From owner-freebsd-security@FreeBSD.ORG Mon Nov 10 11:20:05 2008
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@FreeBSD.org
X-GNATS-Notify: garga@FreeBSD.org, freebsd-security@freebsd.org, secteam@freebsd.org
Date: Mon, 10 Nov 2008 14:19:44 +0300 (MSK)
Message-Id: <20081110111944.ADFC11AF424@void.codelabs.ru>
Subject: ports/128749: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1

>Number:         128749
>Category:       ports
>Synopsis:       [vuxml] VBA parser vulnerability in ClamAV < 0.94.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 10 11:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:   Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
As was recently reported on the BugTraq list, the VBA parser in ClamAV contains an off-by-one overflow that can lead to arbitrary code execution within the clamd process.

The VBA component seems to be unconditionally included in libclamav, and OLE2 scanning is "on" by default.
>How-To-Repeat:
http://www.securityfocus.com/archive/1/498169/30/0/threaded
>Fix:
The following VuXML entry describes this issue:
--- vuln.xml begins here ---
clamav -- off-by-one heap overflow in VBA project parser
clamav < 0.94.1

Advisory from Moritz Jodeit, November 8th, 2008:

ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the `clamd' process by sending an email with a prepared attachment.

A VBA project file embedded inside an OLE2 office document sent as an attachment can trigger the off-by-one.

Entry from Thu Oct 30 13:52:42 CET 2008 (acab) in ChangeLog:

libclamav/vba_extract.c: get_unicode_name off-by-one, bb#1239 reported by Moritz Jodeit >moritz*jodeit.org<

http://www.securityfocus.com/archive/1/498169/30/0/threaded
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
2008-11-08
--- vuln.xml ends here ---
The FreeBSD port itself is already at 0.94.1, so it is fully patched.
>Release-Note:
>Audit-Trail:
>Unformatted:

From owner-freebsd-security@FreeBSD.ORG Tue Nov 11 05:02:54 2008
From: miwi@FreeBSD.org
To: garga@FreeBSD.org, freebsd-security@FreeBSD.org, secteam@FreeBSD.org, miwi@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Date: Tue, 11 Nov 2008 05:02:54 GMT
Message-Id: <200811110502.mAB52sY0065465@freefall.freebsd.org>
Subject: Re: ports/128749: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1

Synopsis: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1

Responsible-Changed-From-To: freebsd-ports-bugs->miwi
Responsible-Changed-By: miwi
Responsible-Changed-When: Tue Nov 11 05:02:54 UTC 2008
Responsible-Changed-Why:
I'll take it.
http://www.freebsd.org/cgi/query-pr.cgi?pr=128749

From owner-freebsd-security@FreeBSD.ORG Tue Nov 11 10:28:19 2008
From: garga@FreeBSD.org
To: garga@FreeBSD.org, freebsd-security@FreeBSD.org, secteam@FreeBSD.org, rea-fbsd@codelabs.ru, miwi@FreeBSD.org
Date: Tue, 11 Nov 2008 10:28:18 GMT
Message-Id: <200811111028.mABASIHi036376@freefall.freebsd.org>
Subject: Re: ports/128749: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1

Synopsis: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1

State-Changed-From-To: open->closed
State-Changed-By: garga
State-Changed-When: Tue Nov 11 10:28:18 UTC 2008
State-Changed-Why:
Already committed, just closing now. Thanks for contributing!!
http://www.freebsd.org/cgi/query-pr.cgi?pr=128749

From owner-freebsd-security@FreeBSD.ORG Tue Nov 11 16:11:24 2008
From: Roger Marquis
To: freebsd-security@freebsd.org
Date: Tue, 11 Nov 2008 08:01:20 -0800 (PST)
Message-Id: <20081111160120.B49F32B2089@mx5.roble.com>
In-Reply-To: <20081111120022.60DD110657DB@hub.freebsd.org>
Subject: Re: ports/128749: [vuxml] VBA parser vulnerability in ClamAV

> As was recently reported in the BugTraq list, VBA parser in ClamAV is
> contains the off-by-one overflow and can lead to the arbitrary code
> execution within the clamd process.
>
> VBA component seem to be unconditionally included to the libclamav
> and OLE2 scanning is "on" by-default.

FWIW, clamav-0.94.1 does not compile under 5.X without CONFIGURE_ARGS+= --disable-gethostbyname_r. When compiled this way it does not run (exits after initialization with no error logging).

Though 5.X is no longer officially supported, there are many sites still running it which could benefit from a patch, assuming it would be trivial to create such a patch.
Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Thu Nov 13 01:27:11 2008
From: Michael Scheidell
To: Roger Marquis
Date: Wed, 12 Nov 2008 20:08:26 -0500
In-Reply-To: <20081111160120.B49F32B2089@mx5.roble.com>
Subject: Re: ports/128749: [vuxml] VBA parser vulnerability in ClamAV

> FWIW, clamav-0.94.1 does not compile under 5.X without CONFIGURE_ARGS+=
> --disable-gethostbyname_r. When compiled this way it does not run (exits
> after initialization with no error logging).

One more patch needed:

sed -i '' -e "s/enable-gethostbyname/disable-gethostbyname/; /^PTHREAD_LIBS/s/lthr/lpthread/" Makefile

(replace lthr with lpthread which has proven unstable in clamav anyway)

I have several legacy 5.5 systems running this way.

Note: unofficial, not supported by me, SECNAP, FreeBSD, the RNC, the DNC, or the free masons. YMMV

--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

From owner-freebsd-security@FreeBSD.ORG Fri Nov 14 06:13:37 2008
From: Eygene Ryabinkin
To: bug-followup@FreeBSD.org, freebsd-security@FreeBSD.org
Date: Fri, 14 Nov 2008 08:54:00 +0300
In-Reply-To: <200811131100.mADB0BAp023332@freefall.freebsd.org>
References: <20081113105909.ED4181AF419@void.codelabs.ru> <200811131100.mADB0BAp023332@freefall.freebsd.org>
Subject: Re: ports/128837: [vuxml] net-mgmt/net-snmp and net-mgmt/net-snmp53: CVE-2008-4309

I thought I had added a Cc to freebsd-security, but I hadn't seen the PR on the list. So I am bouncing this message to freebsd-security.

Thu, Nov 13, 2008 at 11:00:11AM +0000, FreeBSD-gnats-submit@FreeBSD.org wrote:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=128837
>
> >Category:       ports
> >Responsible:    freebsd-ports-bugs
> >Synopsis:       [vuxml] net-mgmt/net-snmp and net-mgmt/net-snmp53: CVE-2008-4309
> >Arrival-Date:   Thu Nov 13 11:00:11 UTC 2008

--
Eygene

From owner-freebsd-security@FreeBSD.ORG Fri Nov 14 15:00:11 2008
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, novel@FreeBSD.org
Date: Fri, 14 Nov 2008 17:54:14 +0300 (MSK)
Message-Id: <20081114145414.3C4DC1721C@amnesiac.at.no.dns>
Subject: ports/128868: [vuxml] security/gnutls: CVE-2008-4989 and update to 2.4.2

>Number:         128868
>Category:       ports
>Synopsis:       [vuxml] security/gnutls: CVE-2008-4989 and update to 2.4.2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 14 15:00:10 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 8.0-CURRENT amd64
>Organization:   Code Labs
>Environment:
System: FreeBSD 8.0-CURRENT amd64
>Description:
According to Martin von Gagern, http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217 there is an X.509 trust chain validation failure that allows a man in the middle to assume any DN and trick GNU TLS clients into trusting that name.
>How-To-Repeat:
Look at
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
http://www.gnu.org/software/gnutls/security.html
>Fix:
The following VuXML entry should be added:
--- vuln.xml begins here ---
GnuTLS -- X.509 certificate chain validation vulnerability
gnutls >= 2.4.0, < 2.4.2
gnutls >= 2.6.0, < 2.6.1

Martin von Gagern reports:

This is an analysis of the GNU TLS vulnerability recently published as GNUTLS-SA-2008-3 and CVE-2008-4989.

I found a bug in GNU TLS which breaks X.509 certificate chain verification. This allows a man in the middle to assume any name and trick GNU TLS clients into trusting that name.

This could be used to imitate a server using a specially crafted server certificate chain together with DNS spoofing or some way of intercepting packets along their route. It could also be used to imitate clients authenticating to some service using client certificates, again using specially crafted certificate chains.

Announcement of GnuTLS 2.6.1:

Version 2.6.1 is a maintenance and security release on our stable branch.

** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]

The flaw makes it possible for man in the middle attackers (i.e., active attackers) to assume any name and trick GNU TLS clients into trusting that name. Thanks for report and analysis from Martin von Gagern <Martin.vGagern <at> gmx.net>. [CVE-2008-4989]

CVE-2008-4989
http://www.gnu.org/software/gnutls/security.html
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
2008-11-10
--- vuln.xml ends here --- I am assuming that the maintainer will update the port to the version 2.4.2 (the latest one from the 2.4 branch) or to 2.6.1. One can drop 2.6.x from the VuXML entry if he won't planning to introduce GnuTLS 2.6.x to the ports or he is planning to update to GnuTLS >= 2.6.1. I had extracted the patch from the http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215 and had applied it to the 2.4.2. --- gnutls-2.4.2-CVE-2008-4989.patch begins here --- Obtained from: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215 Remarks: applied original patch to 2.4.2 and diffed the sources again --- lib/x509/verify.c.orig 2008-09-16 00:04:19.000000000 +0400 +++ lib/x509/verify.c 2008-11-14 16:06:59.000000000 +0300 @@ -376,6 +376,17 @@ int i = 0, ret; unsigned int status = 0, output; + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + */ + if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) > 0 + && clist_size > 0) + { + clist_size--; + } + /* Verify the last certificate in the certificate path * against the trusted CA certificate list. * 
@@ -414,17 +425,6 @@ } #endif - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - */ - if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], - certificate_list[clist_size - 1]) > 0 - && clist_size > 0) - { - clist_size--; - } - /* Verify the certificate path (chain) */ for (i = clist_size - 1; i > 0; i--) --- gnutls-2.4.2-CVE-2008-4989.patch ends here --- I had made a quick patch to update to 2.4.2. It works for me and fixes the CVS in question: --- gnutls-2.4.1_1-to-2.4.2-plus-CVE-2008-4989.patch begins here --- diff -urN ./Makefile ../gnutls/Makefile --- ./Makefile 2008-11-14 16:42:13.000000000 +0300 +++ ../gnutls/Makefile 2008-11-14 16:42:31.000000000 +0300 @@ -6,8 +6,7 @@ # PORTNAME= gnutls -PORTVERSION= 2.4.1 -PORTREVISION= 1 +PORTVERSION= 2.4.2 CATEGORIES= security net MASTER_SITES= http://josefsson.org/gnutls/releases/ \ ftp://ftp.gnutls.org/pub/gnutls/ \ diff -urN ./distinfo ../gnutls/distinfo --- ./distinfo 2008-11-14 16:42:13.000000000 +0300 +++ ../gnutls/distinfo 2008-11-14 16:52:41.000000000 +0300 @@ -1,3 +1,3 @@ -MD5 (gnutls-2.4.1.tar.bz2) = 573db36cb3f8472b0293cfa1f52c607a -SHA256 (gnutls-2.4.1.tar.bz2) = d91401a6828d7300dc2b1106ff99610479aa35af05d39746cacdab8cdc7be5fd -SIZE (gnutls-2.4.1.tar.bz2) = 4940118 +MD5 (gnutls-2.4.2.tar.bz2) = 148bde1f43cae2ea4265439df0da6399 +SHA256 (gnutls-2.4.2.tar.bz2) = 1c70e916c691c7c31ea3c8f2abeedae6c7dfda754e02b373287ceb5b46bfbb0e +SIZE (gnutls-2.4.2.tar.bz2) = 4958098 diff -urN ./files/patch-CVE-2008-4989 ../gnutls/files/patch-CVE-2008-4989 --- ./files/patch-CVE-2008-4989 1970-01-01 03:00:00.000000000 +0300 +++ ../gnutls/files/patch-CVE-2008-4989 2008-11-14 17:06:13.000000000 +0300 
@@ -0,0 +1,38 @@ +--- lib/x509/verify.c.orig 2008-09-16 00:04:19.000000000 +0400 ++++ lib/x509/verify.c 2008-11-14 16:06:59.000000000 +0300 +@@ -376,6 +376,17 @@ + int i = 0, ret; + unsigned int status = 0, output; + ++ /* Check if the last certificate in the path is self signed. ++ * In that case ignore it (a certificate is trusted only if it ++ * leads to a trusted party by us, not the server's). ++ */ ++ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], ++ certificate_list[clist_size - 1]) > 0 ++ && clist_size > 0) ++ { ++ clist_size--; ++ } ++ + /* Verify the last certificate in the certificate path + * against the trusted CA certificate list. + * +@@ -414,17 +425,6 @@ + } + #endif + +- /* Check if the last certificate in the path is self signed. +- * In that case ignore it (a certificate is trusted only if it +- * leads to a trusted party by us, not the server's). +- */ +- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], +- certificate_list[clist_size - 1]) > 0 +- && clist_size > 0) +- { +- clist_size--; +- } +- + /* Verify the certificate path (chain) + */ + for (i = clist_size - 1; i > 0; i--) --- gnutls-2.4.1_1-to-2.4.2-plus-CVE-2008-4989.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted: From owner-freebsd-security@FreeBSD.ORG Fri Nov 14 16:44:56 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4FBB7106564A for ; Fri, 14 Nov 2008 16:44:56 +0000 (UTC) (envelope-from mark@foster.cc) Received: from mail.bitpusher.com (mail.bitpusher.com [208.75.56.13]) by mx1.freebsd.org (Postfix) with ESMTP id 3CBE18FC0A for ; Fri, 14 Nov 2008 16:44:56 +0000 (UTC) (envelope-from mark@foster.cc) Received: from [192.168.1.17] (c-24-17-96-78.hsd1.wa.comcast.net [24.17.96.78]) by mail.bitpusher.com (Postfix) with ESMTP id BD1BE4C057 for ; Fri, 14 Nov 2008 08:21:04 -0800 (PST) Message-ID: 
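Review bot: in the block moved by the "@@ -376,6 +376,17 @@" hunk of lib/x509/verify.c (and its copy in files/patch-CVE-2008-4989), "certificate_list[clist_size - 1]" is indexed before "&& clist_size > 0" is evaluated, so the guard cannot prevent the out-of-bounds read it is there for when clist_size is 0; the operands should be swapped, "if (clist_size > 0 && gnutls_x509_crt_check_issuer (...) > 0)". Relatedly, the decrement can now leave clist_size at 0 for a path that consists only of one self-signed certificate, and the code that the comment directly below ("Verify the last certificate in the certificate path against the trusted CA certificate list") describes runs before any such check in this hunk, so it should bail out explicitly when clist_size has become 0 rather than rely on the later loop.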
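The ordering defect that the verify.c patch above corrects is easier to see with the cryptography stripped out. The following is an added example written for this page; it is not GnuTLS code and not part of the PR. It models a chain verifier that first checks the last certificate of the peer-supplied path against the trusted list and only then discards a self-signed tail (the pre-patch order), beside the patched order that discards the tail first. Certificate names, keys and "signatures" are constructed sample data, and the signature is a plain hash over public values, so the model exercises the verifier's control flow, not the unforgeability of real signatures.

```c
/* Added example (not GnuTLS code): toy model of the CVE-2008-4989
 * chain-validation ordering.  All names, keys and signatures are
 * constructed; toy_sign() is a hash, not a real signature. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

struct cert {
    const char *subject;  /* DN of the holder */
    const char *issuer;   /* DN of the signer */
    const char *pubkey;   /* stand-in for the holder's public key */
    uint32_t    sig;      /* toy signature over (subject, issuer, issuer key) */
};

/* FNV-1a over a string; used only as a stand-in for a signature primitive. */
static uint32_t fnv1a(uint32_t h, const char *s)
{
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

static uint32_t toy_sign(const char *subject, const char *issuer,
                         const char *issuer_pubkey)
{
    uint32_t h = fnv1a(2166136261u, subject);
    h = fnv1a(fnv1a(h, "|"), issuer);
    return fnv1a(fnv1a(h, "|"), issuer_pubkey);
}

static struct cert make_cert(const char *subject, const char *issuer,
                             const char *issuer_pubkey, const char *pubkey)
{
    struct cert c = { subject, issuer, pubkey,
                      toy_sign(subject, issuer, issuer_pubkey) };
    return c;
}

/* Counterpart of gnutls_x509_crt_check_issuer() plus a signature check. */
static int issued_by(const struct cert *c, const struct cert *issuer)
{
    return strcmp(c->issuer, issuer->subject) == 0
        && c->sig == toy_sign(c->subject, c->issuer, issuer->pubkey);
}

/* The peer may append any self-signed root; a root only matters if *we*
 * trust it, so a self-signed tail is dropped.  The size test comes
 * before the index, unlike the patch's trailing "&& clist_size > 0". */
static size_t drop_self_signed_tail(const struct cert *chain, size_t n)
{
    if (n > 0 && issued_by(&chain[n - 1], &chain[n - 1]))
        n--;
    return n;
}

/* Is `c` a trust anchor itself, or signed directly by one? */
static int issued_by_trusted(const struct cert *c,
                             const struct cert *trusted, size_t ntrusted)
{
    size_t j;
    for (j = 0; j < ntrusted; j++)
        if ((strcmp(c->subject, trusted[j].subject) == 0
             && c->sig == trusted[j].sig) || issued_by(c, &trusted[j]))
            return 1;
    return 0;
}

/* Returns 1 if the chain is trusted.  fixed=1: drop the self-signed tail
 * before the trusted-list check (patched order); fixed=0: after it. */
int verify_chain(const struct cert *chain, size_t n,
                 const struct cert *trusted, size_t ntrusted, int fixed)
{
    size_t i;
    if (fixed) n = drop_self_signed_tail(chain, n);
    if (n == 0) return 0;
    /* The last certificate of the path must lead to something we trust. */
    if (!issued_by_trusted(&chain[n - 1], trusted, ntrusted)) return 0;
    if (!fixed) n = drop_self_signed_tail(chain, n);
    /* Walk the path: each certificate must be issued by its successor. */
    for (i = n - 1; i > 0; i--)
        if (!issued_by(&chain[i - 1], &chain[i])) return 0;
    return 1;
}

/* Constructed scenario.  attacker=1: [leaf signed by the attacker's CA,
 * self-signed attacker CA, genuine self-signed root appended by the peer].
 * attacker=0: [leaf signed by the root, root]. */
int demo_chain(int attacker, int fixed)
{
    struct cert root = make_cert("CN=Real Root CA", "CN=Real Root CA",
                                 "real-root-pub", "real-root-pub");
    struct cert trusted[1], chain[3];
    size_t n = 2;
    trusted[0] = root;
    if (attacker) {
        chain[0] = make_cert("CN=bank.example", "CN=Attacker CA",
                             "attacker-pub", "leaf-pub");
        chain[1] = make_cert("CN=Attacker CA", "CN=Attacker CA",
                             "attacker-pub", "attacker-pub");
        chain[2] = root;
        n = 3;
    } else {
        chain[0] = make_cert("CN=bank.example", "CN=Real Root CA",
                             "real-root-pub", "leaf-pub");
        chain[1] = root;
    }
    return verify_chain(chain, n, trusted, 1, fixed);
}

int main(void)
{
    printf("attacker chain, pre-patch order: %s\n", demo_chain(1, 0) ? "ACCEPTED" : "rejected");
    printf("attacker chain, patched order:   %s\n", demo_chain(1, 1) ? "ACCEPTED" : "rejected");
    printf("genuine chain, patched order:    %s\n", demo_chain(0, 1) ? "accepted" : "REJECTED");
    return 0;
}
```

In the pre-patch order the genuine root at the end of the path satisfies the trusted-list check, is then discarded as self-signed, and the remaining loop only confirms that each certificate is issued by its successor, so nothing ever ties the attacker's CA to the trust store. Dropping the tail first makes the attacker's CA the last certificate, and the trusted-list check rejects it.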
<491DA571.2060105@foster.cc>
Date: Fri, 14 Nov 2008 08:21:05 -0800
From: Mark Foster
To: freebsd-security@freebsd.org
Subject: portaudit, vuxml & OVAL data

I have a project idea regarding the extension of portaudit (which now solely relies on the vuxml data from security/vuxml) to additionally parse OVAL (CVE) data from the SCAP project.
http://nvd.nist.gov/scap.cfm
http://oval.mitre.org/

I see that they already have a schema definition for FreeBSD found here:
http://oval.mitre.org/language/download/schema/version5.5/index.html

I could see this turning into an oval2portaudit tool accompanied by a modification of portaudit (if necessary) to accommodate additional/disparate data sources.

--
Realization #2031: That the "meaning of life" is now just another Google search.
Mark D.
Foster
http://mark.foster.cc/ | http://conshell.net/

From owner-freebsd-security@FreeBSD.ORG Fri Nov 14 15:00:21 2008
From: edwin@FreeBSD.org
To: freebsd-security@freebsd.org, novel@freebsd.org, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Date: Fri, 14 Nov 2008 15:00:21 GMT
Message-Id: <200811141500.mAEF0LFM004825@freefall.freebsd.org>
Subject: Re: ports/128868: [vuxml] security/gnutls: CVE-2008-4989 and update to 2.4.2

Synopsis: [vuxml] security/gnutls: CVE-2008-4989 and update to 2.4.2

Responsible-Changed-From-To: freebsd-ports-bugs->novel
Responsible-Changed-By: edwin
Responsible-Changed-When: Fri Nov 14 15:00:20 UTC 2008
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=128868

From owner-freebsd-security@FreeBSD.ORG Fri Nov 14 21:20:49 2008
From: Eygene Ryabinkin
To: Mark Foster
Cc: freebsd-security@freebsd.org
Date: Sat, 15 Nov 2008 00:20:45 +0300
In-Reply-To: <491DA571.2060105@foster.cc>
References: <491DA571.2060105@foster.cc>
Subject: Re: portaudit, vuxml & OVAL data

Mark, good day.

Fri, Nov 14, 2008 at 08:21:05AM -0800, Mark Foster wrote:
> I have a project idea regarding the extension of portaudit (which now
> solely relies on the vuxml data from security/vuxml) to additionally
> parse OVAL (CVE) data from the SCAP project.
> http://nvd.nist.gov/scap.cfm
> http://oval.mitre.org/
>
> I see that they already have a schema definition for FreeBSD found here:
> http://oval.mitre.org/language/download/schema/version5.5/index.html

I had glanced over this: there are FreeBSD-specific test definitions, but currently there are no FreeBSD-specific vulnerability data at OVAL. At least I had not found any.

> I could see this turning into a oval2portaudit tool accompanied by a
> modification of portaudit (if necessary) to accomodate
> additional/disparate data sources.

I could be a bit stupid, but I don't understand how the data from CVE is pushed to OVAL. From what I had seen, there should be some person who will do it: looking at the sources of OVAL data for the different OSes, I had found that one should still write some tests to see if the vulnerability is applicable to the current system state. If it is really so, then writing such tests is more or less equal to the creation of a new VuXML entry.

I have another idea: use the CVE XML feeds, http://nvd.nist.gov/download.cfm#CVE_FEED to create drafts of the VuXML entries that will be passed to a human for inspection. Such inspection is needed anyway, because, for example, FreeBSD could have the port with a backported patch. So, the feed contents will tell us that the program is vulnerable, but the reality will be different.

--
Eygene