Re: status of the gdm3 security update

2018-08-27 Thread Antoine Beaupré
Oh, and I forgot to mention the test packages are available here:

https://people.debian.org/~anarcat/debian/jessie-lts/

Cheers,

A.



status of the gdm3 security update

2018-08-27 Thread Antoine Beaupré
Hi!

After asking Markus the status of the gdm3 security upgrade for jessie,
he kindly offered to let me take it over since he got stuck.

Using his patches, however, I wasn't able to reproduce the
problems. Sure, it *looks* like gdm is "crashing", but I /think/ it's
actually doing what it's asked. The reproducer issues those two
commands:

display_path=$(dbus-send --system --dest=org.gnome.DisplayManager \
    --type=method_call --print-reply=literal \
    /org/gnome/DisplayManager/LocalDisplayFactory \
    org.gnome.DisplayManager.LocalDisplayFactory.CreateTransientDisplay)
dbus-send --system --dest=org.gnome.DisplayManager --type=method_call \
    $display_path org.gnome.DisplayManager.Display.GetId

i.e., it's calling `CreateTransientDisplay`. I am not very familiar with
the gdm3 D-Bus API, but a quick search online seems to indicate this is
used to create a "transient" session, also known as "fast user
switching".

When running the patched gdm3 under Vagrant / VirtualBox, the reproducer
seems to "crash" the display - but what it's doing is actually trying to
create that secondary display. There is no actual segfault the Linux
kernel can detect, and an attached gdb process happily goes through
without detecting anything faulty.

I would therefore assert that the patch does what it's designed to do
and everything is actually good.

Just out of curiosity, I've actually tested the reproducer in Debian
buster, which is supposed to be fixed. It could be because I have an
exotic session (i3 window manager), but it doesn't work very well
either. The display seems to completely crash and return to some virtual
terminal. (Just for good measure, all volumes are maxed up as well,
bringing down my hearing a few more dBs. :p) But gdm3 doesn't segfault
and if I login with my regular user, my session actually returns
untouched.

So I think this flickering and reset is actually normal.

(One thing I *did* find in buster is that
gnome-session-check-accelerated segfaults during the procedure:

Aug 27 19:34:57 curie kernel: [446832.229288] gnome-session-c[28820]: segfault at 0 ip  sp 7fff2cd46d08 error 14 in gnome-session-check-accelerated[5606b821b000+2000]
Aug 27 19:34:57 curie kernel: [446832.308946] gnome-session-c[28824]: segfault at 0 ip  sp 7fffcd6fb1b8 error 14 in gnome-session-check-accelerated[5589f17d9000+2000]
Aug 27 19:34:57 curie gnome-session[28817]: gnome-session-binary[28817]: WARNING: software acceleration check failed: Le processus fils a été tué par le signal 11
Aug 27 19:34:57 curie gnome-session-binary[28817]: WARNING: software acceleration check failed: Le processus fils a été tué par le signal 11

This is likely an unrelated problem, however, so I am ignoring that.)

So long story short: apo, your patches were fine! Should I upload the
result or do you want to do the honors?

If I get no reply by tomorrow, I'll complete the DLA.

Thanks for the hard work!

A.

-- 
In a world where Henry Kissinger wins the Nobel Peace Prize,
there is no need for satire.
- Tom Lehrer



