Bug#972204: kdeconnect: CVE-2020-26164
Package: kdeconnect
Version: 1.3.3-2
Severity: grave
Tags: security, patch
Dear maintainers,
on the oss-security mailing list[1], severe bugs in kdeconnect were
published with links to commits that fix them. Find attached backports of
those patches fitting the version of kdeconnect in debian/stable (buster).
Please have a careful look at CVE-2020-26164_g_ssl_validation_checks.patch
and check, whether those two disconnect() calls should really be disabled;
while testing the patches I could not find any adverse effects.
best regards,
Adi Kriegisch
[1] https://www.openwall.com/lists/oss-security/2020/10/13/4
From b279c52101d3f7cc30a26086d58de0b5f1c547fa Mon Sep 17 00:00:00 2001
From: Albert Vaca Cintora
Date: Thu, 24 Sep 2020 17:01:03 +0200
Subject: [PATCH] Do not leak the local user in the device name.
Thanks Matthias Gerstner for reporting this.
---
core/kdeconnectconfig.cpp | 8 +---
1 file changed, 1 insertion(+), 1 deletions(-)
--- a/core/kdeconnectconfig.cpp 2020-10-14 08:57:39.290290968 +0200
+++ b/core/kdeconnectconfig.cpp 2020-10-14 08:57:57.650342491 +0200
@@ -148,7 +148,7 @@
QString KdeConnectConfig::name()
{
-QString defaultName = qgetenv("USER") + '@' + QHostInfo::localHostName();
+QString defaultName = QHostInfo::localHostName();
QString name = d->m_config->value(QStringLiteral("name"), defaultName).toString();
return name;
}
From d35b88c1b25fe13715f9170f18674d476ca9acdc Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Thu, 24 Sep 2020 17:03:06 +0200
Subject: [PATCH] Fix use after free in LanLinkProvider::connectError()
If QSslSocket::connectToHost() hasn't finished running.
Thanks Matthias Gerstner for reporting this.
---
core/backends/lan/lanlinkprovider.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: kdeconnect-1.3.3/core/backends/lan/lanlinkprovider.cpp
===
--- kdeconnect-1.3.3.orig/core/backends/lan/lanlinkprovider.cpp
+++ kdeconnect-1.3.3/core/backends/lan/lanlinkprovider.cpp
@@ -224,7 +224,7 @@ void LanLinkProvider::connectError()
//The socket we created didn't work, and we didn't manage
//to create a LanDeviceLink from it, deleting everything.
delete m_receivedIdentityPackets.take(socket).np;
-delete socket;
+socket->deleteLater();
}
//We received a UDP packet and answered by connecting to them by TCP. This gets called on a succesful connection.
From 721ba9faafb79aac73973410ee1dd3624ded97a5 Mon Sep 17 00:00:00 2001
From: Aleix Pol
Date: Wed, 16 Sep 2020 02:27:13 +0200
Subject: [PATCH] Don't brute-force reading the socket
The package will arrive eventually, and dataReceived will be emitted.
Otherwise we just end up calling dataReceived to no end.
Thanks Matthias Gerstner for reporting this.
---
core/backends/lan/socketlinereader.cpp | 8 ---
tests/testsocketlinereader.cpp | 31 --
2 files changed, 29 insertions(+), 10 deletions(-)
Index: kdeconnect-1.3.3/core/backends/lan/socketlinereader.cpp
===
--- kdeconnect-1.3.3.orig/core/backends/lan/socketlinereader.cpp
+++ kdeconnect-1.3.3/core/backends/lan/socketlinereader.cpp
@@ -38,14 +38,6 @@ void SocketLineReader::dataReceived()
}
}
-//If we still have things to read from the socket, call dataReceived again
-//We do this manually because we do not trust readyRead to be emitted again
-//So we call this method again just in case.
