Security fixes from 2017-03-05 15:11 UTC


Graham Christensen

Mar 5, 2017, 10:13:05 AM
to nix-securi...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


The following issues have been resolved in NixOS in release-16.09,
release-17.03, and unstable. They remain potentially vulnerable on
older major releases.

These patches will be released to the release-16.09, release-17.03,
and unstable channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/release-17.03/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Currently, 17.03 is considered beta. It will be released around the
end of March. NixOS typically only supports one release at a time.
This means when 17.03 is released you should upgrade as soon as
possible. To ease this transition, I've decided to extend 16.09
security patches for one month after 17.03 is released.

You can switch from 16.09 to 17.03-beta via:

$ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
$ sudo nix-channel --update
$ sudo nixos-rebuild boot
$ reboot

Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
changed, and using switch will break setuid binaries (like sudo, ping,
etc.) until you reboot.

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/23334.

The following changes were applied to release-16.09

43e84f4085 kde.kdelibs: patch for insecure URL passing
> CVE-2017-6410
> Information Leak when accessing https when using a
> malicious PAC file

646958098d kdeFrameworks.kio: patch for insecure URL passing
> CVE-2017-6410
> Information Leak when accessing https when using a
> malicious PAC file

5888067a7d profanity: 0.4.7 -> 0.5.1
(Thank you, Michael Raskin)
> An incorrect implementation of "XEP-0280:
> Message Carbons" in multiple XMPP clients
> allows a remote attacker to impersonate any
> user, including contacts, in the vulnerable
> application's display. This allows for
> various kinds of social engineering attacks.
> This CVE is for profanity (0.4.7 - 0.5.0).

40de598c60 screen: 4.5.0 -> 4.5.1 for CVE-2017-5618
(Thank you: Lancelot SIX (author), Franz Pletz (committer))
> The check opens the logfile with full root privileges. This
> allows us to truncate any file or create a root-owned file
> with any contents in any directory and can be easily
> exploited to full root access in several ways.

76f84955d5 opera: 42.0.2393.517 -> 43.0.2442.991
(Thank you: Demin Dmitriy (author), Joachim Fasting (committer))
> All browser patches are considered security-sensitive.

a20da2e556 opera: 41.0.2353.56 -> 42.0.2393.517
(Thank you: Benjamin Smith (author), Joachim Fasting (committer))
> All browser patches are considered security-sensitive.
======================================================================



The following changes were applied to release-17.03

84deb2205c jitsi: 2.8.5426 -> 2.10.5550 for CVE-2017-5603
> CVE-2017-5603: An incorrect implementation of
> "XEP-0280: Message Carbons" in multiple XMPP
> clients allows a remote attacker to impersonate
> any user, including contacts, in the vulnerable
> application's display. This allows for various
> kinds of social engineering attacks.

25c590f910 xorg.xorgserver: security 1.19.1 -> 1.19.2
(Thank you, Vladimír Čunát)
> CVE-2017-2624
>
> From the Redhat bugtracker:
>
> xorg-server/xorg-server-1.19.0/os/mitauth.c:79 uses memcmp() to check
> the received MIT cookie against a series of valid cookies. If the cookie
> is correct, it is allowed to attach to the Xorg session. Since most
> memcmp() implementations return after an invalid
> byte is seen, this causes a time difference between a valid and invalid
> byte, which in theory could allow an efficient brute force attack[1].
>
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1424984

17a3e979a4 kdeApplications.kdelibs: patch for insecure URL passing
> CVE-2017-6410
> Information Leak when accessing https when using a
> malicious PAC file

9daae5bb85 kdeFrameworks.kio: patch for insecure URL passing
> CVE-2017-6410
> Information Leak when accessing https when using a
> malicious PAC file

14b680a698 profanity: 0.5.0 -> 0.5.1
(Thank you: Michael Raskin (author), Robin Gloster (committer))
> An incorrect implementation of "XEP-0280:
> Message Carbons" in multiple XMPP clients
> allows a remote attacker to impersonate any
> user, including contacts, in the vulnerable
> application's display. This allows for
> various kinds of social engineering attacks.
> This CVE is for profanity (0.4.7 - 0.5.0).

9117d57d84 utillinux: 2.29 -> 2.29.2 for CVE-2017-2616
(Thank you: Franz Pletz (author), Vladimír Čunát (committer))
> Sending SIGKILL to other processes with root privileges via su

810fc81107 screen: 4.5.0 -> 4.5.1 for CVE-2017-5618
(Thank you: Lancelot SIX (author), Franz Pletz (committer))
> The check opens the logfile with full root privileges. This
> allows us to truncate any file or create a root-owned file
> with any contents in any directory and can be easily
> exploited to full root access in several ways.
======================================================================



The following changes were applied to unstable

6011e3ea93 jitsi: 2.8.5426 -> 2.10.5550 for CVE-2017-5603
> CVE-2017-5603: An incorrect implementation of
> "XEP-0280: Message Carbons" in multiple XMPP
> clients allows a remote attacker to impersonate
> any user, including contacts, in the vulnerable
> application's display. This allows for various
> kinds of social engineering attacks.

da3c0ac19c xorg.xorgserver: security 1.19.1 -> 1.19.2
(Thank you, Vladimír Čunát)
> CVE-2017-2624
>
> From the Redhat bugtracker:
>
> xorg-server/xorg-server-1.19.0/os/mitauth.c:79 uses memcmp() to check
> the received MIT cookie against a series of valid cookies. If the cookie
> is correct, it is allowed to attach to the Xorg session. Since most
> memcmp() implementations return after an invalid
> byte is seen, this causes a time difference between a valid and invalid
> byte, which in theory could allow an efficient brute force attack[1].
>
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1424984

7abda54bbb kdeApplications.kdelibs: patch for insecure URL passing
> CVE-2017-6410
> Information Leak when accessing https when using a
> malicious PAC file

5ce06263a3 kdeFrameworks.kio: patch for insecure URL passing
> CVE-2017-6410
> Information Leak when accessing https when using a
> malicious PAC file

d2aa1706bd ffmpeg-full: 3.2.2 -> 3.2.4
(Thank you, Cray Elliott)
> Fixes an out of bounds read.

b8812dfeac profanity: 0.5.0 -> 0.5.1
(Thank you, Michael Raskin)
> An incorrect implementation of "XEP-0280:
> Message Carbons" in multiple XMPP clients
> allows a remote attacker to impersonate any
> user, including contacts, in the vulnerable
> application's display. This allows for
> various kinds of social engineering attacks.
> This CVE is for profanity (0.4.7 - 0.5.0).

6d9a3f0dcd screen: 4.5.0 -> 4.5.1 for CVE-2017-5618
(Thank you: Lancelot SIX (author), Franz Pletz (committer))
> The check opens the logfile with full root privileges. This
> allows us to truncate any file or create a root-owned file
> with any contents in any directory and can be easily
> exploited to full root access in several ways.

9d14ea4295 utillinux: 2.29 -> 2.29.2 for CVE-2017-2616
(Thank you, Franz Pletz)
> Sending SIGKILL to other processes with root privileges via su

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEP+htk0GpxXspt+y6BhIdNm/pQ1wFAli8KvUACgkQBhIdNm/p
Q1yYvxAAuvXHRAzMLEghPJ4MBimvfgD6KfyiLYor/eTjz4WLkl3/cmi1FBzG7aJG
FlkdhIAV7x9+67MAXRoFBONzGfaKjiQd1+Zu54AfSuGMKknHpqDHXwvmsSv0J/O2
SvOEgKbQfkRk9N9Az8SZY/vVBgmWIO1jPu2waLcQRx3Ek+oYmizIp6WWj5JOQltT
eQejHyufo2nL89ZFQmB9ewryovDp3WUrN/2slOG79shjafPBJR0qfZpsVJe37LBD
3iOOjVNzflTrnxK/6XYs447PWO75+XPPhzlLaKr7yf6jgOdv8u4l6lBRM+9KGMP9
bJ5gLXWH+1UlFocDAjhp3ycuMbYa7haToUGrEpgxGTGisPWumXXSnfYbPJ9Pt9xZ
FIMA40P1af0IkxxkCbh/C3EVimI/Rt3WQhNzfw5vuAOY8wVaHafV6AEOjRy+UDbq
BioGn1axGGas+b/TBg0bSmeMGeAuN6v5X+DTy0khoUrJ3ynfVn7Q0S3Iokyyh6Kp
giQzeQcUuZjHZ4gOxF8HS7YQCdCKDQADBUI5bcYUKwqXXdx+QbKvbWQVfFFyM8jB
5cC7EJ/zVTKOdtzHXQ+CbyzLZI7cWWjfuW0UbBudzpU3W1fAMLN7fc3U9/CMpO/B
RS9poeSfOWlY3A5pX2zM5UFCXosQhyCbj8QVuVKZ0Z9lxE2HhBA=
=S7jx
-----END PGP SIGNATURE-----
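The memcmp() timing problem quoted above under CVE-2017-2624, as an added example that is not xorg-server code and not part of this announcement: the early-exit comparison beside a constant-time one, plus a simulation in which the index of the first mismatching byte stands in for a noise-free timing measurement, to show why the leak reduces an exhaustive 256^16 search to at most 256*16 guesses. The cookie value and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16

/* Constructed sample cookie standing in for an MIT-MAGIC-COOKIE-1 value. */
static const unsigned char DEMO_COOKIE[COOKIE_LEN] = {
    0x4e, 0x69, 0x78, 0x4f, 0x53, 0x2d, 0x31, 0x37,
    0x2e, 0x30, 0x33, 0x2d, 0x63, 0x76, 0x65, 0x21
};

/* Vulnerable pattern from the report: memcmp() returns at the first
 * differing byte, so running time grows with the length of the
 * correctly guessed prefix. */
int cookie_matches_memcmp(const unsigned char *valid,
                          const unsigned char *received, size_t len)
{
    return memcmp(valid, received, len) == 0;
}

/* Hardened form: XOR every byte pair and OR the results together, so the
 * loop always runs to the end and no branch depends on secret data. */
int cookie_matches_ct(const unsigned char *valid,
                      const unsigned char *received, size_t len)
{
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= valid[i] ^ received[i];
    return diff == 0;
}

/* Index of the first mismatching byte (len if all bytes match). This is
 * what an early-exit compare leaks through its running time; here it
 * stands in for a perfect, noise-free timing measurement. */
size_t first_mismatch(const unsigned char *valid,
                      const unsigned char *received, size_t len)
{
    size_t i = 0;
    while (i < len && valid[i] == received[i])
        i++;
    return i;
}

/* Simulated attack: recover the cookie one byte at a time from the leak.
 * Cost is at most 256 * len guesses instead of 256 ** len. */
size_t recover_cookie(const unsigned char *secret,
                      unsigned char *out, size_t len)
{
    size_t guesses = 0;
    memset(out, 0, len);
    for (size_t pos = 0; pos < len; pos++) {
        for (int b = 0; b < 256; b++) {
            out[pos] = (unsigned char)b;
            guesses++;
            /* A correct byte moves the first mismatch past this position. */
            if (first_mismatch(secret, out, len) > pos)
                break;
        }
    }
    return guesses;
}

/* 1 if the simulated attack recovers DEMO_COOKIE exactly. */
int demo_recovers_cookie(void)
{
    unsigned char out[COOKIE_LEN];
    recover_cookie(DEMO_COOKIE, out, COOKIE_LEN);
    return cookie_matches_ct(DEMO_COOKIE, out, COOKIE_LEN);
}

/* Number of guesses the simulated attack needed against DEMO_COOKIE. */
size_t demo_guess_count(void)
{
    unsigned char out[COOKIE_LEN];
    return recover_cookie(DEMO_COOKIE, out, COOKIE_LEN);
}

int main(void)
{
    printf("memcmp match on correct cookie: %d\n",
           cookie_matches_memcmp(DEMO_COOKIE, DEMO_COOKIE, COOKIE_LEN));
    printf("recovered: %d, guesses: %zu (blind brute force: 256^%d)\n",
           demo_recovers_cookie(), demo_guess_count(), COOKIE_LEN);
    return 0;
}
```

Against a real X server the per-byte timing difference is small and noisy, which is why the report says "in theory"; the simulation uses a perfect oracle only to make the search cost visible. The constant-time compare removes the leak because every guess costs the same regardless of how many leading bytes are right.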
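For the screen entries above (CVE-2017-5618, "the check opens the logfile with full root privileges"), an added example that is not screen's code: a setuid-root program opening a user-supplied log path with its root effective id, beside the hardened form that switches to the caller's real uid and gid around the open() so the kernel enforces the user's own permissions and any file created is owned by the user. The paths and function names are constructed for this example; when the binary is not installed setuid, the real and effective ids coincide and both functions behave identically.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: in a setuid-root program, open() runs with euid 0,
 * so a user-chosen path can truncate or create any file on the system. */
int open_logfile_as_root(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened form: switch the effective ids to the caller's real ids for
 * the duration of the open(). The saved set-user-ID stays root, so
 * switching back is permitted. GID is dropped first and restored last. */
int open_logfile_as_user(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    int fd, saved_errno;

    if (setegid(rgid) != 0)
        return -1;
    if (seteuid(ruid) != 0) {
        setegid(egid);
        return -1;
    }
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    saved_errno = errno;
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        /* Could not regain privileges: refuse rather than carry on in an
         * unexpected state. */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Demo: open a scratch file in /tmp (constructed path) through the
 * hardened function and report whether it is owned by the real uid. */
int demo_user_open_owner_matches(void)
{
    char path[64];
    struct stat st;
    int fd, ok = 0;

    snprintf(path, sizeof path, "/tmp/screen-log-demo-%ld", (long)getpid());
    fd = open_logfile_as_user(path);
    if (fd >= 0) {
        ok = (fstat(fd, &st) == 0 && st.st_uid == getuid());
        close(fd);
        unlink(path);
    }
    return ok;
}

/* Demo: a path inside a directory that does not exist is rejected
 * by the kernel with ENOENT, whatever the effective uid. */
int demo_user_open_rejects_bad_path(void)
{
    int fd = open_logfile_as_user("/nonexistent-dir-for-demo/screenlog.0");
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == ENOENT;
}

int main(void)
{
    printf("owner matches real uid: %d, bad path rejected: %d\n",
           demo_user_open_owner_matches(), demo_user_open_rejects_bad_path());
    return 0;
}
```

The point of dropping to the real ids rather than pre-checking the path with access() is that the permission check and the open() then happen as one kernel operation, leaving no window for the path to be swapped between check and use.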