[SECURITY] [DLA 324-1] binutils security update
Package        : binutils
Version        : 2.20.1-16+deb6u2
CVE ID         : CVE-2012-3509
Debian Bug     : 688951

This update fixes several issues as described below.

PR ld/12613 (no CVE assigned)

    Niranjan Hasabnis discovered that passing a malformed linker
    script to GNU ld, part of binutils, may result in a stack buffer
    overflow. If the linker is used with untrusted object files, this
    would allow remote attackers to cause a denial of service (crash)
    or possibly privilege escalation.

CVE-2012-3509 #688951

    Sang Kil Cha discovered that a buffer size calculation in
    libiberty, part of binutils, may result in integer overflow and
    then a heap buffer overflow. If libiberty or the commands in
    binutils are used to read untrusted binaries, this would allow
    remote attackers to cause a denial of service (crash) or possibly
    privilege escalation.

PR binutils/18750 (no CVE assigned)

    Joshua Rogers reported that passing a malformed ihex (Intel
    hexadecimal) file to various commands in binutils may result in a
    stack buffer overflow. A similar issue was found in readelf.
    If these commands are used to read untrusted binaries, this
    would allow remote attackers to cause a denial of service (crash)
    or possibly privilege escalation.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 2.20.1-16+deb6u2.

For the oldstable distribution (wheezy) and the stable distribution
(jessie), PR ld/12613 and CVE-2012-3509 were fixed before release, and
PR binutils/18750 will be fixed in a later update.

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
[SECURITY] [DLA 323-1] fuseiso security update
Package        : fuseiso
Version        : 20070708-2+deb6u1
Debian Bug     : #779047

The following two issues have recently been fixed in Debian LTS (squeeze)
for the fuseiso package.

Issue 1

    An integer overflow, leading to a heap-based buffer overflow flaw, was
    found in the way FuseISO, a FUSE module to mount ISO filesystem
    images, performed reading of certain ZF blocks of particular inodes.
    A remote attacker could provide a specially-crafted ISO file that,
    when mounted via the fuseiso tool, would lead to fuseiso binary crash.

    This issue was discovered by Florian Weimer of Red Hat Product
    Security Team.

    The issue got resolved by bailing out before ZF blocks that exceed
    the supported block size of 2^17 are to be read.

Issue 2

    A stack-based buffer overflow flaw was found in the way FuseISO, a
    FUSE module to mount ISO filesystem images, performed expanding of
    directory portions for absolute path filename entries. A remote
    attacker could provide a specially-crafted ISO file that, when
    mounted via fuseiso tool, would lead to fuseiso binary crash or,
    potentially, arbitrary code execution with the privileges of the user
    running the fuseiso executable.

    This issue was discovered by Florian Weimer of Red Hat Product
    Security Team.

    The issue got resolved by checking the resulting length of an
    absolute path name and by bailing out if the platform's PATH_MAX
    value gets exceeded.

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
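The two checks this advisory describes, written out as an added C example; it is not fuseiso's code and is not taken from the patch, and the function names and signatures are hypothetical. The path join counts the separator and the NUL before copying anything, and the ZF routine also rejects a negative shift, which is an assumption that goes beyond the upper bound the advisory names.

```c
/* Added illustration, not fuseiso source; all names here are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define ZF_MAX_SHIFT 17 /* largest block size the advisory names: 2^17 */

/* Build "<dir>/<entry>": separator and NUL are counted before any copy. */
int join_entry_path(char *out, size_t out_len, const char *dir, const char *entry)
{
    size_t dlen = strlen(dir), elen = strlen(entry);
    size_t sep = (dlen > 0 && dir[dlen - 1] == '/') ? 0 : 1; /* "/" needs none */
    size_t limit = out_len < (size_t)PATH_MAX ? out_len : (size_t)PATH_MAX;
    if (dlen >= limit || elen >= limit - dlen || dlen + sep + elen + 1 > limit)
        return -ENAMETOOLONG;
    memcpy(out, dir, dlen);
    if (sep)
        out[dlen++] = '/';
    memcpy(out + dlen, entry, elen + 1); /* copies the NUL too */
    return 0;
}

/* Check the on-disk shift, then find the first and last block a read touches. */
int zf_block_range(int shift, off_t offset, size_t size, uint64_t *first, uint64_t *last)
{
    if (shift < 0 || shift > ZF_MAX_SHIFT)
        return -EIO; /* rejected before it is ever used as a shift count */
    if (offset < 0 || size == 0)
        return -EINVAL;
    uint64_t off = (uint64_t)offset;
    if ((uint64_t)size > UINT64_MAX - off)
        return -EOVERFLOW;
    *first = off >> shift;
    *last = (off + size - 1) >> shift;
    return 0;
}

int main(void)
{
    char path[PATH_MAX];
    uint64_t a, b;
    printf("%d %s\n", join_entry_path(path, sizeof path, "/iso", "README"), path);
    printf("%d\n", zf_block_range(18, 0, 4096, &a, &b)); /* rejected, negative */
    return 0;
}
```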
[SECURITY] [DLA 322-1] commons-httpclient security update
Package        : commons-httpclient
Version        : 3.1-9+deb6u2
CVE ID         : CVE-2015-5262

Trevin Beattie [1] discovered an issue where one could observe hanging
threads in a multi-threaded Java application. After debugging the issue,
it became evident that the hanging threads were caused by the SSL
initialization code in commons-httpclient.

This upload fixes this issue by respecting the configured SO_TIMEOUT
during SSL handshakes with the server.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1259892

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: squeeze update of fuseiso?
Hi all,

On Thu 16 Jul 2015 20:41:43 CEST, Ben Hutchings wrote:

> PS: A member of the LTS team might start working on this update at any
> point in time. You can verify whether someone is registered on this
> update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Attached you find a .debdiff for fuseiso in unstable adding two patches
to fuseiso, that hopefully fix the reported issues [1,2].

Under [1,2] Florian Weimer from Redhat offers two ISO images that
reproduce the observed issues. I am still waiting for Florian Weimer to
get back to me about those ISO images (one ISO arrived here in a corrupt
state, the other ISO I have only just asked for).

I have tested my changes on the code in respect to potential breakages,
ISO images mount well here with the changes applied. But the real test
will happen, once I have the reproducer ISO images at hand.

Greets,
Mike

[1] https://bugzilla.redhat.com/show_bug.cgi?id=862211
[2] https://bugzilla.redhat.com/show_bug.cgi?id=861358

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

diff -Nru fuseiso-20070708/debian/changelog fuseiso-20070708/debian/changelog --- fuseiso-20070708/debian/changelog 2014-10-02 02:55:59.0 +0200 +++ fuseiso-20070708/debian/changelog 2015-10-01 10:34:35.0 +0200 
@@ -1,3 +1,16 @@ +fuseiso (20070708-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * debian/patches (Closes: #779047): ++ Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow + when concatenating strings to an absolute path names. Prevention is done + by checking that the result we stay under the maximum path lenght as given + by the platforms PATH_MAX constant. ++ Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO + code. Bail out if a ZF block size > 2^17 is to be read. + + -- Mike GabrielThu, 01 Oct 2015 10:34:33 +0200 + fuseiso (20070708-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch --- fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch 1970-01-01 01:00:00.0 +0100 +++ fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch 2015-10-01 10:27:16.0 +0200 
@@ -0,0 +1,35 @@ +Description: Prevent stack-based buffer overflow on too-long path names +Author: Mike Gabriel + +--- a/src/isofs.c b/src/isofs.c +@@ -1532,13 +1532,23 @@ + if(path[1] != '\0') { // not root dir + strcat(absolute_entry, "/"); + }; +-strcat(absolute_entry, entry); +-if(g_hash_table_lookup(lookup_table, absolute_entry)) { +-// already in lookup cache ++ ++if(strlen(absolute_entry) + strlen(entry) <= PATH_MAX-1) { ++strcat(absolute_entry, entry); ++if(g_hash_table_lookup(lookup_table, absolute_entry)) { ++// already in lookup cache ++isofs_free_inode(inode); ++} else { ++g_hash_table_insert(lookup_table, g_strdup(absolute_entry), inode); ++}; ++} ++else { ++printf("readdir: absolute path name for entry '%s' exceeding PATH_MAX (%d)\n", entry, PATH_MAX); + isofs_free_inode(inode); +-} else { +-g_hash_table_insert(lookup_table, g_strdup(absolute_entry), inode); +-}; ++free(buf); ++free(entry); ++return -EIO; ++} + + free(entry); + diff -Nru fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch --- fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch 1970-01-01 01:00:00.0 +0100 +++ fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch 2015-10-01 10:31:11.0 +0200 @@ -0,0 +1,16 @@ +Description: Prevent integer overflow in ZISO code +Author: Mike Gabriel + +--- a/src/isofs.c b/src/isofs.c +@@ -1618,6 +1618,10 @@ + }; + + static int isofs_real_read_zf(isofs_inode *inode, char *out_buf, size_t size, off_t offset) { ++if( inode->zf_block_shift > 17 ) { ++fprintf(stderr, "isofs_real_read_zf: can't handle ZF block size of 2^%d\n", inode->zf_block_shift); ++return -EIO; ++} + int zf_block_size = 1 << inode->zf_block_shift; + int zf_start = offset / zf_block_size; + int zf_end =
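Review bot: the new debian/changelog entry for 20070708-3.2 has wording slips that will ship with the package: "to an absolute path names", "that the result we stay under" and "lenght". Suggest "to an absolute path name", "that the result will stay under" and "length", and "platform's" for "platforms".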
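Review bot: in 02-prevent-buffer-overflow.patch the new test `strlen(absolute_entry) + strlen(entry) <= PATH_MAX-1` runs only after the unchanged context line `strcat(absolute_entry, "/");`, so the separator and whatever was written into absolute_entry before it are still appended without a length check. The declaration of absolute_entry is not visible in the hunk, so the guard is only sufficient if that buffer holds at least PATH_MAX bytes; please confirm that and move the check ahead of the first write into the buffer. Smaller points: the error message goes to stdout through printf while 03-prevent-integer-overflow.patch uses fprintf(stderr, ...), and the new else branch returns -EIO for one overlong entry, so it is worth stating in the patch description whether failing the whole call rather than skipping the entry is intended.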
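Review bot: the guard `inode->zf_block_shift > 17` at the top of isofs_real_read_zf bounds the shift only from above. The type of zf_block_shift is not shown here; if it is signed, a negative value passes the test and reaches `1 << inode->zf_block_shift`, which is undefined behaviour. Suggest rejecting values below 0 as well, or below the smallest block size the code supports, in the same condition. The added statement also sits before the declarations of zf_block_size and zf_start, so the function now mixes declarations and code; check that this matches the compiler flags the package builds with.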
Accepted fuseiso 20070708-2+deb6u1 (source amd64) into squeeze-lts
Format: 1.8
Date: Thu, 01 Oct 2015 05:52:08 +0200
Source: fuseiso
Binary: fuseiso
Architecture: source amd64
Version: 20070708-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: David Paleino
Changed-By: Mike Gabriel
Description:
 fuseiso - FUSE module to mount ISO filesystem images
Closes: 779047
Changes:
 fuseiso (20070708-2+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * debian/patches (Closes: #779047):
     + Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer
       overflow when concatenating strings to an absolute path name.
       Prevention is done by checking that the result will stay under the
       maximum path length as given by the platforms PATH_MAX constant.
     + Add 03-prevent-integer-overflow.patch. Prevent integer overflow in
       ZISO code. Bail out if a ZF block size > 2^17 is to be read.