-if (m_socket->bytesAvailable() > 0) {
-QMetaObject::invokeMethod(this, "dataReceived", Qt::QueuedConnection);
-return;
-}
-
//If we have any packets, tell it to the world.
if (!m_packets.isEmpty()) {
Q_EMIT readyRead();
Index: kdeconnect-1.3.3/tests/testsocketlinereader.cpp
===
--- kdeconnect-1.3.3.orig/tests/testsocketlinereader.cpp
+++ kdeconnect-1.3.3/tests/testsocketlinereader.cpp
@@ -24,16 +24,19 @@
#include
#include
#include
+#include
class TestSocketLineReader : public QObject
{
Q_OBJECT
public Q_SLOTS:
-void initTestCase();
+void init();
+void cleanup() { delete m_server; }
void newPacket();
private Q_SLOTS:
void socketLineReader();
+void badData();
private:
QTimer m_timer;
@@ -44,8 +47,9 @@ private:
SocketLineReader* m_reader;
};
-void TestSocketLineReader::initTestCase()
+void TestSocketLineReader::init()
{
+m_packets.clear();
m_server = new Server(this);
QVERIFY2(m_server->listen(QHostAddress::LocalHost, 8694), "Failed to create local tcp server");
@@ -96,6 +100,29 @@ void TestSocketLineReader::socketLineRea
}
}
+void TestSocketLineReader::badData()
+{
+const QList dataToSend = { "data1\n", "data" }; /
Bug#880427: tinyproxy: If tinyproxy receives SIGHUP...
Dear maintainer, are there any plans to release an update to Stretch? The current package without the patch requires manual intervention after every logrotate invocation... -- Adi signature.asc Description: Digital signature
Bug#844632: Drupal: SA-CORE-2016-005
Package: drupal7 Version: 7.32-1+deb8u7 Severity: grave Tags: security Hi! The Drupal Security Team publicly announced a fix for an external URL injection flaw in Drupal7: https://www.drupal.org/SA-CORE-2016-005 -- Adi signature.asc Description: Digital signature
Bug#813406: [Pkg-samba-maint] Bug#813406: ctdb, raw sockets and CVE-2015-8543
Hi! > There are two set of patches: > - yours that basically keep the same behavior as pre-CVE-2015-8543 (proto=0) I just desperately tried to get my cluster going again... ;-) > - Amitay's that restore the intented behavior (proto=255) [...] > I think I'll got for Amitay's patch which probably fixes a lot of > weird behaviors I've seen pre-CVE-2015-8543 (i.e TCP connections not > reset, Ip not properly relocated). This is -- of course -- the way better approach! > I plan to fix this for wheezy and jessie. stretch will come with next > upstream release. > > Givent the importance of the bug, I think it can go thru -security. I think so too -- especially as it is some kind of regression. Thank you very much for taking care of this! -- Adi signature.asc Description: Digital signature
Bug#813406: ctdb, raw sockets and CVE-2015-8543
Package: ctdb
Severity: grave
Tags: patch,upstream
Hi!
The kernel upgrade for CVE-2015-8543 showed a bug in CTDB that leads to a
broken cluster:
| s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
htons(IPPROTO_RAW) leads to 0xff00 which causes "-1 EINVAL (Invalid
argument)" because of CVE-2015-8543.
The fix for the issue is quite simple: remove IPPROTO_RAW; to make the fix
more consistent with what was used before, use IPPROTO_IP (which is 0).
Error messages related to this bug are:
| We are still serving a public IP 'x.x.x.x' that we should not be serving.
Removing it
| common/system_common.c:89 failed to open raw socket (Invalid argument)
| Could not find which interface the ip address is hosted on. can not release
it
and
| common/system_linux.c:344 failed to open raw socket (Invalid argument)
As a result, IP addresses cannot be released and multiple nodes in the
cluster serve the same address, which obviously does not work.
Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=11705 and mailing
list conversation:
https://lists.samba.org/archive/samba/2016-January/197389.html
-- Adi
--- a/common/system_common.c2016-01-19 15:20:37.437683526 +0100
+++ b/common/system_common.c2016-01-19 15:20:50.417683526 +0100
@@ -83,7 +83,7 @@
struct ifconf ifc;
char *ptr;
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if (s == -1) {
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
strerror(errno)));
--- a/common/system_linux.c 2016-01-19 16:06:53.021491231 +0100
+++ b/common/system_linux.c 2016-01-19 16:07:05.817491231 +0100
@@ -338,7 +338,7 @@
ip4pkt.tcp.check= tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
/* open a raw socket to send this segment from */
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if (s == -1) {
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
strerror(errno)));
signature.asc
Description: Digital signature
Bug#796243: SA-CORE-2015-003 -- please also fix for backports...
Package: drupal7
Version: 7.32-1+deb8u3~bpo70+1
Tags: patch,security
Severity: grave
Hi!