Accepted ruby2.1 2.1.5-2+deb8u5 (source amd64 all) into oldstable

2018-08-27 Thread Antoine Beaupré
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 27 Aug 2018 15:08:54 -0400
Source: ruby2.1
Binary: ruby2.1 libruby2.1 ruby2.1-dev ruby2.1-doc ruby2.1-tcltk
Architecture: source amd64 all
Version: 2.1.5-2+deb8u5
Distribution: jessie-security
Urgency: medium
Maintainer: Antonio Terceiro 
Changed-By: Antoine Beaupré 
Description:
 libruby2.1 - Libraries necessary to run Ruby 2.1
 ruby2.1 - Interpreter of object-oriented scripting language Ruby
 ruby2.1-dev - Header files for compiling extension modules for the Ruby 2.1
 ruby2.1-doc - Documentation for Ruby 2.1
 ruby2.1-tcltk - Ruby/Tk for Ruby 2.1
Closes: 895778
Changes:
 ruby2.1 (2.1.5-2+deb8u5) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2018-174.patch: fix Deserialization of Untrusted Data
 vulnerability in owner command that can result in code execution
 through specially crafted YAML files. (Closes: #895778)
   * CVE-2018-173.patch: fix directory traversal vulnerability
   * CVE-2016-2337.patch: fix arbitrary code execution in Tcl/Tk API
Checksums-Sha1:
 a7bf3ad489ba066aadc0a897fb1eeaf703104d90 2106 ruby2.1_2.1.5-2+deb8u5.dsc
 4166699118c0b9db9064da0633a9177da9e0e4bd 120260 
ruby2.1_2.1.5-2+deb8u5.debian.tar.xz
 f4c7cecabc6da8bc5f5c695a8b95a99e7da0ad00 276640 
ruby2.1_2.1.5-2+deb8u5_amd64.deb
 2423c77081ff34a570de353705828e75dea003f4 3278106 
libruby2.1_2.1.5-2+deb8u5_amd64.deb
 1f4b4e0a220e3fb46a95c9ccb53ac351c94ad4ba 1101058 
ruby2.1-dev_2.1.5-2+deb8u5_amd64.deb
 e35a4046193ff9dc5afef6cf6cc4cffa61eca07d 3389400 
ruby2.1-doc_2.1.5-2+deb8u5_all.deb
 73abe8011e1f09de21119948186c7327247aa4b6 478434 
ruby2.1-tcltk_2.1.5-2+deb8u5_amd64.deb
Checksums-Sha256:
 ea7b3d5d0730974bd635c5a870080fe0677e9b899ed199782d918376809f79ea 2106 
ruby2.1_2.1.5-2+deb8u5.dsc
 5a5e8cbff2b3cd056076cd5f3707e5f8f1d685273640a97ed36cb9151531cdfa 120260 
ruby2.1_2.1.5-2+deb8u5.debian.tar.xz
 254c0e1506b12b2c4872839a42fe73cec08b2053d268a6603650190d406865ac 276640 
ruby2.1_2.1.5-2+deb8u5_amd64.deb
 5cbe0b9d52ec9e8f0ecc1f361763f1188d721362bae4b63a34e30c3bfcbe2473 3278106 
libruby2.1_2.1.5-2+deb8u5_amd64.deb
 0fc4d284c581efedcd92c9ea3d0ebcc0bcf2cf7e7904335c113b7ffc95cc61e4 1101058 
ruby2.1-dev_2.1.5-2+deb8u5_amd64.deb
 f994698c4642f320181f484703d134414bdf770bbd50af2b609738a3b43e10e3 3389400 
ruby2.1-doc_2.1.5-2+deb8u5_all.deb
 d49679a1c89549e9c4c006fa1c83ccb4e43ad29d1f78365ce20f9358a5c4821e 478434 
ruby2.1-tcltk_2.1.5-2+deb8u5_amd64.deb
Files:
 7bf15797ad2374466aeee86779476d1a 2106 ruby extra ruby2.1_2.1.5-2+deb8u5.dsc
 70427b2509503bb78f82430dce8e237f 120260 ruby extra 
ruby2.1_2.1.5-2+deb8u5.debian.tar.xz
 beaf31d28026ae908d4eaa2f635815c3 276640 ruby extra 
ruby2.1_2.1.5-2+deb8u5_amd64.deb
 a849c59b83d2b493e3c28f2cbd88b544 3278106 libs extra 
libruby2.1_2.1.5-2+deb8u5_amd64.deb
 d516c43b979ed830da419cee7ab77a5b 1101058 ruby extra 
ruby2.1-dev_2.1.5-2+deb8u5_amd64.deb
 b39cbf72666281c6aaaf601a65464a9e 3389400 doc extra 
ruby2.1-doc_2.1.5-2+deb8u5_all.deb
 972192d223fa4b39cf0d9d57a04ffa04 478434 ruby extra 
ruby2.1-tcltk_2.1.5-2+deb8u5_amd64.deb

