[SECURITY] [DLA 324-1] binutils security update

2015-10-01 Thread Ben Hutchings
Package: binutils
Version: 2.20.1-16+deb6u2
CVE ID : CVE-2012-3509
Debian Bug : 688951

This update fixes several issues as described below.

PR ld/12613 (no CVE assigned)

Niranjan Hasabnis discovered that passing a malformed linker
script to GNU ld, part of binutils, may result in a stack buffer
overflow.  If the linker is used with untrusted object files, this
would allow remote attackers to cause a denial of service (crash)
or possibly privilege escalation.

CVE-2012-3509
#688951

Sang Kil Cha discovered that a buffer size calculation in
libiberty, part of binutils, may result in integer overflow and
then a heap buffer overflow.  If libiberty or the commands in
binutils are used to read untrusted binaries, this would allow
remote attackers to cause a denial of service (crash) or possibly
privilege escalation.

PR binutils/18750 (no CVE assigned)

Joshua Rogers reported that passing a malformed ihex (Intel
hexadecimal) file to various commands in binutils may result in
a stack buffer overflow.  A similar issue was found in readelf.
If these commands are used to read untrusted binaries, this would
allow remote attackers to cause a denial of service (crash) or
possibly privilege escalation.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 2.20.1-16+deb6u2.

For the oldstable distribution (wheezy) and the stable distribution
(jessie), PR ld/12613 and CVE-2012-3509 were fixed before release, and
PR binutils/18750 will be fixed in a later update.

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams






[SECURITY] [DLA 323-1] fuseiso security update

2015-10-01 Thread Mike Gabriel
Package: fuseiso
Version: 20070708-2+deb6u1
Debian Bug : #779047

The following two issues have recently been fixed in Debian LTS (squeeze)
for the fuseiso package.

Issue 1

An integer overflow, leading to a heap-based buffer overflow flaw was
found in the way FuseISO, a FUSE module to mount ISO filesystem
images, performed reading of certain ZF blocks of particular inodes.
A remote attacker could provide a specially-crafted ISO file that,
when mounted via the fuseiso tool would lead to fuseiso binary crash.

This issue was discovered by Florian Weimer of Red Hat Product
Security Team.

The issue got resolved by bailing out before ZF blocks that exceed the
supported block size of 2^17 are to be read.

Issue 2

A stack-based buffer overflow flaw was found in the way FuseISO, a
FUSE module to mount ISO filesystem images, performed expanding of
directory portions for absolute path filename entries. A remote
attacker could provide a specially-crafted ISO file that, when
mounted via fuseiso tool would lead to fuseiso binary crash or,
potentially, arbitrary code execution with the privileges of the user
running the fuseiso executable.

This issue was discovered by Florian Weimer of Red Hat Product
Security Team.

The issue got resolved by checking the resulting length of an
absolute path name and by bailing out if the platform's PATH_MAX
value gets exceeded.

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
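
The two fixes described in this advisory (checking the joined path length against PATH_MAX, and rejecting ZF block shifts above 17 before shifting), written as stand-alone C. This is an added example, not fuseiso's code and not part of the original message; `join_entry_path` and `zf_block_size_checked` are hypothetical helper names, and the signed `int` shift type is an assumption.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#ifndef PATH_MAX
#define PATH_MAX 4096           /* fallback; assumption for non-POSIX builds */
#endif
#define ZF_MAX_BLOCK_SHIFT 17   /* limit named in the advisory: 2^17 */

/* Hypothetical helper: write "<dir>/<entry>" into out (outsz bytes).
 * snprintf bounds the whole result, separator and NUL included, and its
 * return value tells us whether anything had to be cut off. */
int join_entry_path(const char *dir, const char *entry, char *out, size_t outsz)
{
    /* The root directory "/" already ends in the separator. */
    const char *sep = (dir[0] == '/' && dir[1] == '\0') ? "" : "/";
    int n = snprintf(out, outsz, "%s%s%s", dir, sep, entry);

    if (n < 0)
        return -EIO;
    if ((size_t)n >= outsz) {       /* would not fit: reject, never truncate */
        if (outsz > 0)
            out[0] = '\0';
        return -ENAMETOOLONG;
    }
    return 0;
}

/* Hypothetical helper: validate an on-disk shift before using it.
 * Both bounds are checked; the shift type (int) is an assumption. */
int zf_block_size_checked(int shift, size_t *size_out)
{
    if (shift < 0 || shift > ZF_MAX_BLOCK_SHIFT)
        return -EIO;
    *size_out = (size_t)1 << shift;
    return 0;
}

int main(void)
{
    char path[PATH_MAX];
    size_t bs = 0;
    int rc = zf_block_size_checked(17, &bs);

    printf("shift 17: rc=%d size=%zu\n", rc, bs);
    printf("shift 31: rc=%d\n", zf_block_size_checked(31, &bs));
    printf("join: rc=%d\n", join_entry_path("/docs", "readme.txt", path, sizeof path));
    return 0;
}
```

Checking the snprintf return value covers the separator and the terminating NUL in one place, so no partial append can happen before the bound is tested.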





[SECURITY] [DLA 322-1] commons-httpclient security update

2015-10-01 Thread Mike Gabriel
Package: commons-httpclient
Version: 3.1-9+deb6u2
CVE ID : CVE-2015-5262

Trevin Beattie [1] discovered an issue where one could observe hanging
threads in a multi-threaded Java application. After debugging the issue,
it became evident that the hanging threads were caused by the SSL
initialization code in commons-httpclient.

This upload fixes this issue by respecting the configured SO_TIMEOUT
during SSL handshakes with the server.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1259892

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net





Re: squeeze update of fuseiso?

2015-10-01 Thread Mike Gabriel

Hi all,

On  Do 16 Jul 2015 20:41:43 CEST, Ben Hutchings wrote:


> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


Attached you find a .debdiff for fuseiso in unstable adding two  
patches to fuseiso, that hopefully fix the reported issues [1,2].


Under [1,2] Florian Weimer from Redhat offers two ISO images that  
reproduce the observed issues. I am still waiting for Florian Weimer  
to get back to me about those ISO images (one ISO arrived here in a  
corrupt state, the other ISO I have only just asked for).


I have tested my changes on the code in respect to potential  
breakages, ISO images mount well here with the changes applied. But  
the real test will happen, once I have the reproducer ISO images at  
hand.


Greets,
Mike

[1] https://bugzilla.redhat.com/show_bug.cgi?id=862211
[2] https://bugzilla.redhat.com/show_bug.cgi?id=861358



--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
diff -Nru fuseiso-20070708/debian/changelog fuseiso-20070708/debian/changelog
--- fuseiso-20070708/debian/changelog   2014-10-02 02:55:59.0 +0200
+++ fuseiso-20070708/debian/changelog   2015-10-01 10:34:35.0 +0200
@@ -1,3 +1,16 @@
+fuseiso (20070708-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches (Closes: #779047):
++ Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow
+  when concatenating strings to an absolute path names. Prevention is done
+  by checking that the result we stay under the maximum path lenght as 
given
+  by the platforms PATH_MAX constant.
++ Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO
+  code. Bail out if a ZF block size > 2^17 is to be read.
+
+ -- Mike Gabriel   Thu, 01 Oct 2015 10:34:33 +0200
+
 fuseiso (20070708-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
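
Review bot: the new changelog entry for 02-prevent-buffer-overflow.patch has wording errors that will end up in the package history: "to an absolute path names", "checking that the result we stay under", "lenght" and "platforms PATH_MAX". Suggest "when concatenating strings to an absolute path name" and "checking that the result stays under the maximum path length as given by the platform's PATH_MAX constant". Since "Closes: #779047" covers both patches, a word on which reported issue each patch addresses would also help anyone auditing the upload later.
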
diff -Nru fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch 
fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch
--- fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch
1970-01-01 01:00:00.0 +0100
+++ fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch
2015-10-01 10:27:16.0 +0200
@@ -0,0 +1,35 @@
+Description: Prevent stack-based buffer overflow on too-long path names
+Author: Mike Gabriel 
+
+--- a/src/isofs.c
 b/src/isofs.c
+@@ -1532,13 +1532,23 @@
+ if(path[1] != '\0') { // not root dir
+ strcat(absolute_entry, "/");
+ };
+-strcat(absolute_entry, entry);
+-if(g_hash_table_lookup(lookup_table, absolute_entry)) {
+-// already in lookup cache
++
++if(strlen(absolute_entry) + strlen(entry) <= PATH_MAX-1) {
++strcat(absolute_entry, entry);
++if(g_hash_table_lookup(lookup_table, absolute_entry)) {
++// already in lookup cache
++isofs_free_inode(inode);
++} else {
++g_hash_table_insert(lookup_table, 
g_strdup(absolute_entry), inode);
++};
++}
++else {
++printf("readdir: absolute path name for entry '%s' exceeding 
PATH_MAX (%d)\n", entry, PATH_MAX);
+ isofs_free_inode(inode);
+-} else {
+-g_hash_table_insert(lookup_table, g_strdup(absolute_entry), 
inode);
+-};
++free(buf);
++free(entry);
++return -EIO;
++}
+ 
+ free(entry);
+ 
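
Review bot: the length check guards only the final strcat(absolute_entry, entry); the strcat(absolute_entry, "/") in the context lines just above it still runs before any bound is tested, and the size of absolute_entry is not visible in this hunk. Suggest moving the check ahead of the separator append and counting the separator in it, and confirming the buffer holds at least PATH_MAX bytes so that "<= PATH_MAX-1" really leaves room for the terminating NUL. Two smaller points in the else branch: the message is written to stdout with printf while 03-prevent-integer-overflow.patch uses fprintf(stderr, ...), and returning -EIO makes one over-long entry fail the whole directory read, where skipping that entry or returning -ENAMETOOLONG would be easier to diagnose.
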
diff -Nru fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch 
fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch
--- fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch   
1970-01-01 01:00:00.0 +0100
+++ fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch   
2015-10-01 10:31:11.0 +0200
@@ -0,0 +1,16 @@
+Description: Prevent integer overflow in ZISO code
+Author: Mike Gabriel 
+
+--- a/src/isofs.c
 b/src/isofs.c
+@@ -1618,6 +1618,10 @@
+ };
+ 
+ static int isofs_real_read_zf(isofs_inode *inode, char *out_buf, size_t size, 
off_t offset) {
++if( inode->zf_block_shift > 17 ) {
++fprintf(stderr, "isofs_real_read_zf: can't handle ZF block size of 
2^%d\n", inode->zf_block_shift);
++return -EIO;
++}
+ int zf_block_size = 1 << inode->zf_block_shift;
+ int zf_start = offset / zf_block_size;
+ int zf_end = 
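
Review bot: the guard added at the top of isofs_real_read_zf rejects only values above 17; if zf_block_shift is a signed field (the %d in the message suggests it is), a negative value passes the test and reaches 1 << inode->zf_block_shift, which is undefined behaviour. Suggest bounding both sides, or making the field unsigned, and ideally rejecting the value where the ZF header is parsed so that no inode ever carries an unsupported shift. Separately, the context line "int zf_start = offset / zf_block_size" narrows an off_t result to int, which deserves a follow-up for large offsets.
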

Accepted fuseiso 20070708-2+deb6u1 (source amd64) into squeeze-lts

2015-10-01 Thread Mike Gabriel

Format: 1.8
Date: Thu, 01 Oct 2015 05:52:08 +0200
Source: fuseiso
Binary: fuseiso
Architecture: source amd64
Version: 20070708-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: David Paleino 
Changed-By: Mike Gabriel 
Description: 
 fuseiso - FUSE module to mount ISO filesystem images
Closes: 779047
Changes: 
 fuseiso (20070708-2+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * debian/patches (Closes: #779047):
 + Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow
   when concatenating strings to an absolute path name. Prevention is done
   by checking that the result will stay under the maximum path length as given
   by the platforms PATH_MAX constant.
 + Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO
   code. Bail out if a ZF block size > 2^17 is to be read.