The twentieth roundup! We have, together, examined 1,293 issues. A feat to be proud of, to be sure. Thank you, everyone!
Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.
cc: @7c6f434c @NeQuissimus @bachp @vcunat @FRidh.
_Note:_ The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001
@NixOS/security-notifications
If you would like to be CC'd on _all_ roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.
Notes on the list
- The reports have been roughly grouped by the package name. This
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already. - Some issues will be duplicated, because it affects multiple
packages. For example, there are sometimes problems that impact
thunderbird, and firefox. LWN might report in one vulnerability
"thunderbird firefox". These names have been split to make sure
both packages get addressed. - By each issue is a link to code search for the package name, and
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it. - This issue is created by https://github.com/NixOS/security
Instructions:
- Triage a report: If we don't have the software or our version isn't
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable. - Fix the issue: If we do have the software and it is vulnerable,
either leave a comment on this issue saying so, even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate. - When an entire section is completed, move the section to the
"Triaged and Resolved Issues"detailsblock below.
Upon Completion ...
- [x] Run the issue through
reformatone last time - [x] Review commits since last roundup for backport candidates
- [x] Send an update e-mail to [email protected]
- [x] Update the database at https://github.com/NixOS/security
Without further ado...
Assorted (30 issues)
- [x] [
#713059](https://lwn.net/Vulnerabilities/713059/) (search, files) 389-ds-base: denial of service - [x] [
#591371](https://lwn.net/Vulnerabilities/591371/) (search, files) asterisk: two vulnerabilities - [x] [
#712801](https://lwn.net/Vulnerabilities/712801/) (search, files) chromium-browser: multiple vulnerabilities - [x] [
#713054](https://lwn.net/Vulnerabilities/713054/) (search, files) ghostscript: denial of service - [x] [
#712664](https://lwn.net/Vulnerabilities/712664/) (search, files) ming: multiple vulnerabilities - [x] [
#713145](https://lwn.net/Vulnerabilities/713145/) (search, files) nagios: command execution - [x] [
#713148](https://lwn.net/Vulnerabilities/713148/) (search, files) ruby-archive-tar-minitar: file overwrites - [x] [
#713146](https://lwn.net/Vulnerabilities/713146/) (search, files) libarchive: denial of service - [x] [
#713050](https://lwn.net/Vulnerabilities/713050/) (search, files) libgd2: two vulnerabilities - [x] [
#713153](https://lwn.net/Vulnerabilities/713153/) (search, files) virtualbox: multiple vulnerabilities - [x] [
#713055](https://lwn.net/Vulnerabilities/713055/) (search, files) ffmpeg: two vulnerabilities - [x] [
#713043](https://lwn.net/Vulnerabilities/713043/) (search, files) lib32-openssl: three vulnerabilities - [x] [
#712803](https://lwn.net/Vulnerabilities/712803/) (search, files) libxpm: code execution - [x] [
#712499](https://lwn.net/Vulnerabilities/712499/) (search, files) oracle-jre-bin: insufficient sandboxing - [x] [
#713062](https://lwn.net/Vulnerabilities/713062/) (search, files) shadow-utils: two vulnerabilities - [x] [
#713051](https://lwn.net/Vulnerabilities/713051/) (search, files) tiff3: invalid tiff files - [x] [
#712666](https://lwn.net/Vulnerabilities/712666/) (search, files) tigervnc: code execution - [x] [
#713052](https://lwn.net/Vulnerabilities/713052/) (search, files) zoneminder: information leak, authentication bypass - [x] [
#592675](https://lwn.net/Vulnerabilities/592675/) (search, files) a2ps: multiple vulnerabilities - [x] [
#712493](https://lwn.net/Vulnerabilities/712493/) (search, files) boomaga: wrong permissions - [x] [
#712494](https://lwn.net/Vulnerabilities/712494/) (search, files) fedmsg: insufficient signature validation - [x] [
#713053](https://lwn.net/Vulnerabilities/713053/) (search, files) flatpak: sandbox escape - [x] [
#713049](https://lwn.net/Vulnerabilities/713049/) (search, files) imagemagick: multiple vulnerabilities - [x] [
#712802](https://lwn.net/Vulnerabilities/712802/) (search, files) puppet-swift: information disclosure - [x] [
#651775](https://lwn.net/Vulnerabilities/651775/) (search, files) squashfs-tools: two vulnerabilities - [x] [