-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAluEVNMACgkQPqHd3bJh
2Xv1mgf+KO7/SrfMueYV1haUiD+sScpH9+MhKIuJHB80wJic5I7Ck8F+0UZSc9bv
WJq9utvEjLm31aWPVKxUviSbDIzsCJeFYwXyomUt0FnpZTBO8vDHJFzoRFkYuGUp
VGNFl0TRnCjolp4kESUehaaO7ml7/XI3YTg06/yK2tB9KmKQhHycjUInJxei/jkr
FkYgnb/pDTCmUusRpw5/GDfngoHGXt3WqQ+IDulIGcUKpRUXWaPx9pn9bIcXnnVy
ydWh5uaGPXKD6US7bHSilJRTzGNYYNeQGNOJEG9H4BPEGfcb8mnDzLEF3CmZIH/J
aY9BwCwkHJgIGmwJMkP+n4Zad6CS4w==
=iU+h
-END PGP SIGNATURE-



[SECURITY] [DLA 1479-1] twitter-bootstrap3 security update

2018-08-27 Thread Antoine Beaupré
Package: twitter-bootstrap3
Version: 3.2.0+dfsg-1+deb7u1
CVE ID : CVE-2018-14040
Debian Bug : 907414

The Bootstrap framework was found to have cross-site scripting
vulnerabilities in the "collapse" plugin.

For Debian 8 "Jessie", this problem has been fixed in version
3.2.0+dfsg-1+deb7u1.

We recommend that you upgrade your twitter-bootstrap3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Accepted twitter-bootstrap3 3.2.0+dfsg-1+deb7u1 (source all) into oldstable

2018-08-27 Thread Antoine Beaupré
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 27 Aug 2018 14:23:39 -0400
Source: twitter-bootstrap3
Binary: libjs-bootstrap
Architecture: source all
Version: 3.2.0+dfsg-1+deb7u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Antoine Beaupré 
Description:
 libjs-bootstrap - HTML, CSS and JS framework
Closes: 907414
Changes:
 twitter-bootstrap3 (3.2.0+dfsg-1+deb7u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2018-14040: fix XSS issue in collapse plugin (Closes: #907414)
Checksums-Sha1:
 91caf90a872753fec240517e5b4bfad1b1816dd8 1780 
twitter-bootstrap3_3.2.0+dfsg-1+deb7u1.dsc
 b579dc111afb76ef6652110575e5995a8b5843c7 1955927 
twitter-bootstrap3_3.2.0+dfsg.orig.tar.gz
 740443c9c7bb00adeaea376db0e7003c08f06b03 12376 
twitter-bootstrap3_3.2.0+dfsg-1+deb7u1.debian.tar.xz
 50fb599b6d176b27baac53a37309852db535d0e4 182204 
libjs-bootstrap_3.2.0+dfsg-1+deb7u1_all.deb
Checksums-Sha256:
 358a3fd0ea5cd2c8abcad35de9b34ad944df2714afbbd9fa3a76fabe41fd0056 1780 
twitter-bootstrap3_3.2.0+dfsg-1+deb7u1.dsc
 c969c2b1f33fc5336d2e58b18d9e9381342cd17e3028a8b6dfba2b3b0f96bab8 1955927 
twitter-bootstrap3_3.2.0+dfsg.orig.tar.gz
 20fd642791bd71acf11a6976aa2d23c7e1f9f3dbd2115735ed8291a57da7c08d 12376 
twitter-bootstrap3_3.2.0+dfsg-1+deb7u1.debian.tar.xz
 63ce058f1e086c499322cf2da9d0b18a20d8ea153fb55ea0bfd1ea877a81cd95 182204 
libjs-bootstrap_3.2.0+dfsg-1+deb7u1_all.deb
Files:
 bce5c2c740c73d31d4e3c795fb495a15 1780 web optional 
twitter-bootstrap3_3.2.0+dfsg-1+deb7u1.dsc
 bbca9a96548389c591868d6aeae65fa7 1955927 web optional 
twitter-bootstrap3_3.2.0+dfsg.orig.tar.gz
 e539602041060e03269e9ea8c65456fa 12376 web optional 
twitter-bootstrap3_3.2.0+dfsg-1+deb7u1.debian.tar.xz
 66d55d9240e93557753e53d72afcae0b 182204 web optional 
libjs-bootstrap_3.2.0+dfsg-1+deb7u1_all.deb

