Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup
cc: @FRidh @fpletz @vcunat @phanimahesh.
_Note:_ The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup.
If you would like to be CC'd on the next roundup, add a comment to the
most recent vulnerability roundup. If you would like to be CC'd on
_all_ roundups, leave a comment and tell @grahamc so.
Permanent CC's: @joepie91, @NixOS/security-notifications
(if you no longer want to be CC'd, ask to be removed from this list)
Notes on the list
- The reports have been roughly grouped by the package name. This
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already. - Some issues will be duplicated, because it affects multiple packages.
For example, there are sometimes problems that impact thunderbird,
and firefox. LWN might report in one vulnerability "thunderbird
firefox". These names have been split to make sure both packages get
addressed. - By each issue is a link to code search for the package name, and
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it. - This issue is created by https://github.com/NixOS/security
Instructions:
- Triage a report: If we don't have the software or our version isn't
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable. - Fix the issue: If we do have the software and it is vulnerable,
either leave a comment on this issue saying so, even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate. - When an entire section is completed, move the section to the
"Triaged and Resolved Issues"detailsblock below.
Upon Completion ...
- [x] Run the issue through
reformatone last time - [x] Review commits since last roundup for backport candidates
- [x] Send an update e-mail to the [email protected]
- [x] Update the database at https://github.com/NixOS/security
Without further ado...
Assorted (27 issues)
- [x] [
#708243](https://lwn.net/Vulnerabilities/708243/) (search, files) GraphicsMagick: non-null null pointer - [x] [
#708137](https://lwn.net/Vulnerabilities/708137/) (search, files) chromium: multiple vulnerabilities - [x] [
#707696](https://lwn.net/Vulnerabilities/707696/) (search, files) hdf5: multiple vulnerabilities - [x] [
#707363](https://lwn.net/Vulnerabilities/707363/) (search, files) kvm: denial of service - [x] [
#708242](https://lwn.net/Vulnerabilities/708242/) (search, files) virtualbox: code execution - [x] [
#708152](https://lwn.net/Vulnerabilities/708152/) (search, files) busybox: two vulnerabilities - [x] [
#598856](https://lwn.net/Vulnerabilities/598856/) (search, files) cifs-utils: code execution - [x] [
#568668](https://lwn.net/Vulnerabilities/568668/) (search, files) davfs2: privilege escalation - [x] [
#707705](https://lwn.net/Vulnerabilities/707705/) (search, files) jenkins-remoting: code execution - [x] [
#708000](https://lwn.net/Vulnerabilities/708000/) (search, files) libctnative: SSL improvements - [x] [
#708140](https://lwn.net/Vulnerabilities/708140/) (search, files) openafs: information leak - [x] [
#707698](https://lwn.net/Vulnerabilities/707698/) (search, files) p7zip: denial of service - [x] [
#708148](https://lwn.net/Vulnerabilities/708148/) (search, files) phpMyAdmin: multiple vulnerabilities - [x] [
#668130](https://lwn.net/Vulnerabilities/668130/) (search, files) pygments: shell injection - [x] [
#707700](https://lwn.net/Vulnerabilities/707700/) (search, files) teeworlds: code execution - [x] [
#707703](https://lwn.net/Vulnerabilities/707703/) (search, files) vagrant: nfs export insertion - [x] [
#708149](https://lwn.net/Vulnerabilities/708149/) (search, files) xen: multiple vulnerabilities - [x] [
#639393](https://lwn.net/Vulnerabilities/639393/) (search, files) arj: multiple vulnerabilities - [x] [
#708138](https://lwn.net/Vulnerabilities/708138/) (search, files) libdwarf: multiple vulnerabilities - [x] [
#664646](https://lwn.net/Vulnerabilities/664646/) (search, files) libsndfile: buffer overflow - [x] [
#624610](https://lwn.net/Vulnerabilities/624610/) (search, files) util-linux: command injection - [x] [
#707997](https://lwn.net/Vulnerabilities/707997/) (search, files) calamares: encryption bypass - [x] [
#665921](https://lwn.net/Vulnerabilities/665921/) (search, files) dpkg: code execution - [x] [
#707838](https://lwn.net/Vulnerabilities/707838/) (search, files) firefox: code execution - [x] [
#708239](https://lwn.net/Vulnerabilities/708239/) (search, files) gstreamer1-plugins-good: buffer overflow - [x] [
#669403](https://lwn.net/Vulnerabilities/669403/) (search, files) nghttp2: code execution - [x] [
#708154](https://lwn.net/Vulnerabilities/708154/) (search, files) patch: denial of service
firefox (3 issues)
- [x] [
#708241](https://lwn.net/Vulnerabilities/708241/) (search, files) mozilla: file overwrites - [x] [
#707838](https://lwn.net/Vulnerabilities/707838/) (search, files) firefox: code execution - [x] [
#707854](https://lwn.net/Vulnerabilities/707854/) (search, files) firefox: same-origin bypass
imagemagick (2 issues)
- [x] [
#708243](https://lwn.net/Vulnerabilities/708243/) (search, files) GraphicsMagick: non-null null pointer - [x] [
#707857](https://lwn.net/Vulnerabilities/707857/) (search, files) imagemagick: code execution
kernel (4 issues)
- [x] [
#708246](https://lwn.net/Vulnerabilities/708246/) (search, files) kernel: code execution - [x] [
#708245](https://lwn.net/Vulnerabilities/708245/) (search, files) kernel: denial of service - [x] [
#708240](https://lwn.net/Vulnerabilities/708240/) (search, files) kernel: denial of service - [x] [
#707859](https://lwn.net/Vulnerabilities/707859/) (search, files) kernel: privilege escalation
thunderbird (2 issues)
grahamc
All 21 comments
ImageMagick fixed in my rollup.