#712501](https://lwn.net/Vulnerabilities/712501/) (search, files) systemd: privilege escalation - [x] [
#712496](https://lwn.net/Vulnerabilities/712496/) (search, files) w3m: unspecified - [x] [
#712498](https://lwn.net/Vulnerabilities/712498/) (search, files) xemacs-packages-extra: unspecified - [x] [
#713061](https://lwn.net/Vulnerabilities/713061/) (search, files) mbedtls: two vulnerabilities - [x] [
#713047](https://lwn.net/Vulnerabilities/713047/) (search, files) tcpdump: multiple vulnerabilities
ansible (2 issues)
- [x] [
#712658](https://lwn.net/Vulnerabilities/712658/) (search, files) ansible: code execution - [x] [
#712665](https://lwn.net/Vulnerabilities/712665/) (search, files) ansible: password change botch
firefox (2 issues)
- [x] [
#713036](https://lwn.net/Vulnerabilities/713036/) (search, files) mozilla: multiple vulnerabilities - [x] [
#712491](https://lwn.net/Vulnerabilities/712491/) (search, files) mozilla: multiple vulnerabilities
kernel (2 issues)
- [x] [
#713154](https://lwn.net/Vulnerabilities/713154/) (search, files) kernel: two vulnerabilities - [x] [
#713150](https://lwn.net/Vulnerabilities/713150/) (search, files) kernel: multiple vulnerabilities
openssl (3 issues)
- [x] [
#713046](https://lwn.net/Vulnerabilities/713046/) (search, files) openssl: two vulnerabilities - [x] [
#713043](https://lwn.net/Vulnerabilities/713043/) (search, files) lib32-openssl: three vulnerabilities - [x] [
#666889](https://lwn.net/Vulnerabilities/666889/) (search, files) openssl: multiple vulnerabilities
seamonkey (2 issues)
- [x] [
#713036](https://lwn.net/Vulnerabilities/713036/) (search, files) mozilla: multiple vulnerabilities - [x] [
#712491](https://lwn.net/Vulnerabilities/712491/) (search, files) mozilla: multiple vulnerabilities
thunderbird (2 issues)
grahamc
All 42 comments
Systemd CVE #712501 is affecting v228 and fixed in v229. Since we use v231. We are then not impacted.
nlewo
on 1 Feb 2017
We have fresh firefox and thunderbird, inlcuding -bin, on both branches.
We don't really have Seamonkey in NixPkgs, the hit is a false positive («Synchronise all profiles looking like Mozilla» contains a list including Seamonkey).
7c6f434c
on 1 Feb 2017
CVE-2016-8610: OpenSSL considers it non-security-critical, has quietly fixed it last September.
CVE-2016-7056: Seems to be about 1.0.1 but not 1.0.2 and 1.1.0, but I am unsure. Patch is simple enough: http://seclists.org/oss-sec/2017/q1/68 Debian seems to use it only for 1.0.1
CVE-2017-3731: we have the fixed versions
CVE-2016-7055: ditto
CVE-2017-3732: ditto
2015-year advisory with a minor fresh update seems ignorable.
7c6f434c
on 1 Feb 2017
Ansible was already updateed to 2.2.1.0 in 16.09 https://github.com/NixOS/nixpkgs/commit/9b02319ed7a34df2827354f9b9471f26f7a54faa
bachp
on 1 Feb 2017
BTW, today I dealt with a minor security problem, fixed by c3ec88864. There's no CVE, at least not yet. (NixOS is probably the first distro to get the update.)
vcunat
on 1 Feb 2017
@bachp did we manage to get ansible merged for master?
grahamc
on 2 Feb 2017
~@DerTim1 should we upgrade Asterisk to 14.2.1? I think we're good on Asterisk, but if it needs an update, might as well.~ A PR is in. Sorry for the ping :)
grahamc
on 2 Feb 2017
389 should be upgraded to 1.3.5.15. With that deep of a version number, it must be safe to backport, too ;) I think the hard part (please help with this) is identifying the security related issues in those diffs. Also, do try and apply the patch from the LWN link.
grahamc
on 2 Feb 2017
imagemagick fixed in 5e753c1a65e106ffaeb71ad3fa66a13b2dfaf5d5 & 4dae4f86faed8150a922dd9ee618d7d937b155ac.
fpletz
on 2 Feb 2017
ffmpeg was already up to date on 16.09, needed a bump on master.
grahamc
on 2 Feb 2017
@peterhoeg (fpm), @offlinehacker (panamax), @Szczyp (rhc) the ruby gem archive-tar-minitar is vulnerable to directory traversal attacks (https://lwn.net/Alerts/713254/) can you'll take a look at your packages to see if we can apply a patch? (found via https://search.nix.gsc.io/?q=archive-tar-minitar)
grahamc
on 2 Feb 2017
@bachp did we manage to get ansible merged for master?
@grahamc, yes we did.
ruby gem archive-tar-minitar is vulnerable to directory traversal attacks
I'll fork it now, apply the fix from debian and reference that as a test for fpm. Assuming that works, we can apply the same fix to the other ruby packages.
peterhoeg
on 2 Feb 2017
I'll update rhc this weekend as this version is about 2 years old now.
I'll use your minitar fork.