As SA-CORE-2015-003[1] is already public, I extracted the patch (diff
between 7.38 and 7.39 plus removed the version bumps).
It would be great if you could upload to wheezy-backports too
(SA-CORE-2015-002 is missing for this version too, afaik)...
Thanks!
-- Adi
[1] https://www.drupal.org/SA-CORE-2015-003
diff -Nru drupal-7.38/includes/ajax.inc drupal-7.39/includes/ajax.inc
--- drupal-7.38/includes/ajax.inc 2015-06-17 20:38:44.0 +0200
+++ drupal-7.39/includes/ajax.inc 2015-08-19 23:20:31.0 +0200
@@ -230,6 +230,10 @@
* functions.
*/
function ajax_render($commands = array()) {
+ // Although ajax_deliver() does this, some contributed and custom modules
+ // render Ajax responses without using that delivery callback.
+ ajax_set_verification_header();
+
// Ajax responses aren't rendered with html.tpl.php, so we have to call
// drupal_get_css() and drupal_get_js() here, in order to have new files added
// during this request to be loaded by the page. We only want to send back
@@ -487,6 +491,9 @@
}
}
+ // Let ajax.js know that this response is safe to process.
+ ajax_set_verification_header();
+
// Print the response.
$commands = ajax_prepare_response($page_callback_result);
$json = ajax_render($commands);
@@ -577,6 +584,29 @@
}
/**
+ * Sets a response header for ajax.js to trust the response body.
+ *
+ * It is not safe to invoke Ajax commands within user-uploaded files, so this
+ * header protects against those being invoked.
+ *
+ * @see Drupal.ajax.options.success()
+ */
+function ajax_set_verification_header() {
+ $added = &drupal_static(__FUNCTION__);
+
+ // User-uploaded files cannot set any response headers, so a custom header is
+ // used to indicate to ajax.js that this response is safe. Note that most
+ // Ajax requests bound using the Form API will be protected by having the URL
+ // flagged as trusted in Drupal.settings, so this header is used only for
+ // things like custom markup that gets Ajax behaviors attached.
+ if (empty($added)) {
+drupal_add_http_header('X-Drupal-Ajax-Token', '1');
+// Avoid sending the header twice.
+$added = TRUE;
+ }
+}
+
+/**
* Performs end-of-Ajax-request tasks.
*
* This function is the equivalent of drupal_page_footer(), but for Ajax
@@ -764,7 +794,12 @@
$element['#attached']['js'][] = array(
'type' => 'setting',
- 'data' => array('ajax' => array($element['#id'] => $settings)),
+ 'data' => array(
+'ajax' => array($element['#id'] => $settings),
+'urlIsAjaxTrusted' => array(
+ $settings['url'] => TRUE,
+),
+ ),
);
// Indicate that Ajax processing was successful.
diff -Nru drupal-7.38/includes/database/database.inc drupal-7.39/includes/database/database.inc
--- drupal-7.38/includes/database/database.inc 2015-06-17 20:38:44.0 +0200
+++ drupal-7.39/includes/database/database.inc 2015-08-19 23:20:31.0 +0200
@@ -626,7 +626,7 @@
* A sanitized version of the query comment string.
*/
protected function filterComment($comment = '') {
-return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment);
+return strtr($comment, array('*' => ' * '));
}
/**
diff -Nru drupal-7.38/includes/form.inc drupal-7.39/includes/form.inc
--- drupal-7.38/includes/form.inc 2015-06-17 20:38:44.0 +0200
+++ drupal-7.39/includes/form.inc 2015-08-19 23:20:31.0 +0200
@@ -1128,6 +1128,17 @@
drupal_alter($hooks, $form, $form_state, $form_id);
}
+/**
+ * Helper function to call form_set_error() if there is a token error.
+ */
+function _drupal_invalid_token_set_form_error() {
+ $path = current_path();
+ $query = drupal_get_query_parameters();
+ $url = url($path, array('query' => $query));
+
+ // Setting this error will cause the form to fail validation.
+ form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then reload this page.', array('@link' => $url)));
+}
/**
* Validates user-submitted form data in the $form_state array.
@@ -1162,16 +1173,11 @@
}
// If the session token was set by drupal_prepare_form(), ensure that it
- // matches the current user's session.
