[Secure-testing-team] Bug#720632: znc: CVE-2013-2130: NULL pointer dereference vulnerabilities

2013-08-24 Thread Salvatore Bonaccorso
Package: znc
Version: 1.0-4
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for znc.

CVE-2013-2130[0]:
null pointer dereference in webadmin

See references for additional information and a patch. This only
affects znc 1.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-2130
[1] https://github.com/znc/znc/commit/2bd410ee5570cea127233f1133ea22f25174eb28
[2] http://www.openwall.com/lists/oss-security/2013/05/30/3

Regards,
Salvatore

___
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team


[Secure-testing-team] Bug#720735: initramfs-tools: mkinitramfs uses ldd, which is insecure and generates core dumps

2013-08-24 Thread Vincent Lefevre
Package: initramfs-tools
Version: 0.113
Severity: important
Tags: security

I've noticed that when running update-initramfs, a core dump was
generated in the current directory, which is in itself a first bug.

After looking at this problem with strace, I saw that this came from:

  /usr/bin/ldd /lib/firmware/cis/PCMLM28.cis

apparently via mkinitramfs. The strace output shows:

23190 execve(/libx32/ld-linux-x32.so.2, [/libx32/ld-linux-x32.so.2], [/* 
115 vars */]) = 0
23190 syscall_1073741836(0, 0, 0x400c, 0xbfebfbff, 0x37f, 0x64, 0x1000, 
0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 
0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 
0x1000, 0x1000, 0x1000, 0x1000, 0x1000) = -1 (errno 38)
23190 syscall_1073742340(0x2, 0xfffbaa70, 0x1, 0xbfebfbff, 0xf77b0a3e, 
0xf776d8cc, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 
0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 
0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 
0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 
0xf776ef7d, 0xf776ef7d, 0xf776ef7d) = -1 (errno 38)
23190 syscall_1073742055(0x7f, 0x403c, 0x7f, 0xbfebfbff, 0x40e7, 
0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
23190 syscall_1073741884(0x7f, 0x403c, 0x7f, 0xbfebfbff, 0x40e7, 
0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
23190 --- SIGSEGV (Segmentation fault) @ 0 (0) ---

I wonder whether it may be a security bug. /libx32 is not necessarily
a standard directory, and could for instance be NFS mounted, have
write-access to more people, or whatever; only some particular
packages use this directory, but if they are not installed, I assume
that the admin is free to do whatever he wants with it, and tools
like mkinitramfs are not supposed to run anything from it.

And this is not a bug in ldd, as the ldd man page says:

   Security
       In the usual case, ldd invokes the standard dynamic linker (see
       ld.so(8)) with the LD_TRACE_LOADED_OBJECTS environment variable set to
       1, which causes the linker to display the library dependencies. Be
       aware, however, that in some circumstances, some versions of ldd may
       attempt to obtain the dependency information by directly executing the
       program. Thus, you should never employ ldd on an untrusted executable,
       since this may result in the execution of arbitrary code. A safer
       alternative when dealing with untrusted executables is:

           $ objdump -p /path/to/program | grep NEEDED

For this reason, I think that the use of ldd should be dropped
entirely from initramfs-tools. It might ease privilege escalation
if there's another security bug on the system.

-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 13M 2013-08-24 23:54:26 /boot/initrd.img-3.10-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:31 /boot/initrd.img-3.10-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:36:02 /boot/initrd.img-3.8-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:55 /boot/initrd.img-3.8-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:46 /boot/initrd.img-3.9-1-amd64
-- /proc/cmdline
root=/dev/mapper/xvii-root ro quiet reboot=pci

-- resume
RESUME=/dev/mapper/xvii-swap_1
-- /proc/filesystems
ext3
fuseblk
ext2

-- lsmod
Module                 Size  Used by
cuse                  12971  3
cpufreq_powersave     12454  0
cpufreq_stats         12866  0
cpufreq_userspace     12576  0
cpufreq_conservative  14184  0
xt_multiport          12548  2
iptable_filter        12536  1
ip_tables             22036  1 iptable_filter
x_tables              19041  3 ip_tables,xt_multiport,iptable_filter
parport_pc            22409  0
ppdev                 12763  0
lp                    13025  0
parport               31901  3 lp,ppdev,parport_pc
bnep                  17535  2
rfcomm                33471  0
bluetooth            170002  10 bnep,rfcomm
crc16                 12343  1 bluetooth
binfmt_misc           12925  1
uinput                17439  1
nfsd                 192007  2
auth_rpcgss           39085  1 nfsd
oid_registry          12419  1 auth_rpcgss
nfs_acl               12511  1 nfsd
nfs                  110304  0
lockd                 59673  2 nfs,nfsd
dns_resolver          12641  1 nfs
fscache               37551  1 nfs
sunrpc               164583  6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
ext2                  59601  1
firewire_sbp2         17956  0
loop                  22869  0
fuse                  67503  2 cuse
uvcvideo              66788  0
arc4                  12543  2
iwldvm               111931  0
coretemp              12898  0
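Added example, not part of either bug report above: the point of the initramfs-tools report is that ldd may execute the file it is asked about, so dependency information should be read from the file's bytes instead (which is what the man page's `objdump -p | grep NEEDED` does). The reader below does the same thing without objdump, parsing the DT_NEEDED entries of a little-endian ELF64 image in pure Python and returning None for non-ELF input such as a firmware .cis blob; the ELF constants are the standard ones, and `build_sample_elf` is a constructed test input rather than a real binary.

```python
import struct

# Standard ELF constants (from the ELF specification, not from the bug report).
ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def elf_needed(data):
    """Return the DT_NEEDED library names of a little-endian ELF64 image, or None
    when the bytes are not ELF at all (e.g. a firmware blob like a .cis file).
    Only the bytes are inspected; nothing is loaded or executed, unlike ldd."""
    if data[:4] != ELF_MAGIC:
        return None
    if len(data) < 64 or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    shoff = struct.unpack_from("<Q", data, 40)[0]           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 58)  # e_shentsize, e_shnum
    sections = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = sections[sh[6]]  # sh_link of .dynamic points at .dynstr
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(sh[4], sh[4] + sh[5], 16):
            tag, val = struct.unpack_from("<qQ", data, off)  # Elf64_Dyn: d_tag, d_val
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(strs[val:strs.index(b"\0", val)].decode())
    return needed

def build_sample_elf(libs):
    """Constructed test input: a minimal ELF64 carrying only a section table,
    .dynstr and .dynamic, so the reader can be exercised offline."""
    dynstr = b"\0" + b"".join(lib.encode() + b"\0" for lib in libs)
    offsets = [1 + sum(len(x) + 1 for x in libs[:i]) for i in range(len(libs))]
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    shoff, dynstr_off = 64, 64 + 3 * 64
    dynamic_off = dynstr_off + len(dynstr)
    ehdr = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9  # ELFCLASS64, little-endian, EV_CURRENT
    # e_type=ET_DYN, e_machine=x86-64, then offsets/sizes of the section table.
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    def shdr(typ, off, size, link):
        return struct.pack(SHDR, 0, typ, 0, 0, off, size, link, 0, 1, 0)
    shdrs = shdr(0, 0, 0, 0) + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0)
    shdrs += shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1)
    return ehdr + shdrs + dynstr + dynamic
```

Feeding `elf_needed` the bytes of a file such as /lib/firmware/cis/PCMLM28.cis would simply yield None, where ldd tried to run the file and crashed.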