grahamc
on 7 Dec 2016
~We should just delete~ I deleted Calamares: "LUKS accepts every WRONG password after install".
grahamc
on 7 Dec 2016
gstreamer needs updating / backporting to 1.10.2 and is ABI-safe according to https://abi-laboratory.pro/tracker/, see also https://github.com/NixOS/nixpkgs/commit/7a6185d9a1eb18fa09892fdef01a5193968cf704 for info on how.
grahamc
on 7 Dec 2016
I have an incoming patch for gstreamer
grahamc
on 7 Dec 2016
I do not think there are patched kernels for the remaining issue. Only the 4.9 RCs seem to have the commit so far.
NeQuissimus
on 7 Dec 2016
The util-linux problem was reported in 2014 and our version is from 2016 (2.28.1 both on master and 16.09), so I don't think it's vulnerable it suffers from this particular vulnerability anymore.
vcunat
on 7 Dec 2016
Our unarj was already meta.broken with notes about vulnerabilities, so I'm ticking that as well. (No changes there between master and 16.09.)
vcunat
on 7 Dec 2016
libsndfile: the LWN link says versions <= 1.0.25 suffer from that vulnerability but we have 1.0.27 both on 16.09 and master.
vcunat
on 7 Dec 2016
libdwarf: fixed up in master and 16.09, except that darwin.dtrace probably contains an embedded copy in it's code which I don't feel like digging in.
vcunat
on 7 Dec 2016
Wow, great work, @vcunat. Thank you!
grahamc
on 7 Dec 2016
Backported jenkins from 9575eeae108ca23f7af49f0a1566706feef83cb4 in 3573b6c.
grahamc
on 8 Dec 2016
It isn't clear to me if virtualbox needs updating ...
grahamc
on 8 Dec 2016
hdf5 backported from 16eb67ac9ca52d56ff13fb3cda2e4644df9f387b in b60ae78
grahamc
on 8 Dec 2016
@NeQuissimus can you clarify? all the Kernel tasks are still marked not done. Do they all need to wait on releases from kernel.org? If they all need to wait, I'll just leave them un-done for this week, and let them come back next week.
grahamc
on 8 Dec 2016
:raised_hands: they're all completed this week, except for the kernel tasks (see previous comment.) I'm letting my patch branch build for a few hours before merging in to master / release. Some bigger builds in there I'm not 100% sure about.
grahamc
on 8 Dec 2016
Re: the final kernel issue, grsec users are unaffected :)
joachifm
on 8 Dec 2016
Oh, sorry, the first one, d'oh (I got my browser tabs mixed up).
joachifm
on 8 Dec 2016
OK, that is weird, I definitely checked off three of them yesterday... Anyways... According to SuSE we are good on that one as well, everything > 4.8.8 (or equivalent 4.4.x, etc.) is safe.
NeQuissimus
on 8 Dec 2016
Thank you, @NeQuissimus! I'll merge these patches soon and close this out.
grahamc
on 8 Dec 2016
Wow. The roundup is done before I even noticed! That's awesome.
Too many github notifications to plough through. :( I'll probably have to setup a mobile notification to not miss roundups.
To avoid repeated metoo comments on the roundups I miss, @grahamc, can you please add me to permanent ccs?
phanimahesh
on 9 Dec 2016
:D Done! Thank you!
Also -- @phanimahesh that "done" also applies to your request ;)
grahamc
on 9 Dec 2016
Related issues
spacekitteh
路
3Comments
vaibhavsagar
路
3Comments
copumpkin
路
3Comments
grahamc
路
3Comments
tomberek
路
3Comments