+ // matches the current user's session. This is duplicate to code in
+ // form_builder() but left to protect any custom form handling code.
if (isset($form['#token'])) {
-if (!drupal_valid_token($form_state['values']['form_token'], $form['#token'])) {
- $path = current_path();
- $query = drupal_get_query_parameters();
- $url = url($path, array('query' => $query));
-
- // Setting this error will cause the form to fail validation.
- form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then reload this page.', array('@link' => $url)));
-
+if (!drupal_valid_token($form_state['values'
Bug#789165: SA-CORE-2015-002 -- please also fix for backports...
Package: drupal7
Version: 7.32-1+deb8u3~bpo70+1
Tags: patch,security
Severity: grave
Hi!
As SA-CORE-2015-002[1] is already public, I extracted the patch (diff
between 7.37 and 7.38 plus removed the version bumps).
It would be great if you could upload to wheezy-backports too...
Thanks!
-- Adi
[1] https://www.drupal.org/SA-CORE-2015-002
diff -Nru drupal-7.37/includes/common.inc drupal-7.38/includes/common.inc
--- drupal-7.37/includes/common.inc 2015-05-07 06:13:18.0 +0200
+++ drupal-7.38/includes/common.inc 2015-06-17 20:38:44.0 +0200
@@ -6329,13 +6329,21 @@
}
if (!empty($granularity)) {
+$cache_per_role = $granularity & DRUPAL_CACHE_PER_ROLE;
+$cache_per_user = $granularity & DRUPAL_CACHE_PER_USER;
+// User 1 has special permissions outside of the role system, so when
+// caching per role is requested, it should cache per user instead.
+if ($user->uid == 1 && $cache_per_role) {
+ $cache_per_user = TRUE;
+ $cache_per_role = FALSE;
+}
// 'PER_ROLE' and 'PER_USER' are mutually exclusive. 'PER_USER' can be a
// resource drag for sites with many users, so when a module is being
// equivocal, we favor the less expensive 'PER_ROLE' pattern.
-if ($granularity & DRUPAL_CACHE_PER_ROLE) {
+if ($cache_per_role) {
$cid_parts[] = 'r.' . implode(',', array_keys($user->roles));
}
-elseif ($granularity & DRUPAL_CACHE_PER_USER) {
+elseif ($cache_per_user) {
$cid_parts[] = "u.$user->uid";
}
diff -Nru drupal-7.37/modules/field_ui/field_ui.admin.inc drupal-7.38/modules/field_ui/field_ui.admin.inc
--- drupal-7.37/modules/field_ui/field_ui.admin.inc 2015-05-07 06:13:18.0 +0200
+++ drupal-7.38/modules/field_ui/field_ui.admin.inc 2015-06-17 20:38:44.0 +0200
@@ -2105,6 +2105,10 @@
$destinations = !empty($_REQUEST['destinations']) ? $_REQUEST['destinations'] : array();
if (!empty($destinations)) {
unset($_REQUEST['destinations']);
+ }
+ // Remove any external URLs.
+ $destinations = array_diff($destinations, array_filter($destinations, 'url_is_external'));
+ if ($destinations) {
return field_ui_get_destinations($destinations);
}
$admin_path = _field_ui_bundle_admin_path($entity_type, $bundle);
diff -Nru drupal-7.37/modules/field_ui/field_ui.test drupal-7.38/modules/field_ui/field_ui.test
--- drupal-7.37/modules/field_ui/field_ui.test 2015-05-07 06:13:18.0 +0200
+++ drupal-7.38/modules/field_ui/field_ui.test 2015-06-17 20:38:44.0 +0200
@@ -445,6 +445,19 @@
$this->assertText(t('The machine-readable name is already in use. It must be unique.'));
$this->assertUrl($url, array(), 'Stayed on the same page.');
}
+
+ /**
+ * Tests that external URLs in the 'destinations' query parameter are blocked.
+ */
+ function testExternalDestinations() {
+$path = 'admin/structure/types/manage/article/fields/field_tags/field-settings';
+$options = array(
+ 'query' => array('destinations' => array('http://example.com')),
+);
+$this->drupalPost($path, NULL, t('Save field settings'), $options);
+
+$this->assertUrl('admin/structure/types/manage/article/fields', array(), 'Stayed on the same site.');
+ }
}
/**
diff -Nru drupal-7.37/modules/openid/openid.module drupal-7.38/modules/openid/openid.module
--- drupal-7.37/modules/openid/openid.module 2015-05-07 06:13:18.0 +0200
+++ drupal-7.38/modules/openid/openid.module 2015-06-17 20:38:44.0 +0200
@@ -365,14 +365,20 @@
// to the OpenID Provider, we need to do discovery on the returned
// identififer to make sure that the provider is authorized to
// respond on behalf of this.
