pixdata loader (#775693)
040d516 imagemagick: 6.9.6-7 -> 6.9.7-0
> heap-based buffer overflow in IsPixelGray (pixel-accessor.h)
> (Incomplete fix for CVE-2016-9556)
c12613c botan: 1.10.13 -> 1.10.14, enforce c++11
> While decoding BER length fields, an integer overflow could
> occur. This could occur while parsing untrusted inputs such as X.509
> certificates. The overflow does not seem to lead to any obviously
> exploitable condition, but exploitation cannot be positively ruled
> out. Only 32-bit platforms are likely affected; to cause an overflow
> on 64-bit the parsed data would have to be many gigabytes.
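The Botan BER length overflow described above (and in the release-16.09 entry for ef500ee) comes down to how many length bytes a decoder is willing to accumulate into a machine-word-sized integer. As an added example, not Botan's code, the Python below decodes a BER/DER length with the bound checks a hardened decoder needs; `word_bits`, `decode_length` and `length_error` are names of this example, and all inputs are constructed.

```python
# Added example, not Botan's code: a BER/DER length decoder with the bound
# checks whose absence the Botan 1.10.13 advisory describes. `word_bits`
# emulates the width of the platform's size_t (32 or 64) so the advisory's
# "32-bit affected, 64-bit needs gigabytes" remark can be exercised directly.

class BERError(ValueError):
    pass

def decode_length(buf, pos, word_bits=64):
    """Return (length, next_pos) for the length field at buf[pos]; raise
    BERError on truncation, on more length bytes than a word_bits-wide
    size holds (the overflow case), or on a length past the buffer end."""
    if pos >= len(buf):
        raise BERError("no length byte")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        raise BERError("indefinite length not supported")
    if first < 0x80:
        length = first                       # short form: one byte
    else:
        n = first & 0x7F                     # long form: n length bytes follow
        if n > word_bits // 8:
            # In C, shifting more bytes than size_t holds wraps silently;
            # rejecting them up front is the check the advisory is about.
            raise BERError(f"{n} length bytes overflow a {word_bits}-bit size")
        if pos + n > len(buf):
            raise BERError("length bytes truncated")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    # Compare against what remains rather than computing pos + length,
    # which is the other place a 32-bit sum could wrap.
    if length > len(buf) - pos:
        raise BERError("length exceeds remaining data")
    return length, pos

def length_error(buf, pos, word_bits):
    """Return the BERError message, or None if the length decodes cleanly."""
    try:
        decode_length(buf, pos, word_bits)
    except BERError as e:
        return str(e)
    return None

# Constructed inputs, not taken from any real certificate.
OK_SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x05])        # SEQUENCE, length 3
OK_LONG = bytes([0x30, 0x81, 0x02, 0x05, 0x00])         # long form, length 2
FIVE_BYTE = bytes([0x30, 0x85, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF])  # 5 length bytes
```

With `word_bits=32` the five-byte length is rejected as an overflow, while with `word_bits=64` it is accepted as a number and then rejected because it exceeds the data present, which is the advisory's point about 64-bit platforms.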
c6bcc48 linux_4_8: add patch to fix CVE-2016-9919
> The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through
> 4.8.12 omits a certain check of the dst data structure, which allows
> remote attackers to cause a denial of service (panic) via a fragmented
> IPv6 packet.
Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security