The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.
These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:
- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested
Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/21457.
The following changes were applied to release-16.09:
7e1846e ceph: mark as broken
> Our version of Ceph (9.2.0) hasn't been maintained since before 16.09
> came out, and has several security issues. Marking as broken until
> someone takes over.
>
> http://docs.ceph.com/docs/master/release-notes/
0468ae1 Revert "Revert "openssh: security 7.3p1 -> 7.4p1""
> From the Arch Linux advisory:
>
> - CVE-2016-10009 (arbitrary code execution): It was found that
> ssh-agent could load PKCS#11 modules from paths outside of a trusted
> whitelist. An attacker able to load a crafted PKCS#11 module across
> a forwarded agent channel could potentially use this flaw to execute
> arbitrary code on the system running the ssh-agent. Note that the
> attacker must have control of the forwarded agent-socket and the
> ability to write to the filesystem of the host running ssh-agent.
>
> - CVE-2016-10010 (privilege escalation): It was found that when
> privilege separation was disabled in OpenSSH, forwarded Unix-domain
> sockets would be created by sshd with root privileges instead of the
> privileges of the authenticated user. This could allow an
> authenticated attacker to potentially gain root privileges on the
> host system. Privilege separation has been enabled by default since
> OpenSSH 3.3/3.3p1 (2002-06-21). Thus, OpenSSH is not affected by
> default. An affected OpenSSH configuration would have to
> specifically disable privilege separation with the
> "UsePrivilegeSeparation no" configuration directive in
> /etc/ssh/sshd_config.
>
> - CVE-2016-10011 (information disclosure): It was found that there is
> a theoretical leak of host private key material to
> privilege-separated child processes via realloc() when reading
> keys. No such leak was observed in practice for normal-sized keys,
> nor does a leak to the child processes directly expose key material
> to unprivileged users.
>
> - CVE-2016-10012 (insufficient validation): It was found that the
> shared memory manager used by pre-authentication compression support
> had bounds checks that could be elided by some optimizing
> compilers. Additionally, this memory manager was incorrectly
> accessible when pre-authentication compression was disabled. This
> could potentially allow attacks against the privileged monitor
> process from the sandboxed privilege-separation process (a
> compromise of the latter would be required first).
68f2b18 thunderbird-bin: 45.5.1 -> 45.6.0
> CVE-2016-9899: Use-after-free while manipulating DOM events and audio
> elements
> CVE-2016-9895: CSP bypass using marquee tag
> CVE-2016-9897: Memory corruption in libGLES
> CVE-2016-9898: Use-after-free in Editor while manipulating DOM
> subtrees
> CVE-2016-9900: Restricted external resources can be loaded by SVG
> images through data URLs
> CVE-2016-9904: Cross-origin information leak in shared atoms
> CVE-2016-9905: Crash in EnumerateSubDocuments
> CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
27c21a2 thunderbird: 45.5.1 -> 45.6.0
> CVE-2016-9899: Use-after-free while manipulating DOM events and audio
> elements
> CVE-2016-9895: CSP bypass using marquee tag
> CVE-2016-9897: Memory corruption in libGLES
> CVE-2016-9898: Use-after-free in Editor while manipulating DOM
> subtrees
> CVE-2016-9900: Restricted external resources can be loaded by SVG
> images through data URLs
> CVE-2016-9904: Cross-origin information leak in shared atoms
> CVE-2016-9905: Crash in EnumerateSubDocuments
> CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
======================================================================
The following changes were applied to unstable:
eb01090 ceph: mark as broken
> Our version of Ceph (9.2.0) hasn't been maintained since before 16.09
> came out, and has several security issues. Marking as broken until
> someone takes over.
>
> http://docs.ceph.com/docs/master/release-notes/
11e8ed5 Revert "Revert "openssh: security 7.3p1 -> 7.4p1""
> From the Arch Linux advisory:
>
> - CVE-2016-10009 (arbitrary code execution): It was found that
> ssh-agent could load PKCS#11 modules from paths outside of a trusted
> whitelist. An attacker able to load a crafted PKCS#11 module across
> a forwarded agent channel could potentially use this flaw to execute
> arbitrary code on the system running the ssh-agent. Note that the
> attacker must have control of the forwarded agent-socket and the
> ability to write to the filesystem of the host running ssh-agent.
>
> - CVE-2016-10010 (privilege escalation): It was found that when
> privilege separation was disabled in OpenSSH, forwarded Unix-domain
> sockets would be created by sshd with root privileges instead of the
> privileges of the authenticated user. This could allow an
> authenticated attacker to potentially gain root privileges on the
> host system. Privilege separation has been enabled by default since
> OpenSSH 3.3/3.3p1 (2002-06-21). Thus, OpenSSH is not affected by
> default. An affected OpenSSH configuration would have to
> specifically disable privilege separation with the
> "UsePrivilegeSeparation no" configuration directive in
> /etc/ssh/sshd_config.
>
> - CVE-2016-10011 (information disclosure): It was found that there is
> a theoretical leak of host private key material to
> privilege-separated child processes via realloc() when reading
> keys. No such leak was observed in practice for normal-sized keys,
> nor does a leak to the child processes directly expose key material
> to unprivileged users.
>
> - CVE-2016-10012 (insufficient validation): It was found that the
> shared memory manager used by pre-authentication compression support
> had bounds checks that could be elided by some optimizing
> compilers. Additionally, this memory manager was incorrectly
> accessible when pre-authentication compression was disabled. This
> could potentially allow attacks against the privileged monitor
> process from the sandboxed privilege-separation process (a
> compromise of the latter would be required first).
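The openssh commit above (applied to both release-16.09 and unstable) names two things an administrator can check directly: whether an sshd_config explicitly sets "UsePrivilegeSeparation no", the one configuration CVE-2016-10010 applies to, and whether the installed OpenSSH is already the fixed 7.4 release. The shell functions below are an added example, not code from the roundup or from OpenSSH; the config lines and version banners they run on are constructed sample inputs.

```shell
# Added example (not part of the NixOS roundup or of OpenSSH): defender-side
# checks for the conditions named in the OpenSSH 7.4p1 advisory above.
# Sample config lines and version banners are constructed inputs.

# sshd_privsep_disabled FILE
# Exit 0 if FILE explicitly sets "UsePrivilegeSeparation no" (the only
# configuration affected by CVE-2016-10010), 1 otherwise. Mirrors sshd's
# parsing rules: keywords are case-insensitive, '#' starts a comment,
# "key value" and "key = value" are both accepted, first occurrence wins.
sshd_privsep_disabled() {
  awk '
    { sub(/#.*/, ""); gsub(/=/, " ") }     # drop comments, normalise "="
    NF >= 2 && !seen && tolower($1) == "useprivilegeseparation" {
      seen = 1
      if (tolower($2) == "no") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# openssh_at_least_74 BANNER
# Exit 0 if BANNER (the first line "ssh -V" prints, e.g. "OpenSSH_7.3p1, ...")
# names OpenSSH 7.4 or newer, 1 if older, 2 if the banner is unparseable.
openssh_at_least_74() {
  ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  set -- $ver                               # $1=major $2=minor
  [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 4 ]; }
}

# Demonstration on constructed inputs (a commented-out directive is ignored,
# the live "key = value" form is not).
cfg=$(mktemp)
printf '%s\n' 'Port 22' '# UsePrivilegeSeparation no' 'usePrivilegeSeparation = no' > "$cfg"
if sshd_privsep_disabled "$cfg"; then
  echo "privilege separation is disabled in $cfg (CVE-2016-10010 applies)"
else
  echo "privilege separation is not disabled in $cfg"
fi
rm -f "$cfg"
for banner in 'OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016' \
              'OpenSSH_7.4p1, OpenSSL 1.0.2j  26 Sep 2016'; do
  if openssh_at_least_74 "$banner"; then echo "$banner: fixed"; else echo "$banner: update"; fi
done
```

On a NixOS host the generated config lives at /etc/ssh/sshd_config, so `sshd_privsep_disabled /etc/ssh/sshd_config` and `openssh_at_least_74 "$(ssh -V 2>&1)"` are the real-world calls.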
a1f595c thunderbird: 45.5.1 -> 45.6.0
> CVE-2016-9899: Use-after-free while manipulating DOM events and audio
> elements
> CVE-2016-9895: CSP bypass using marquee tag
> CVE-2016-9897: Memory corruption in libGLES
> CVE-2016-9898: Use-after-free in Editor while manipulating DOM
> subtrees
> CVE-2016-9900: Restricted external resources can be loaded by SVG
> images through data URLs
> CVE-2016-9904: Cross-origin information leak in shared atoms
> CVE-2016-9905: Crash in EnumerateSubDocuments
> CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
373fb99 thunderbird-bin: 45.5.1 -> 45.6.0
> CVE-2016-9899: Use-after-free while manipulating DOM events and audio
> elements
> CVE-2016-9895: CSP bypass using marquee tag
> CVE-2016-9897: Memory corruption in libGLES
> CVE-2016-9898: Use-after-free in Editor while manipulating DOM
> subtrees
> CVE-2016-9900: Restricted external resources can be loaded by SVG
> images through data URLs
> CVE-2016-9904: Cross-origin information leak in shared atoms
> CVE-2016-9905: Crash in EnumerateSubDocuments
> CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security