Bug#972204: kdeconnect: CVE-2020-26164
Package: kdeconnect Version: 1.3.3-2 Severity: grave Tags: security, patch Dear maintainers, on the oss-security mailing list[1], severe bugs in kdeconnect were published with links to commits that fix them. Find attached backports of those patches fitting the version of kdeconnect in debian/stable (buster). Please have a careful look at CVE-2020-26164_g_ssl_validation_checks.patch and check, whether those two disconnect() calls should really be disabled; while testing the patches I could not find any adverse effects. best regards, Adi Kriegisch [1] https://www.openwall.com/lists/oss-security/2020/10/13/4 From b279c52101d3f7cc30a26086d58de0b5f1c547fa Mon Sep 17 00:00:00 2001 From: Albert Vaca Cintora Date: Thu, 24 Sep 2020 17:01:03 +0200 Subject: [PATCH] Do not leak the local user in the device name. Thanks Matthias Gerstner for reporting this. --- core/kdeconnectconfig.cpp | 8 +--- 1 file changed, 1 insertion(+), 1 deletions(-) --- a/core/kdeconnectconfig.cpp 2020-10-14 08:57:39.290290968 +0200 +++ b/core/kdeconnectconfig.cpp 2020-10-14 08:57:57.650342491 +0200 @@ -148,7 +148,7 @@ QString KdeConnectConfig::name() { -QString defaultName = qgetenv("USER") + '@' + QHostInfo::localHostName(); +QString defaultName = QHostInfo::localHostName(); QString name = d->m_config->value(QStringLiteral("name"), defaultName).toString(); return name; } From d35b88c1b25fe13715f9170f18674d476ca9acdc Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Thu, 24 Sep 2020 17:03:06 +0200 Subject: [PATCH] Fix use after free in LanLinkProvider::connectError() If QSslSocket::connectToHost() hasn't finished running. Thanks Matthias Gerstner for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: kdeconnect-1.3.3/core/backends/lan/lanlinkprovider.cpp === --- kdeconnect-1.3.3.orig/core/backends/lan/lanlinkprovider.cpp +++ kdeconnect-1.3.3/core/backends/lan/lanlinkprovider.cpp 
@@ -224,7 +224,7 @@ void LanLinkProvider::connectError() //The socket we created didn't work, and we didn't manage //to create a LanDeviceLink from it, deleting everything. delete m_receivedIdentityPackets.take(socket).np; -delete socket; +socket->deleteLater(); } //We received a UDP packet and answered by connecting to them by TCP. This gets called on a succesful connection. From 721ba9faafb79aac73973410ee1dd3624ded97a5 Mon Sep 17 00:00:00 2001 From: Aleix Pol Date: Wed, 16 Sep 2020 02:27:13 +0200 Subject: [PATCH] Don't brute-force reading the socket The package will arrive eventually, and dataReceived will be emitted. Otherwise we just end up calling dataReceived to no end. Thanks Matthias Gerstner for reporting this. --- core/backends/lan/socketlinereader.cpp | 8 --- tests/testsocketlinereader.cpp | 31 -- 2 files changed, 29 insertions(+), 10 deletions(-) Index: kdeconnect-1.3.3/core/backends/lan/socketlinereader.cpp === --- kdeconnect-1.3.3.orig/core/backends/lan/socketlinereader.cpp +++ kdeconnect-1.3.3/core/backends/lan/socketlinereader.cpp @@ -38,14 +38,6 @@ void SocketLineReader::dataReceived() } } -//If we still have things to read from the socket, call dataReceived again -//We do this manually because we do not trust readyRead to be emitted again -//So we call this method again just in case. -if (m_socket->bytesAvailable() > 0) { -QMetaObject::invokeMethod(this, "dataReceived", Qt::QueuedConnection); -return; -} - //If we have any packets, tell it to the world. if (!m_packets.isEmpty()) { Q_EMIT readyRead(); Index: kdeconnect-1.3.3/tests/testsocketlinereader.cpp === --- kdeconnect-1.3.3.orig/tests/testsocketlinereader.cpp +++ kdeconnect-1.3.3/tests/testsocketlinereader.cpp 
@@ -24,16 +24,19 @@ #include #include #include +#include class TestSocketLineReader : public QObject { Q_OBJECT public Q_SLOTS: -void initTestCase(); +void init(); +void cleanup() { delete m_server; } void newPacket(); private Q_SLOTS: void socketLineReader(); +void badData(); private: QTimer m_timer; @@ -44,8 +47,9 @@ private: SocketLineReader* m_reader; }; -void TestSocketLineReader::initTestCase() +void TestSocketLineReader::init() { +m_packets.clear(); m_server = new Server(this); QVERIFY2(m_server->listen(QHostAddress::LocalHost, 8694), "Failed to create local tcp server"); @@ -96,6 +100,29 @@ void TestSocketLineReader::socketLineRea } } +void TestSocketLineReader::badData() +{ +const QList dataToSend = { "data1\n", "data" }; /
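Review bot: In the kdeconnectconfig.cpp hunk, dropping qgetenv("USER") only changes the default; `d->m_config->value(QStringLiteral("name"), defaultName)` returns a stored name whenever one exists, so installations that already persisted a `user@host` name keep announcing the local user until the config is edited by hand. A stable backport should say whether a one-time rewrite of stored names of that form is wanted, or at least document that existing configurations are not covered by this change.

Review bot: In the lanlinkprovider.cpp hunk, `socket->deleteLater();` keeps the object alive until control returns to the event loop, so connectError() can run a second time for the same socket if another error signal fires before then. On that second pass `m_receivedIdentityPackets.take(socket)` returns a default-constructed entry; confirm that its `np` member is initialised to nullptr in that struct, otherwise the `delete ...np` on the second pass is undefined behaviour. An early `if (!m_receivedIdentityPackets.contains(socket)) return;` at the top of the slot would make the intent explicit.

Review bot: In the socketlinereader.cpp hunk, removing the manual re-queue means every complete line already buffered in the socket must be consumed by the read loop above this hunk; if that loop stops after a single line, the remaining lines sit in the buffer until the peer sends more and readyRead fires again. Check that the loop drains with canReadLine() in a loop before relying on the signal alone, and add a comment saying that dataReceived() is expected to consume everything available.

Review bot: In the tests/testsocketlinereader.cpp hunk, the `+#include` line has lost its header name in this copy of the patch, and the new badData() test is cut off after its first statement; both need to be checked against the upstream commit before the backport is applied. Separately, `init()` now runs before every test function while the server still binds the fixed port 8694, so each test depends on `cleanup() { delete m_server; }` having released that port in time; a `listen()` on port 0 would remove that dependency.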
Bug#880427: tinyproxy: If tinyproxy receives SIGHUP...
Dear maintainer,

are there any plans to release an update to Stretch? The current package without the patch requires manual intervention after every logrotate invocation...

-- Adi
Bug#844632: Drupal: SA-CORE-2016-005
Package: drupal7
Version: 7.32-1+deb8u7
Severity: grave
Tags: security

Hi!

The Drupal Security Team publicly announced a fix for an external URL injection flaw in Drupal7: https://www.drupal.org/SA-CORE-2016-005

-- Adi
Bug#813406: [Pkg-samba-maint] Bug#813406: ctdb, raw sockets and CVE-2015-8543
Hi!

> There are two sets of patches:
> - yours that basically keeps the same behavior as pre-CVE-2015-8543 (proto=0)

I just desperately tried to get my cluster going again... ;-)

> - Amitay's that restores the intended behavior (proto=255)
> [...]
> I think I'll go for Amitay's patch which probably fixes a lot of
> weird behaviors I've seen pre-CVE-2015-8543 (i.e. TCP connections not
> reset, IP not properly relocated).

This is -- of course -- the way better approach!

> I plan to fix this for wheezy and jessie. stretch will come with the next
> upstream release.
>
> Given the importance of the bug, I think it can go through -security.

I think so too -- especially as it is some kind of regression. Thank you very much for taking care of this!

-- Adi
Bug#813406: ctdb, raw sockets and CVE-2015-8543
Package: ctdb Severity: grave Tags: patch,upstream Hi! The kernel upgrade for CVE-2015-8543 showed a bug in CTDB that leads to a broken cluster: | s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); htons(IPPROTO_RAW) leads to 0xff00 which causes "-1 EINVAL (Invalid argument)" because of CVE-2015-8543. The fix for the issue is quite simple: remove IPPROTO_RAW; to make the fix more consistent with what was used before, use IPPROTO_IP (which is 0). Error messages related to this bug are: | We are still serving a public IP 'x.x.x.x' that we should not be serving. Removing it | common/system_common.c:89 failed to open raw socket (Invalid argument) | Could not find which interface the ip address is hosted on. can not release it and | common/system_linux.c:344 failed to open raw socket (Invalid argument) As a result, IP addresses cannot be released and multiple nodes in the cluster serve the same address, which obviously does not work. Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=11705 and mailing list conversation: https://lists.samba.org/archive/samba/2016-January/197389.html -- Adi --- a/common/system_common.c2016-01-19 15:20:37.437683526 +0100 +++ b/common/system_common.c2016-01-19 15:20:50.417683526 +0100 @@ -83,7 +83,7 @@ struct ifconf ifc; char *ptr; - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_IP); if (s == -1) { DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n", strerror(errno))); --- a/common/system_linux.c 2016-01-19 16:06:53.021491231 +0100 +++ b/common/system_linux.c 2016-01-19 16:07:05.817491231 +0100 
@@ -338,7 +338,7 @@ ip4pkt.tcp.check= tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip); /* open a raw socket to send this segment from */ - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_IP); if (s == -1) { DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n", strerror(errno))); signature.asc Description: Digital signature
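Review bot: In the system_common.c hunk, the socket is only used for the interface enumeration (`struct ifconf ifc` is declared just above), so the protocol argument carries no meaning there and IPPROTO_IP is fine. A `SOCK_DGRAM` socket would serve the same ioctl without needing CAP_NET_RAW at all, which is worth considering while this line is being touched.

Review bot: In the system_linux.c hunk, the code above builds the IP header itself (`ip4pkt.ip`, and the TCP checksum is computed against it), so the socket has to be in header-included mode. IPPROTO_RAW turns IP_HDRINCL on implicitly; IPPROTO_IP does not, so unless IP_HDRINCL is set elsewhere the kernel prepends its own header and the hand-built RST leaves as payload, which matches the "TCP connections not reset" symptom mentioned in the follow-up. Prefer `s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);` here (the proto=255 variant), or add an explicit setsockopt(s, IPPROTO_IP, IP_HDRINCL, ...) after the socket() call.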
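The reason the `htons(IPPROTO_RAW)` argument stops working, worked through in C. This is an added example and not ctdb code: it mirrors the range check that the CVE-2015-8543 kernel fix applies to the protocol argument of socket(2), shows what the unpatched kernel silently made of the value, and picks the protocol that suits each of the two call sites in the patch above. The helper names are this example's own, and the 0xff00 figure assumes a little-endian host, as in the report.

```c
/* Added example, not ctdb code: why socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW))
 * is rejected with EINVAL once the kernel carries the CVE-2015-8543 fix, and
 * which protocol value suits each call site in the patch above.
 * Assumptions: Linux; a little-endian host (where htons(255) == 0xff00, the
 * value quoted in the report); helper names are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The IP protocol number is an 8-bit field. The 2015 fix added
 * "if (protocol < 0 || protocol >= IPPROTO_MAX) return -EINVAL;" to
 * inet_create(), with IPPROTO_MAX == 256 at the time. Before the fix the
 * value was silently truncated to 8 bits when stored in the socket. */
#define IP_PROTOCOL_LIMIT 256

int protocol_in_range(int protocol)
{
    return protocol >= 0 && protocol < IP_PROTOCOL_LIMIT;
}

/* What ctdb actually passed before the patch: htons() byte-swaps 255. */
int ctdb_original_protocol_arg(void)
{
    return (int) htons(IPPROTO_RAW);
}

/* What the unpatched kernel silently turned that into, which is why the
 * follow-up describes the pre-CVE behaviour as "proto=0". */
int truncated_protocol(int protocol)
{
    return protocol & 0xff;
}

/* Pick the protocol for a raw socket by what it is used for:
 *  - SIOCGIFCONF enumeration (system_common.c): any value works, the patch
 *    uses IPPROTO_IP;
 *  - sending a hand-built IP header (the RST in system_linux.c): IPPROTO_RAW,
 *    which implies IP_HDRINCL so the kernel does not prepend its own header. */
int raw_protocol_for(int sends_own_ip_header)
{
    return sends_own_ip_header ? IPPROTO_RAW : IPPROTO_IP;
}

/* Returns the fd, or -errno, so a caller can tell EINVAL (protocol rejected
 * by the patched kernel) from EPERM (no CAP_NET_RAW). */
int try_raw_socket(int protocol)
{
    int s = socket(AF_INET, SOCK_RAW, protocol);
    return s == -1 ? -errno : s;
}

int main(void)
{
    const int candidates[] = { ctdb_original_protocol_arg(), IPPROTO_IP, IPPROTO_RAW };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int proto = candidates[i];
        int r = try_raw_socket(proto);
        printf("protocol 0x%04x (truncates to %d): in range=%d, socket(): %s\n",
               proto, truncated_protocol(proto), protocol_in_range(proto),
               r >= 0 ? "ok" : strerror(-r));
        if (r >= 0)
            close(r);
    }
    return 0;
}
```

Run as root on a patched kernel, the first candidate fails with "Invalid argument" exactly as in the ctdb log lines above, while the other two succeed; run unprivileged, the first still fails with EINVAL (the range check runs before the capability check) and the other two fail with EPERM.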
Bug#796243: SA-CORE-2015-003 -- please also fix for backports...
Package: drupal7 Version: 7.32-1+deb8u3~bpo70+1 Tags: patch,security Severity: grave Hi! As SA-CORE-2015-003[1] is already public, I extracted the patch (diff between 7.38 and 7.39 plus removed the version bumps). It would be great if you could upload to wheezy-backports too (SA-CORE-2015-002 is missing for this version too, afaik)... Thanks! -- Adi [1] https://www.drupal.org/SA-CORE-2015-003 diff -Nru drupal-7.38/includes/ajax.inc drupal-7.39/includes/ajax.inc --- drupal-7.38/includes/ajax.inc 2015-06-17 20:38:44.0 +0200 +++ drupal-7.39/includes/ajax.inc 2015-08-19 23:20:31.0 +0200 @@ -230,6 +230,10 @@ * functions. */ function ajax_render($commands = array()) { + // Although ajax_deliver() does this, some contributed and custom modules + // render Ajax responses without using that delivery callback. + ajax_set_verification_header(); + // Ajax responses aren't rendered with html.tpl.php, so we have to call // drupal_get_css() and drupal_get_js() here, in order to have new files added // during this request to be loaded by the page. We only want to send back @@ -487,6 +491,9 @@ } } + // Let ajax.js know that this response is safe to process. + ajax_set_verification_header(); + // Print the response. $commands = ajax_prepare_response($page_callback_result); $json = ajax_render($commands); 
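Review bot: In the ajax_render() hunk, the function now has a side effect on the HTTP response, which its docblock (not in the hunk) should state: a module that calls ajax_render() only to obtain the JSON string and embeds it in an ordinary HTML page will ship the X-Drupal-Ajax-Token header on that page as well. Harmless for the page itself, but callers should know the function is no longer a pure renderer.

Review bot: In the ajax_deliver() hunk, the header is set here and then again inside ajax_render() two lines below; the second call is a no-op thanks to the drupal_static() guard, but a one-line comment saying so would stop a later reader from "deduplicating" one of the two calls and losing the protection for the direct ajax_render() callers mentioned in the first hunk.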
@@ -577,6 +584,29 @@ } /** + * Sets a response header for ajax.js to trust the response body. + * + * It is not safe to invoke Ajax commands within user-uploaded files, so this + * header protects against those being invoked. + * + * @see Drupal.ajax.options.success() + */ +function ajax_set_verification_header() { + $added = &drupal_static(__FUNCTION__); + + // User-uploaded files cannot set any response headers, so a custom header is + // used to indicate to ajax.js that this response is safe. Note that most + // Ajax requests bound using the Form API will be protected by having the URL + // flagged as trusted in Drupal.settings, so this header is used only for + // things like custom markup that gets Ajax behaviors attached. + if (empty($added)) { +drupal_add_http_header('X-Drupal-Ajax-Token', '1'); +// Avoid sending the header twice. +$added = TRUE; + } +} + +/** * Performs end-of-Ajax-request tasks. * * This function is the equivalent of drupal_page_footer(), but for Ajax @@ -764,7 +794,12 @@ $element['#attached']['js'][] = array( 'type' => 'setting', - 'data' => array('ajax' => array($element['#id'] => $settings)), + 'data' => array( +'ajax' => array($element['#id'] => $settings), +'urlIsAjaxTrusted' => array( + $settings['url'] => TRUE, +), + ), ); // Indicate that Ajax processing was successful. diff -Nru drupal-7.38/includes/database/database.inc drupal-7.39/includes/database/database.inc --- drupal-7.38/includes/database/database.inc 2015-06-17 20:38:44.0 +0200 +++ drupal-7.39/includes/database/database.inc 2015-08-19 23:20:31.0 +0200 
@@ -626,7 +626,7 @@ * A sanitized version of the query comment string. */ protected function filterComment($comment = '') { -return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment); +return strtr($comment, array('*' => ' * ')); } /** diff -Nru drupal-7.38/includes/form.inc drupal-7.39/includes/form.inc --- drupal-7.38/includes/form.inc 2015-06-17 20:38:44.0 +0200 +++ drupal-7.39/includes/form.inc 2015-08-19 23:20:31.0 +0200 @@ -1128,6 +1128,17 @@ drupal_alter($hooks, $form, $form_state, $form_id); } +/** + * Helper function to call form_set_error() if there is a token error. + */ +function _drupal_invalid_token_set_form_error() { + $path = current_path(); + $query = drupal_get_query_parameters(); + $url = url($path, array('query' => $query)); + + // Setting this error will cause the form to fail validation. + form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then reload this page.', array('@link' => $url))); +} /** * Validates user-submitted form data in the $form_state array. @@ -1162,16 +1173,11 @@ } // If the session token was set by drupal_prepare_form(), ensure that it - // matches the current user's session. + // matches the current user's session. This is duplicate to code in + // form_builder() but left to protect any custom form handling code. if (isset($form['#token'])) { -if (!drupal_valid_token($form_state['values']['form_token'], $form['#token'])) { - $path = current_path(); - $query = drupal_get_query_parameters(); - $url = url($path, array('query' => $query)); - - // Setting this error will cause the form to fail validation. - form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then reload this page.', array('@link' => $url))); - +if (!drupal_valid_token($form_state['values'
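Review bot: In the ajax_set_verification_header() hunk, the value '1' is constant, so the header is a presence check rather than a secret; the docblock should say so explicitly, since the name X-Drupal-Ajax-Token suggests a per-session token, and should state the single property it relies on: that files served from the public files directory are never able to set response headers. A deployment that lets PHP execute from that directory loses the protection, which is worth a sentence in the same comment.

Review bot: In the $element['#attached']['js'] hunk, `'urlIsAjaxTrusted' => array($settings['url'] => TRUE)` uses the raw URL string as an array key. Drupal.settings entries are merged across elements, so two elements with the same URL collapse to one key, which is fine, but the JavaScript side must compare the exact string it is about to request; a URL that differs only in query-string order or a trailing fragment will not be found trusted, so the comment should note that the lookup is an exact string match.

Review bot: In the database.inc hunk, `strtr($comment, array('*' => ' * '))` can never produce a `*/` from any input, whereas the old preg_replace() could (it stripped `/*` and `*/` in a single pass, so an input such as `**//` re-forms a terminator after the middle `*/` is removed). One line in the docblock above explaining why every asterisk is padded would stop a future cleanup from reverting to the regex.

Review bot: In the form.inc hunk, the t() call in _drupal_invalid_token_set_form_error() passes `array('@link' => $url)` but the message contains no @link placeholder, so `$path`, `$query` and `$url` are computed and discarded; either drop those three lines or put the link back into the message text. The remainder of this hunk is cut off in this copy after `$form_state['values'` and should be checked against the 7.38 to 7.39 diff before the backport is uploaded.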
Bug#789165: SA-CORE-2015-002 -- please also fix for backports...
Package: drupal7 Version: 7.32-1+deb8u3~bpo70+1 Tags: patch,security Severity: grave Hi! As SA-CORE-2015-002[1] is already public, I extracted the patch (diff between 7.37 and 7.38 plus removed the version bumps). It would be great if you could upload to wheezy-backports too... Thanks! -- Adi [1] https://www.drupal.org/SA-CORE-2015-002 diff -Nru drupal-7.37/includes/common.inc drupal-7.38/includes/common.inc --- drupal-7.37/includes/common.inc 2015-05-07 06:13:18.0 +0200 +++ drupal-7.38/includes/common.inc 2015-06-17 20:38:44.0 +0200 @@ -6329,13 +6329,21 @@ } if (!empty($granularity)) { +$cache_per_role = $granularity & DRUPAL_CACHE_PER_ROLE; +$cache_per_user = $granularity & DRUPAL_CACHE_PER_USER; +// User 1 has special permissions outside of the role system, so when +// caching per role is requested, it should cache per user instead. +if ($user->uid == 1 && $cache_per_role) { + $cache_per_user = TRUE; + $cache_per_role = FALSE; +} // 'PER_ROLE' and 'PER_USER' are mutually exclusive. 'PER_USER' can be a // resource drag for sites with many users, so when a module is being // equivocal, we favor the less expensive 'PER_ROLE' pattern. -if ($granularity & DRUPAL_CACHE_PER_ROLE) { +if ($cache_per_role) { $cid_parts[] = 'r.' . implode(',', array_keys($user->roles)); } -elseif ($granularity & DRUPAL_CACHE_PER_USER) { +elseif ($cache_per_user) { $cid_parts[] = "u.$user->uid"; } diff -Nru drupal-7.37/modules/field_ui/field_ui.admin.inc drupal-7.38/modules/field_ui/field_ui.admin.inc --- drupal-7.37/modules/field_ui/field_ui.admin.inc 2015-05-07 06:13:18.0 +0200 +++ drupal-7.38/modules/field_ui/field_ui.admin.inc 2015-06-17 20:38:44.0 +0200 
@@ -2105,6 +2105,10 @@ $destinations = !empty($_REQUEST['destinations']) ? $_REQUEST['destinations'] : array(); if (!empty($destinations)) { unset($_REQUEST['destinations']); + } + // Remove any external URLs. + $destinations = array_diff($destinations, array_filter($destinations, 'url_is_external')); + if ($destinations) { return field_ui_get_destinations($destinations); } $admin_path = _field_ui_bundle_admin_path($entity_type, $bundle); diff -Nru drupal-7.37/modules/field_ui/field_ui.test drupal-7.38/modules/field_ui/field_ui.test --- drupal-7.37/modules/field_ui/field_ui.test 2015-05-07 06:13:18.0 +0200 +++ drupal-7.38/modules/field_ui/field_ui.test 2015-06-17 20:38:44.0 +0200 @@ -445,6 +445,19 @@ $this->assertText(t('The machine-readable name is already in use. It must be unique.')); $this->assertUrl($url, array(), 'Stayed on the same page.'); } + + /** + * Tests that external URLs in the 'destinations' query parameter are blocked. + */ + function testExternalDestinations() { +$path = 'admin/structure/types/manage/article/fields/field_tags/field-settings'; +$options = array( + 'query' => array('destinations' => array('http://example.com')), +); +$this->drupalPost($path, NULL, t('Save field settings'), $options); + +$this->assertUrl('admin/structure/types/manage/article/fields', array(), 'Stayed on the same site.'); + } } /** diff -Nru drupal-7.37/modules/openid/openid.module drupal-7.38/modules/openid/openid.module --- drupal-7.37/modules/openid/openid.module 2015-05-07 06:13:18.0 +0200 +++ drupal-7.38/modules/openid/openid.module 2015-06-17 20:38:44.0 +0200 
@@ -365,14 +365,20 @@ // to the OpenID Provider, we need to do discovery on the returned // identififer to make sure that the provider is authorized to // respond on behalf of this. -if ($response_claimed_id != $claimed_id) { +if ($response_claimed_id != $claimed_id || $response_claimed_id != $response['openid.identity']) { $discovery = openid_discovery($response['openid.claimed_id']); + $uris = array(); if ($discovery && !empty($discovery['services'])) { -$uris = array(); foreach ($discovery['services'] as $discovered_service) { - if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) { -$uris[] = $discovered_service['uri']; + if (!in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) && !in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) { +continue; } + // The OP-Local Identifier (if different than the Claimed + // Identifier) must be present in the XRDS document. + if ($response_claimed_id != $response['openid.identity'] && (!isset($discovered_service['identity']) || $discovered_service['identity'] != $response['openid.identit
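Review bot: In the common.inc hunk, the uid 1 special case only kicks in when the module asked for DRUPAL_CACHE_PER_ROLE; a module that requested neither per-role nor per-user caching still shares one entry between user 1 and everybody else. That is presumably intended, but the comment ("User 1 has special permissions outside of the role system") reads as if it applied generally, so it should say that only the per-role request is being upgraded.

Review bot: In the field_ui.admin.inc hunk, `array_filter($destinations, 'url_is_external')` assumes every element is a string, but `destinations` comes straight from $_REQUEST and can be a nested array (`destinations[0][x]=...`); a non-string element produces notices inside url_is_external() and is not reliably filtered out by the array_diff() that follows. Filtering with is_string first, or rejecting the whole parameter when any element is not a string, would close that gap.

Review bot: In the field_ui.test hunk, testExternalDestinations() covers only an absolute http:// destination; add a case for a protocol-relative destination such as `//example.com` and one with an upper-case scheme, so that a later change to url_is_external() is caught by this test rather than re-opening the redirect.

Review bot: In the openid.module hunk, moving `$uris = array();` in front of the discovery check is what makes the code after this hunk see an empty list rather than an undefined variable when discovery fails, which is a fail-closed property worth a short comment, as the move otherwise looks cosmetic. The hunk is cut off in this copy after `$response['openid.identit` and the remainder should be taken from the 7.37 to 7.38 diff.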
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Tags: security, patch find the Ubuntu patch attached. best regards, Adi Kriegisch === modified file 'bin/named/query.c' --- bin/named/query.c 2011-11-16 14:22:11 + +++ bin/named/query.c 2012-10-05 09:45:39 + @@ -1024,13 +1024,6 @@ mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE("query_isduplicate: false: done"); @@ -1228,6 +1221,7 @@ if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1288,11 +1282,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { -if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1331,11 +1327,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_, &mname)) { -if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && 
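Review bot: In the query_isduplicate hunk, removing the `if (name == mname) mname = NULL;` normalisation moves the burden onto every caller: each must now handle mname == fname itself, and any caller of query_isduplicate that this patch does not touch would go back to releasing fname and then using it. The changelog or a comment above the function should list the callers that were audited.

Review bot: In the hunk at line 1228, the mname == fname case is handled with `INSIST(mname != fname);`, which aborts named, whereas the two hunks that follow wrap the same situation in `if (mname != fname)` and carry on. For a fix whose purpose is to stop a remotely triggered crash, an INSIST reachable under the same condition needs a comment explaining why this path cannot see mname == fname; otherwise use the `if` form here as well.

Review bot: In the hunk at line 1331, the rdata type reads `dns_rdatatype_` in this copy of the patch, so the type name has been lost in transit; check it against the upstream 9.8.3-P4 change before applying, since a wrong type here would silently skip the fix for that address family.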
@@ -1846,22 +1844,24 @@ crdataset->type == dns_rdatatype_) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { -if (mname != NULL) { - /* - * A different type of this name is - * already stored in the additional - * section. We'll reuse the name. - * Note that this should happen at most - * once. Otherwise, fname->link could - * leak below. - */ - INSIST(mname0 == NULL); +if (mname != fname) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname->link could + * leak below. + */ + INSIST(mname0 == NULL); - query_releasename(client, &fname); - fname = mname; - mname0 = mname; -} else - need_addname = ISC_TRUE; + query_releasename(client, &fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE; === modified file 'debian/changelog' --- debian/changelog 2012-09-12 16:16:57 + +++ debian/changelog 2012-10-05 09:45:39 + @@ -1,3 +1,12 @@ +bind9 (1:9.7.3.dfsg-1ubuntu4.5) oneiric-security; urgency=low + + * SECURITY UPDATE: denial of service via specific combinations of RDATA +- bin/named/query.c: fix logic +- Patch backported from 9.8.3-P4 +- CVE-2012-5166 + + -- Marc Deslauriers Fri, 05 Oct 2012 09:45:39 -0400 + bind9 (1:9.7.3.dfsg-1ubuntu4.4) oneiric-security; urgency=low * SECURITY UPDATE: denial of service via large crafted resource record signature.asc Description: Digital signature
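Review bot: In the hunk at line 1846, the `INSIST(mname0 == NULL)` and its explanatory comment now sit one level inside the new `if (mname != fname)` block, so the "at most once" invariant is only checked when the name is actually swapped. That is consistent with the earlier hunks, but the comment reads as if it also covered the mname == fname case; reflow it, or move it above the outer `if`, so the comment and the condition it describes line up.

Review bot: In the debian/changelog hunk, the entry is the Ubuntu one (`1:9.7.3.dfsg-1ubuntu4.5`, `oneiric-security`, Marc Deslauriers' signature) and must not be applied to the Debian package; drop this hunk and write a Debian changelog entry for the version being patched that carries the CVE-2012-5166 reference, keeping only the bin/named/query.c changes from this patch.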
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Package: bind9
Tags: security
Severity: grave

A security-relevant bug in all versions of bind9 has been discovered. Only recursive servers are vulnerable. To mitigate the effects of a possible attack it should be sufficient to set "minimal-responses yes;" in the global "options {}" section.

As information on that bug has already leaked (and even got mailed to full-disclosure by Mandriva), I am reporting it to the Debian bug tracker. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166 and https://kb.isc.org/article/AA-00801 for details.

best regards,
Adi Kriegisch