-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAluEUyIACgkQPqHd3bJh
2XuL+wf/ZTZl//9LWKDk7V3hRfG5+IzQNBpCAr3CMAF1jN3xl+l+yCkOa/ISwz7U
Hc/a8+EqLtbUdK6DcA/aOeOSvFBwNoQtlR0f7BE5CuQdv09hDu553IRkdUAWAA+c
h26mMoZhbkm8sWHrMjdiwbVQvQZK85hTIR6h8UuWqr37RiyjN6qcfGLXt3ZBzoZk
XRS0YykyvC31hqyRowXktIw/XzdKg7Q6cmUlPB1nG9eG1lvN74jDIdqugg/Nv+74
t6k0O0u1YHuGBJNkLzjqtSeZlNx0sBSA6O8mgVp5ooFAWEceJIq0TAdzRa4DSx5Y
bGRQ+vdS1E7Kdu6Go8DVy1CUvsKfOQ==
=4mtm
-END PGP SIGNATURE-



Accepted linux-4.9 4.9.110-3+deb9u4~deb8u1 (all source) into oldstable, oldstable

2018-08-27 Thread Ben Hutchings
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 24 Aug 2018 05:35:55 +0100
Source: linux-4.9
Binary: linux-source-4.9 linux-support-4.9.0-0.bpo.8 linux-doc-4.9 
linux-manual-4.9 linux-kbuild-4.9 linux-perf-4.9 
linux-headers-4.9.0-0.bpo.8-common linux-headers-4.9.0-0.bpo.8-common-rt 
linux-headers-4.9.0-0.bpo.8-all linux-headers-4.9.0-0.bpo.8-all-alpha 
linux-image-4.9.0-0.bpo.8-alpha-generic 
linux-headers-4.9.0-0.bpo.8-alpha-generic linux-image-4.9.0-0.bpo.8-alpha-smp 
linux-headers-4.9.0-0.bpo.8-alpha-smp linux-headers-4.9.0-0.bpo.8-all-amd64 
linux-image-4.9.0-0.bpo.8-amd64 linux-headers-4.9.0-0.bpo.8-amd64 
linux-image-4.9.0-0.bpo.8-amd64-dbg linux-image-4.9.0-0.bpo.8-rt-amd64 
linux-headers-4.9.0-0.bpo.8-rt-amd64 linux-image-4.9.0-0.bpo.8-rt-amd64-dbg 
linux-headers-4.9.0-0.bpo.8-all-arm64 linux-image-4.9.0-0.bpo.8-arm64 
linux-headers-4.9.0-0.bpo.8-arm64 linux-image-4.9.0-0.bpo.8-arm64-dbg 
linux-headers-4.9.0-0.bpo.8-all-armel linux-image-4.9.0-0.bpo.8-marvell 
linux-headers-4.9.0-0.bpo.8-marvell linux-headers-4.9.0-0.bpo.8-all-armhf 
linux-image-4.9.0-0.bpo.8-armmp
 linux-headers-4.9.0-0.bpo.8-armmp linux-image-4.9.0-0.bpo.8-armmp-lpae 
linux-headers-4.9.0-0.bpo.8-armmp-lpae linux-headers-4.9.0-0.bpo.8-all-hppa 
linux-image-4.9.0-0.bpo.8-parisc linux-headers-4.9.0-0.bpo.8-parisc 
linux-image-4.9.0-0.bpo.8-parisc64-smp linux-headers-4.9.0-0.bpo.8-parisc64-smp 
linux-headers-4.9.0-0.bpo.8-all-i386 linux-image-4.9.0-0.bpo.8-686 
linux-headers-4.9.0-0.bpo.8-686 linux-image-4.9.0-0.bpo.8-686-pae 
linux-headers-4.9.0-0.bpo.8-686-pae linux-image-4.9.0-0.bpo.8-686-pae-dbg 
linux-image-4.9.0-0.bpo.8-rt-686-pae linux-headers-4.9.0-0.bpo.8-rt-686-pae 
linux-image-4.9.0-0.bpo.8-rt-686-pae-dbg linux-headers-4.9.0-0.bpo.8-all-m68k 
linux-image-4.9.0-0.bpo.8-m68k linux-headers-4.9.0-0.bpo.8-m68k 
