Re: CVE-2020-36193 php-pear vs drupal7

2021-03-09 Thread Ola Lundqvist
Hi Gunnar, all

See below.

On Tue, 9 Mar 2021 at 05:11, Gunnar Wolf  wrote:

> Hello Ola, Salvatore, Chris et. al.!
>
> Ola Lundqvist said [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> > Hi Salvatore, Gunnar, all
> >
> > When looking further into this issue I do not think drupal7 is completely
> > fixed.
> > The Drupal 7 package includes the following fix:
> > +if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
> >
> > But it is missing the depth check
> > https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
> >
> > Or is it something that makes that depth check unnecessary?
> >
> > I'm asking since I'm looking into the php-pear fix and it should be very
> > similar to the drupal 7 fix.
>
> Umh... Did you consider the following patch?
>
>
> https://salsa.debian.org/debian/drupal7/-/blob/stretch/debian/patches/SA-CORE-2021-001
>
>
Yes, that is the "if (strpos(..." fix I was referring to below.
This is needed, but for php-pear there is also the fix to check for
multiple ../.. as protection mentioned as part of this CVE. This is not
included in the Drupal fix you mention and then obviously not in the
uploaded package either.

To me it looks like we have one more flaw to fix in Drupal. The question is
whether it should be handled as part of this CVE, or if we should consider
requesting a new CVE for it.


> I understand, but will admit that I didn't dig deep at all, that the
> Drupal7 team considers this as fixed WRT CVE-2020-36193. But, of
> course, my handling of this issue was basically only backporting the
> (very simple) diff in question from their 7.78 to our 7.52.
>

I see.

Best regards

// Ola


> Greetings,
>


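The two checks the thread distinguishes, as an added illustration in PHP that is not Archive_Tar's, php-pear's or Drupal's own code: the `strpos(realpath(dirname(...)), realpath(...))` test for an absolute link target, and a depth check that bounds the `../` segments of a relative target by how deep the symlink entry sits in the archive. The helper names, the split between absolute and relative targets, and the sample entries are assumptions of this example.

```php
<?php
// Added illustration, not Archive_Tar's, php-pear's or Drupal's own code:
// the two checks the thread distinguishes for a tar symlink entry, run
// before the link is created under the extraction directory $p_path.
// Walk a slash-separated path and return [final depth, lowest depth reached];
// a named segment adds a level, ".." removes one, so "a/../../b" gives [0, -1].
function path_depths(string $path): array
{
    $depth = $lowest = 0;
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        $depth += ($segment === '..') ? -1 : 1;
        $lowest = min($lowest, $depth);
    }
    return [$depth, $lowest];
}

function symlink_entry_is_safe(string $entry_name, string $link_target, string $p_path): bool
{
    if ($link_target === '') { return false; }
    if ($link_target[0] === '/') {
        // Check 1, the strpos(realpath(dirname(link)), realpath(path)) test from
        // the Drupal patch: an absolute target must resolve under the extraction
        // directory. realpath() is false for a missing path; the trailing slash
        // stops "/tmp/out2" matching the root "/tmp/out".
        $root = realpath($p_path);
        $dir = realpath(dirname($link_target));
        if ($root === false || $dir === false) { return false; }
        return $dir === $root || strpos($dir, rtrim($root, '/') . '/') === 0;
    }
    // Check 2, the depth check the php-pear fix adds: a relative target is resolved
    // from the symlink's own directory, so its "../" segments are bounded by depth.
    [$entry_dir_depth] = path_depths(dirname($entry_name));
    [, $lowest] = path_depths($link_target);
    return $entry_dir_depth + $lowest >= 0;
}

// Constructed sample entries: [name, link target, expected verdict].
$samples = [
    ['sub/dir/link', '../../etc/passwd',    true],  // lands on the root
    ['sub/dir/link', '../../../etc/passwd', false], // climbs out of it
    ['sub/link',     'x/../../../../y',     false], // dips below the root
    ['link',         '/etc/passwd',         false], // absolute, outside
];
foreach ($samples as [$name, $target, $expected]) {
    $verdict = symlink_entry_is_safe($name, $target, sys_get_temp_dir());
    printf("%-13s %-21s %s\n", $name, $target, $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

The example assumes the entry name itself has already passed the separate filename `../` check; only the link target is judged here.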


Accepted zeromq3 4.2.1-4+deb9u4 (source) into oldstable

2021-03-09 Thread Debian FTP Masters

Format: 1.8
Date: Tue, 09 Mar 2021 19:45:32 +0100
Source: zeromq3
Binary: libzmq5 libzmq3-dev libzmq5-dbg
Architecture: source
Version: 4.2.1-4+deb9u4
Distribution: stretch-security
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) 
Changed-By: Anton Gladky 
Description:
 libzmq3-dev - lightweight messaging kernel (development files)
 libzmq5    - lightweight messaging kernel (shared library)
 libzmq5-dbg - lightweight messaging kernel (debugging symbols)
Changes:
 zeromq3 (4.2.1-4+deb9u4) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2021-20234
     Memory leak in client induced by malicious server without CURVE/ZAP
   * CVE-2021-20235
     Heap overflow when receiving malformed ZMTP v1 packets




Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-09 Thread Abhijith PA
On 09/03/21 10:47 AM, Roland Rosenfeld wrote:
> Hi Abhijith!
> 
> On Tue, 09 Mar 2021, Abhijith PA wrote:
> 
> > Roland, thanks again for the patch. I can see that last LTS update
> > (3.0.26-3+deb9u1) done by you. Hope you can upload this time as
> > well. If not, let me know. I am happy to help. Once uploaded to
> > archive I will take care of DLA and announcements.
> 
> Thanks for your support.
> 
> I just uploaded privoxy_3.0.26-3+deb9u2_source.changes to
> security-master.
> 
> Once it is installed, it would be great if you could do DLA etc.

DLA 2587-1. This is done. Thanks

--abhijith



[SECURITY] [DLA 2586-1] linux security update

2021-03-09 Thread Ben Hutchings
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2586-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
March 08, 2021                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: linux
Version: 4.9.258-1
CVE ID : CVE-2019-19318 CVE-2019-19813 CVE-2019-19816 CVE-2020-27815 
 CVE-2020-27825 CVE-2020-28374 CVE-2020-29568 CVE-2020-29569 
 CVE-2020-29660 CVE-2020-29661 CVE-2020-36158 CVE-2021-3178 
 CVE-2021-3347 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 
 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2019-19318, CVE-2019-19813, CVE-2019-19816

"Team bobfuzzer" reported bugs in Btrfs that could lead to a
use-after-free or heap buffer overflow, and could be triggered by
crafted filesystem images.  A user permitted to mount and access
arbitrary filesystems could use these to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2020-27815

A flaw was reported in the JFS filesystem code allowing a local
attacker with the ability to set extended attributes to cause a
denial of service.

CVE-2020-27825

Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace
ring buffer resizing logic due to a race condition, which could
result in denial of service or information leak.

CVE-2020-28374

David Disseldorp discovered that the LIO SCSI target implementation
performed insufficient checking in certain XCOPY requests. An
attacker with access to a LUN and knowledge of Unit Serial Number
assignments can take advantage of this flaw to read and write to any
LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

Michael Kurth and Pawel Wieczorkiewicz reported that frontends can
trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free
flaw which can be triggered by a block frontend in Linux blkback. A
misbehaving guest can trigger a dom0 crash by continuously
connecting / disconnecting a block frontend.

CVE-2020-29660

Jann Horn reported a locking inconsistency issue in the tty
subsystem which may allow a local attacker to mount a
read-after-free attack against TIOCGSID.

CVE-2020-29661

Jann Horn reported a locking issue in the tty subsystem which can
result in a use-after-free. A local attacker can take advantage of
this flaw for memory corruption or privilege escalation.

CVE-2020-36158

A buffer overflow flaw was discovered in the mwifiex WiFi driver
which could result in denial of service or the execution of
arbitrary code via a long SSID value.

CVE-2021-3178

吴异 reported an information leak in the NFSv3 server.  When only
a subdirectory of a filesystem volume is exported, an NFS client
listing the exported directory would obtain a file handle to the
parent directory, allowing it to access files that were not meant
to be exported.

Even after this update, it is still possible for NFSv3 clients to
guess valid file handles and access files outside an exported
subdirectory, unless the "subtree_check" export option is enabled.
It is recommended that you do not use that option but only export
whole filesystem volumes.

CVE-2021-3347

It was discovered that PI futexes have a kernel stack use-after-free
during fault handling. An unprivileged user could use this flaw to
crash the kernel (resulting in denial of service) or for privilege
escalation.

CVE-2021-26930 (XSA-365)

Olivier Benjamin, Norbert Manthey, Martin Mazein, and Jan
H. Schönherr discovered that the Xen block backend driver
(xen-blkback) did not handle grant mapping errors correctly.  A
malicious guest could exploit this bug to cause a denial of
service (crash), or possibly an information leak or privilege
escalation, within the domain running the backend, which is
typically dom0.

CVE-2021-26931 (XSA-362), CVE-2021-26932 (XSA-361), CVE-2021-28038 (XSA-367)

Jan Beulich discovered that the Xen support code and various Xen
backend drivers did not handle grant mapping errors correctly.  A
malicious guest could exploit these bugs to cause a denial of
service (crash) within the domain running the backend, which is
typically dom0.

CVE-2021-27363

Adam Nichols reported that the iSCSI initiator subsystem did not
properly restrict access to transport handle attributes in sysfs.
On a system acting as an iSCSI initiator, 

[SECURITY] [DLA 2587-1] privoxy security update

2021-03-09 Thread Abhijith PA

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2587-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
March 09, 2021                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: privoxy
Version: 3.0.26-3+deb9u2
CVE ID : CVE-2021-20272 CVE-2021-20273 CVE-2021-20275 
 CVE-2021-20276

Multiple vulnerabilities were discovered in privoxy, a web proxy with
advanced filtering capabilities.

CVE-2021-20272

An assertion failure could be triggered with a crafted CGI
request, leading to a server crash.

CVE-2021-20273

A crash can occur via a crafted CGI request if Privoxy is toggled 
off.

CVE-2021-20275

An invalid read of size two may occur in
chunked_body_is_complete(), leading to denial of service.

CVE-2021-20276

Invalid memory access with an invalid pattern passed to 
pcre_compile() may lead to denial of service.

For Debian 9 stretch, these problems have been fixed in version
3.0.26-3+deb9u2.

We recommend that you upgrade your privoxy packages.

For the detailed security status of privoxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/privoxy

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: CVE-2021-3121 stretch patch review request and request for test help

2021-03-09 Thread Sylvain Beucler

Hi,

I'll let the Go packagers answer authoritatively but as I'm currently 
working on golang fixes I'd like to share a few points:


On 08/03/2021 22:48, Ola Lundqvist wrote:

> I have prepared a patch for CVE-2021-3121 described in:
> https://security-tracker.debian.org/tracker/CVE-2021-3121
>
> You can find the patch here:
> http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
>
> The patch is based on the following commit:
> https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
>
> My conclusion is that the field function in stretch is unaffected. The
> reason is that there is no skippy check there at all in the stretch version.
> For the generate function the iNdEx check was not in place so I added
> it, similar to the patch.
>
> I do have a problem, and that is to check whether the code introduces
> some regression issue. Also since the CVE lacks a description of the
> effect of this problem I have little knowledge on what the result of
> this may be.
>
> Therefore I would highly appreciate a description of what this problem
> is and how to regression test the package.


This appears to be a tricky issue to fix.

First, due to static linking in Go, dependencies need to be rebuilt too, 
but even then, the vulnerability lies in generated code.

(see below for a list of deps)

Then, the vulnerability appears to be a serialization issue but even the 
netapp report is vague.


To test the fix, the package comes with a testsuite, though the original 
patch includes dozens of testsuite changes (mostly regenerated files). 
Then all the dependencies (that need a rebuild) do provide another way 
to check if something broke.


It should be noted that golang* packages are supported in stretch but
come with limited support, not due to code generation but due to Go
static linking in the first place:

https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited


If you do decide to support this package, I recently documented how to 
find direct reverse build dependencies at:

https://wiki.debian.org/LTS/TestSuites/golang

$ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev -T debsrc \
    debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources \
    deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages \
  | grep-dctrl -n -s Package '' | sort -u

gobgp
golang-github-appc-goaci
golang-github-appc-spec
golang-github-mesos-mesos-go
influxdb
syncthing
(Note: this is not recursive.)


In addition, apt-file does provide a list of generated .pb.go files,
though it also includes those from "plain" protobuf (of which
gogoprotobuf is a fork), so not all are affected (the affected ones
should contain "skippy" somewhere):

# apt-file search .pb.go | cut -d: -f1 | sort -u
golang-github-appc-spec-dev
golang-github-gogo-protobuf-dev
golang-github-golang-groupcache-dev
golang-github-influxdb-influxdb-dev
golang-github-mesos-mesos-go-dev
golang-github-opencontainers-runc-dev
golang-github-osrg-gobgp-dev
golang-github-prometheus-alertmanager-dev
golang-github-prometheus-client-model-dev
golang-github-syncthing-syncthing-dev
golang-gomega-dev
golang-google-appengine-dev
golang-google-genproto-dev
golang-google-grpc-dev
golang-gopkg-dancannon-gorethink.v1-dev
golang-gopkg-dancannon-gorethink.v2-dev
golang-goprotobuf-dev


Cheers!
Sylvain



Accepted privoxy 3.0.26-3+deb9u2 (source) into oldstable

2021-03-09 Thread Debian FTP Masters

Format: 1.8
Date: Mon, 08 Mar 2021 14:11:04 +0100
Source: privoxy
Architecture: source
Version: 3.0.26-3+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Roland Rosenfeld 
Changed-By: Roland Rosenfeld 
Changes:
 privoxy (3.0.26-3+deb9u2) stretch-security; urgency=medium
 .
   * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
     triggered with a crafted CGI request (CVE-2021-20272).
   * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
     Prevents a crash with a crafted CGI request if Privoxy is toggled off
     (CVE-2021-20273).
   * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
     size two (CVE-2021-20275).
   * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
     (CVE-2021-20276).




Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-09 Thread Roland Rosenfeld
Hi Abhijith!

On Tue, 09 Mar 2021, Abhijith PA wrote:

> Roland, thanks again for the patch. I can see that last LTS update
> (3.0.26-3+deb9u1) done by you. Hope you can upload this time as
> well. If not, let me know. I am happy to help. Once uploaded to
> archive I will take care of DLA and announcements.

Thanks for your support.

I just uploaded privoxy_3.0.26-3+deb9u2_source.changes to
security-master.

Once it is installed, it would be great if you could do DLA etc.

Greetings
Roland