-if ($response_claimed_id != $claimed_id) {
+if ($response_claimed_id != $claimed_id || $response_claimed_id != $response['openid.identity']) {
$discovery = openid_discovery($response['openid.claimed_id']);
+ $uris = array();
if ($discovery && !empty($discovery['services'])) {
-$uris = array();
foreach ($discovery['services'] as $discovered_service) {
- if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
-$uris[] = $discovered_service['uri'];
+ if (!in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) && !in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
+continue;
}
+ // The OP-Local Identifier (if different than the Claimed
+ // Identifier) must be present in the XRDS document.
+ if ($response_claimed_id != $response['openid.identity'] && (!isset($discovered_service['identity']) || $discovered_service['identity'] != $response['openid.identit
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Tags: security, patch
find the Ubuntu patch attached.
best regards,
Adi Kriegisch
=== modified file 'bin/named/query.c'
--- bin/named/query.c 2011-11-16 14:22:11 +
+++ bin/named/query.c 2012-10-05 09:45:39 +
@@ -1024,13 +1024,6 @@
mname = NULL;
}
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
*mnamep = mname;
CTRACE("query_isduplicate: false: done");
@@ -1228,6 +1221,7 @@
if (dns_rdataset_isassociated(rdataset) &&
!query_isduplicate(client, fname, type, &mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, &fname);
fname = mname;
} else
@@ -1288,11 +1282,13 @@
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
-if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
-} else
- need_addname = ISC_TRUE;
+if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+}
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1331,11 +1327,13 @@
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_, &mname)) {
-if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
-} else
- need_addname = ISC_TRUE;
+if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+}
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1846,22 +1844,24 @@
crdataset->type == dns_rdatatype_) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
-if (mname != NULL) {
- /*
- * A different type of this name is
- * already stored in the additional
- * section. We'll reuse the name.
- * Note that this should happen at most
- * once. Otherwise, fname->link could
- * leak below.
- */
- INSIST(mname0 == NULL);
+if (mname != fname) {
+ if (mname != NULL) {
+ /*
+ * A different type of this name is
+ * already stored in the additional
+ * section. We'll reuse the name.
+ * Note that this should happen at most
+ * once. Otherwise, fname->link could
+ * leak below.
+ */
+ INSIST(mname0 == NULL);
- query_releasename(client, &fname);
- fname = mname;
- mname0 = mname;
-} else
- need_addname = ISC_TRUE;
+ query_releasename(client, &fname);
+ fname = mname;
+ mname0 = mname;
+ } else
+ need_addname = ISC_TRUE;
+}
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
=== modified file 'debian/changelog'
--- debian/changelog 2012-09-12 16:16:57 +
+++ debian/changelog 2012-10-05 09:45:39 +
@@ -1,3 +1,12 @@
+bind9 (1:9.7.3.dfsg-1ubuntu4.5) oneiric-security; urgency=low
+
+ * SECURITY UPDATE: denial of service via specific combinations of RDATA
+- bin/named/query.c: fix logic
+- Patch backported from 9.8.3-P4
+- CVE-2012-5166
+
+ -- Marc Deslauriers Fri, 05 Oct 2012 09:45:39 -0400
+
bind9 (1:9.7.3.dfsg-1ubuntu4.4) oneiric-security; urgency=low
* SECURITY UPDATE: denial of service via large crafted resource record
signature.asc
Description: Digital signature
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Package: bind9
Tags: security
Severity: grave
A security relevant bug on all versions of bind9 has been discovered. Only
recursive servers are vulnerable. To mitigate the effects of a possible
attack it should be sufficient to set "minimal-responses yes;" in the
global "options {}" section.
As information on that bug already leaked (and even got mailed to
full-disclosure by Mandriva), I am reporting to the Debian bugtracker.
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166 and
https://kb.isc.org/article/AA-00801 for details.
best regards,
Adi Kriegisch
signature.asc
Description: Digital signature
