From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 10:40:01 2008
Resent-Date: Tue, 18 Nov 2008 10:40:01 GMT
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: freebsd-security@freebsd.org, ale@freebsd.org
Message-Id:
<20081118103433.38D5817115@shadow.codelabs.ru>
Date: Tue, 18 Nov 2008 13:34:33 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, ale@freebsd.org
Subject: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6

>Number: 128956
>Category: ports
>Synopsis: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 18 10:40:00 UTC 2008
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
There are some vulnerabilities in the stock PHP 5.2.6 that were silently fixed in CVS, but only after 5.2.6 was out.
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
>Fix:
The following patches should fix all three issues. I have mildly tested them in my setups.
--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here --- diff -urN ./Makefile ../php5/Makefile --- ./Makefile 2008-11-18 11:49:16.000000000 +0300 +++ ../php5/Makefile 2008-11-18 11:49:27.000000000 +0300
@@ -7,7 +7,7 @@ PORTNAME= php5 PORTVERSION= 5.2.6 -PORTREVISION?= 2 +PORTREVISION?= 3 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP} MASTER_SITE_SUBDIR= distributions diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659 --- ./files/patch-CVE-2008-3659 1970-01-01 03:00:00.000000000 +0300 +++ ../php5/files/patch-CVE-2008-3659 2008-11-18 11:49:55.000000000 +0300 @@ -0,0 +1,27 @@ +Patch for CVE-2008-3659. + +Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch +See also: http://news.php.net/php.cvs/52002 +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 + +--- Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11 ++++ Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */ ++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */ + + #ifndef ZEND_OPERATORS_H + #define ZEND_OPERATORS_H +@@ -220,6 +220,9 @@ + char *p = haystack; + char ne = needle[needle_len-1]; + ++ if(needle_len > end-haystack) { ++ return NULL; ++ } + end -= needle_len; + + while (p <= end) { diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660 --- ./files/patch-CVE-2008-3660 1970-01-01 03:00:00.000000000 +0300 +++ ../php5/files/patch-CVE-2008-3660 2008-11-18 12:15:23.000000000 +0300 
@@ -0,0 +1,82 @@ +Patch for CVE-2008-3660 + +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 +See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987 +Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6 + +--- sapi/cgi/cgi_main.c.orig 2008-04-09 13:16:40.000000000 +0400 ++++ sapi/cgi/cgi_main.c 2008-11-18 12:08:10.000000000 +0300 +@@ -765,6 +765,39 @@ + } + /* }}} */ + ++/* {{{ is_valid_path ++ * ++ * some server configurations allow '..' to slip through in the ++ * translated path. We'll just refuse to handle such a path. ++ */ ++static int is_valid_path(const char *path) ++{ ++ const char *p; ++ ++ if (!path) { ++ return 0; ++ } ++ p = strstr(path, ".."); ++ if (p) { ++ if ((p == path || IS_SLASH(*(p-1))) && ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { ++ return 0; ++ } ++ while (1) { ++ p = strstr(p+1, ".."); ++ if (!p) { ++ break; ++ } ++ if (IS_SLASH(*(p-1)) && ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { ++ return 0; ++ } ++ } ++ } ++ return 1; ++} ++/* }}} */ ++ + /* {{{ init_request_info + + initializes request_info structure +@@ -1061,9 +1094,7 @@ + if (pt) { + efree(pt); + } +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. */ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + } else { +@@ -1094,9 +1125,7 @@ + } else { + SG(request_info).request_uri = env_script_name; + } +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. 
*/ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + free(real_path); +@@ -1114,9 +1143,7 @@ + script_path_translated = env_path_translated; + } + #endif +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. */ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + #if ENABLE_PATHINFO_CHECK --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here --- --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here --- diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829 --- ./files/patch-CVE-2008-2829 1970-01-01 03:00:00.000000000 +0300 +++ ../php5-imap/files/patch-CVE-2008-2829 2008-11-18 13:20:19.000000000 +0300 
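Review bot: in the zend_operators.h hunk of patch-CVE-2008-3659, `char ne = needle[needle_len-1];` is still evaluated before the new `if(needle_len > end-haystack) { return NULL; }` guard, so a zero-length needle would index one byte before `needle`; that matches the upstream ordering, but confirm that every caller (explode() with its delimiter argument in particular) rejects an empty needle before reaching memnstr, or hoist the guard above that line. The guard itself sits correctly before `end -= needle_len;`, the subtraction that used to move `end` in front of `haystack` when the needle was longer than the remaining haystack and let the `while (p <= end)` loop walk past the buffer.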
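Review bot: in patch-CVE-2008-3660, `is_valid_path()` deliberately changes the rule from "refuse any path containing `..`" to "refuse any path with a `..` component" (left bound start-of-string or IS_SLASH, right bound NUL or IS_SLASH); that is what lets a plain file name like `foo..php` through while `a/../b`, `../x` and a trailing `/..` are still refused, so say so in the patch header rather than only citing the upstream revision. The unguarded `*(p-1)` inside the `while (1)` loop is safe because every result of `strstr(p+1, "..")` is at least one byte past `path`; only the first match needs the `p == path ||` test, and it has it.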
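Review bot: the three call-site hunks in cgi_main.c (around lines 1061, 1094 and 1114) drop the explicit `script_path_translated &&` test and rely on `is_valid_path()` returning 0 for a NULL argument, which it does, so behaviour for a missing path is unchanged; the duplicated comment is now kept once above the helper. Since this is a new patch under files/, check that it applies without fuzz after the port's existing patches touch the same file, if any do.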
@@ -0,0 +1,282 @@ +Fix for CVE-2008-2829 + +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch +Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked + '-3213,7 +3214,7'. + +--- php_imap.c.orig 2008-04-17 15:04:49.000000000 +0400 ++++ php_imap.c 2008-11-18 13:03:02.000000000 +0300 +@@ -40,6 +40,7 @@ + #include "ext/standard/php_string.h" + #include "ext/standard/info.h" + #include "ext/standard/file.h" ++#include "ext/standard/php_smart_str.h" + + #ifdef ERROR + #undef ERROR +@@ -66,10 +67,11 @@ + #define SENDBUFLEN 16385 + #endif + ++ + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); +-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); +-static int _php_imap_address_size(ADDRESS *addresslist); ++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC); ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC); + + /* the gets we use */ + static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); +@@ -2109,7 +2111,7 @@ + { + zval **mailbox, **host, **personal; + ADDRESS *addr; +- char string[MAILTMPLEN]; ++ char *string; + + if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) { + ZEND_WRONG_PARAM_COUNT(); +@@ -2137,13 +2139,12 @@ + addr->error=NIL; + addr->adl=NIL; + +- if (_php_imap_address_size(addr) >= MAILTMPLEN) { ++ string = _php_rfc822_write_address(addr TSRMLS_CC); ++ if (string) { ++ RETVAL_STRING(string, 0); ++ } else { + RETURN_FALSE; + } +- +- string[0]='\0'; +- rfc822_write_address(string, addr); +- RETVAL_STRING(string, 1); + } + /* }}} */ + +@@ -2873,7 +2874,7 @@ + zval **streamind, **sequence, **pflags; + pils *imap_le_struct; + zval *myoverview; +- char address[MAILTMPLEN]; ++ char *address; + long status, flags=0L; + 
int myargc = ZEND_NUM_ARGS(); + +@@ -2908,17 +2909,19 @@ + if (env->subject) { + add_property_string(myoverview, "subject", env->subject, 1); + } +- if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { ++ if (env->from) { + env->from->next=NULL; +- address[0] = '\0'; +- rfc822_write_address(address, env->from); +- add_property_string(myoverview, "from", address, 1); ++ address =_php_rfc822_write_address(env->from TSRMLS_CC); ++ if (address) { ++ add_property_string(myoverview, "from", address, 0); ++ } + } +- if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { ++ if (env->to) { + env->to->next = NULL; +- address[0] = '\0'; +- rfc822_write_address(address, env->to); +- add_property_string(myoverview, "to", address, 1); ++ address = _php_rfc822_write_address(env->to TSRMLS_CC); ++ if (address) { ++ add_property_string(myoverview, "to", address, 0); ++ } + } + if (env->date) { + add_property_string(myoverview, "date", env->date, 1); +@@ -3858,6 +3861,43 @@ + /* }}} */ + + /* Support Functions */ ++ ++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST ++/* {{{ _php_rfc822_soutr ++ */ ++static long _php_rfc822_soutr (void *stream, char *string) ++{ ++ smart_str *ret = (smart_str*)stream; ++ int len = strlen(string); ++ ++ smart_str_appendl(ret, string, len); ++ return LONGT; ++} ++ ++/* }}} */ ++ ++/* {{{ _php_rfc822_write_address ++ */ ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) ++{ ++ char address[MAILTMPLEN]; ++ smart_str ret = {0}; ++ RFC822BUFFER buf; ++ ++ buf.beg = address; ++ buf.cur = buf.beg; ++ buf.end = buf.beg + sizeof(address) - 1; ++ buf.s = &ret; ++ buf.f = _php_rfc822_soutr; ++ rfc822_output_address_list(&buf, addresslist, 0, NULL); ++ rfc822_output_flush(&buf); ++ smart_str_0(&ret); ++ return ret.c; ++} ++/* }}} */ ++ ++#else ++ + /* {{{ _php_imap_get_address_size + */ + static int _php_imap_address_size (ADDRESS *addresslist) +@@ -3887,26 +3927,33 @@ + + /* }}} */ + ++/* {{{ _php_rfc822_write_address ++ */ 
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) ++{ ++ char address[SENDBUFLEN]; + ++ if (_php_imap_address_size(addresslist) >= SENDBUFLEN) { ++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow"); ++ return NULL; ++ } ++ address[0] = 0; ++ rfc822_write_address(address, addresslist); ++ return estrdup(address); ++} ++/* }}} */ ++#endif + /* {{{ _php_imap_parse_address + */ +-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) ++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC) + { ++ char *fulladdress; + ADDRESS *addresstmp; + zval *tmpvals; +- char *tmpstr; +- int len=0; + + addresstmp = addresslist; + +- if ((len = _php_imap_address_size(addresstmp))) { +- tmpstr = (char *) pemalloc(len + 1, 1); +- tmpstr[0] = '\0'; +- rfc822_write_address(tmpstr, addresstmp); +- *fulladdress = tmpstr; +- } else { +- *fulladdress = NULL; +- } ++ fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC); + + addresstmp = addresslist; + do { +@@ -3918,6 +3965,7 @@ + if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1); + add_next_index_object(paddress, tmpvals TSRMLS_CC); + } while ((addresstmp = addresstmp->next)); ++ return fulladdress; + } + /* }}} */ + +@@ -3944,10 +3992,9 @@ + if (en->to) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "toaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "toaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "to", paddress TSRMLS_CC); + } +@@ -3955,10 +4002,9 @@ + if (en->from) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = 
_php_imap_parse_address(en->from, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "fromaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "fromaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "from", paddress TSRMLS_CC); + } +@@ -3966,10 +4012,9 @@ + if (en->cc) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "ccaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "ccaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC); + } +@@ -3977,10 +4022,9 @@ + if (en->bcc) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "bccaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "bccaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC); + } +@@ -3988,10 +4032,9 @@ + if (en->reply_to) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "reply_toaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "reply_toaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC); + } +@@ -3999,10 +4042,9 @@ + if (en->sender) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC); + if (fulladdress) { +- 
add_property_string(myzvalue, "senderaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "senderaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC); + } +@@ -4010,10 +4052,9 @@ + if (en->return_path) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "return_pathaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "return_pathaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC); + } --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here --- I assume that they all will go in one shot, so the following VuXML entries use 5.2.6_3 as the first version where issues were fixed. --- cve-2008-2829.xml begins here --- PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension php5-imap 5.2.6_3
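Review bot: the header of patch-CVE-2008-2829 says "reapplied to php-5.6.2"; the port is 5.2.6, so fix the version in the note before committing. Also, the imap diff adds only files/patch-CVE-2008-2829 and shows no PORTREVISION change for php5-imap, while the cve-2008-2829.xml entry names php5-imap 5.2.6_3 as the first fixed version; the first diff bumps lang/php5 with `PORTREVISION?= 3`, and the `?=` means a slave port may set its own, so confirm php5-imap really ends up as 5.2.6_3 or the VuXML range will not match the package name.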
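Review bot: nothing in this diff defines HAVE_RFC822_OUTPUT_ADDRESS_LIST, so unless the port's configure step sets it, the `#ifdef` branch with `_php_rfc822_soutr()` and `rfc822_output_address_list()` (the @@ -3858 hunk) is never compiled and the build always takes the `#else` path. That path is still an improvement, since `_php_imap_address_size()` is checked before `rfc822_write_address()` writes into the SENDBUFLEN stack buffer, but the streaming writer is the real fix for long address lists, so check whether the extension's config.m4 needs the corresponding library test as well.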
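Review bot: in the `#else` variant of `_php_rfc822_write_address()` (the @@ -3887 hunk), `php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow")` terminates the request, so the following `return NULL;` and the callers' new `if (address)` / `if (string)` / `if (fulladdress)` handling are never exercised in that configuration; if the intent is to skip the oversized field rather than abort, E_WARNING is the matching level. The ownership change is otherwise consistent: the returned string is emalloc'd (estrdup or smart_str), the callers pass duplicate=0 to add_property_string()/RETVAL_STRING() and the old pemalloc/free pair is gone.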
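Review bot: the @@ -66,10 +67,11 @@ hunk adds a bare blank line (`++`) between the SENDBUFLEN block and the prototypes, and `address =_php_rfc822_write_address(env->from TSRMLS_CC);` in the @@ -2908 hunk lacks the space after `=`; both are whitespace noise inherited from upstream that a backport patch can drop.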

Entry for CVE-2008-2829 says:

php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.

CVE-2008-2829
http://bugs.php.net/bug.php?id=42862
http://bugs.php.net/bug.php?id=40925
http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260
2008-06-19
--- cve-2008-2829.xml ends here ---
--- cve-2008-3659.xml begins here ---
PHP 5.x -- buffer overflow in the memnstr()
php5 5.2.6_3

Entry for CVE-2008-3659 says:

Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via the delimiter argument to the explode function.

NOTE: the scope of this issue is limited since most applications would not use an attacker-controlled delimiter, but local attacks against safe_mode are feasible.

CVE-2008-3659
http://news.php.net/php.cvs/52002
http://www.openwall.com/lists/oss-security/2008/08/08/2
2008-08-05
--- cve-2008-3659.xml ends here ---
--- cve-2008-3660.xml begins here ---
PHP 5.x -- Denial of Service in the FastCGI mode
php5 5.2.6_3

Entry for CVE-2008-3660 says:

PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php.

CVE-2008-3660
http://news.php.net/php.cvs/51129
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
2008-07-15
--- cve-2008-3660.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 11:30:01 2008
Resent-Date: Tue, 18 Nov 2008 11:30:01 GMT
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: freebsd-security@freebsd.org, rafan@freebsd.org
Message-Id: <20081118112146.35CA917115@shadow.codelabs.ru>
Date: Tue, 18 Nov 2008 14:21:46 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, rafan@freebsd.org
Subject: ports/128958: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter

>Number: 128958
>Category: ports
>Synopsis: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 18 11:30:01 UTC 2008
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
There is a stack-based overflow in the enscript escape codes handling code. Citing the Secunia report:
-----
The vulnerability is caused due to a boundary error within the "read_special_escape()" function in src/psgen.c. This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file.

Successful exploitation allows execution of arbitrary code, but requires that special escapes processing is enabled with the "-e" option.
-----
>How-To-Repeat:
http://secunia.com/secunia_research/2008-41/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
>Fix:
The following patch should introduce the fix to the FreeBSD port:
--- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff begins here --- diff -urN ./Makefile ../enscript-letter/Makefile --- ./Makefile 2008-11-18 13:57:48.000000000 +0300 +++ ../enscript-letter/Makefile 2008-11-18 13:58:02.000000000 +0300
@@ -7,7 +7,7 @@ PORTNAME= enscript PORTVERSION= 1.6.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES+= print MASTER_SITES= http://www.codento.com/people/mtr/genscript/ PKGNAMESUFFIX= -${PAPERSIZE} diff -urN ./files/patch-CVE-2008-3863-and-4306 ../enscript-letter/files/patch-CVE-2008-3863-and-4306 --- ./files/patch-CVE-2008-3863-and-4306 1970-01-01 03:00:00.000000000 +0300 +++ ../enscript-letter/files/patch-CVE-2008-3863-and-4306 2008-11-18 13:57:08.000000000 +0300 
@@ -0,0 +1,94 @@ +Patch for CVE-2008-3863 and CVE-2008-4306 + +Obtained from: http://cvs.fedoraproject.org/viewvc/devel/enscript/enscript-CVE-2008-3863%2BCVE-2008-4306.patch?revision=1.1 + +--- src/psgen.c ++++ src/psgen.c 2008-10-29 10:43:08.512598143 +0100 +@@ -24,6 +24,7 @@ + * Boston, MA 02111-1307, USA. + */ + ++#include + #include "gsint.h" + + /* +@@ -124,7 +125,7 @@ struct gs_token_st + double xscale; + double yscale; + int llx, lly, urx, ury; /* Bounding box. */ +- char filename[512]; ++ char filename[PATH_MAX]; + char *skipbuf; + unsigned int skipbuf_len; + unsigned int skipbuf_pos; +@@ -135,11 +136,11 @@ struct gs_token_st + Color bgcolor; + struct + { +- char name[512]; ++ char name[PATH_MAX]; + FontPoint size; + InputEncoding encoding; + } font; +- char filename[512]; ++ char filename[PATH_MAX]; + } u; + }; + +@@ -248,7 +249,7 @@ static int do_print = 1; + static int user_fontp = 0; + + /* The user ^@font{}-defined font. */ +-static char user_font_name[256]; ++static char user_font_name[PATH_MAX]; + static FontPoint user_font_pt; + static InputEncoding user_font_encoding; + +@@ -978,7 +979,8 @@ large for page\n"), + FATAL ((stderr, + _("user font encoding can be only the system's default or `ps'"))); + +- strcpy (user_font_name, token.u.font.name); ++ memset (user_font_name, 0, sizeof(user_font_name)); ++ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1); + user_font_pt.w = token.u.font.size.w; + user_font_pt.h = token.u.font.size.h; + user_font_encoding = token.u.font.encoding; +@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To + buf[i] = ch; + if (i + 1 >= sizeof (buf)) + FATAL ((stderr, _("too long argument for %s escape:\n%.*s"), +- escapes[i].name, i, buf)); ++ escapes[e].name, i, buf)); + } + buf[i] = '\0'; + +@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To + switch (escapes[e].escape) + { + case ESC_FONT: +- strcpy (token->u.font.name, buf); ++ memset (token->u.font.name, 0, 
sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1); + + /* Check for the default font. */ + if (strcmp (token->u.font.name, "default") == 0) +@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To + FATAL ((stderr, _("malformed font spec for ^@font escape: %s"), + token->u.font.name)); + +- strcpy (token->u.font.name, cp); ++ memset (token->u.font.name, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1); + xfree (cp); + } + token->type = tFONT; +@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To + break; + + case ESC_SETFILENAME: +- strcpy (token->u.filename, buf); ++ memset (token->u.filename, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1); + token->type = tSETFILENAME; + break; --- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff ends here --- The following VuXML entry should be added: --- vuln.xml begins here --- GNU enscript -- multiple vulnerabilities enscript-letter enscript-letterdj enscript-a4 1.6.4_2
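Review bot: the added `++#include` line at the top of the psgen.c hunk carries no header name in this copy; PATH_MAX, which the following hunks use for the `filename`, `font.name` and `user_font_name` arrays, is defined in `<limits.h>`, so verify that the patch file in the PR really reads `#include <limits.h>` and that the angle-bracketed name was not lost on the way.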
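Review bot: in the ESC_SETFILENAME hunk, `memset (token->u.filename, 0, sizeof(token->u.font.name));` takes the size of the wrong union member; it is harmless only because both arrays are PATH_MAX after this patch, so change it to `sizeof(token->u.filename)` to match the `strncpy` on the next line (the two ESC_FONT hunks get this right). The `escapes[i].name` to `escapes[e].name` change in the FATAL message is a separate, correct fix (`i` is the buffer position, `e` the escape index) that deserves a line in the patch header.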
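Review bot: the Makefile hunk bumps only print/enscript-letter to PORTREVISION 2 and the patch lands only under its files/, while the vuln.xml entry lists enscript-letter, enscript-letterdj and enscript-a4 as affected below 1.6.4_2; confirm the other two are slave ports sharing this Makefile and files/ directory so they pick up both the patch and the revision bump. The diff file is named fix-CVE-2008-4306 while the PR synopsis says CVE-2008-3863; the patch covers both, but aligning the names avoids confusion in the audit trail.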

Ulf Harnhammar from Secunia Research had discovered a stack-based buffer overflow vulnerability in the GNU enscript code:

Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command.

CVE-2008-4306 is an Ubuntu-specific mirror issue for this vulnerability.

CVE-2008-3863
CVE-2008-4306
http://secunia.com/secunia_research/2008-41/
http://cvs.fedoraproject.org/viewvc//devel/enscript/enscript-CVE-2008-3863+CVE-2008-4306.patch
https://launchpad.net/ubuntu/intrepid/+source/enscript/1.6.4-12ubuntu0.8.10.1
2008-10-22
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 11:50:28 2008
Date: Tue, 18 Nov 2008 11:50:28 GMT
Message-Id: <200811181150.mAIBoS1J033367@freefall.freebsd.org>
To: freebsd-security@freebsd.org, ale@freebsd.org, miwi@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, miwi@FreeBSD.org
From: miwi@FreeBSD.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6

Synopsis: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Responsible-Changed-From-To: freebsd-ports-bugs->miwi
Responsible-Changed-By: miwi
Responsible-Changed-When: Tue Nov 18 11:50:28 UTC 2008
Responsible-Changed-Why:
I'll take it.
http://www.freebsd.org/cgi/query-pr.cgi?pr=128956

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 12:00:11 2008
Resent-Date: Tue, 18 Nov 2008 12:00:09 GMT
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: freebsd-security@freebsd.org, ivan.lago@ifom-ieo-campus.it
Message-Id: <20081118115957.E4FB717116@shadow.codelabs.ru>
Date: Tue, 18 Nov 2008 14:59:57 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, ivan.lago@ifom-ieo-campus.it
Subject: ports/128960: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2

>Number: 128960
>Category: ports
>Synopsis: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 18 12:00:09 UTC 2008
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
It was discovered [1] that syslog-ng 2.0.9 does not call chdir() before chroot(), which effectively leaks the syslog startup directory into the chrooted environment.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
>How-To-Repeat:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
http://www.openwall.com/lists/oss-security/2008/11/17/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110

Please note that CVE-2008-5110 is "too new" now -- the ID was just created and no entry seems to have been uploaded to cve.mitre.org yet.
>Fix:
The following patch fixes the things:
--- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff begins here --- diff -urN ./Makefile ../syslog-ng2/Makefile --- ./Makefile 2008-11-18 14:31:05.000000000 +0300 +++ ../syslog-ng2/Makefile 2008-11-18 14:31:15.000000000 +0300
@@ -7,7 +7,7 @@ PORTNAME= syslog-ng PORTVERSION= 2.0.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/ PKGNAMESUFFIX= 2 diff -urN ./files/patch-CVE-2008-5110 ../syslog-ng2/files/patch-CVE-2008-5110 --- ./files/patch-CVE-2008-5110 1970-01-01 03:00:00.000000000 +0300 +++ ../syslog-ng2/files/patch-CVE-2008-5110 2008-11-18 14:40:00.000000000 +0300 @@ -0,0 +1,22 @@ +Patch for CVE-2008-5110 + +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=14;mbox=yes;bug=505791 +Note: was not able to cleanly apply the original patch, so it was recreated + by hand using the original submission contents + +--- src/main.c.orig 2008-03-23 23:35:27.000000000 +0300 ++++ src/main.c 2008-11-18 14:38:13.000000000 +0300 +@@ -275,6 +275,13 @@ + { + if (chroot_dir) + { ++ if (chdir(chroot_dir) < 0) ++ { ++ msg_error("Error during chdir() before chroot()", ++ evt_tag_errno(EVT_TAG_OSERROR, errno), ++ NULL); ++ return 0; ++ } + if (chroot(chroot_dir) < 0) + { + msg_error("Error during chroot()", --- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff ends here --- This issue deserves the following VuXML entry: --- vuln.xml begins here --- Syslog-ng -- startup directory leakage in the chroot environment syslog-ng2 2.0.9_2
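Review bot: confirm that nothing between the new chdir(chroot_dir) and the chroot(chroot_dir) call changes the working directory, since the fix relies on the cwd already being the new root at the moment chroot() runs; the hunk itself is correct for the reported leak, and its error path (msg_error() followed by return 0) matches the existing chroot() failure handling immediately below it. The Makefile hunk's PORTREVISION bump from 1 to 2 lines up with the 2.0.9_2 version used in the VuXML entry, and the "Note:" line in the patch header usefully records that the Debian patch was recreated by hand.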

Florian Grandel had reported through the Debian bug tracker that syslog-ng has a security vulnerability associated with the chroot() call.

I have not had the time to analyze all of the syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it.

This opens up ways to work around the chroot jail.

CVE-2008-5110
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
http://www.openwall.com/lists/oss-security/2008/11/17/3
2008-11-15
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 12:29:12 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 42752106564A; Tue, 18 Nov 2008 12:29:12 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id E3D778FC16; Tue, 18 Nov 2008 12:29:11 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=kiVxNgsS34CByBX2F7ED0W00Abh42g39P18U/TgeMNQJxCj0SDbdhqvF3YooJK2YydMHyDnNNYBjGt+m+5tv+J5woOUIYrw4ddz77Vl0H1kAFkBXyTqkUZm1r2gw0v2TxLtEhAvP7ayiyDCNNmSqdG4QOABU/ve++XrmtUgSmgY=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L2Phd-0008xG-CJ; Tue, 18 Nov 2008 15:29:09 +0300 Date: Tue, 18 Nov 2008 15:29:08 +0300
From: Eygene Ryabinkin To: Jille Timmermans Message-ID: References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="J5MfuwkIyy7RmF4Q" Content-Disposition: inline In-Reply-To: <4922B371.6070002@quis.cx> Sender: rea-fbsd@codelabs.ru Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 12:29:12 -0000

Jille, good day.

Tue, Nov 18, 2008 at 01:22:09PM +0100, Jille Timmermans wrote:
> I think there is a typo in the vuxml descriptions:
> "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
> (PHP 5.6 doesn't exist (yet))

Yes: it was written in that way at the CVE entry. I had spotted this, but was not sure how to handle this. Perhaps the VuXML entry should really say "PHP 5.2 through 5.2.6" to avoid the reader's confusion.

Thanks for spotting this!
-- 
Eygene

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 12:37:11 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 776F01065677 for ; Tue, 18 Nov 2008 12:37:11 +0000 (UTC) (envelope-from jille@quis.cx) Received: from mulgore.hexon-is.nl (mulgore.hexon-is.nl [82.94.237.14]) by mx1.freebsd.org (Postfix) with ESMTP id EF9238FC16 for ; Tue, 18 Nov 2008 12:37:10 +0000 (UTC) (envelope-from jille@quis.cx) X-Hexon-MailScanner-Watermark: 1227616621.76386@zMOkMo5tjClH51cgrDzvqg Received: from [10.0.0.72] ([10.15.16.6]) (authenticated bits=0) by mulgore.hexon-is.nl (8.14.1/8.13.8) with ESMTP id mAICaxPR021076; Tue, 18 Nov 2008 13:36:59 +0100 Message-ID: <4922B6F9.2000408@quis.cx> Date: Tue, 18 Nov 2008 13:37:13 +0100
From: Jille Timmermans User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Eygene Ryabinkin References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Hexon-MailScanner-Information: Please contact the ISP for more information X-Hexon-MailScanner-ID: mAICaxPR021076 X-Hexon-MailScanner: Found to be clean X-Hexon-MailScanner-From: jille@quis.cx Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 12:37:11 -0000

Good day to you too,

"PHP 5.2 through 5.2.6" makes the most sense. However, "PHP 5.1 through" or even "PHP 5 through" are also possible.

I don't know much about CVEs; can we provide them feedback for this typo?

I think the best is to wait for the CVE to get fixed and fix it in the vuxml entry afterwards. I think you also had that plan ;)

-- Jille

Eygene Ryabinkin wrote:
> Jille, good day.
>
> Tue, Nov 18, 2008 at 01:22:09PM +0100, Jille Timmermans wrote:
>
>> I think there is a typo in the vuxml descriptions:
>> "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
>> (PHP 5.6 doesn't exist (yet))
>>
>
> Yes: it was written in that way at the CVE entry. I had spotted this,
> but was not sure how to handle this. Perhaps VuXML entry should really
> say "PHP 5.2 through 5.2.6" to avoid reader's confusion.
>
> Thanks for spotting this!

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 12:38:06 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 84CF11065696; Tue, 18 Nov 2008 12:38:06 +0000 (UTC) (envelope-from jille@quis.cx) Received: from mulgore.hexon-is.nl (mulgore.hexon-is.nl [82.94.237.14]) by mx1.freebsd.org (Postfix) with ESMTP id 0DA798FC14; Tue, 18 Nov 2008 12:38:05 +0000 (UTC) (envelope-from jille@quis.cx) X-Hexon-MailScanner-Watermark: 1227615720.55682@BKR8kQ+xH9Fvgki5HuQ5vg Received: from [10.0.0.72] ([10.15.16.6]) (authenticated bits=0) by mulgore.hexon-is.nl (8.14.1/8.13.8) with ESMTP id mAICLt0P019636; Tue, 18 Nov 2008 13:21:56 +0100 Message-ID: <4922B371.6070002@quis.cx> Date: Tue, 18 Nov 2008 13:22:09 +0100
From: Jille Timmermans User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Eygene Ryabinkin References: <20081118103433.38D5817115@shadow.codelabs.ru> In-Reply-To: <20081118103433.38D5817115@shadow.codelabs.ru> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Hexon-MailScanner-Information: Please contact the ISP for more information X-Hexon-MailScanner-ID: mAICLt0P019636 X-Hexon-MailScanner: Found to be clean X-Hexon-MailScanner-From: jille@quis.cx Cc: freebsd-security@freebsd.org, FreeBSD-gnats-submit@freebsd.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 12:38:06 -0000

I think there is a typo in the vuxml descriptions:
"PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
(PHP 5.6 doesn't exist (yet))

-- Jille

Eygene Ryabinkin wrote:
>> Number:         128956
>> Category:       ports
>> Synopsis:       [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
>> Confidential:   no
>> Severity:       serious
>> Priority:       high
>> Responsible:    freebsd-ports-bugs
>> State:          open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class:          sw-bug
>> Submitter-Id:   current-users
>> Arrival-Date:   Tue Nov 18 10:40:00 UTC 2008
>> Closed-Date:
>> Last-Modified:
>> Originator:     Eygene Ryabinkin
>> Release:        FreeBSD 7.1-PRERELEASE amd64
>> Organization:
> Code Labs
>> Environment:
> System: FreeBSD 7.1-PRERELEASE amd64
>> Description:
> There are some vulnerabilities in the stock PHP 5.2.6 that were silently
> fixed in the CVS, but after 5.2.6 was out.
> > >> How-To-Repeat: >> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 > > >> Fix: >> > > The following patches should fix all three issues. I had mildly > tested them in my setups. > --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here --- > diff -urN ./Makefile ../php5/Makefile > --- ./Makefile 2008-11-18 11:49:16.000000000 +0300 > +++ ../php5/Makefile 2008-11-18 11:49:27.000000000 +0300 > @@ -7,7 +7,7 @@ > > PORTNAME= php5 > PORTVERSION= 5.2.6 > -PORTREVISION?= 2 > +PORTREVISION?= 3 > CATEGORIES?= lang devel www > MASTER_SITES= ${MASTER_SITE_PHP} > MASTER_SITE_SUBDIR= distributions > diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659 > --- ./files/patch-CVE-2008-3659 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5/files/patch-CVE-2008-3659 2008-11-18 11:49:55.000000000 +0300 
> @@ -0,0 +1,27 @@ > +Patch for CVE-2008-3659. > + > +Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch > +See also: http://news.php.net/php.cvs/52002 > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 > + > +--- Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11 > ++++ Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12 > +@@ -17,7 +17,7 @@ > + +----------------------------------------------------------------------+ > + */ > + > +-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */ > ++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */ > + > + #ifndef ZEND_OPERATORS_H > + #define ZEND_OPERATORS_H > +@@ -220,6 +220,9 @@ > + char *p = haystack; > + char ne = needle[needle_len-1]; > + > ++ if(needle_len > end-haystack) { > ++ return NULL; > ++ } > + end -= needle_len; > + > + while (p <= end) { > diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660 > --- ./files/patch-CVE-2008-3660 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5/files/patch-CVE-2008-3660 2008-11-18 12:15:23.000000000 +0300 
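Review bot: the new `if(needle_len > end-haystack) { return NULL; }` guard is placed after `char ne = needle[needle_len-1];`, so a zero-length needle still reads needle[-1] before the guard runs; moving the check (or an explicit needle_len == 0 test) above that line would make the function safe on its own instead of relying on every caller to reject an empty delimiter. The guard itself is right: `>` still admits an exact-length match (end becomes haystack and the `while (p <= end)` loop runs once), and it stops `end -= needle_len` from producing an end pointer that lies before haystack.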
> @@ -0,0 +1,82 @@ > +Patch for CVE-2008-3660 > + > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 > +See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987 > +Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6 > + > +--- sapi/cgi/cgi_main.c.orig 2008-04-09 13:16:40.000000000 +0400 > ++++ sapi/cgi/cgi_main.c 2008-11-18 12:08:10.000000000 +0300 > +@@ -765,6 +765,39 @@ > + } > + /* }}} */ > + > ++/* {{{ is_valid_path > ++ * > ++ * some server configurations allow '..' to slip through in the > ++ * translated path. We'll just refuse to handle such a path. > ++ */ > ++static int is_valid_path(const char *path) > ++{ > ++ const char *p; > ++ > ++ if (!path) { > ++ return 0; > ++ } > ++ p = strstr(path, ".."); > ++ if (p) { > ++ if ((p == path || IS_SLASH(*(p-1))) && > ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { > ++ return 0; > ++ } > ++ while (1) { > ++ p = strstr(p+1, ".."); > ++ if (!p) { > ++ break; > ++ } > ++ if (IS_SLASH(*(p-1)) && > ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { > ++ return 0; > ++ } > ++ } > ++ } > ++ return 1; > ++} > ++/* }}} */ > ++ > + /* {{{ init_request_info > + > + initializes request_info structure > +@@ -1061,9 +1094,7 @@ > + if (pt) { > + efree(pt); > + } > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. */ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + } else { > +@@ -1094,9 +1125,7 @@ > + } else { > + SG(request_info).request_uri = env_script_name; > + } > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. 
*/ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + free(real_path); > +@@ -1114,9 +1143,7 @@ > + script_path_translated = env_path_translated; > + } > + #endif > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. */ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + #if ENABLE_PATHINFO_CHECK > --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here --- > > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here --- > diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829 > --- ./files/patch-CVE-2008-2829 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5-imap/files/patch-CVE-2008-2829 2008-11-18 13:20:19.000000000 +0300 
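Review bot: the component test `(p == path || IS_SLASH(*(p-1))) && (*(p+2) == 0 || IS_SLASH(*(p+2)))` in is_valid_path is spelled out twice, once for the first strstr() hit and again inside the `while (1)` loop; a single loop that starts from the first match and uses the `p == path || IS_SLASH(*(p-1))` form for every iteration would remove the duplication, and the `p-1` read stays safe because each later match comes from `strstr(p+1, "..")`. The behavioural change is what the CVE text calls for: the three call sites' `script_path_translated && !strstr(script_path_translated, "..")` test, which also refused names such as foo..php, now rejects only a full `..` path component, and the NULL case is preserved by the `if (!path) { return 0; }` at the top of the helper.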
> @@ -0,0 +1,282 @@ > +Fix for CVE-2008-2829 > + > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch > +Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked > + '-3213,7 +3214,7'. > + > +--- php_imap.c.orig 2008-04-17 15:04:49.000000000 +0400 > ++++ php_imap.c 2008-11-18 13:03:02.000000000 +0300 > +@@ -40,6 +40,7 @@ > + #include "ext/standard/php_string.h" > + #include "ext/standard/info.h" > + #include "ext/standard/file.h" > ++#include "ext/standard/php_smart_str.h" > + > + #ifdef ERROR > + #undef ERROR > +@@ -66,10 +67,11 @@ > + #define SENDBUFLEN 16385 > + #endif > + > ++ > + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); > + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); > +-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); > +-static int _php_imap_address_size(ADDRESS *addresslist); > ++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC); > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC); > + > + /* the gets we use */ > + static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); > +@@ -2109,7 +2111,7 @@ > + { > + zval **mailbox, **host, **personal; > + ADDRESS *addr; > +- char string[MAILTMPLEN]; > ++ char *string; > + > + if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) { > + ZEND_WRONG_PARAM_COUNT(); > +@@ -2137,13 +2139,12 @@ > + addr->error=NIL; > + addr->adl=NIL; > + > +- if (_php_imap_address_size(addr) >= MAILTMPLEN) { > ++ string = _php_rfc822_write_address(addr TSRMLS_CC); > ++ if (string) { > ++ RETVAL_STRING(string, 0); > ++ } else { > + RETURN_FALSE; > + } > +- > +- string[0]='\0'; > +- rfc822_write_address(string, addr); > +- RETVAL_STRING(string, 1); > + } > + /* }}} */ > + > +@@ -2873,7 +2874,7 @@ > + zval **streamind, **sequence, 
**pflags; > + pils *imap_le_struct; > + zval *myoverview; > +- char address[MAILTMPLEN]; > ++ char *address; > + long status, flags=0L; > + int myargc = ZEND_NUM_ARGS(); > + > +@@ -2908,17 +2909,19 @@ > + if (env->subject) { > + add_property_string(myoverview, "subject", env->subject, 1); > + } > +- if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { > ++ if (env->from) { > + env->from->next=NULL; > +- address[0] = '\0'; > +- rfc822_write_address(address, env->from); > +- add_property_string(myoverview, "from", address, 1); > ++ address =_php_rfc822_write_address(env->from TSRMLS_CC); > ++ if (address) { > ++ add_property_string(myoverview, "from", address, 0); > ++ } > + } > +- if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { > ++ if (env->to) { > + env->to->next = NULL; > +- address[0] = '\0'; > +- rfc822_write_address(address, env->to); > +- add_property_string(myoverview, "to", address, 1); > ++ address = _php_rfc822_write_address(env->to TSRMLS_CC); > ++ if (address) { > ++ add_property_string(myoverview, "to", address, 0); > ++ } > + } > + if (env->date) { > + add_property_string(myoverview, "date", env->date, 1); > +@@ -3858,6 +3861,43 @@ > + /* }}} */ > + > + /* Support Functions */ > ++ > ++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST > ++/* {{{ _php_rfc822_soutr > ++ */ > ++static long _php_rfc822_soutr (void *stream, char *string) > ++{ > ++ smart_str *ret = (smart_str*)stream; > ++ int len = strlen(string); > ++ > ++ smart_str_appendl(ret, string, len); > ++ return LONGT; > ++} > ++ > ++/* }}} */ > ++ > ++/* {{{ _php_rfc822_write_address > ++ */ > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) > ++{ > ++ char address[MAILTMPLEN]; > ++ smart_str ret = {0}; > ++ RFC822BUFFER buf; > ++ > ++ buf.beg = address; > ++ buf.cur = buf.beg; > ++ buf.end = buf.beg + sizeof(address) - 1; > ++ buf.s = &ret; > ++ buf.f = _php_rfc822_soutr; > ++ rfc822_output_address_list(&buf, addresslist, 0, NULL); > ++ 
rfc822_output_flush(&buf); > ++ smart_str_0(&ret); > ++ return ret.c; > ++} > ++/* }}} */ > ++ > ++#else > ++ > + /* {{{ _php_imap_get_address_size > + */ > + static int _php_imap_address_size (ADDRESS *addresslist) > +@@ -3887,26 +3927,33 @@ > + > + /* }}} */ > + > ++/* {{{ _php_rfc822_write_address > ++ */ > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) > ++{ > ++ char address[SENDBUFLEN]; > + > ++ if (_php_imap_address_size(addresslist) >= SENDBUFLEN) { > ++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow"); > ++ return NULL; > ++ } > ++ address[0] = 0; > ++ rfc822_write_address(address, addresslist); > ++ return estrdup(address); > ++} > ++/* }}} */ > ++#endif > + /* {{{ _php_imap_parse_address > + */ > +-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) > ++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC) > + { > ++ char *fulladdress; > + ADDRESS *addresstmp; > + zval *tmpvals; > +- char *tmpstr; > +- int len=0; > + > + addresstmp = addresslist; > + > +- if ((len = _php_imap_address_size(addresstmp))) { > +- tmpstr = (char *) pemalloc(len + 1, 1); > +- tmpstr[0] = '\0'; > +- rfc822_write_address(tmpstr, addresstmp); > +- *fulladdress = tmpstr; > +- } else { > +- *fulladdress = NULL; > +- } > ++ fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC); > + > + addresstmp = addresslist; > + do { > +@@ -3918,6 +3965,7 @@ > + if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1); > + add_next_index_object(paddress, tmpvals TSRMLS_CC); > + } while ((addresstmp = addresstmp->next)); > ++ return fulladdress; > + } > + /* }}} */ > + > +@@ -3944,10 +3992,9 @@ > + if (en->to) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC); > + if (fulladdress) { > +- 
add_property_string(myzvalue, "toaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "toaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "to", paddress TSRMLS_CC); > + } > +@@ -3955,10 +4002,9 @@ > + if (en->from) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "fromaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "fromaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "from", paddress TSRMLS_CC); > + } > +@@ -3966,10 +4012,9 @@ > + if (en->cc) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "ccaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "ccaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC); > + } > +@@ -3977,10 +4022,9 @@ > + if (en->bcc) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "bccaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "bccaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC); > + } > +@@ -3988,10 +4032,9 @@ > + if (en->reply_to) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC); > + if (fulladdress) { > +- 
add_property_string(myzvalue, "reply_toaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "reply_toaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC); > + } > +@@ -3999,10 +4042,9 @@ > + if (en->sender) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "senderaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "senderaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC); > + } > +@@ -4010,10 +4052,9 @@ > + if (en->return_path) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "return_pathaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "return_pathaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC); > + } > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here --- > > I assume that they all will go in one shot, so the following VuXML > entries use 5.2.6_3 as the first version where issues were fixed. > --- cve-2008-2829.xml begins here --- > > PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension > > > php5-imap > 5.2.6_3 > > > > >
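Review bot: the "Notes:" line in the patch header says "reapplied to php-5.6.2" where the port version in the Makefile hunk is 5.2.6; since the file records provenance, fix that before commit. In the `#else` fallback of `_php_rfc822_write_address`, `php_error_docref(..., E_ERROR, "Address buffer overflow")` is fatal, so the `return NULL` right after it is never reached and the NULL handling the callers gained (`if (string)`, `if (address)`, `if (fulladdress)`) only ever triggers on the `HAVE_RFC822_OUTPUT_ADDRESS_LIST` path; if a recoverable failure is intended for the fallback, E_WARNING is the level that makes the NULL return meaningful. Ownership is consistent across the patch: both branches hand back emalloc'd memory (the smart_str buffer or estrdup()), every consumer now passes duplicate=0 to add_property_string()/RETVAL_STRING(), and the old `free(fulladdress)` calls are correctly dropped along with the pemalloc() in `_php_imap_parse_address`.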

> Entry for CVE-2008-2829 says:
>
> php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses
> obsolete API calls that allow context-dependent attackers to
> cause a denial of service (crash) and possibly execute arbitrary
> code via a long IMAP request, which triggers an "rfc822.c legacy
> routine buffer overflow" error message.
>
> CVE-2008-2829
> http://bugs.php.net/bug.php?id=42862
> http://bugs.php.net/bug.php?id=40925
> http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260
>
> 2008-06-19
> --- cve-2008-2829.xml ends here ---
>
> --- cve-2008-3659.xml begins here ---
>
> PHP 5.x -- buffer overflow in the memnstr()
>
> php5
> 5.2.6_3
>
> Entry for CVE-2008-3659 says:
>
> Buffer overflow in the memnstr function in PHP 4.4.x before
> 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent
> attackers to cause a denial of service (crash) and possibly
> execute arbitrary code via the delimiter argument to the explode
> function.
>
> NOTE: the scope of this issue is limited since most
> applications would not use an attacker-controlled delimiter, but
> local attacks against safe_mode are feasible.
>
> CVE-2008-3659
> http://news.php.net/php.cvs/52002
> http://www.openwall.com/lists/oss-security/2008/08/08/2
>
> 2008-08-05
> --- cve-2008-3659.xml ends here ---
>
> --- cve-2008-3660.xml begins here ---
>
> PHP 5.x -- Denial of Service in the FastCGI mode
>
> php5
> 5.2.6_3
>
> Entry for CVE-2008-3660 says:
>
> PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used
> as a FastCGI module, allows remote attackers to cause a denial
> of service (crash) via a request with multiple dots preceding
> the extension, as demonstrated using foo..php.
>
> CVE-2008-3660
> http://news.php.net/php.cvs/51129
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
>
> 2008-07-15
> --- cve-2008-3660.xml ends here ---
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 11:30:13 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 22FE1106564A; Tue, 18 Nov 2008 11:30:13 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id EED308FC13; Tue, 18 Nov 2008 11:30:12 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (edwin@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAIBUC4x015066; Tue, 18 Nov 2008 11:30:12 GMT (envelope-from edwin@freefall.freebsd.org) Received: (from edwin@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAIBUCsE015052; Tue, 18 Nov 2008 11:30:12 GMT (envelope-from edwin) Date: Tue, 18 Nov 2008 11:30:12 GMT Message-Id: <200811181130.mAIBUCsE015052@freefall.freebsd.org> To: freebsd-security@freebsd.org, rafan@freebsd.org, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, rafan@FreeBSD.org From: edwin@FreeBSD.org X-Mailman-Approved-At: Tue, 18 Nov 2008 12:43:43 +0000 Cc: Subject: Re: ports/128958: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 11:30:13 -0000

Synopsis: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter

Responsible-Changed-From-To: freebsd-ports-bugs->rafan
Responsible-Changed-By: edwin
Responsible-Changed-When: Tue Nov 18 11:30:12 UTC 2008
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=128958

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 12:00:30 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B34561065814; Tue, 18 Nov 2008 12:00:30 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 8A5288FC21; Tue, 18 Nov 2008 12:00:30 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (edwin@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAIC0Uw2039441; Tue, 18 Nov 2008 12:00:30 GMT (envelope-from edwin@freefall.freebsd.org) Received: (from edwin@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAIC0UeQ039430; Tue, 18 Nov 2008 12:00:30 GMT (envelope-from edwin) Date: Tue, 18 Nov 2008 12:00:30 GMT Message-Id: <200811181200.mAIC0UeQ039430@freefall.freebsd.org> To: freebsd-security@freebsd.org, ivan.lago@ifom-ieo-campus.it, rea-fbsd@codelabs.ru, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org From: edwin@FreeBSD.org X-Mailman-Approved-At: Tue, 18 Nov 2008 12:43:50 +0000 Cc: Subject: Re: ports/128960: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 12:00:30 -0000

Synopsis: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2

State-Changed-From-To: open->feedback
State-Changed-By: edwin
State-Changed-When: Tue Nov 18 12:00:30 UTC 2008
State-Changed-Why:
Awaiting maintainers feedback (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=128960

From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 14:04:34 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0DE14106564A; Tue, 18 Nov 2008 14:04:34 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 8BAD28FC0C; Tue, 18 Nov 2008 14:04:33 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=ekpbQucpHI+Mb+TnezEcKdk8yVzTiGWvmhxndIZh0H9HMzDAY+QNqN0W43hi86kv5KWNodzZ1wJ9KZBZPq769af/7StHzMxaJiRhXip6kFfgH3kORYgDAEpNwVfmoeYOjlQKKzI50Yra5OdNIXvUBdjH8WXnTqvhzzEVwjHqTFU=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L2RBv-000FnO-3K; Tue, 18 Nov 2008 17:04:31 +0300 Date: Tue, 18 Nov 2008 17:04:29 +0300 From: Eygene Ryabinkin To: Jille Timmermans , cve@mitre.org, coley@mitre.org Message-ID: <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <4922B6F9.2000408@quis.cx> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="7cm2iqirTL37Ot+N" Content-Disposition: inline In-Reply-To: <4922B6F9.2000408@quis.cx> Sender: rea-fbsd@codelabs.ru Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: ,
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 14:04:34 -0000 --7cm2iqirTL37Ot+N Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Steven, CVE-supporters, good day.

Today I submitted FreeBSD's VuXML entry for CVE-2008-3659 and it seems to erroneously talk about "PHP 5.6". Could you please try to follow the discussion and say something about the entry's description text?

Tue, Nov 18, 2008 at 01:37:13PM +0100, Jille Timmermans wrote:
> "PHP 5.2 through 5.2.6" makes the most sense.
> However, "PHP 5.1 through" or even "PHP 5 through" are also possible.

I glanced over PHP's CVS repository: the code in question exists even at the PHP 5.0 branchpoint (source line 128 and below):
http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?revision=1.88&view=markup&pathrev=PHP_5_0

My built-in history tracer tells me the following story:

1. Current code traces back to zend_operators.h, rev 1.72,
http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?view=log#rev1.72

2. The function was moved to ZendEngine2/zend_operators.h from ext/standard/php_string.h, rev 1.74,
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_string.h?view=log#rev1.74

3. Vulnerable code seems to be here since rev 1.40:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_string.h?r1=1.39&r2=1.40&view=patch

So the issue seems to have been here since some 4.0.x or even 3.x.

> I don't know much about CVE's; can we provide them feedback for this typo?
>
> I think the best is to wait for the CVE to get fixed and fix it
> in the vuxml entry afterwards.

Yes, it will be the best thing.

So, gentlemen from the CVE maintainers team, it seems that the entry for CVE-2008-3659 should be fixed by saying "PHP 5 through 5.2.6" -- the bug seems to have existed over the whole lifetime of the 5.x branch.
> I think you also had that plan ;) Sort of ;)) Thanks to everyone! --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook=20 {_.-``-' {_/ # --7cm2iqirTL37Ot+N Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkkiy20ACgkQthUKNsbL7Yi4PwCfQ1n6v3nAn72NdSfacmsViTIN vKMAn120byLkVy96wnH1WxvkYSA30xiv =6RCr -----END PGP SIGNATURE----- --7cm2iqirTL37Ot+N-- From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 15:53:12 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9D0641065672; Tue, 18 Nov 2008 15:53:12 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 45D6A8FC1D; Tue, 18 Nov 2008 15:53:12 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=iE0fWx850M+5KehlgehhVIdz00szcM//T5u4FBEtxKWe5xQn+5pU6Bs4hTERcGGIZFcPkmJse3PJJrIW1f20CQyVRjCXexfAovq/SwvgdWPn5ZHixSaOU4mgLVMggoCTHjLUX8x8p4i8bO6JiPmsY7/cz3GYxIYO+OUSeZw3/nA=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L2St3-000O4B-Lk; Tue, 18 Nov 2008 18:53:09 +0300 Date: Tue, 18 Nov 2008 18:53:07 +0300 From: Eygene Ryabinkin To: "Steven M. 
Christey" Message-ID: References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <4922B6F9.2000408@quis.cx> <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="CxDuMX1Cv2n9FQfo" Content-Disposition: inline In-Reply-To: Sender: rea-fbsd@codelabs.ru Cc: Jille Timmermans , bug-followup@freebsd.org, freebsd-security@freebsd.org, mloveless@mitre.org, cve@mitre.org, coley@mitre.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 15:53:12 -0000 --CxDuMX1Cv2n9FQfo Content-Type: multipart/mixed; boundary="o7gdRJTuwFmWapyH" Content-Disposition: inline --o7gdRJTuwFmWapyH Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Steven, Tue, Nov 18, 2008 at 10:01:20AM -0500, Steven M. Christey wrote: > On Tue, 18 Nov 2008, Eygene Ryabinkin wrote: > It's pretty clear that the description was a typo. It doesn't follow our > typical CVE description style of escalating versions when we list version > ranges. Most likely I introduced this typo in the original description. >=20 > I've internally changed it to "5.x through 5.2.6." This will show up on > the public CVE web site within a day or two. OK, thanks a lot! So, the VuXML entry should be changed accordingly. New content is attached. --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' 
; / # -- FreeBSD Developers handbook {_.-``-' {_/ # --o7gdRJTuwFmWapyH Content-Type: application/xml Content-Disposition: attachment; filename="vuln.xml" Content-Transfer-Encoding: quoted-printable

PHP 5.x -- buffer overflow in the memnstr()
php5
5.2.6_3

Entry for CVE-2008-3659 says:

Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.x through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via the delimiter argument to the explode function.

NOTE: the scope of this issue is limited since most applications would not use an attacker-controlled delimiter, but local attacks against safe_mode are feasible.

CVE-2008-3659
http://news.php.net/php.cvs/52002
http://www.openwall.com/lists/oss-security/2008/08/08/2
2008-08-05
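The entry above describes the bug class only in CVE prose: a delimiter (the needle) longer than the string it is searched in (the haystack). As an added illustration from the editor, not code from Eygene's message, from the PR, or from PHP's own zend_memnstr(), here is a memnstr()-style search written so that this case is rejected before any pointer arithmetic takes place, together with an explode()-like driver that exercises it. The names safe_memnstr, find_offset and demo_explode_count and all sample inputs are constructed; PHP's actual change should be read at the php.cvs/52002 reference listed above.

```c
/*
 * Added example (editor's own, not PHP's zend_memnstr() and not part of the
 * PR): a memnstr()-style search, "find needle_len bytes of needle inside
 * [haystack, end)", written so a needle longer than the haystack is rejected
 * before any pointer arithmetic. The explode() case behind CVE-2008-3659 has
 * exactly this shape: the delimiter is the needle, the string is the haystack,
 * and a delimiter longer than the string is the edge case to get right.
 * safe_memnstr, find_offset and demo_explode_count are constructed names.
 */
#include <stdio.h>
#include <string.h>

/* First occurrence of needle in [haystack, end), or NULL. Never reads
 * outside the haystack for any needle_len. */
static const char *safe_memnstr(const char *haystack, const char *needle,
                                size_t needle_len, const char *end)
{
    if (haystack == NULL || needle == NULL || end < haystack)
        return NULL;
    if (needle_len == 0)
        return haystack;               /* empty needle matches at the start */

    /* The precondition the rest depends on: a needle longer than what is left
     * of the haystack cannot match, and without this check end - needle_len
     * below would point before the buffer (undefined behaviour in C). */
    if (needle_len > (size_t)(end - haystack))
        return NULL;

    const char *last = end - needle_len;   /* last position a full needle fits */
    const char *p = haystack;
    while (p <= last) {
        /* memchr is bounded to candidates at which the needle still fits,
         * so the memcmp below never touches bytes at or past end. */
        p = memchr(p, needle[0], (size_t)(last - p) + 1);
        if (p == NULL)
            return NULL;
        if (memcmp(p, needle, needle_len) == 0)
            return p;
        p++;
    }
    return NULL;
}

/* Offset of needle in the NUL-terminated string s, or -1. */
static long find_offset(const char *s, const char *needle)
{
    const char *hit = safe_memnstr(s, needle, strlen(needle), s + strlen(s));
    return hit ? (long)(hit - s) : -1L;
}

/* How many pieces explode(delim, str) would yield; 0 for the empty delimiter
 * that PHP itself rejects. Each step re-searches the remainder [p, end). */
static size_t demo_explode_count(const char *str, const char *delim)
{
    size_t delim_len = strlen(delim);
    const char *p = str, *end = str + strlen(str);
    size_t pieces = 1;

    if (delim_len == 0)
        return 0;
    for (;;) {
        const char *hit = safe_memnstr(p, delim, delim_len, end);
        if (hit == NULL)
            break;
        pieces++;
        p = hit + delim_len;           /* may equal end: next search returns NULL */
    }
    return pieces;
}

int main(void)
{
    /* Constructed inputs, including the delimiter-longer-than-string case. */
    printf("explode(\",\", \"a,b,c\")            -> %zu pieces\n", demo_explode_count("a,b,c", ","));
    printf("explode(\"::\", \"a::b::\")          -> %zu pieces\n", demo_explode_count("a::b::", "::"));
    printf("explode(\"longer-than-it\", \"ab\") -> %zu piece\n", demo_explode_count("ab", "longer-than-it"));
    printf("find_offset(\"hello world\", \"wor\") -> %ld\n", find_offset("hello world", "wor"));
    return 0;
}
```

The point of the block is the single early check `needle_len > end - haystack`: everything after it can assume `end - needle_len` is a valid pointer into the buffer, and `memchr` is given a count derived from that pointer rather than from the caller's lengths.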
=0A --o7gdRJTuwFmWapyH-- --CxDuMX1Cv2n9FQfo Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkki5OMACgkQthUKNsbL7Yg/ZACfUBOnoCZnhTol7o/R0AiNLbWt fzcAoJCykRyPNoySroKYgW0RGvHsH/B5 =u6kz -----END PGP SIGNATURE----- --CxDuMX1Cv2n9FQfo-- From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 15:55:45 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3BBA31065744; Tue, 18 Nov 2008 15:55:45 +0000 (UTC) (envelope-from coley@linus.mitre.org) Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by mx1.freebsd.org (Postfix) with ESMTP id D56828FC1D; Tue, 18 Nov 2008 15:55:44 +0000 (UTC) (envelope-from coley@linus.mitre.org) Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id mAIF1K2r028407; Tue, 18 Nov 2008 10:01:21 -0500 Received: from linus.mitre.org (linus.mitre.org [129.83.10.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id mAIF1KGx028386; Tue, 18 Nov 2008 10:01:20 -0500 Received: from faron.mitre.org (faron.mitre.org [129.83.10.2]) by linus.mitre.org (8.12.11/8.12.10) with ESMTP id mAIF1KpE026484; Tue, 18 Nov 2008 10:01:20 -0500 (EST) Date: Tue, 18 Nov 2008 10:01:20 -0500 (EST) From: "Steven M. 
Christey" X-X-Sender: coley@faron.mitre.org To: Eygene Ryabinkin In-Reply-To: <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> Message-ID: References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <4922B6F9.2000408@quis.cx> <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Mailman-Approved-At: Tue, 18 Nov 2008 16:05:53 +0000 Cc: Jille Timmermans , bug-followup@freebsd.org, freebsd-security@freebsd.org, mloveless@mitre.org, cve@mitre.org, coley@mitre.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 15:55:45 -0000

On Tue, 18 Nov 2008, Eygene Ryabinkin wrote:
> Steven, CVE-supporters, good day.
>
> Today I submitted FreeBSD's VuXML entry for CVE-2008-3659 and it
> seems to erroneously talk about "PHP 5.6". Could you please try to
> follow the discussion and say something about the entry's description
> text?

It's pretty clear that the description was a typo. It doesn't follow our typical CVE description style of escalating versions when we list version ranges. Most likely I introduced this typo in the original description.

I've internally changed it to "5.x through 5.2.6." This will show up on the public CVE web site within a day or two.

Thank you for informing us!
- Steve From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 16:04:11 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 686871065670; Tue, 18 Nov 2008 16:04:11 +0000 (UTC) (envelope-from rafan@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 408A78FC2B; Tue, 18 Nov 2008 16:04:11 +0000 (UTC) (envelope-from rafan@FreeBSD.org) Received: from freefall.freebsd.org (rafan@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAIG4B0t026427; Tue, 18 Nov 2008 16:04:11 GMT (envelope-from rafan@freefall.freebsd.org) Received: (from rafan@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAIG4B5N026423; Tue, 18 Nov 2008 16:04:11 GMT (envelope-from rafan) Date: Tue, 18 Nov 2008 16:04:11 GMT Message-Id: <200811181604.mAIG4B5N026423@freefall.freebsd.org> To: freebsd-security@freebsd.org, rafan@freebsd.org, rea-fbsd@codelabs.ru, rafan@FreeBSD.org, rafan@FreeBSD.org From: rafan@FreeBSD.org X-Mailman-Approved-At: Tue, 18 Nov 2008 18:14:14 +0000 Cc: Subject: Re: ports/128958: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 16:04:11 -0000 Synopsis: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter State-Changed-From-To: open->closed State-Changed-By: rafan State-Changed-When: Tue Nov 18 16:04:10 UTC 2008 State-Changed-Why: Committed, with minor changes. Thanks! 
http://www.freebsd.org/cgi/query-pr.cgi?pr=128958 From owner-freebsd-security@FreeBSD.ORG Tue Nov 18 19:51:06 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CC76E106564A; Tue, 18 Nov 2008 19:51:06 +0000 (UTC) (envelope-from coley@linus.mitre.org) Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by mx1.freebsd.org (Postfix) with ESMTP id 2EC798FC19; Tue, 18 Nov 2008 19:51:06 +0000 (UTC) (envelope-from coley@linus.mitre.org) Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id mAIJp2cd006793; Tue, 18 Nov 2008 14:51:05 -0500 Received: from linus.mitre.org (linus.mitre.org [129.83.10.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id mAIJp0MO006598; Tue, 18 Nov 2008 14:51:00 -0500 Received: from faron.mitre.org (faron.mitre.org [129.83.10.2]) by linus.mitre.org (8.12.11/8.12.10) with ESMTP id mAIJoxBn006959; Tue, 18 Nov 2008 14:50:59 -0500 (EST) Date: Tue, 18 Nov 2008 14:50:59 -0500 (EST) From: "Steven M. Christey" X-X-Sender: coley@faron.mitre.org To: Eygene Ryabinkin In-Reply-To: Message-ID: References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <4922B6F9.2000408@quis.cx> <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Mailman-Approved-At: Tue, 18 Nov 2008 20:03:26 +0000 Cc: Jille Timmermans , bug-followup@freebsd.org, "Steven M. 
Christey" , freebsd-security@freebsd.org, mloveless@mitre.org, cve@mitre.org, coley@mitre.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 19:51:06 -0000

> So, the VuXML entry should be changed accordingly. New content is
> attached.

Just for my own understanding, did the erroneous CVE description cause any extra work on your part? What if the desc had only said "5.2 through 5.2.6" at first?

I'm asking because I'm trying to understand how people use CVE and what impact our errors might have on others.

Thanks,
Steve

From owner-freebsd-security@FreeBSD.ORG Wed Nov 19 09:13:08 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 343B11065673; Wed, 19 Nov 2008 09:13:08 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id C9FA48FC1B; Wed, 19 Nov 2008 09:13:07 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=JTe3nU3C2lgaQ4J+6zx/9+dM9I21e0mLjgfiYieiRXE5HbYWCckUZBstBdZBYs+kz+fC7hbiOhVaAbGophcloAjJE7zxDrWoWQud4n2Ex+6fJQ8V1wTLW/GYZoBvFUFM0Whrm3VQ2q/CKNwOyP09cx0S6N/3/Iix2I/OwQFBdUI=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L2j7R-000KBw-9n; Wed, 19 Nov 2008 12:13:05 +0300 Date: Wed, 19 Nov 2008 12:13:03 +0300 From: Eygene Ryabinkin To: "Steven M.
Christey" Message-ID: References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <4922B6F9.2000408@quis.cx> <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="CSNFvL6ilyiKL/Hs" Content-Disposition: inline In-Reply-To: Sender: rea-fbsd@codelabs.ru Cc: Jille Timmermans , bug-followup@freebsd.org, freebsd-security@freebsd.org, cve@mitre.org, mloveless@mitre.org, coley@mitre.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2008 09:13:08 -0000 --CSNFvL6ilyiKL/Hs Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Steven,

Tue, Nov 18, 2008 at 02:50:59PM -0500, Steven M. Christey wrote:
> > So, the VuXML entry should be changed accordingly. New content is
> > attached.
>
> Just for my own understanding, did the erroneous CVE description cause any
> extra work on your part?

No "extra" work. I had just copied the description from CVE and forgot to change the erroneous "5.6" to something more sane. Jille was kind enough to point me to this. But it was not clear where in the 5.x line the error was introduced. I crawled through the PHP CVS and found that it was there for the whole 5.x line.

> What if the desc had only said "5.2 through 5.2.6" at first?

I think I would ask myself something like "OK, but what about PHP 5.0 and 5.1? Are they vulnerable?" In principle, I _had_ asked myself about it and had traced the code via the sources back to at least 4.x, so I had written '<=5.2.6_3' as the vulnerable version specification in the VuXML entry. I just forgot to change the description.

> I'm asking because I'm trying to understand how people use CVE and what
> impact our errors might have on others.

It may vary, of course. Typically, I am trying to validate CVE descriptions via some other sources, the most used being vendor changelogs and original advisories. Source code crawling is good too, but it may be unavailable or a bit awkward. I think that generally people tend to trust CVE entries, but checking is always good ;))

-- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ # --CSNFvL6ilyiKL/Hs Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkkj2J8ACgkQthUKNsbL7YgFdgCeL2yT5t85ZDSAOAcN/2gQjj6A jO4An2vGA8iC5XAGiYJaLF0wohi5Rc+z =wsRE -----END PGP SIGNATURE----- --CSNFvL6ilyiKL/Hs-- From owner-freebsd-security@FreeBSD.ORG Wed Nov 19 13:21:01 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 817D1106567F for ; Wed, 19 Nov 2008 13:21:01 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 305AC8FC1C for ; Wed, 19 Nov 2008 13:21:01 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:Content-Disposition:Sender; b=TDYrIGvAAdNfwk0AYkDXcwdJ2ERB4I7kpjWrx/9UDWnvqpjJaOnl3WrIGtAZmKK94R1EWIvBuz9k8y2iWMXOqxg8TwTT/yNTc3MW5J24dyGoizDn8uwc4zClI8Bdes8xzIsNg1K9WLezRgY5J0E5LK+FR3gdoTaN24RaHKXmv60=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 
0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L2mzL-000Gh5-W0; Wed, 19 Nov 2008 16:21:00 +0300 Date: Wed, 19 Nov 2008 16:20:58 +0300 From: Eygene Ryabinkin To: freebsd-security@freebsd.org Message-ID: <6p2tlso0g3Xi5suHfErE3rcPs54@Mr6N54GlMnGhD+RQ1Yhx+24IxLk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ATYltwmfWCpDp8Ax" Content-Disposition: inline Sender: rea-fbsd@codelabs.ru Cc: openssh@openssh.com Subject: Plaintext recovery attack in SSH, discovered by CPNI? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2008 13:21:01 -0000 --ATYltwmfWCpDp8Ax Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Good day.

Just came across the following list in the oss-security list:
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

People are saying that this vulnerability was tested for Debian's ;)) OpenSSH 4.7p1, but they generally believe that any RFC-compliant implementation should have this if CBC mode is used. The advisory says that CTR mode is safe, but I see that at least FreeBSD's OpenSSH (OpenSSH_5.1p1) still uses various ciphers in CBC mode as the preferred ones. Perhaps we should just change the default ciphersuite order?

So, it is interesting what the OpenSSH developers can tell about this: I had seen no words about this at http://openssh.org/security.html or in the release notes, so if you can -- please, comment on this.

Thanks!

-- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.'
; / # -- FreeBSD Developers handbook=20 {_.-``-' {_/ # --ATYltwmfWCpDp8Ax Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkkkEroACgkQthUKNsbL7YiDBACeNdKt8zJg6H3mfwILDZ4nl/du m3UAmgIZct/6dCWakB3FlHhMSMUKDvjL =bmqt -----END PGP SIGNATURE----- --ATYltwmfWCpDp8Ax-- From owner-freebsd-security@FreeBSD.ORG Wed Nov 19 13:23:24 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8CD241065670 for ; Wed, 19 Nov 2008 13:23:24 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 3A44A8FC12 for ; Wed, 19 Nov 2008 13:23:24 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=VqA6t4WpdcMh2giNQrXpT5Nau643+rJVnweJK2iyu6e7xTq7AjEyOuTLXd6Ydh9hFe8cS61kpEwfTVjXXOFB3AXO3IuZFLPvjLReAeW4kz71HJ7lTUMEM+Qb2JDdK3YZM2K1df8DJzonvXtDjRWRimnskE7ovYw5QJgeHVUMwsE=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L2n1f-000HJ6-Ai; Wed, 19 Nov 2008 16:23:23 +0300 Date: Wed, 19 Nov 2008 16:23:22 +0300 From: Eygene Ryabinkin To: freebsd-security@freebsd.org Message-ID: References: <6p2tlso0g3Xi5suHfErE3rcPs54@Mr6N54GlMnGhD+RQ1Yhx+24IxLk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="wl4gXchqb9PBRcq/" Content-Disposition: inline In-Reply-To: <6p2tlso0g3Xi5suHfErE3rcPs54@Mr6N54GlMnGhD+RQ1Yhx+24IxLk> Sender: rea-fbsd@codelabs.ru Cc: openssh@openssh.com Subject: Re: Plaintext recovery attack in SSH, discovered by CPNI? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2008 13:23:24 -0000 --wl4gXchqb9PBRcq/ Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Wed, Nov 19, 2008 at 04:20:58PM +0300, Eygene Ryabinkin wrote: > Just came across the following list in the oss-security list: ^^^^ Err, wanted to say "link" ;)) --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook=20 {_.-``-' {_/ # --wl4gXchqb9PBRcq/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkkkE0oACgkQthUKNsbL7YgCEgCgh3bgpmUog0Inild0n9WELUmR zMMAnRMy5cgEBTpxD20XFCJsbYxj6/ld =Sd+h -----END PGP SIGNATURE----- --wl4gXchqb9PBRcq/-- From owner-freebsd-security@FreeBSD.ORG Wed Nov 19 20:50:02 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6F8CA1065673; Wed, 19 Nov 2008 20:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 4B4908FC0C; Wed, 19 Nov 2008 20:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAJKo2OU055551; Wed, 19 Nov 2008 20:50:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAJKo2AT055550; Wed, 19 
Nov 2008 20:50:02 GMT (envelope-from gnats) Resent-Date: Wed, 19 Nov 2008 20:50:02 GMT Resent-Message-Id: <200811192050.mAJKo2AT055550@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Cc: gnome@freebsd.org, freebsd-security@freebsd.org, pluknet@gmail.com, mezz@freebsd.org Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4C218106564A for ; Wed, 19 Nov 2008 20:41:04 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id E81258FC0A for ; Wed, 19 Nov 2008 20:41:03 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from phoenix.codelabs.ru (ppp85-141-163-250.pppoe.mtu-net.ru [85.141.163.250]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1L2trC-00042M-Km for FreeBSD-gnats-submit@freebsd.org; Wed, 19 Nov 2008 23:41:02 +0300 Message-Id: <20081119204101.5FBD7F181F@phoenix.codelabs.ru> Date: Wed, 19 Nov 2008 23:41:01 +0300 (MSK) From: Eygene Ryabinkin To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 X-GNATS-Notify: gnome@freebsd.org, freebsd-security@freebsd.org, pluknet@gmail.com, mezz@freebsd.org Cc: Subject: ports/128998: [vuxml] document vulnerabilities in textproc/libxml2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Eygene Ryabinkin List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2008 20:50:02 -0000 >Number: 128998 >Category: ports >Synopsis: [vuxml] document vulnerabilities in textproc/libxml2 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug 
>Submitter-Id: current-users >Arrival-Date: Wed Nov 19 20:50:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE i386 >Organization: Code Labs >Environment: System: FreeBSD 7.1-PRERELEASE i386 >Description: The fix for CVE-2008-4225 and CVE-2008-4226 was committed to textproc/libxml2 just an hour ago, but the vulnerabilities seem to have been left undocumented. At least I was not able to find the corresponding PR, and the reporting channels are not clear from the commit comment. >How-To-Repeat: http://secunia.com/Advisories/32773/ http://www.freebsd.org/cgi/cvsweb.cgi/ports/textproc/libxml2/Makefile >Fix: The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- libxml2 -- two integer overflow vulnerabilities libxml2 2.6.32_2

Secunia reports:

Two vulnerabilities have been reported in Libxml2, which can be exploited by malicious people to cause a Denial of Service or to potentially compromise an application using the library.

  1. An integer overflow error in the “xmlSAX2Characters()” function can be exploited to trigger a memory corruption via a specially crafted XML file. Successful exploitation may allow execution of arbitrary code, but requires e.g. that the user is tricked into processing an overly large XML file (2GB or more).
  2. An integer overflow error in the “xmlBufferResize()” function can be exploited to trigger the execution of an infinite loop.
CVE-2008-4225 CVE-2008-4226 http://secunia.com/Advisories/32773/ https://bugzilla.redhat.com/show_bug.cgi?id=470466 https://bugzilla.redhat.com/show_bug.cgi?id=470480 2008-11-07
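The two Secunia items above name the failure modes (a wrapped size in xmlBufferResize() that turns a grow-until-it-fits loop into an infinite loop, and an overflowed length in xmlSAX2Characters() that corrupts memory) without showing the arithmetic. As an added example from the editor, not libxml2's code and not part of the PR, the block below models both with unsigned int sizes: the unchecked doubling loop (with a step cap so it can be run without hanging), the same growth policy with the multiplication guarded, and a small append buffer that guards the "current length + incoming length" addition before the sum is used as a size. All function names, the struct and the sample chunks are constructed.

```c
/*
 * Added example (editor's own, not libxml2 source and not part of the PR):
 * the two integer-overflow shapes the Secunia text describes, modelled with
 * unsigned int sizes.
 *
 *  grow_doubling_unchecked()  "double until it fits": once newsize passes
 *                             UINT_MAX/2 the multiplication wraps to 0 and
 *                             the loop can never satisfy need > 0, so it
 *                             spins forever (the xmlBufferResize() class,
 *                             CVE-2008-4226). A step cap lets us run it.
 *  grow_doubling_checked()    the same policy with the multiplication
 *                             guarded; fails closed instead of looping.
 *  tbuf_append()              guards the len + add addition before the sum
 *                             is used as a size or an index (the
 *                             xmlSAX2Characters() class, CVE-2008-4225).
 *
 * Function names, the struct and the sample chunks are constructed.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked growth. Returns the new capacity, or 0 if `steps` (> 0)
 * iterations were not enough: in real code that case is the infinite loop. */
static unsigned grow_doubling_unchecked(unsigned cur, unsigned need, unsigned steps)
{
    unsigned newsize = cur ? cur * 2 : need + 10;
    while (need > newsize) {
        newsize *= 2;                  /* wraps to 0 once newsize > UINT_MAX/2 */
        if (--steps == 0)
            return 0;                  /* gave up: the loop would not terminate */
    }
    return newsize;
}

/* Checked growth. Returns the new capacity, or 0 if it cannot be represented
 * (0 is never a valid result: every success path yields at least 2). */
static unsigned grow_doubling_checked(unsigned cur, unsigned need)
{
    unsigned newsize;
    if (cur == 0) {
        if (need > UINT_MAX - 10)
            return 0;                  /* need + 10 would wrap */
        newsize = need + 10;
    } else {
        if (cur > UINT_MAX / 2)
            return 0;                  /* cur * 2 would wrap */
        newsize = cur * 2;
    }
    while (need > newsize) {
        if (newsize > UINT_MAX / 2)
            return 0;                  /* doubling would wrap: refuse */
        newsize *= 2;
    }
    return newsize;
}

struct tbuf { char *data; unsigned len, cap; };

/* Append `add` bytes of src, keeping a trailing NUL. Returns false and leaves
 * the buffer untouched if len + add + 1 would wrap or cannot be allocated. */
static bool tbuf_append(struct tbuf *b, const char *src, unsigned add)
{
    if (b->len > UINT_MAX - 1 || add > UINT_MAX - 1 - b->len)
        return false;                  /* len + add + 1 would wrap */
    unsigned need = b->len + add + 1;
    if (need > b->cap) {
        unsigned newcap = grow_doubling_checked(b->cap, need);
        if (newcap == 0)
            return false;
        char *p = realloc(b->data, newcap);
        if (p == NULL)
            return false;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, add);
    b->len += add;
    b->data[b->len] = '\0';
    return true;
}

/* Constructed driver: append a few character chunks, then a declared length
 * that would wrap len + add. Returns the final length, or 0 on any failure. */
static unsigned demo_append_sequence(void)
{
    struct tbuf b = { NULL, 0, 0 };
    const char *chunks[] = { "<p>", "hello, ", "world", "</p>" };
    unsigned len = 0;
    bool ok = true;
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++)
        if (!tbuf_append(&b, chunks[i], (unsigned)strlen(chunks[i]))) { ok = false; break; }
    if (ok) {
        len = b.len;                   /* 3 + 7 + 5 + 4 = 19 */
        /* Hostile length: must be refused before memcpy, len left intact. */
        if (tbuf_append(&b, "x", UINT_MAX - 2) || b.len != len)
            len = 0;
    }
    free(b.data);
    return len;
}

int main(void)
{
    printf("unchecked grow(16, 100)        = %u\n", grow_doubling_unchecked(16, 100, 64));
    printf("unchecked grow(1000, UINT_MAX) = %u (0: loop never terminated)\n",
           grow_doubling_unchecked(1000, UINT_MAX, 64));
    printf("checked grow(1000, UINT_MAX)   = %u (0: refused)\n",
           grow_doubling_checked(1000, UINT_MAX));
    printf("append sequence length         = %u\n", demo_append_sequence());
    return 0;
}
```

The guard form `x > UINT_MAX / 2` before `x *= 2` and `add > UINT_MAX - len` before `len + add` is the general pattern; on a compiler that offers `__builtin_mul_overflow` / `__builtin_add_overflow` those express the same checks without the manual bound.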
--- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted: From owner-freebsd-security@FreeBSD.ORG Wed Nov 19 20:50:17 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E2C0810656D3; Wed, 19 Nov 2008 20:50:17 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id B8A768FC1B; Wed, 19 Nov 2008 20:50:17 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (edwin@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAJKoHG3057553; Wed, 19 Nov 2008 20:50:17 GMT (envelope-from edwin@freefall.freebsd.org) Received: (from edwin@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAJKoHo1057543; Wed, 19 Nov 2008 20:50:17 GMT (envelope-from edwin) Date: Wed, 19 Nov 2008 20:50:17 GMT Message-Id: <200811192050.mAJKoHo1057543@freefall.freebsd.org> To: gnome@freebsd.org, freebsd-security@freebsd.org, pluknet@gmail.com, mezz@freebsd.org, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, gnome@FreeBSD.org 
From: edwin@FreeBSD.org X-Mailman-Approved-At: Wed, 19 Nov 2008 21:05:46 +0000 Cc: Subject: Re: ports/128998: [vuxml] document vulnerabilities in textproc/libxml2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2008 20:50:18 -0000 Synopsis: [vuxml] document vulnerabilities in textproc/libxml2 Responsible-Changed-From-To: freebsd-ports-bugs->gnome Responsible-Changed-By: edwin Responsible-Changed-When: Wed Nov 19 20:50:17 UTC 2008 Responsible-Changed-Why: Over to maintainer (via the GNATS Auto Assign Tool) http://www.freebsd.org/cgi/query-pr.cgi?pr=128998 From owner-freebsd-security@FreeBSD.ORG Wed Nov 19 21:30:14 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AB8FA1065678; Wed, 19 Nov 2008 21:30:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 8873D8FC16; Wed, 19 Nov 2008 21:30:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAJLUE1d085433; Wed, 19 Nov 2008 21:30:14 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAJLUEvP085426; Wed, 19 Nov 2008 21:30:14 GMT (envelope-from gnats) Resent-Date: Wed, 19 Nov 2008 21:30:14 GMT Resent-Message-Id: <200811192130.mAJLUEvP085426@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Cc: ports@freebsd.org, freebsd-security@freebsd.org Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin 
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 64F11106567B for ; Wed, 19 Nov 2008 21:29:43 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 1AD0C8FC0A for ; Wed, 19 Nov 2008 21:29:42 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from phoenix.codelabs.ru (ppp85-141-163-250.pppoe.mtu-net.ru [85.141.163.250]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1L2ucH-0007Ym-6S for FreeBSD-gnats-submit@freebsd.org; Thu, 20 Nov 2008 00:29:41 +0300 Message-Id: <20081119212940.A0D98F181F@phoenix.codelabs.ru> Date: Thu, 20 Nov 2008 00:29:40 +0300 (MSK) 
From: Eygene Ryabinkin To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 X-GNATS-Notify: ports@freebsd.org, freebsd-security@freebsd.org Cc: Subject: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Eygene Ryabinkin List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2008 21:30:14 -0000 >Number: 128999 >Category: ports >Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Nov 19 21:30:14 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE i386 >Organization: Code Labs >Environment: System: FreeBSD 7.1-PRERELEASE i386 >Description: Streamripper 1.64.0 is out and this release fixes security vulnerability discovered by Secunia. >How-To-Repeat: http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196 http://secunia.com/secunia_research/2008-50/ >Fix: The following patch updates the port to 1.64.0. It works for me: MP3 streams are ripped perfectly. --- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff begins here --- diff -urN ./Makefile ../streamripper/Makefile --- ./Makefile 2008-11-19 23:50:33.000000000 +0300 +++ ../streamripper/Makefile 2008-11-19 23:57:00.000000000 +0300 @@ -6,7 +6,7 @@ # PORTNAME= streamripper -PORTVERSION= 1.63.5 +PORTVERSION= 1.64.0 CATEGORIES= audio MASTER_SITES= SF \ http://gd.tuwien.ac.at/hci/cdk/:cdk diff -urN ./distinfo ../streamripper/distinfo --- ./distinfo 2008-11-19 23:50:33.000000000 +0300 +++ ../streamripper/distinfo 2008-11-19 23:57:19.000000000 +0300 
@@ -1,6 +1,6 @@ -MD5 (streamripper-1.63.5.tar.gz) = 73a63383dca00615c3328cf51bf2fa56 -SHA256 (streamripper-1.63.5.tar.gz) = 877aed28880b904383c4e761c0ecb1e046dbe45126e648110c0292991d1e5b93 -SIZE (streamripper-1.63.5.tar.gz) = 1302177 +MD5 (streamripper-1.64.0.tar.gz) = f8754813ddc2bc96c4c3440e25aca8b6 +SHA256 (streamripper-1.64.0.tar.gz) = a53f50d26de3610e59a07eaf81cc9da348aaf7b35bc4a302f2e5f6defb1297ae +SIZE (streamripper-1.64.0.tar.gz) = 839535 MD5 (cdk-5.0-20060507.tgz) = 0ec2460a4484d5f5595d8faca61bc9c5 SHA256 (cdk-5.0-20060507.tgz) = e823bfcce52916727cb23d6d549a64347c45c364b3c628d6a352c407fce8f4b4 SIZE (cdk-5.0-20060507.tgz) = 396514 --- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- streamripper -- user-assisted arbitrary code execution streamripper 1.64.0
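Review bot: please confirm the new distinfo values against the upstream release before committing: the distinfo hunk drops SIZE (streamripper-1.64.0.tar.gz) from 1302177 to 839535 bytes between two consecutive minor releases, which is a large change for a version bump, so the MD5/SHA256 lines should be checked against the tarball published by the project (not only regenerated locally) to make sure the port pins the archive that carries the Secunia fix. The Makefile hunk only bumps PORTVERSION, which is correct since no PORTREVISION line appears in its context that would need resetting.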

Secunia Research has discovered some vulnerabilities in Streamripper, which can be exploited by malicious people to compromise a user's system:

  1. A boundary error exists within http_parse_sc_header() in lib/http.c when parsing an overly long HTTP header starting with “Zwitterion v”.
  2. A boundary error exists within http_get_pls() in lib/http.c when parsing a specially crafted pls playlist containing an overly long entry.
  3. A boundary error exists within http_get_m3u() in lib/http.c when parsing a specially crafted m3u playlist containing an overly long “File” entry.

Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into connecting to a malicious server.

References: CVE-2008-4829
  http://secunia.com/secunia_research/2008-50/
  http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196
Dates: 2008-11-19
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:

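The three boundary errors listed in the streamripper entry above share one shape: a value whose length the remote server controls (an ICY header line, a pls or m3u playlist entry) is copied into a fixed-size buffer without first checking that it fits. The following C program is an added example, not streamripper's code, showing the unbounded copy beside a bounded parser for a pls "FileN=" entry that rejects overlong values instead of overflowing. The buffer size URL_MAX, the function names and the constructed playlist lines are assumptions for illustration; the same length check applies to the "Zwitterion v" header and the m3u "File" entry cases.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination, standing in for a fixed char[] buffer
 * inside a playlist parser.  The size is an illustration, not a value
 * taken from streamripper. */
#define URL_MAX 256

/* Unsafe pattern (kept only for contrast): the text after "FileN=" is
 * copied with no length check, so an entry of URL_MAX or more characters
 * writes past the end of 'out'.  Never call it on untrusted input. */
static int pls_file_entry_unsafe(const char *line, char out[URL_MAX])
{
    const char *eq;

    if (strncmp(line, "File", 4) != 0 || (eq = strchr(line, '=')) == NULL)
        return -1;                      /* not a FileN= entry */
    strcpy(out, eq + 1);                /* unbounded copy */
    return 0;
}

/* Hardened version: measures the value first and refuses anything that
 * would not fit together with the terminating NUL, instead of truncating
 * silently (a truncated URL is a different stream, not a safe one). */
static int pls_file_entry_safe(const char *line, char out[URL_MAX])
{
    const char *eq;
    size_t len;

    if (strncmp(line, "File", 4) != 0 || (eq = strchr(line, '=')) == NULL)
        return -1;                      /* not a FileN= entry */
    eq++;
    len = strcspn(eq, "\r\n");          /* value ends at end of line */
    if (len >= URL_MAX)
        return -2;                      /* overly long entry: reject */
    memcpy(out, eq, len);
    out[len] = '\0';
    return 0;
}

/* Demonstration helper: parse 'line' with the hardened parser and report
 * whether the extracted URL equals 'expected'. */
static int safe_parse_matches(const char *line, const char *expected)
{
    char url[URL_MAX];

    if (pls_file_entry_safe(line, url) != 0)
        return 0;
    return strcmp(url, expected) == 0;
}

/* Demonstration helper: feed the hardened parser a constructed "File1="
 * entry whose value is value_len 'x' characters and return the parser's
 * status (0 accepted, -2 rejected as too long). */
static int probe_safe_parser(size_t value_len)
{
    char line[1024];
    char url[URL_MAX];
    size_t prefix = strlen("File1=");

    if (value_len > sizeof(line) - prefix - 1)
        value_len = sizeof(line) - prefix - 1;
    memcpy(line, "File1=", prefix);
    memset(line + prefix, 'x', value_len);
    line[prefix + value_len] = '\0';
    return pls_file_entry_safe(line, url);
}

int main(void)
{
    char url[URL_MAX];
    /* Constructed sample entry, short enough for both parsers. */
    const char *ok = "File1=http://radio.example.invalid:8000/stream\r\n";

    pls_file_entry_unsafe(ok, url);
    printf("unsafe parser: %s\n", url);
    pls_file_entry_safe(ok, url);
    printf("safe parser:   %s\n", url);
    /* Only the hardened parser survives an overly long entry. */
    printf("900-byte value: status %d\n", probe_safe_parser(900));
    return 0;
}
```

The rejection status lets the caller abort the playlist instead of continuing with a clipped URL, which is the behaviour a defender wants when a server sends an entry that exceeds the fixed limit.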
Message-Id: <20081119215959.9FC17F181F@phoenix.codelabs.ru>
Date: Thu, 20 Nov 2008 00:59:59 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, yds@CoolRat.org, delphij@freebsd.org
Subject: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

>Number: 129000
>Category: ports
>Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 19 22:00:10 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
There were two vulnerabilities in the ACL handling for Dovecot prior to 1.1.4 [1]:
-----
- ACL plugin fixes: Negative rights were actually treated as positive rights.
  'k' right didn't prevent creating parent/child/child mailbox.
  ACL groups weren't working.
-----
[1] http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
>How-To-Repeat:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
>Fix:
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
Topic: dovecot -- two ACL bypassing vulnerabilities
Package: dovecot, versions < 1.1.6

Dovecot 1.1.4 release announcement says:

ACL plugin fixes: Negative rights were actually treated as positive rights. 'k' right didn't prevent creating parent/child/child mailbox. ACL groups weren't working.

References: CVE-2008-4577
  http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
Dates: 2008-10-05
--- vuln.xml ends here ---

I am putting '< 1.1.6' because the FreeBSD ports version line was the following: ... -> 1.1.3 -> 1.1.6.

>Release-Note:
>Audit-Trail:
>Unformatted:

Date: Thu, 20 Nov 2008 01:04:31 +0300
From: Eygene Ryabinkin
To: bug-followup@freebsd.org
Cc: freebsd-security@freebsd.org, tabthorpe@freebsd.org
In-Reply-To: <20081119204101.5FBD7F181F@phoenix.codelabs.ru>
Subject: Re: ports/128998: [vuxml] document vulnerabilities in textproc/libxml2

Wed, Nov 19, 2008 at 11:41:01PM +0300, Eygene Ryabinkin wrote:
> The fix for the CVE-2008-4225 and CVE-2008-4226 was committed to the
> textproc/libxml2 just an hour ago, but vulnerabilities seem to be left
> undocumented. At least I was not able to find the corresponding PR and
> reporting channels are not clear from the commit comment.

The entry was added shortly after this PR by tabthorpe@, so I think that
this PR can be closed now.
-- 
Eygene
"Remember that it is hard to read the on-line manual while single-stepping the kernel." -- FreeBSD Developers handbook

Date: Thu, 20 Nov 2008 00:31:15 +0300
From: pluknet
To: edwin@freebsd.org
Cc: gnome@freebsd.org, freebsd-security@freebsd.org, freebsd-ports-bugs@freebsd.org, mezz@freebsd.org
In-Reply-To: <200811192050.mAJKoHo1057543@freefall.freebsd.org>
Subject: Re: ports/128998: [vuxml] document vulnerabilities in textproc/libxml2

2008/11/19 :
> Synopsis: [vuxml] document vulnerabilities in textproc/libxml2
>
> Responsible-Changed-From-To: freebsd-ports-bugs->gnome
> Responsible-Changed-By: edwin
> Responsible-Changed-When: Wed Nov 19 20:50:17 UTC 2008
> Responsible-Changed-Why:
> Over to maintainer (via the GNATS Auto Assign Tool)
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=128998
>

Committed as r1.1758 and it can be closed.
Date: Wed, 19 Nov 2008 22:00:28 GMT
Message-Id: <200811192200.mAJM0SUi009520@freefall.freebsd.org>
To: freebsd-security@freebsd.org, yds@CoolRat.org, delphij@freebsd.org, rea-fbsd@codelabs.ru, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
From: edwin@FreeBSD.org
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

State-Changed-From-To: open->feedback
State-Changed-By: edwin
State-Changed-When: Wed Nov 19 22:00:27 UTC 2008
State-Changed-Why:
Awaiting maintainers feedback (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=129000

Date: Thu, 20 Nov 2008 02:16:08 +0300
From: Eygene Ryabinkin
To: delphij@FreeBSD.org
Cc: freebsd-security@freebsd.org
In-Reply-To: <200811192237.mAJMbCnZ038587@freefall.freebsd.org>
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

Xin, good day.

Wed, Nov 19, 2008 at 10:37:12PM +0000, delphij@FreeBSD.org wrote:
> Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
>
> State-Changed-From-To: open->closed
> State-Changed-By: delphij
> State-Changed-When: Wed Nov 19 22:36:55 UTC 2008
> State-Changed-Why:
> Committed with some changes, thanks!

Thanks for handling this. But I have a question: what is the general
policy about versions that are to be documented within the 'range'
clauses? You had changed the version specification to '1.1.4', but it has
never been in the FreeBSD ports tree. So, should we specify only
existing port versions, or can we specify vendor-specific versions as
well, provided that the specification will be the same from the point of
view of the port version evolution?

Thanks again!
-- 
Eygene
"Remember that it is hard to read the on-line manual while single-stepping the kernel." -- FreeBSD Developers handbook

Date: Wed, 19 Nov 2008 22:07:37 GMT
Message-Id: <200811192207.mAJM7bqt014472@freefall.freebsd.org>
To: gnome@freebsd.org, freebsd-security@freebsd.org, pluknet@gmail.com, mezz@freebsd.org, rea-fbsd@codelabs.ru, linimon@FreeBSD.org, gnome@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: ports/128998: [vuxml] document vulnerabilities in textproc/libxml2

Synopsis: [vuxml] document vulnerabilities in textproc/libxml2

State-Changed-From-To: open->closed
State-Changed-By: linimon
State-Changed-When: Wed Nov 19 22:07:06 UTC 2008
State-Changed-Why:
Already committed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=128998

Message-ID: <4924A53F.10400@delphij.net>
Date: Wed, 19 Nov 2008 15:46:07 -0800
From: Xin LI
Organization: The FreeBSD Project
To: Eygene Ryabinkin
Cc: freebsd-security@FreeBSD.ORG, delphij@FreeBSD.ORG
Reply-To: d@delphij.net
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578

Eygene Ryabinkin wrote:
> Xin, good day.
>
> Wed, Nov 19, 2008 at 10:37:12PM +0000, delphij@FreeBSD.org wrote:
>> Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
>>
>> State-Changed-From-To: open->closed
>> State-Changed-By: delphij
>> State-Changed-When: Wed Nov 19 22:36:55 UTC 2008
>> State-Changed-Why:
>> Committed with some changes, thanks!
>
> Thanks for handling this. But I have a question: what is the general
> policy about versions that are to be documented within the 'range'
> clauses? You had changed the version specification to '1.1.4', but it has
> never been in the FreeBSD ports tree. So, should we specify only
> existing port versions, or can we specify vendor-specific versions as
> well, provided that the specification will be the same from the point of
> view of the port version evolution?

The '1.1.4' was chosen because the official release notes said so,
and it is the exact minimum version of the port, if it ever got into the
tree.

Personally I think it's a bad idea to cover versions that are known not
to be vulnerable; for instance, the user might be running 1.1.4 or 1.1.5
with their locally patched versions and does not want to upgrade, and
making false positives would actually hurt the credibility of vuxml.

Cheers,
-- 
Xin LI  http://www.delphij.net/
FreeBSD - The Power to Serve!

Message-Id: <20081120003600.6DB2F1AF41B@void.codelabs.ru>
Date: Thu, 20 Nov 2008 03:36:00 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, dinoex@freebsd.org
Subject: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference

>Number: 129001
>Category: ports
>Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 20 00:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
It was discovered [1] that CUPS up to 1.3.9 has a code path that will dereference a NULL pointer, and it is trivially reproducible when a user hits the subscription limit, for example via repeated 'lpr -m ' commands.

[1] http://www.openwall.com/lists/oss-security/2008/11/19/4/ and the rest of the thread.
>How-To-Repeat:
Set 'MaxSubscriptions' in cupsd.conf to some small value and invoke 'lpr -m ' multiple times. You'll see that after some attempt the server will be unreachable due to its crash. The default value of 100 for MaxSubscriptions does not prevent the DoS, because many big files could be fed to the CUPS daemon.
>Fix:
There is no official fix yet -- I had just informed the CUPS developer and posted the simple patch to the oss-security mailing list.
Here is the patch that will introduce checks for the values returned by cupsdAddSubscription() and bump port version: --- 1.3.9-to-1.3.9_1-fix-null-deference.patch begins here --- diff -urN ./Makefile ../cups-base/Makefile --- ./Makefile 2008-11-20 02:48:10.000000000 +0300 +++ ../cups-base/Makefile 2008-11-20 03:07:03.000000000 +0300 @@ -7,6 +7,7 @@ PORTNAME= cups PORTVERSION= 1.3.9 +PORTREVISION= 1 DISTVERSIONSUFFIX= -source CATEGORIES= print MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION} diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/files/patch-fix-subscriptions-null-dereference --- ./files/patch-fix-subscriptions-null-dereference 1970-01-01 03:00:00.000000000 +0300 +++ ../cups-base/files/patch-fix-subscriptions-null-dereference 2008-11-20 03:11:26.000000000 +0300 
@@ -0,0 +1,48 @@ +--- scheduler/subscriptions.c.orig 2008-11-20 02:57:17.000000000 +0300 ++++ scheduler/subscriptions.c 2008-11-20 03:02:06.000000000 +0300 +@@ -728,6 +728,13 @@ + { + sub = cupsdAddSubscription(CUPSD_EVENT_NONE, NULL, NULL, NULL, + atoi(value)); ++ if (!sub) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, ++ "Unable to add new subscription. Was parsing line %d of subscriptions.conf.", ++ linenum); ++ break; ++ } + } + else + { +--- scheduler/ipp.c.orig 2008-11-20 02:55:59.000000000 +0300 ++++ scheduler/ipp.c 2008-11-20 02:56:03.000000000 +0300 +@@ -2121,6 +2121,14 @@ + + sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient, + 0); ++ if (!sub) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, ++ "Failed to create subscription for job %d", job->id); ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("Unable to add new subscription")); ++ return; ++ } + + sub->interval = interval; + +@@ -5591,6 +5599,14 @@ + job = NULL; + + sub = cupsdAddSubscription(mask, printer, job, recipient, 0); ++ if (!sub) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, ++ "Failed to create subscription for job %d", job->id); ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("Unable to add new subscription")); ++ return; ++ } + + if (job) + cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d", --- 1.3.9-to-1.3.9_1-fix-null-deference.patch ends here --- The preliminary VuXML entry follows: --- vuln.xml begins here --- cups -- Denial of Service by authenticated client cups-base 1.3.9_1
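Review bot: the error path added in the scheduler/ipp.c hunk at @@ -5591 logs `"Failed to create subscription for job %d", job->id`, but the context lines around the call show `job = NULL;` directly above `sub = cupsdAddSubscription(mask, printer, job, recipient, 0);` and `if (job)` directly below it, so on the printer-scoped path the new check trades one NULL dereference for another. Guard the id (for example `job ? job->id : 0`) or log the printer instead, and keep `send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ...)` as the client-visible result; the @@ -2121 hunk does not have this problem because `job->dest` is already dereferenced on the same line there.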
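Review bot: in the scheduler/subscriptions.c hunk at @@ -728 the `break` leaves the load loop on the first NULL from cupsdAddSubscription(), so every later entry of subscriptions.conf is dropped, yet the log line only says a subscription could not be added while parsing line %d and reads like a parse error. Since the only failure cause visible in the patch is the subscription cap, stopping is sound, but the message should state that the remaining entries are being skipped, and it is worth confirming that no later line in the file (attributes belonging to the aborted Subscription block) is then applied to a stale `sub`.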

Josh Bressers discovered that the CUPS daemon can be crashed via a trivial NULL-pointer dereference:

The upstream fix could still obviously let a local authenticated user crash the server.

References:
  http://www.openwall.com/lists/oss-security/2008/11/19/4/
Dates: 2008-11-19
--- vuln.xml ends here ---

Please note that this vulnerability was already disclosed on the oss-security mailing list, so there is not much sense in hiding this discussion.

>Release-Note:
>Audit-Trail:
>Unformatted:

Date: Thu, 20 Nov 2008 03:44:01 +0300
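As an added example illustrating ports/129001 above (not CUPS code): a minimal model of a capped subscription table whose add function returns NULL at the cap, the way the PR describes cupsdAddSubscription() behaving once MaxSubscriptions is reached. It shows the unchecked use that crashes the daemon beside the checked version the patch introduces, which logs the failure, reports a specific status to the client and keeps serving. MAX_SUBSCRIPTIONS, the struct and function names and the status values are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stands in for cupsd.conf's MaxSubscriptions; kept small so the cap is
 * reached quickly in the demonstration (assumed value). */
#define MAX_SUBSCRIPTIONS 3

struct subscription {
    int job_id;
    int interval;
};

/* Fixed-capacity table of event subscriptions (illustrative). */
struct sub_table {
    struct subscription subs[MAX_SUBSCRIPTIONS];
    int count;
};

/* Returns the new entry, or NULL once the cap is reached.  A NULL return
 * is a normal, client-triggerable outcome here, not an internal error. */
static struct subscription *add_subscription(struct sub_table *t, int job_id)
{
    if (t->count >= MAX_SUBSCRIPTIONS)
        return NULL;
    t->subs[t->count].job_id = job_id;
    t->subs[t->count].interval = 0;
    return &t->subs[t->count++];
}

/* Status codes handed back to the requesting client (illustrative). */
enum { STATUS_OK = 0, STATUS_TOO_MANY_SUBSCRIPTIONS = 1 };

/* Before the fix: the result is used without a check.  Once the table is
 * full this dereferences NULL and the whole daemon dies, so one client
 * asking for notifications past the cap stops printing for everyone. */
static int handle_job_unsafe(struct sub_table *t, int job_id, int interval)
{
    struct subscription *sub = add_subscription(t, job_id);

    sub->interval = interval;           /* NULL dereference at the cap */
    return STATUS_OK;
}

/* After the fix: the failure is logged and reported with a specific
 * status; the daemon keeps serving everyone else.  The log line uses only
 * the job id passed in, never a pointer that might itself be NULL. */
static int handle_job_safe(struct sub_table *t, int job_id, int interval)
{
    struct subscription *sub = add_subscription(t, job_id);

    if (sub == NULL) {
        fprintf(stderr, "Failed to create subscription for job %d\n", job_id);
        return STATUS_TOO_MANY_SUBSCRIPTIONS;
    }
    sub->interval = interval;
    return STATUS_OK;
}

/* Runs n notification requests against an empty table with the hardened
 * handler and counts accepted and refused ones; none crash the process. */
static void run_simulation(int n, int *accepted, int *refused)
{
    struct sub_table t;
    int i;

    memset(&t, 0, sizeof t);
    *accepted = *refused = 0;
    for (i = 0; i < n; i++) {
        if (handle_job_safe(&t, 100 + i, 30) == STATUS_OK)
            (*accepted)++;
        else
            (*refused)++;
    }
}

static int simulate_accepted(int n) { int a, r; run_simulation(n, &a, &r); return a; }
static int simulate_refused(int n)  { int a, r; run_simulation(n, &a, &r); return r; }

int main(void)
{
    struct sub_table t;

    memset(&t, 0, sizeof t);
    /* Below the cap both handlers behave the same ... */
    handle_job_unsafe(&t, 1, 30);
    printf("unsafe handler below the cap: %d subscription(s)\n", t.count);
    /* ... past it, only the hardened handler returns to the caller. */
    printf("5 requests: %d accepted, %d refused\n",
           simulate_accepted(5), simulate_refused(5));
    return 0;
}
```

The point for a defender is that the cap is a resource limit an ordinary authenticated client can reach on purpose, so the NULL return must be treated as an expected condition with its own error status rather than as something that cannot happen.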
From: Eygene Ryabinkin To: d@delphij.net Message-ID: References: <200811192237.mAJMbCnZ038587@freefall.freebsd.org> <4924A53F.10400@delphij.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="t0UkRYy7tHLRMCai" Content-Disposition: inline In-Reply-To: <4924A53F.10400@delphij.net> Sender: rea-fbsd@codelabs.ru Cc: freebsd-security@FreeBSD.ORG, delphij@FreeBSD.ORG Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Nov 2008 00:44:05 -0000
--t0UkRYy7tHLRMCai Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Xin,

Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
> > Thanks for handling this. But I have a question: what is the general
> > policy about versions that are to be documented within the 'range'
> > clauses? You had changed the version specification to '1.1.4', but it has
> > never been in the FreeBSD ports tree. So, should we specify only
> > existing port versions, or can we specify vendor-specific versions as
> > well, provided that the specification will be the same from the point of
> > view of the port version evolution?
>
> The '1.1.4' was chosen because the official release notes said so,
> and it is the exact minimum version of the port, if it ever got into the
> tree. Personally I think it's a bad idea to cover versions that we
> know not to be vulnerable; for instance, the user might be running
> 1.1.4 or 1.1.5 with their locally patched versions and does not want to
> upgrade, and making false positives would actually hurt the credibility of
> vuxml.

OK, I expected such an answer. But then, what will you say after reading the history of ports/128698: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698

I understand that the mentioned PR is another case and there was no vulnerable version in the official ports tree. But the two PRs are a bit inconsistent in their treatment of the locally patched versions, so I am just curious -- maybe there should be some general understanding about this?

Sorry for being so chatty, but I am just trying to understand the policy and best practices for VuXML.

Thanks!
--
Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #
--t0UkRYy7tHLRMCai Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkkkstEACgkQthUKNsbL7YhvuQCfUHVBnCe0qN0JrQO5yNFHEBvt H3AAoKyO9iAPwFF79gakg/OLNkMAZPw+ =FkyV -----END PGP SIGNATURE----- --t0UkRYy7tHLRMCai--

From owner-freebsd-security@FreeBSD.ORG Thu Nov 20 00:40:17 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E6B5D106564A; Thu, 20 Nov 2008 00:40:17 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id BE1698FC1D; Thu, 20 Nov 2008 00:40:17 +0000 (UTC) (envelope-from edwin@FreeBSD.org) Received: from freefall.freebsd.org (edwin@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAK0eHC9032099; Thu, 20 Nov 2008 00:40:17 GMT (envelope-from edwin@freefall.freebsd.org) Received: (from edwin@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAK0eHxN032089; Thu, 20 Nov 2008 00:40:17 GMT
(envelope-from edwin) Date: Thu, 20 Nov 2008 00:40:17 GMT Message-Id: <200811200040.mAK0eHxN032089@freefall.freebsd.org> To: freebsd-security@freebsd.org, dinoex@freebsd.org, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, dinoex@FreeBSD.org 
From: edwin@FreeBSD.org X-Mailman-Approved-At: Thu, 20 Nov 2008 00:59:36 +0000 Cc: Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Nov 2008 00:40:18 -0000 Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference Responsible-Changed-From-To: freebsd-ports-bugs->dinoex Responsible-Changed-By: edwin Responsible-Changed-When: Thu Nov 20 00:40:17 UTC 2008 Responsible-Changed-Why: Over to maintainer (via the GNATS Auto Assign Tool) http://www.freebsd.org/cgi/query-pr.cgi?pr=129001 From owner-freebsd-security@FreeBSD.ORG Thu Nov 20 05:31:50 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6E1DA106564A; Thu, 20 Nov 2008 05:31:50 +0000 (UTC) (envelope-from miwi@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 472168FC08; Thu, 20 Nov 2008 05:31:50 +0000 (UTC) (envelope-from miwi@FreeBSD.org) Received: from freefall.freebsd.org (miwi@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAK5VomY059613; Thu, 20 Nov 2008 05:31:50 GMT (envelope-from miwi@freefall.freebsd.org) Received: (from miwi@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAK5VoML059609; Thu, 20 Nov 2008 05:31:50 GMT (envelope-from miwi) Date: Thu, 20 Nov 2008 05:31:50 GMT Message-Id: <200811200531.mAK5VoML059609@freefall.freebsd.org> To: ports@freebsd.org, freebsd-security@freebsd.org, miwi@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, miwi@FreeBSD.org 
From: miwi@FreeBSD.org Cc: Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Nov 2008 05:31:50 -0000 Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 Responsible-Changed-From-To: freebsd-ports-bugs->miwi Responsible-Changed-By: miwi Responsible-Changed-When: Thu Nov 20 05:31:49 UTC 2008 Responsible-Changed-Why: I'll take it. http://www.freebsd.org/cgi/query-pr.cgi?pr=128999 From owner-freebsd-security@FreeBSD.ORG Thu Nov 20 08:58:29 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 073471065673; Thu, 20 Nov 2008 08:58:29 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 5DF568FC22; Thu, 20 Nov 2008 08:58:28 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=eqaeNoil7nouZVGMuJl/fTufDt6SU/3MK4M85SNOgfl2DO3l8QjtoodTchk8SeRmU+xI4tna/IjK8fSVItzPS5kTvSskU/uGeE/5+pthNtWZIQ2WQWJFBKwNwNzfj++63bVlwBAUH8tnHDUcchmpKcWO132CNdJ34uI6qnlUzk8=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L35Mo-000EoC-Uq; Thu, 20 Nov 2008 11:58:27 +0300 Date: Thu, 20 Nov 2008 11:58:25 +0300 
From: Eygene Ryabinkin To: FreeBSD-gnats-submit@freebsd.org Message-ID: References: <20081120003600.6DB2F1AF41B@void.codelabs.ru> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf" Content-Disposition: inline In-Reply-To: <20081120003600.6DB2F1AF41B@void.codelabs.ru> Sender: rea-fbsd@codelabs.ru Cc: dinoex@freebsd.org, freebsd-security@freebsd.org Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Nov 2008 08:58:29 -0000
--J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Me again.

Thu, Nov 20, 2008 at 03:36:00AM +0300, Eygene Ryabinkin wrote:
> It was discovered [1] that CUPS up to 1.3.9 has a code path that will
> dereference a NULL pointer and it is trivially reproducible when a user hits
> the subscription limit, for example via repeated commands 'lpr -m
> '.
>
> [1] http://www.openwall.com/lists/oss-security/2008/11/19/4/ and
> the rest of the thread.

Michael Sweet provided a more complete patch [2] that is already in the 1.3.x Subversion repository.

[2] http://www.openwall.com/lists/oss-security/2008/11/20/2

Had tested the patch -- it works too. Attaching the modified port patch and reworked VuXML entry.

--- 1.3.9-to-1.3.9_1-fix-null-deference-upstream.patch begins here ---
diff -urN ./Makefile ../cups-base/Makefile --- ./Makefile 2008-11-20 02:48:10.000000000 +0300 +++ ../cups-base/Makefile 2008-11-20 03:07:03.000000000 +0300
@@ -7,6 +7,7 @@ =20 PORTNAME=3D cups PORTVERSION=3D 1.3.9 +PORTREVISION=3D 1 DISTVERSIONSUFFIX=3D -source CATEGORIES=3D print MASTER_SITES=3D EASYSW/${PORTNAME}/${DISTVERSION} diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/fil= es/patch-fix-subscriptions-null-dereference --- ./files/patch-fix-subscriptions-null-dereference 1970-01-01 03:00:00.00= 0000000 +0300 +++ ../cups-base/files/patch-fix-subscriptions-null-dereference 2008-11-20 = 11:33:59.000000000 +0300 
@@ -0,0 +1,179 @@ +Obtained from: Michael Sweet, via oss-security list, + http://www.openwall.com/lists/oss-security/2008/11/20/2 + +Index: test/run-stp-tests.sh +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/run-stp-tests.sh (revision 8145) ++++ test/run-stp-tests.sh (revision 8146) +@@ -307,6 +307,7 @@ + DocumentRoot $root/doc + RequestRoot /tmp/cups-$user/spool + TempDir /tmp/cups-$user/spool/temp ++MaxSubscriptions 3 + MaxLogSize 0 + AccessLog /tmp/cups-$user/log/access_log + ErrorLog /tmp/cups-$user/log/error_log +Index: test/4.4-subscription-ops.test +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/4.4-subscription-ops.test (revision 8145) ++++ test/4.4-subscription-ops.test (revision 8146) +@@ -116,7 +116,33 @@ + EXPECT notify-events + DISPLAY notify-events + } ++{ ++ # The name of the test... ++ NAME "Check MaxSubscriptions limits" +=20 ++ # The operation to use ++ OPERATION Create-Printer-Subscription ++ RESOURCE / ++ ++ # The attributes to send ++ GROUP operation ++ ATTR charset attributes-charset utf-8 ++ ATTR language attributes-natural-language en ++ ATTR uri printer-uri $method://$hostname:$port/printers/Test1 ++ ++ GROUP subscription ++ ATTR uri notify-recipient-uri testnotify:// ++ ATTR keyword notify-events printer-state-changed ++ ATTR integer notify-lease-duration 5 ++ ++ # What statuses are OK? ++ STATUS client-error-too-many-subscriptions ++ ++ # What attributes do we expect? 
++ EXPECT attributes-charset ++ EXPECT attributes-natural-language ++} ++ + # + # End of "$Id$" + # +Index: scheduler/subscriptions.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/subscriptions.c (revision 8145) ++++ scheduler/subscriptions.c (revision 8146) +@@ -341,9 +341,55 @@ + * Limit the number of subscriptions... + */ +=20 +- if (cupsArrayCount(Subscriptions) >=3D MaxSubscriptions) ++ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >=3D MaxSubsc= riptions) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptions %d", ++ MaxSubscriptions); + return (NULL); ++ } +=20 ++ if (MaxSubscriptionsPerJob > 0 && job) ++ { ++ int count; /* Number of job subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->job =3D=3D job) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerJob) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d " ++ "for job #%d", MaxSubscriptionsPerJob, job->id); ++ return (NULL); ++ } ++ } ++ ++ if (MaxSubscriptionsPerPrinter > 0 && dest) ++ { ++ int count; /* Number of printer subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->dest =3D=3D dest) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerPrinter) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached " ++ "MaxSubscriptionsPerPrinter %d for %s", ++ MaxSubscriptionsPerPrinter, dest->name); ++ return (NULL); ++ } ++ } ++ + /* + * Allocate memory for this subscription... 
+ */ +@@ -758,7 +804,6 @@ + cupsdLogMessage(CUPSD_LOG_ERROR, + "Syntax error on line %d of subscriptions.conf.", + linenum); +- break; + } + else if (!strcasecmp(line, "Events")) + { +Index: scheduler/ipp.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/ipp.c (revision 8145) ++++ scheduler/ipp.c (revision 8146) +@@ -2119,24 +2119,25 @@ + if (mask =3D=3D CUPSD_EVENT_NONE) + mask =3D CUPSD_EVENT_JOB_COMPLETED; +=20 +- sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, rec= ipient, +- 0); ++ if ((sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, ++ recipient, 0)) !=3D NULL) ++ { ++ sub->interval =3D interval; +=20 +- sub->interval =3D interval; ++ cupsdSetString(&sub->owner, job->username); +=20 +- cupsdSetString(&sub->owner, job->username); ++ if (user_data) ++ { ++ sub->user_data_len =3D user_data->values[0].unknown.length; ++ memcpy(sub->user_data, user_data->values[0].unknown.data, ++ sub->user_data_len); ++ } +=20 +- if (user_data) +- { +- sub->user_data_len =3D user_data->values[0].unknown.length; +- memcpy(sub->user_data, user_data->values[0].unknown.data, +- sub->user_data_len); ++ ippAddSeparator(con->response); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, ++ "notify-subscription-id", sub->id); + } +=20 +- ippAddSeparator(con->response); +- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, +- "notify-subscription-id", sub->id); +- + if (attr) + attr =3D attr->next; + } +@@ -5590,7 +5591,12 @@ + else + job =3D NULL; +=20 +- sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0); ++ if ((sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0)) = =3D=3D NULL) ++ { ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("There are too many subscriptions.")); ++ return; ++ } +=20 + if (job) + 
cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d", --- 1.3.9-to-1.3.9_1-fix-null-deference-upstream.patch ends here --- --- vuln.xml begins here --- cups scheduler -- Denial of Service by authorized client cups-base 1.3.9_1
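Review bot: the patch as it appears here is still quoted-printable encoded (`=3D` for `=`, `=20` for a trailing space, and soft line breaks such as `rec= ipient` and `MaxSubsc= riptions`), so it will not apply until the message body is decoded; the files/patch-fix-subscriptions-null-dereference that the Makefile diff adds must carry the decoded text, and the `Index:`/`===` separator lines and the paths relative to the CUPS source root are what the port's patch step gets.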
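Review bot: `MaxSubscriptions > 0 &&` in the subscriptions.c hunk at line 341 changes what MaxSubscriptions 0 means: the old `cupsArrayCount(Subscriptions) >= MaxSubscriptions` was always true for 0 and refused every subscription, the new test treats 0 as unlimited, and the added MaxSubscriptionsPerJob and MaxSubscriptionsPerPrinter checks follow the same zero-means-unlimited rule. Nothing in the diff touches the cupsd.conf documentation; the meaning of 0, and the two per-job and per-printer directives if they are new, should be documented alongside. The per-job and per-printer counts also walk the whole Subscriptions array on every add, which is only cheap while MaxSubscriptions keeps that array small.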
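Review bot: dropping `break;` from the syntax-error branch (the subscriptions.c hunk at line 758) changes cupsd from stopping at the first malformed line of subscriptions.conf to logging it and carrying on; that is a behaviour change separate from the NULL dereference and deserves a sentence in the commit message.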
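Review bot: in the ipp.c hunk at line 2119 a NULL from cupsdAddSubscription() now silently skips that subscription and moves on to the next `attr`, and the client receives neither a notify-subscription-id nor an error, whereas the hunk at line 5590 fails the request with IPP_TOO_MANY_SUBSCRIPTIONS. The difference is defensible (the job still goes through) but deserves a comment in the code, since cupsdAddSubscription() reports the reason only at CUPSD_LOG_DEBUG.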

ChangeLog for CUPS 1.3.10 says:

The scheduler would crash if you exceeded the MaxSubscriptions limit.

References:
  http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
  http://www.openwall.com/lists/oss-security/2008/11/19/4/
Date: 2008-11-19
--- vuln.xml ends here ---
--
Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #
--J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkklJrEACgkQthUKNsbL7YivfwCfW8aGtLdJgzEbABU9n6tg72+o wj4AoIIBOJczQhYJajVsdsCpuHSTcd+u =sN47 -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf--

From owner-freebsd-security@FreeBSD.ORG Thu Nov 20 20:01:32 2008 Return-Path: Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 123411065673; Thu, 20 Nov 2008 20:01:32 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id 6FF158FC14; Thu, 20 Nov 2008 20:01:31 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (tarsier.geekcn.org [211.166.10.233]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.delphij.net (Postfix) with ESMTPS id C03D328448; Fri, 21 Nov 2008 04:01:29 +0800 (CST) Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id 6C844EB2DC2; Fri, 21 Nov 2008 04:01:29 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id Po3l-Inmsvwv; Fri, 21 Nov 2008 04:01:24 +0800 (CST) Received: from charlie.delphij.net (adsl-76-237-33-62.dsl.pltn13.sbcglobal.net [76.237.33.62]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No
client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 1B07AEB2C60; Fri, 21 Nov 2008 04:01:20 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=g3ubjmG7E/VSp04CAvJWAtJKiGvUv3/uek5IY6W1d98WM67MYZRN5WFifurWE/r6U PG3jSpYfa8W10QQXlGKog== Message-ID: <4925C20C.5020107@delphij.net> Date: Thu, 20 Nov 2008 12:01:16 -0800 
From: Xin LI Organization: The FreeBSD Project User-Agent: Thunderbird 2.0.0.17 (X11/20080928) MIME-Version: 1.0 To: Eygene Ryabinkin References: <200811192237.mAJMbCnZ038587@freefall.freebsd.org> <4924A53F.10400@delphij.net> In-Reply-To: X-Enigmail-Version: 0.95.7 OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Stanislav Sedov , delphij@FreeBSD.ORG, Martin Wilke , d@delphij.net, freebsd-security@FreeBSD.ORG Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Nov 2008 20:01:32 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Eygene, Eygene Ryabinkin wrote: > Xin, > > Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote: >>> Thanks for handling this. But I have a question: what is the general >>> policy about versions that are to be documented within the 'range' >>> clauses? You had changed version specification to '1.1.4', but it was >>> never been in the FreeBSD ports tree. So, should we specify only >>> existing port versions or we can specify vendor-specific versions as >>> well, provided that the specification will be the same from the point of >>> view of the port version evolution? >> The '1.1.4' was chosen because that the official release notes said so, >> and it is the exact minimum version of the port, if it ever got into the >> tree. Personally I think it's a bad idea to cover versions that we are >> known not to be vulnerable, for instance, the user might be running >> 1.1.4 or 1.1.5 with their local patched versions and does not want to >> upgrade, making false positives would actually hurt the credibility of >> vuxml. > > OK, I expected such answer. 
> But then, what will you say after reading
> the history of ports/128698:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698
>
> I understand that the mentioned PR is another case and there was no
> vulnerable version in the official ports tree. But the two PRs are a bit
> inconsistent in their treatment of the locally patched versions, so I am
> just curious -- maybe there should be some general understanding about
> this?
>
> Sorry for being so chatty, but I am just trying to understand the policy
> and best practices for VuXML.

OK, I understood what you mean. I have cc'ed miwi@ and stas@; it looks like PR 128698 should be committed and not closed, from my understanding, but that's my personal opinion.

In my opinion, there is nothing wrong with informing our user community about a problem that may affect FreeBSD with third-party software. The concept of "we protect users who use the official FreeBSD tree" is good, but the long freeze/slush time could cause users to derive their own variants of the tree, maybe by applying the patches in the PR (as is usually seen in replies to -ports@) themselves. Moreover, I think it's wrong to close ticket 128698 if no update to 1.1.6 has been committed, because the committers are a large team and this one should have followed the better-safe-than-sorry rule.

Now mail/dovecot has been updated to 1.1.6, and it's true that 1.1.5 and 1.1.4 (affected by 128698) never hit the tree. Because CVE-2008-4577 and CVE-2008-4578 affect only versions < 1.1.4, it's wrong to document it as < 1.1.6. However, if the entry has been amended to cover CVE-2008-4907 as a multiple-vulnerabilities issue for dovecot, then I don't think covering < 1.1.6 would be a wrong thing to do.

Cheers,
--
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkklwf0ACgkQi+vbBBjt66Cf5ACeKxd7Kb8nwctJ5lVA2JoMUXH7 BRsAoLMZ56EQCpZ77u0cbbwVXu5u1NMa =PnV2 -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 00:04:27 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E27311065670; Fri, 21 Nov 2008 00:04:27 +0000 (UTC) (envelope-from coley@linus.mitre.org) Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by mx1.freebsd.org (Postfix) with ESMTP id 7D6FA8FC14; Fri, 21 Nov 2008 00:04:27 +0000 (UTC) (envelope-from coley@linus.mitre.org) Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id mAL04OgQ009450; Thu, 20 Nov 2008 19:04:26 -0500 Received: from linus.mitre.org (rcf-smtp.mitre.org [129.83.10.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id mAL04Lrw009294; Thu, 20 Nov 2008 19:04:21 -0500 Received: from faron.mitre.org (faron.mitre.org [129.83.10.2]) by linus.mitre.org (8.12.11/8.12.10) with ESMTP id mAL04Lhk021766; Thu, 20 Nov 2008 19:04:21 -0500 (EST) Date: Thu, 20 Nov 2008 19:04:21 -0500 (EST) 
From: "Steven M. Christey" X-X-Sender: coley@faron.mitre.org To: Eygene Ryabinkin In-Reply-To: Message-ID: References: <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <4922B6F9.2000408@quis.cx> <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Mailman-Approved-At: Fri, 21 Nov 2008 00:09:00 +0000 Cc: Jille Timmermans , bug-followup@freebsd.org, "Steven M. Christey" , freebsd-security@freebsd.org, cve@mitre.org, mloveless@mitre.org, coley@mitre.org Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Nov 2008 00:04:28 -0000 Thank you for answering, Eygene. - Steve From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 05:50:02 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 602551065670; Fri, 21 Nov 2008 05:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 371378FC18; Fri, 21 Nov 2008 05:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAL5o1qd085687; Fri, 21 Nov 2008 05:50:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAL5o1wM085686; Fri, 21 Nov 2008 05:50:01 GMT (envelope-from gnats) Resent-Date: Fri, 21 Nov 2008 05:50:01 GMT Resent-Message-Id: <200811210550.mAL5o1wM085686@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS 
Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Cc: freebsd-security@freebsd.org, stas@freebsd.org Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7341B1065672 for ; Fri, 21 Nov 2008 05:41:26 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 23E858FC16 for ; Fri, 21 Nov 2008 05:41:26 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1L3Olg-0002qz-Uf for FreeBSD-gnats-submit@freebsd.org; Fri, 21 Nov 2008 08:41:25 +0300 Message-Id: <20081121054124.C219F1AF41B@void.codelabs.ru> Date: Fri, 21 Nov 2008 08:41:24 +0300 (MSK) 
From: Eygene Ryabinkin To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 X-GNATS-Notify: freebsd-security@freebsd.org, stas@freebsd.org Cc: Subject: ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Eygene Ryabinkin List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Nov 2008 05:50:02 -0000 >Number: 129037 >Category: ports >Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Nov 21 05:50:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE i386 >Organization: Code Labs >Environment: System: FreeBSD 7.1-PRERELEASE i386 >Description: Secunia discovered imlib2 vulnerability that can be used to execute arbitrary code within the application that uses this library: ----- The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file. Successful exploitation may allow execution of arbitrary code. ----- >How-To-Repeat: http://secunia.com/Advisories/32796 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187 >Fix: The following patch adds the patch from Debian developers. It is supposed to fix the issue. --- fix-imlib2-1.4.1.000.diff begins here --- diff -urN ./Makefile ../imlib2/Makefile --- ./Makefile 2008-11-20 20:30:31.000000000 +0300 +++ ../imlib2/Makefile 2008-11-21 08:28:40.000000000 +0300 
@@ -7,7 +7,7 @@ PORTNAME= imlib2 PORTVERSION= 1.4.1.000 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.springdaemons.com/pub/snapshots/e17/ \ diff -urN ./files/patch-CVE-2008-5187 ../imlib2/files/patch-CVE-2008-5187 --- ./files/patch-CVE-2008-5187 1970-01-01 03:00:00.000000000 +0300 +++ ../imlib2/files/patch-CVE-2008-5187 2008-11-21 08:24:16.000000000 +0300 @@ -0,0 +1,14 @@ +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15 + +--- src/modules/loaders/loader_xpm.c ++++ src/modules/loaders/loader_xpm.c +@@ -246,8 +246,8 @@ + return 0; + } + ptr = im->data; +- end = ptr + (sizeof(DATA32) * w * h); + pixels = w * h; ++ end = ptr + pixels; + } + else + { --- fix-imlib2-1.4.1.000.diff ends here --- The following VuXML entry should be validated and added: --- vuln.xml begins here --- imlib2 -- XPM processing buffer overflow vulnerability imlib2 imlib2-nox11 1.4.1.000_1,2
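Review bot: the replacement `end = ptr + pixels;` is right because `ptr` is assigned from `im->data` two lines up and is therefore a DATA32 pointer, so element arithmetic already scales by sizeof(DATA32) and the old `ptr + (sizeof(DATA32) * w * h)` placed `end` four times too far past the buffer; the hunk still relies on `pixels = w * h` not overflowing an int and shows no range check on the w and h read from the XPM header, so verify before committing that those are validated earlier in load() (or that the allocation of im->data is computed from the same product).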

Secunia reports:

A vulnerability has been discovered in imlib2, which can be exploited by malicious people to potentially compromise an application using the library.

The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 1.4.2. Other versions may also be affected.

References:
  CVE-2008-5187
  http://secunia.com/Advisories/32796
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15
  http://bugzilla.enlightenment.org/show_bug.cgi?id=547
Date: 2008-11-20
--- vuln.xml ends here ---

I see that the XPM loader is built and installed even for the nox11 version, so I am including it in the vulnerable ports. imlib-1.9.15 seems to be unaffected: it has the code in question, but it does the memory manipulations properly.

>Release-Note: >Audit-Trail: >Unformatted:

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 05:50:50 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 66D251065670 for ; Fri, 21 Nov 2008 05:50:50 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 130BF8FC22 for ; Fri, 21 Nov 2008 05:50:50 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=FVxtaYSagpEuyg87dFe+qRexT/zLtBSN0pgIZzZCHDCbpklgG5I/cFdkmcqFSyrFQ4tf2WVEfJd//X3UusSVwpS2zI4bkOo44dMjKB/dGb0cVxeL0jjoasxNrh3NTiL+E0Sp0hQVsNN9VWA17+0R83e03vSSjIGerUvhsGmGwTA=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L3Oum-0003em-HY; Fri, 21 Nov 2008 08:50:48 +0300 Date: Fri, 21 Nov 2008 08:50:47 +0300
From: Eygene Ryabinkin To: freebsd-security@freebsd.org Message-ID: References: <6p2tlso0g3Xi5suHfErE3rcPs54@Mr6N54GlMnGhD+RQ1Yhx+24IxLk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="o7gdRJTuwFmWapyH" Content-Disposition: inline In-Reply-To: <6p2tlso0g3Xi5suHfErE3rcPs54@Mr6N54GlMnGhD+RQ1Yhx+24IxLk> Sender: rea-fbsd@codelabs.ru Cc: openssh@openssh.com Subject: Re: Plaintext recovery attack in SSH, discovered by CPNI? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Nov 2008 05:50:50 -0000 --o7gdRJTuwFmWapyH Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Me again. Wed, Nov 19, 2008 at 04:20:58PM +0300, Eygene Ryabinkin wrote: > Just came across the following list in the oss-security list: > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt For you interest, CVE was created and it has some interesting links inside (SANS one explains some general trends): http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-5161 It seems that some vendors are moving to the CTR encryption mode as the default one. Does anyone has something to say about this? As I understand, the advisory from CPNI is public, so there is no point to refraining from discuissing this in the open lists. OpenSSH people, I understand that this is not just "two day business", but can you at least drop a mail that you're investigating this? Thanks a lot. --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' 
From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 05:50:18 2008
Date: Fri, 21 Nov 2008 05:50:17 GMT
Message-Id: <200811210550.mAL5oH16087548@freefall.freebsd.org>
To: freebsd-security@freebsd.org, stas@freebsd.org, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, stas@FreeBSD.org
From: edwin@FreeBSD.org
Subject: Re: ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187

Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187

Responsible-Changed-From-To: freebsd-ports-bugs->stas
Responsible-Changed-By: edwin
Responsible-Changed-When: Fri Nov 21 05:50:17 UTC 2008
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=129037

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 11:28:11 2008
Date: Fri, 21 Nov 2008 22:10:32 +1100 (EST)
From: Damien Miller
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org, openssh@openssh.com
Subject: Re: Plaintext recovery attack in SSH, discovered by CPNI?

see http://www.openssh.com/txt/cbc.adv

On Fri, 21 Nov 2008, Eygene Ryabinkin wrote:

> Me again.
>
> Wed, Nov 19, 2008 at 04:20:58PM +0300, Eygene Ryabinkin wrote:
> > Just came across the following list in the oss-security list:
> > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
>
> For you interest, CVE was created and it has some interesting
> links inside (SANS one explains some general trends):
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5161
>
> It seems that some vendors are moving to the CTR encryption mode as the
> default one. Does anyone has something to say about this? As I
> understand, the advisory from CPNI is public, so there is no point to
> refraining from discuissing this in the open lists. OpenSSH people, I
> understand that this is not just "two day business", but can you at
> least drop a mail that you're investigating this?
>
> Thanks a lot.
> --
> Eygene
From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 13:13:48 2008
Date: Fri, 21 Nov 2008 16:13:43 +0300
From: Eygene Ryabinkin
To: Damien Miller
Cc: freebsd-security@freebsd.org, openssh@openssh.com
Subject: Re: Plaintext recovery attack in SSH, discovered by CPNI?

Damien, good day.

Fri, Nov 21, 2008 at 10:10:32PM +1100, Damien Miller wrote:
> see http://www.openssh.com/txt/cbc.adv

Thanks! Is there some secret place that links to this (and other) advisories, or should I just poll http://openssh.org/txt/? ;))
--
Eygene
From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 13:26:32 2008
From: naddy@mips.inka.de (Christian Weisgerber)
Date: Fri, 21 Nov 2008 12:53:34 +0000 (UTC)
To: freebsd-security@freebsd.org
Subject: Re: Plaintext recovery attack in SSH, discovered by CPNI?

Eygene Ryabinkin wrote:

> So, it is interesting what OpenSSH developers can tell about this:
> I had seen no words about this at http://openssh.org/security.html
> and release notes, so if you can -- please, comment on this.

http://www.openssh.com/txt/cbc.adv

--
Christian "naddy" Weisgerber naddy@mips.inka.de

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 13:26:35 2008
Date: Fri, 21 Nov 2008 16:26:31 +0300
From: Eygene Ryabinkin
To: Damien Miller
Cc: freebsd-security@freebsd.org, openssh@openssh.com
Subject: Re: Plaintext recovery attack in SSH, discovered by CPNI?

Damien,

Fri, Nov 21, 2008 at 04:13:43PM +0300, Eygene Ryabinkin wrote:
> Fri, Nov 21, 2008 at 10:10:32PM +1100, Damien Miller wrote:
> > see http://www.openssh.com/txt/cbc.adv
>
> Thanks! Is there some secret place that links to this (and other)
> advisory or I should just poll http://openssh.org/txt/? ;))

I am sorry -- I was not aware that you're in the OpenSSH development team ;)) The question seems to be a bit stupid ;-/ But still, if there are some secret places...
--
Eygene
From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 15:20:02 2008
Resent-Date: Fri, 21 Nov 2008 15:20:01 GMT
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: freebsd-security@freebsd.org, novel@freebsd.org
Message-Id: <20081121151750.A37A11AF41B@void.codelabs.ru>
Date: Fri, 21 Nov 2008 18:17:50 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/129050: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030

>Number: 129050
>Category: ports
>Synopsis: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 21 15:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
There are at least two issues with libcdaudio's CDDB stuff:
http://www.securityfocus.com/bid/12770
http://www.securityfocus.com/bid/32122

-----
Heap-based buffer overflow in the cddb_read_disc_data function in cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute arbitrary code via long CDDB data.

Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.
-----

The latter programming error also lives inside libcdaudio's code.
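Both advisories quoted in the description describe the same defensive failure: records coming back from a CDDB server land in fixed-size storage without the record count, the line length or the record index being checked against that storage. As an added example (not libcdaudio's code and not the port patch in this PR), here is a bounded parser for a CDDBP-style `211` inexact-match response. The cap `MAX_MATCHES`, the 256-byte line buffer, the field widths and the response layout are assumptions made for the example, and the sample response is constructed. Three points carry the lesson: the parser keeps reading until the `.` terminator even after the cap is reached so the connection stays in sync, it rejects a line that does not fit the buffer instead of letting the remainder spill into the next read, and it checks both bounds of an index parsed with `strtol`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes for this example (libcdaudio's own constants are not shown on
 * this page): MAX_MATCHES plays the role of MAX_INEXACT_MATCHES and LINE_BUF
 * matches the 256-byte reads the port's patch keeps. */
#define MAX_MATCHES   16
#define LINE_BUF      256
#define TITLE_LEN     64
#define CATEGORY_LEN  16

struct match {
    char category[CATEGORY_LEN];
    unsigned long discid;
    char title[TITLE_LEN];
};

struct query {
    int count;                      /* matches actually stored */
    int truncated;                  /* server sent more than MAX_MATCHES */
    struct match list[MAX_MATCHES]; /* fixed array: every index into it is checked */
};

/* Copy one line from an in-memory response into buf. Returns 1 for a line,
 * 0 at end of input, -1 when the line does not fit: an overlong line is
 * rejected whole rather than split across two reads. */
static int read_line(const char **cursor, char *buf, size_t buflen)
{
    const char *s = *cursor;
    const char *nl;
    size_t n;

    if (*s == '\0')
        return 0;
    nl = strchr(s, '\n');
    n = nl ? (size_t)(nl - s) : strlen(s);
    if (n >= buflen)
        return -1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    *cursor = nl ? nl + 1 : s + n;
    return 1;
}

/* Parse a CDDBP-style "211" inexact-match response: a status line, one
 * "category discid title" line per match, then a lone "." terminator.
 * Returns the number of matches stored, or -1 on a malformed response.
 * Once MAX_MATCHES entries are stored the remaining lines are still read
 * and discarded, so the terminator is consumed and the stream stays in sync. */
int parse_inexact_matches(const char *response, struct query *q)
{
    char line[LINE_BUF];
    const char *cur = response;
    int rc;

    memset(q, 0, sizeof *q);
    rc = read_line(&cur, line, sizeof line);
    if (rc != 1 || strncmp(line, "211 ", 4) != 0)
        return -1;
    while ((rc = read_line(&cur, line, sizeof line)) == 1) {
        const char *sp1, *sp2;
        size_t clen, ilen;
        char idbuf[32];
        struct match *m;

        if (strcmp(line, ".") == 0)
            return q->count;             /* normal end of list */
        if (q->count >= MAX_MATCHES) {
            q->truncated = 1;            /* cap reached: drain, do not store */
            continue;
        }
        sp1 = strchr(line, ' ');
        sp2 = sp1 ? strchr(sp1 + 1, ' ') : NULL;
        if (sp1 == NULL || sp2 == NULL)
            continue;                    /* malformed entry: skip it */
        clen = (size_t)(sp1 - line);
        ilen = (size_t)(sp2 - sp1 - 1);
        if (clen >= CATEGORY_LEN || ilen >= sizeof idbuf)
            continue;                    /* field too long for its slot */
        m = &q->list[q->count];
        memcpy(m->category, line, clen);
        m->category[clen] = '\0';
        memcpy(idbuf, sp1 + 1, ilen);
        idbuf[ilen] = '\0';
        m->discid = strtoul(idbuf, NULL, 16);
        snprintf(m->title, sizeof m->title, "%s", sp2 + 1); /* truncates, never overflows */
        q->count++;
    }
    return -1;                           /* overlong line or missing terminator */
}

/* An index that arrives on the wire (the "Album<n>" / "Url<n>" pattern in
 * coverart.c) needs both bounds checked: strtol returns negative values, and
 * on garbage it parses nothing, which the end pointer reveals. */
int valid_match_index(const char *digits, int limit)
{
    char *end;
    long n = strtol(digits, &end, 10);

    return end != digits && *end == '\0' && n >= 0 && n < limit;
}

/* Constructed test data: a 211 response with n entries. */
int build_response(int n, char *out, size_t outlen)
{
    size_t used;
    int i, w;

    w = snprintf(out, outlen, "211 Found inexact matches, list follows (until terminating `.')\n");
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    used = (size_t)w;
    for (i = 0; i < n; i++) {
        w = snprintf(out + used, outlen - used, "rock %08x Artist %d / Album %d\n",
                     0xa10b0c0du + (unsigned)i, i, i);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
    }
    if (used + 3 > outlen)
        return -1;
    memcpy(out + used, ".\n", 3);
    return 0;
}
```

Feeding `build_response(20, ...)` through the parser stores 16 entries, sets `truncated`, and still returns normally because the terminator was read; a response with more than 16 matches is exactly the case BID 32122 describes.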
>How-To-Repeat: See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0706 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5030 >Fix: The following patch brings the fixes to the FreeBSD port: --- libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff begins here --- diff -urN ./Makefile ../libcdaudio/Makefile --- ./Makefile 2008-11-21 17:04:39.000000000 +0300 +++ ../libcdaudio/Makefile 2008-11-21 17:04:52.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= libcdaudio PORTVERSION= 0.99.12p2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} diff -urN ./files/patch-CVE-2008-5030.2005-0706 ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 --- ./files/patch-CVE-2008-5030.2005-0706 1970-01-01 03:00:00.000000000 +0300 +++ ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 2008-11-21 17:45:03.000000000 +0300 
@@ -0,0 +1,58 @@ +CVE-2008-5030 fix +================= + +Fix contents: second hunk for src/cddb.c +Obtained from: http://sourceforge.net/tracker/download.php?group_id=27134&atid=389442&file_id=148743&aid=1288043 + + +CVE-2005-0706 fix +================= + +Fix contents: first hunk for src/cddb.c and complete diff for src/coverart.c +Based on: http://sourceforge.net/tracker/download.php?group_id=3714&atid=303714&file_id=124892&aid=1160134 + +--- src/cddb.c.orig 2004-09-09 05:26:39.000000000 +0400 ++++ src/cddb.c 2008-11-21 17:33:50.000000000 +0300 +@@ -1052,7 +1052,8 @@ + } + + query->query_matches = 0; +- while(!cddb_read_line(sock, inbuffer, 256)) { ++ while(query->query_matches < MAX_INEXACT_MATCHES && ++ !cddb_read_line(sock, inbuffer, 256)) { + slashed = 0; + if(strchr(inbuffer, '/') != NULL && parse_disc_artist) { + index = 0; +@@ -1601,7 +1602,7 @@ + return -1; + } + +- if((inbuffer = malloc(256)) == NULL) { ++ if((inbuffer = malloc(512)) == NULL) { + free(root_dir); + free(file); + return -1; +--- src/coverart.c.orig 2008-11-21 17:36:39.000000000 +0300 ++++ src/coverart.c 2008-11-21 17:39:41.000000000 +0300 +@@ -131,7 +131,9 @@ + } + } else if(strncmp(line, "Album", 5) == 0) { + long n = strtol((char *)line + 5, NULL, 10); +- if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { ++ if(n >= MAX_INEXACT_MATCHES) { ++ // Too much data, can't store it ++ } else if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { + strtok(procbuffer, "/"); + strncpy(query->query_list[n].list_artist, procbuffer, + (strlen(procbuffer) < 64) ? 
(strlen(procbuffer) - 1) : 64); +@@ -143,7 +145,9 @@ + } + } else if(strncmp(line, "Url", 3) == 0) { + long n = strtol((char *)line + 3, NULL, 10); +- cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ if (n < MAX_INEXACT_MATCHES) { ++ cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ } + } + + return; --- libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff ends here --- The fix for CVE-2005-0706 was based on the Grip's original fix [1], but I had found that the same programming error exists in the coverart.c. Now I am trying to investigate if this error is known (with the Mandriva security officer, since I had initially found this issue via reading MDVSA-2008:233 [2]). Still, issue in coverart.c seem to be of a same kind as the cddb.c's one. [1] http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714 [2] http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:233 The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- libcdaudio -- remote buffer overflow and code execution libcdaudio 0.99.12p2_2
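Review bot: in the src/cddb.c hunk at @@ -1052, the new condition `while(query->query_matches < MAX_INEXACT_MATCHES && !cddb_read_line(sock, inbuffer, 256))` stops reading as soon as the cap is reached, so any further match lines the server sends stay unread on `sock` and will be seen by whatever reads that socket next; consider keeping the read loop running to the end of the response and only skipping the store once `query_matches` hits the limit. A one-line comment on the condition would also make clear to the next reader that it is a bound, not a protocol change.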
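Review bot: the `malloc(256)` to `malloc(512)` change in the src/cddb.c hunk at @@ -1601 only raises the threshold unless every read and copy into `inbuffer` is bounded by the new size; the @@ -1052 hunk in the same file still passes the literal 256 to `cddb_read_line`, so please confirm the copies in cddb_read_disc_data (the function CVE-2005-0706 names) are limited by the allocation, ideally through a single named constant rather than literals that can drift apart. A sentence in the patch header saying which copy overflowed would make the choice of 512 reviewable.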
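Review bot: both src/coverart.c hunks (@@ -131 and @@ -143) guard `query->query_list[n]` only against `n >= MAX_INEXACT_MATCHES`, but `n` comes from `strtol((char *)line + 5, NULL, 10)` with the end pointer discarded, so it can be negative and still pass, indexing before the start of the array; add `n < 0 ||` to the first check and `n >= 0 &&` to the second, or validate once with an end-pointer check and reuse the result in both places. The empty `if` body holding only `// Too much data, can't store it` also reads as an accident; inverting the condition so the guard wraps the existing code is clearer.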

SecurityFocus vulnerability database says:

The 'libcdaudio' library is prone to a remote heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions.

This issue affects libcdaudio 0.99.12p2; other versions may also be affected.

A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches.

To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run.

The same code as for the Grip vulnerability was found in the libcdaudio library, so it is affected by the similar issues.

CVE-2008-5030
CVE-2005-0706
BID 32122
BID 12770
http://sourceforge.net/tracker/index.php?func=detail&aid=1288043&group_id=27134&atid=389442
http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714
2008-11-05
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 15:20:17 2008
Date: Fri, 21 Nov 2008 15:20:17 GMT
Message-Id: <200811211520.mALFKHWq037161@freefall.freebsd.org>
To: freebsd-security@freebsd.org, novel@freebsd.org, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, novel@FreeBSD.org
From: edwin@FreeBSD.org
Subject: Re: ports/129050: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030

Synopsis: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030

Responsible-Changed-From-To: freebsd-ports-bugs->novel
Responsible-Changed-By: edwin
Responsible-Changed-When: Fri Nov 21 15:20:17 UTC 2008
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=129050

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 18:46:13 2008
Date: Fri, 21 Nov 2008 19:46:12 +0100 (CET)
Message-Id: <200811211846.mALIkCQK092821@freefall.freebsd.org>
To: freebsd-security@freebsd.org, dinoex@freebsd.org, rea-fbsd@codelabs.ru, dinoex@FreeBSD.org, dinoex@FreeBSD.org
From: dinoex@FreeBSD.org
Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference

Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference

State-Changed-From-To: open->feedback
State-Changed-By: dinoex
State-Changed-When: Fri Nov 21 19:45:23 CET 2008
State-Changed-Why:

The patch does not apply.

patch <1
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -urN ./Makefile ../cups-base/Makefile
|--- ./Makefile 2008-11-20 02:48:10.000000000 +0300
|+++ ../cups-base/Makefile 2008-11-20 03:07:03.000000000 +0300
--------------------------
Patching file ./Makefile using Plan A...
Hunk #1 failed at 7.
1 out of 1 hunks failed--saving rejects to ./Makefile.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/fil=
|es/patch-fix-subscriptions-null-dereference
|--- ./files/patch-fix-subscriptions-null-dereference 1970-01-01 03:00:00.00=
|0000000 +0300
|+++ ../cups-base/files/patch-fix-subscriptions-null-dereference 2008-11-20 =
|11:33:59.000000000 +0300
--------------------------
(Creating file ./files/patch-fix-subscriptions-null-dereference...)
Patching file ./files/patch-fix-subscriptions-null-dereference using Plan A...
patch: **** malformed patch at line 24: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
dm@home3:/usr/ports/current/cups-base$ ls -tlr
total 430

http://www.freebsd.org/cgi/query-pr.cgi?pr=129001

From owner-freebsd-security@FreeBSD.ORG Sat Nov 22 07:18:03 2008
Date: Sat, 22 Nov 2008 10:17:59 +0300
From: Eygene Ryabinkin
To: dinoex@FreeBSD.org
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
In-Reply-To: <200811211846.mALIkCQK092821@freefall.freebsd.org>
Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference

Dirk, good day.

Fri, Nov 21, 2008 at 07:46:12PM +0100, dinoex@FreeBSD.org wrote:
> Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
>
> State-Changed-From-To: open->feedback
> State-Changed-By: dinoex
> State-Changed-When: Fri Nov 21 19:45:23 CET 2008
> State-Changed-Why:
>
> The patch do not apply.
[...]
> (Creating file ./files/patch-fix-subscriptions-null-dereference...)
> Patching file ./files/patch-fix-subscriptions-null-dereference using Plan A...
> patch: **** malformed patch at line 24: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=

Yeah, I think that you ran into an issue with query-pr.cgi and the line continuations of quoted-printable encoding. I have www/127898, but it seems to be incomplete in respect to the attachments. Will try to extend the patch and post a followup to the mentioned PR.
The patch for CUPS is attached, hope it will be delivered in the unbroken form now. Sorry for confusion. --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook=20 {_.-``-' {_/ # --jI8keyz6grp/JLjh Content-Type: text/x-diff; charset=koi8-r Content-Disposition: attachment; filename="1.3.9-to-1.3.9_1-fix-null-deference-upstream.diff" Content-Transfer-Encoding: quoted-printable diff -urN ./Makefile ../cups-base/Makefile --- ./Makefile 2008-11-20 02:48:10.000000000 +0300 +++ ../cups-base/Makefile 2008-11-20 03:07:03.000000000 +0300 @@ -7,6 +7,7 @@ =20 PORTNAME=3D cups PORTVERSION=3D 1.3.9 +PORTREVISION=3D 1 DISTVERSIONSUFFIX=3D -source CATEGORIES=3D print MASTER_SITES=3D EASYSW/${PORTNAME}/${DISTVERSION} diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/fil= es/patch-fix-subscriptions-null-dereference --- ./files/patch-fix-subscriptions-null-dereference 1970-01-01 03:00:00.00= 0000000 +0300 +++ ../cups-base/files/patch-fix-subscriptions-null-dereference 2008-11-20 = 11:33:59.000000000 +0300 
@@ -0,0 +1,179 @@ +Obtained from: Michael Sweet, via oss-security list, + http://www.openwall.com/lists/oss-security/2008/11/20/2 + +Index: test/run-stp-tests.sh +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/run-stp-tests.sh (revision 8145) ++++ test/run-stp-tests.sh (revision 8146) +@@ -307,6 +307,7 @@ + DocumentRoot $root/doc + RequestRoot /tmp/cups-$user/spool + TempDir /tmp/cups-$user/spool/temp ++MaxSubscriptions 3 + MaxLogSize 0 + AccessLog /tmp/cups-$user/log/access_log + ErrorLog /tmp/cups-$user/log/error_log +Index: test/4.4-subscription-ops.test +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/4.4-subscription-ops.test (revision 8145) ++++ test/4.4-subscription-ops.test (revision 8146) +@@ -116,7 +116,33 @@ + EXPECT notify-events + DISPLAY notify-events + } ++{ ++ # The name of the test... ++ NAME "Check MaxSubscriptions limits" +=20 ++ # The operation to use ++ OPERATION Create-Printer-Subscription ++ RESOURCE / ++ ++ # The attributes to send ++ GROUP operation ++ ATTR charset attributes-charset utf-8 ++ ATTR language attributes-natural-language en ++ ATTR uri printer-uri $method://$hostname:$port/printers/Test1 ++ ++ GROUP subscription ++ ATTR uri notify-recipient-uri testnotify:// ++ ATTR keyword notify-events printer-state-changed ++ ATTR integer notify-lease-duration 5 ++ ++ # What statuses are OK? ++ STATUS client-error-too-many-subscriptions ++ ++ # What attributes do we expect? 
++ EXPECT attributes-charset ++ EXPECT attributes-natural-language ++} ++ + # + # End of "$Id$" + # +Index: scheduler/subscriptions.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/subscriptions.c (revision 8145) ++++ scheduler/subscriptions.c (revision 8146) +@@ -341,9 +341,55 @@ + * Limit the number of subscriptions... + */ +=20 +- if (cupsArrayCount(Subscriptions) >=3D MaxSubscriptions) ++ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >=3D MaxSubsc= riptions) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptions %d", ++ MaxSubscriptions); + return (NULL); ++ } +=20 ++ if (MaxSubscriptionsPerJob > 0 && job) ++ { ++ int count; /* Number of job subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->job =3D=3D job) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerJob) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d " ++ "for job #%d", MaxSubscriptionsPerJob, job->id); ++ return (NULL); ++ } ++ } ++ ++ if (MaxSubscriptionsPerPrinter > 0 && dest) ++ { ++ int count; /* Number of printer subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->dest =3D=3D dest) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerPrinter) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached " ++ "MaxSubscriptionsPerPrinter %d for %s", ++ MaxSubscriptionsPerPrinter, dest->name); ++ return (NULL); ++ } ++ } ++ + /* + * Allocate memory for this subscription... 
+ */ +@@ -758,7 +804,6 @@ + cupsdLogMessage(CUPSD_LOG_ERROR, + "Syntax error on line %d of subscriptions.conf.", + linenum); +- break; + } + else if (!strcasecmp(line, "Events")) + { +Index: scheduler/ipp.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/ipp.c (revision 8145) ++++ scheduler/ipp.c (revision 8146) +@@ -2119,24 +2119,25 @@ + if (mask =3D=3D CUPSD_EVENT_NONE) + mask =3D CUPSD_EVENT_JOB_COMPLETED; +=20 +- sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, rec= ipient, +- 0); ++ if ((sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, ++ recipient, 0)) !=3D NULL) ++ { ++ sub->interval =3D interval; +=20 +- sub->interval =3D interval; ++ cupsdSetString(&sub->owner, job->username); +=20 +- cupsdSetString(&sub->owner, job->username); ++ if (user_data) ++ { ++ sub->user_data_len =3D user_data->values[0].unknown.length; ++ memcpy(sub->user_data, user_data->values[0].unknown.data, ++ sub->user_data_len); ++ } +=20 +- if (user_data) +- { +- sub->user_data_len =3D user_data->values[0].unknown.length; +- memcpy(sub->user_data, user_data->values[0].unknown.data, +- sub->user_data_len); ++ ippAddSeparator(con->response); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, ++ "notify-subscription-id", sub->id); + } +=20 +- ippAddSeparator(con->response); +- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, +- "notify-subscription-id", sub->id); +- + if (attr) + attr =3D attr->next; + } +@@ -5590,7 +5591,12 @@ + else + job =3D NULL; +=20 +- sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0); ++ if ((sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0)) = =3D=3D NULL) ++ { ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("There are too many subscriptions.")); ++ return; ++ } +=20 + if (job) + 
cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
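Review bot: the guard `MaxSubscriptions > 0 &&` added in the scheduler/subscriptions.c hunk at @@ -341,9 +341,55 @@ changes the meaning of `MaxSubscriptions 0` from "reject every subscription" to "no limit", and the new MaxSubscriptionsPerJob and MaxSubscriptionsPerPrinter checks follow the same convention, but nothing in the patch or its "Obtained from:" header says so; a sentence in the port's commit log or pkg-message stating that 0 now means unlimited would save operators a surprise. The two counting loops over the Subscriptions array in that hunk are identical apart from the field compared (`temp->job` versus `temp->dest`); a small helper taking the pointer to match would remove the duplication.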
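Review bot: in the scheduler/ipp.c hunk at @@ -2119,24 +2119,25 @@ a NULL return from cupsdAddSubscription() is now skipped silently: the job proceeds, no notify-subscription-id is added to the response and nothing is logged at that call site, whereas the create_subscription hunk at @@ -5590,7 +5591,12 @@ answers the client with IPP_TOO_MANY_SUBSCRIPTIONS. Not failing the job is the right call, but a cupsdLogMessage() at CUPSD_LOG_INFO or higher here would make the dropped subscription visible, since the CUPSD_LOG_DEBUG messages inside cupsdAddSubscription() are not shown at the default LogLevel.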
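Review bot: the removed `break;` in the scheduler/subscriptions.c hunk at @@ -758,7 +804,6 @@ makes the subscriptions.conf loader keep parsing after it logs "Syntax error on line %d of subscriptions.conf." instead of stopping at the first bad line; that is a behaviour change unrelated to the NULL dereference the port patch is named after, so it deserves a line in the patch header explaining that it is part of upstream r8146 and intended, otherwise the next person rebasing the port patch may drop it as accidental.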
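Review bot: the new "Check MaxSubscriptions limits" test added to test/4.4-subscription-ops.test at @@ -116,7 +116,33 @@ expects client-error-too-many-subscriptions, which it only gets because run-stp-tests.sh now writes `MaxSubscriptions 3` and the subscriptions created by the earlier tests in the same file are still present when it runs; a comment in the test stating that ordering dependency would stop a later reshuffle of the file from turning this into a spurious successful-ok.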
From: Eygene Ryabinkin
Message-Id: <20081122200136.432B3F181F@phoenix.codelabs.ru>
Date: Sat, 22 Nov 2008 23:01:36 +0300 (MSK)
Cc: freebsd-security@freebsd.org
Subject: [vuxml] graphics/optipng: document CVE-2008-5101

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] graphics/optipng: document CVE-2008-5101
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
A buffer overflow in the OptiPNG BMP file handling was discovered. The code in question exists even in 0.5.4, so, while it is questionable whether such an old version can be attacked with the original exploit, I think that 0.5.4 has this vulnerability too. I have no direct evidence, though.
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5101
http://secunia.com/advisories/32651
>Fix:
The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
optipng -- arbitrary code execution via crafted BMP image
optipng 1.6.2

Secunia reports:

A vulnerability has been reported in OptiPNG, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the BMP reader and can be exploited to cause a buffer overflow by tricking a user into processing a specially crafted file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 0.6.2.

References:
CVE-2008-5101
http://secunia.com/advisories/32651
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505399
http://optipng.sourceforge.net/

2008-11-11
--- vuln.xml ends here ---

Please note that there is PR ports/128877 that updates the port to 0.6.2, and this version isn't vulnerable. I feel that the PR severity can be raised due to the found vulnerability.

Date: Sat, 22 Nov 2008 22:50:28 GMT
Message-Id: <200811222250.mAMMoSA0000296@freefall.freebsd.org>
To: freebsd-security@freebsd.org, ale@freebsd.org, miwi@FreeBSD.org, miwi@FreeBSD.org, ale@FreeBSD.org
From: miwi@FreeBSD.org
Subject: Re: ports/128956: [patch] [vuxml] lang/php5 - multiple vulnerabilities in PHP 5.2.6

Synopsis: [patch] [vuxml] lang/php5 - multiple vulnerabilities in PHP 5.2.6

Responsible-Changed-From-To: miwi->ale
Responsible-Changed-By: miwi
Responsible-Changed-When: Sat Nov 22 22:49:56 UTC 2008
Responsible-Changed-Why:
Over to maintainer; please let me know when you commit these patches, and I will prepare a vuxml entry.

- Martin

http://www.freebsd.org/cgi/query-pr.cgi?pr=128956
From: Eygene Ryabinkin
Message-Id: <20081122231819.50846F181F@phoenix.codelabs.ru>
Date: Sun, 23 Nov 2008 02:18:19 +0300 (MSK)
Cc: freebsd-security@freebsd.org
Subject: [patch] [vuxml] net/wireshark: fix DoS in SMTP dissector

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [patch] [vuxml] net/wireshark: fix DoS in SMTP dissector
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Today a DoS possibility for Wireshark was disclosed via the BugTraq list:
http://www.securityfocus.com/archive/1/498562/30/0/threaded

The vendor acknowledged the existence of this issue and has already patched it in the Subversion repository:
-----
http://wiki.wireshark.org/Development/Roadmap

Complete:
 * Rev 24989 & Rev 24994 - Support for RFC 2920 SMTP Command Pipelining, which also happens to fix a DoS found by researchers at Bkis
-----
>How-To-Repeat:
Look at http://www.securityfocus.com/archive/1/498562/30/0/threaded and http://wiki.wireshark.org/Development/Roadmap
>Fix:
The following patch will apply the vendor fix from the trunk to 1.0.4:

--- fix-DoS-in-SMTP-dissector.diff begins here ---
>From 676903bce0030930fa99ce4a9692057c2020c319 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sun, 23 Nov 2008 02:04:51 +0300

See http://www.securityfocus.com/archive/1/498562/30/0/threaded for the description of the vulnerability. The patch was taken from the Subversion repository of wireshark.
Signed-off-by: Eygene Ryabinkin --- net/wireshark/Makefile | 2 +- net/wireshark/files/patch-fix-SMTP-DoS-1.0.4 | 356 ++++++++++++++++++++++++++ 2 files changed, 357 insertions(+), 1 deletions(-) create mode 100644 net/wireshark/files/patch-fix-SMTP-DoS-1.0.4 diff --git a/net/wireshark/Makefile b/net/wireshark/Makefile index 49de12c..2e21104 100644 --- a/net/wireshark/Makefile +++ b/net/wireshark/Makefile @@ -7,7 +7,7 @@ PORTNAME?= wireshark PORTVERSION= 1.0.4 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= net ipv6 MASTER_SITES= http://www.wireshark.org/download/src/ \ http://wireshark.osmirror.nl/download/src/ \ diff --git a/net/wireshark/files/patch-fix-SMTP-DoS-1.0.4 b/net/wireshark/files/patch-fix-SMTP-DoS-1.0.4 new file mode 100644 index 0000000..e5d2e9e --- /dev/null +++ b/net/wireshark/files/patch-fix-SMTP-DoS-1.0.4 
@@ -0,0 +1,356 @@ +Fix for the SMTP dissector DoS + +See: http://www.securityfocus.com/archive/1/498562/30/0/threaded +Obtained from: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24989&r2=24988&pathrev=24989&view=patch +Obtained from: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24994&r2=24993&pathrev=24994&view=patch + +--- epan/dissectors/packet-smtp.c 2008/04/13 16:21:22 24988 ++++ epan/dissectors/packet-smtp.c 2008/04/13 16:33:44 24989 +@@ -97,10 +97,6 @@ + "DATA fragments" + }; + +-/* Define media_type/Content type table */ +-static dissector_table_t media_type_dissector_table; +- +- + static dissector_handle_t imf_handle = NULL; + + /* +@@ -175,6 +171,7 @@ + gint length_remaining; + gboolean eom_seen = FALSE; + gint next_offset; ++ gint loffset; + gboolean is_continuation_line; + int cmdlen; + fragment_data *frag_msg = NULL; +@@ -217,21 +214,6 @@ + * longer than what's in the buffer, so the "tvb_get_ptr()" call + * won't throw an exception. + */ +- linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, +- smtp_desegment && pinfo->can_desegment); +- if (linelen == -1) { +- /* +- * We didn't find a line ending, and we're doing desegmentation; +- * tell the TCP dissector where the data for this message starts +- * in the data it handed us, and tell it we need one more byte +- * (we may need more, but we'll try again if what we get next +- * isn't enough), and return. 
+- */ +- pinfo->desegment_offset = offset; +- pinfo->desegment_len = 1; +- return; +- } +- line = tvb_get_ptr(tvb, offset, linelen); + + frame_data = p_get_proto_data(pinfo->fd, proto_smtp); + +@@ -267,6 +249,42 @@ + + } + ++ if(request) { ++ frame_data = se_alloc(sizeof(struct smtp_proto_data)); ++ ++ frame_data->conversation_id = conversation->index; ++ frame_data->more_frags = TRUE; ++ ++ p_add_proto_data(pinfo->fd, proto_smtp, frame_data); ++ ++ } ++ ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, ++ smtp_desegment && pinfo->can_desegment); ++ if (linelen == -1) { ++ ++ if(offset == loffset) { ++ /* ++ * We didn't find a line ending, and we're doing desegmentation; ++ * tell the TCP dissector where the data for this message starts ++ * in the data it handed us, and tell it we need one more byte ++ * (we may need more, but we'll try again if what we get next ++ * isn't enough), and return. ++ */ ++ pinfo->desegment_offset = loffset; ++ pinfo->desegment_len = 1; ++ return; ++ } ++ else { ++ linelen = tvb_length_remaining(tvb, loffset); ++ next_offset = loffset + linelen; ++ } ++ } ++ line = tvb_get_ptr(tvb, loffset, linelen); ++ + /* + * Check whether or not this packet is an end of message packet + * We should look for CRLF.CRLF and they may be split. +@@ -282,16 +300,16 @@ + * .CRLF at the begining of the same packet. 
+ */ + +- if ((request_val->crlf_seen && tvb_strneql(tvb, offset, ".\r\n", 3) == 0) || +- tvb_strneql(tvb, offset, "\r\n.\r\n", 5) == 0) { ++ if ((request_val->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) || ++ tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0) { + + eom_seen = TRUE; + +- } ++ } + +- length_remaining = tvb_length_remaining(tvb, offset); +- if (length_remaining == tvb_reported_length_remaining(tvb, offset) && +- tvb_strneql(tvb, offset + length_remaining - 2, "\r\n", 2) == 0) { ++ length_remaining = tvb_length_remaining(tvb, loffset); ++ if (length_remaining == tvb_reported_length_remaining(tvb, loffset) && ++ tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0) { + + request_val->crlf_seen = TRUE; + +@@ -310,11 +328,6 @@ + + if (request) { + +- frame_data = se_alloc(sizeof(struct smtp_proto_data)); +- +- frame_data->conversation_id = conversation->index; +- frame_data->more_frags = TRUE; +- + if (request_val->reading_data) { + /* + * This is message data. +@@ -329,6 +342,9 @@ + */ + frame_data->pdu_type = SMTP_PDU_EOM; + request_val->reading_data = FALSE; ++ ++ break; ++ + } else { + /* + * Message data with no EOM. +@@ -340,7 +356,7 @@ + * We are handling a BDAT message. + * Check if we have reached end of the data chunk. + */ +- request_val->msg_read_len += tvb_length_remaining(tvb, offset); ++ request_val->msg_read_len += tvb_length_remaining(tvb, loffset); + + if (request_val->msg_read_len == request_val->msg_tot_len) { + /* +@@ -356,6 +372,8 @@ + */ + frame_data->more_frags = FALSE; + } ++ ++ break; /* no need to go through the remaining lines */ + } + } + } +@@ -446,12 +464,15 @@ + frame_data->pdu_type = request_val->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD; + + } +- + } ++ } + +- p_add_proto_data(pinfo->fd, proto_smtp, frame_data); ++ /* ++ * Step past this line. 
++ */ ++ loffset = next_offset; + +- } ++ } + } + + /* +@@ -463,6 +484,7 @@ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP"); + + if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */ ++ col_clear(pinfo->cinfo, COL_INFO); + + /* + * If it is a request, we have to look things up, otherwise, just +@@ -477,21 +499,38 @@ + case SMTP_PDU_MESSAGE: + + length_remaining = tvb_length_remaining(tvb, offset); +- col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body"); ++ col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body"); + col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining, + plurality (length_remaining, "", "s")); + break; + + case SMTP_PDU_EOM: + +- col_add_fstr(pinfo->cinfo, COL_INFO, "EOM: %s", +- format_text(line, linelen)); ++ col_set_str(pinfo->cinfo, COL_INFO, "C: ."); ++ + break; + + case SMTP_PDU_CMD: + +- col_add_fstr(pinfo->cinfo, COL_INFO, "Command: %s", +- format_text(line, linelen)); ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ /* ++ * Find the end of the line. ++ */ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); ++ line = tvb_get_ptr(tvb, loffset, linelen); ++ ++ if(loffset == offset) ++ col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s", ++ format_text(line, linelen)); ++ else { ++ col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", ++ format_text(line, linelen)); ++ } ++ ++ loffset = next_offset; ++ ++ } + break; + + } +@@ -499,9 +538,24 @@ + } + else { + +- col_add_fstr(pinfo->cinfo, COL_INFO, "Response: %s", +- format_text(line, linelen)); ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ /* ++ * Find the end of the line. 
++ */ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); ++ line = tvb_get_ptr(tvb, loffset, linelen); ++ ++ if(loffset == offset) ++ col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s", ++ format_text(line, linelen)); ++ else { ++ col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", ++ format_text(line, linelen)); ++ } + ++ loffset = next_offset; ++ } + } + } + +@@ -556,8 +610,7 @@ + * DATA command this terminates before sending another + * request, but we should probably handle it. + */ +- proto_tree_add_text(smtp_tree, tvb, offset, linelen, +- "EOM: %s", format_text(line, linelen)); ++ proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: ."); + + if(smtp_data_desegment) { + +@@ -578,6 +631,15 @@ + * previous command before sending another request, but we + * should probably handle it. + */ ++ ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ ++ /* ++ * Find the end of the line. ++ */ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); ++ + if (linelen >= 4) + cmdlen = 4; + else +@@ -587,16 +649,16 @@ + /* + * Put the command line into the protocol tree. 
+ */ +- ti = proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset, ++ ti = proto_tree_add_text(smtp_tree, tvb, loffset, next_offset - loffset, + "Command: %s", +- tvb_format_text(tvb, offset, next_offset - offset)); ++ tvb_format_text(tvb, loffset, next_offset - loffset)); + cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp); + + proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb, +- offset, cmdlen, FALSE); ++ loffset, cmdlen, FALSE); + if (linelen > 5) { + proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, +- offset + 5, linelen - 5, FALSE); ++ loffset + 5, linelen - 5, FALSE); + } + + if (smtp_data_desegment && !frame_data->more_frags) { +@@ -605,6 +667,13 @@ + frag_msg = fragment_end_seq_next (pinfo, frame_data->conversation_id, smtp_data_segment_table, + smtp_data_reassembled_table); + } ++ ++ /* ++ * Step past this line. ++ */ ++ loffset = next_offset; ++ ++ } + } + + if (smtp_data_desegment) { +@@ -689,8 +758,8 @@ + /* + * If it's not a continuation line, quit. 
+ */ +- if (!is_continuation_line) +- break; ++ /* if (!is_continuation_line) ++ break; */ + + } + +@@ -771,7 +840,6 @@ + }; + module_t *smtp_module; + +- + proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol", + "SMTP", "smtp"); + +@@ -808,11 +876,6 @@ + dissector_add("tcp.port", TCP_PORT_SMTP, smtp_handle); + dissector_add("tcp.port", TCP_PORT_SUBMISSION, smtp_handle); + +- /* +- * Get the content type and Internet media type table +- */ +- media_type_dissector_table = find_dissector_table("media_type"); +- + /* find the IMF dissector */ + imf_handle = find_dissector("imf"); + +--- epan/dissectors/packet-smtp.c 2008/04/13 16:55:56 24993 ++++ epan/dissectors/packet-smtp.c 2008/04/13 16:58:57 24994 +@@ -167,7 +167,7 @@ + struct smtp_request_val *request_val; + const guchar *line; + guint32 code; +- int linelen; ++ int linelen = 0; + gint length_remaining; + gboolean eom_seen = FALSE; + gint next_offset;
--
1.6.0.4
--- fix-DoS-in-SMTP-dissector.diff ends here ---

I had briefly tested it and it works for me.

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
wireshark -- DoS in the SMTP dissector module
wireshark wireshark-lite 1.0.4_1

Bach Khoa from Internetwork Security Center reports:

In Nov 2008, the Security Vulnerability Research Team of Bkis (SVRT-Bkis) detected a vulnerability underlying WireShark 1.0.4 (latest version).

The flaw is in the function processing the SMTP protocol and enables a hacker to perform a DoS attack by sending an SMTP request with large content to port 25. The application then enters a large loop and cannot do anything else.

References:
http://www.securityfocus.com/archive/1/498562/30/0/threaded
http://wiki.wireshark.org/Development/Roadmap

2008-11-22
--- vuln.xml ends here ---
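Review bot: in the packet-smtp.c hunk at @@ -267,6 +249,42 @@ the new `while (tvb_offset_exists(tvb, loffset))` loop only terminates because every iteration either reaches `loffset = next_offset;` (added at @@ -446,12 +464,15 @@) or one of the new `break;` statements at @@ -329,6 +342,9 @@ and @@ -356,6 +372,8 @@, and the `else` branch for `linelen == -1` sets `next_offset = loffset + linelen` with `linelen = tvb_length_remaining(tvb, loffset)`, so a trailing line without CRLF consumes the rest of the buffer instead of being revisited. That branch is the one that keeps the per-frame loop bounded; a comment saying so would help whoever next touches the desegmentation path.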
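Review bot: the hunk at @@ -689,8 +758,8 @@ comments out `if (!is_continuation_line) break;` rather than deleting it, which leaves dead code in the response-parsing loop. Since the port carries this as a verbatim vendor patch it is reasonable to keep it byte-identical to r24989, but it would be worth saying in the patch header that the commented-out lines are upstream's, so a later cleanup (deleting them and, if nothing else reads it, the is_continuation_line variable) is not mistaken for a local divergence.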
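Review bot: the r24994 hunk at @@ -167,7 +167,7 @@ (`int linelen = 0;`) is required because r24989 removed the unconditional `linelen = tvb_find_line_end(...)` at @@ -217,21 +214,6 @@ and now assigns linelen only inside the new loops, while `proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .")` at @@ -556,8 +610,7 @@ still uses it. The patch header lists both revisions, which is good; one line stating that the second revision exists only to initialise linelen would tell the next person rebasing this onto a newer 1.0.x that the two hunks must travel together.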