Szczyp
on 3 Feb 2017
shadow: real vulnerability, new upstream is at github, updated to 4.4, d6710e3d66c09c0a7485b2079d6e0d01c14faf07, cherry-picked
libXpm: real vulnerability, updated via overrides, 4675cb78cb5fbadb7aab67b125cd450322dcf3d1, cherry-picked
7c6f434c
on 3 Feb 2017
~I've got a patch for tigervnc on its way.~ d66fa9a -- 1.6.0 on stable, I'll see if there is a patch to backport.
grahamc
on 3 Feb 2017
I updated virtualbox on master (https://github.com/NixOS/nixpkgs/pull/22383) to fix an unrelated issue. Not sure what to do for 16.09. Maybe just update the version too?
bachp
on 3 Feb 2017
Both kernel issues are covered by what we have
NeQuissimus
on 4 Feb 2017
thank you, @NeQuissimus!
@bachp, what is latest virtualbox vs. what is on stable?
grahamc
on 5 Feb 2017
About that see https://github.com/NixOS/nixpkgs/pull/22274#issuecomment-277530565
vcunat
on 5 Feb 2017
:)
obadz
on 5 Feb 2017
tigervnc fixed in stable in 36ffe58
grahamc
on 5 Feb 2017
👍 thank you! :D
grahamc
on 5 Feb 2017
@wkennington do you have opinions on the safety of upgrading 389 from 1.3.3.9 to 1.3.5.15 on stable?
grahamc
on 5 Feb 2017
We are affected by the ming issues: https://blogs.gentoo.org/ago/2016/12/01/libming-listswf-heap-based-buffer-overflow-in-parseswf_rgba-parser-c/
grahamc
on 5 Feb 2017
Regarding 389-ds-base, the person who discovered it disagrees that it's really a security issue:
This [the CVE description] is incorrect. Only an authenticated user, with write access to cn=config, specifically the uiduniq plugin configuration can trigger this. In a default install this is only directory manager. If you are directory manager, you can do so many other things, there is no need to trigger an exploit. This is why I deemed this a stability issue, not a security issue. Users who are anonymous or bound from a backend do not have access to trigger this.
joachifm
on 7 Feb 2017
Re: ghostscript, per https://bugs.ghostscript.com/show_bug.cgi?id=697457, they do not expect to make a new release until march. Until then perhaps we can somehow apply http://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=e698d5c11d27212aa1098bc5b1673a3378563092, which is supposed to address the issue (per the previously linked bug).
joachifm
on 7 Feb 2017
nagios 4.2.4 is already patched https://www.nagios.org/projects/nagios-core/history/4x/ https://lwn.net/Alerts/713125/
shlevy
on 7 Feb 2017
Think I found the ming patches, let me verify and try to apply
shlevy
on 7 Feb 2017
But possibly we should consider removing it, it's unmaintained and debian's dropped it for example
shlevy
on 7 Feb 2017
I'd be 👍 on removing from unstable, and probably a mark-as-broken for stable.
grahamc
on 7 Feb 2017
Alright I'll just do that, I don't have all the patches I don't think (and they're on top of 0.4.4)
shlevy
on 7 Feb 2017
Just checked: nothing depends on ming.
grahamc
on 7 Feb 2017
ming handled in ff7777b22492dc126a0de4f50cdbf2a3c427ef21 and 41ba205dda86ce99dfdd58976dc845524d1d9933
shlevy
on 7 Feb 2017
I think the ghostscript issue would be resolved by https://github.com/NixOS/nixpkgs/pull/22509
joachifm
on 7 Feb 2017
We also need release-16.09. I say we just take the version bump there too, if someone needs the old version they can help secure it ;)
shlevy
on 7 Feb 2017
A few builds failed after upgrading, I'll try and find my list. Maybe they were broken before. Thank you so much for your help on these last few.
grahamc
on 7 Feb 2017
After removing ming, perhaps gnash could be removed as well. Not security related per se, but it's been abandoned for a while, I think, and was the only reverse dependency of ming.
joachifm
on 7 Feb 2017
Sure enough, gnash needs to be removed as well from unstable. Removed in 8608f91.
grahamc
on 7 Feb 2017
Shit:
anonymous function at /home/grahamc/.nox/nixpkgs/pkgs/applications/networking/browsers/firefox/wrapper.nix:1:1 called without required argument ‘gnash’, at /home/grahamc/.nox/nixpkgs/lib/customisation.nix:56:12
grahamc
on 7 Feb 2017
Just remove it and the enableGnash option
shlevy
on 7 Feb 2017
Finished. 😂 Thank you!
grahamc
on 7 Feb 2017
Thanks for all your hard work @grahamc!
peterhoeg
on 7 Feb 2017
Related issues
nico202
·
70Comments
Infinisil
·
146Comments
fdietze
·
144Comments
grahamc
·
77Comments
7c6f434c
·
66Comments
Most helpful comment
BTW, today I dealt with a minor security problem, fixed by c3ec88864. There's no CVE, at least not yet. (NixOS is probably the first distro to get the update.)