linux-headers-4.9.0-0.bpo.8-all-mips linux-image-4.9.0-0.bpo.8-4kc-malta 
linux-headers-4.9.0-0.bpo.8-4kc-malta linux-image-4.9.0-0.bpo.8-5kc-malta 
linux-headers-4.9.0-0.bpo.8-5kc-malta linux-image-4.9.0-0.bpo.8-octeon 
linux-headers-4.9.0-0.bpo.8-octeon
 linux-headers-4.9.0-0.bpo.8-all-mipsel linux-image-4.9.0-0.bpo.8-loongson-3 
linux-headers-4.9.0-0.bpo.8-loongson-3 linux-headers-4.9.0-0.bpo.8-all-mips64 
linux-headers-4.9.0-0.bpo.8-all-mips64el 
linux-headers-4.9.0-0.bpo.8-all-powerpc linux-image-4.9.0-0.bpo.8-powerpc 
linux-headers-4.9.0-0.bpo.8-powerpc linux-image-4.9.0-0.bpo.8-powerpc-smp 
linux-headers-4.9.0-0.bpo.8-powerpc-smp linux-image-4.9.0-0.bpo.8-powerpc64 
linux-headers-4.9.0-0.bpo.8-powerpc64 
linux-headers-4.9.0-0.bpo.8-all-powerpcspe linux-image-4.9.0-0.bpo.8-powerpcspe 
linux-headers-4.9.0-0.bpo.8-powerpcspe linux-headers-4.9.0-0.bpo.8-all-ppc64 
linux-headers-4.9.0-0.bpo.8-all-ppc64el linux-image-4.9.0-0.bpo.8-powerpc64le 
linux-headers-4.9.0-0.bpo.8-powerpc64le linux-headers-4.9.0-0.bpo.8-all-s390x 
linux-image-4.9.0-0.bpo.8-s390x linux-headers-4.9.0-0.bpo.8-s390x 
linux-image-4.9.0-0.bpo.8-s390x-dbg linux-headers-4.9.0-0.bpo.8-all-sh4 
linux-image-4.9.0-0.bpo.8-sh7751r linux-headers-4.9.0-0.bpo.8-sh7751r
 linux-image-4.9.0-0.bpo.8-sh7785lcr linux-headers-4.9.0-0.bpo.8-sh7785lcr 
linux-headers-4.9.0-0.bpo.8-all-sparc64 linux-image-4.9.0-0.bpo.8-sparc64 
linux-headers-4.9.0-0.bpo.8-sparc64 linux-image-4.9.0-0.bpo.8-sparc64-smp 
linux-headers-4.9.0-0.bpo.8-sparc64-smp linux-compiler-gcc-4.9-arm
 linux-compiler-gcc-4.9-s390
Architecture: all source
Version: 4.9.110-3+deb9u4~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team 
Changed-By: Ben Hutchings 
Closes: 906769
Description: 
 linux-compiler-gcc-4.9-arm - Compiler for Linux on ARM (meta-package)
 linux-compiler-gcc-4.9-s390 - Compiler for Linux on IBM zSeries (meta-package)
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.8-4kc-malta - Header files for Linux 
4.9.0-0.bpo.8-4kc-malta
 linux-headers-4.9.0-0.bpo.8-5kc-malta - Header files for Linux 
4.9.0-0.bpo.8-5kc-malta
 linux-headers-4.9.0-0.bpo.8-686 - Header files for Linux 4.9.0-0.bpo.8-686
 linux-headers-4.9.0-0.bpo.8-686-pae - Header files for Linux 
4.9.0-0.bpo.8-686-pae
 linux-headers-4.9.0-0.bpo.8-all - All header files for Linux 4.9 (meta-package)
 linux-headers-4.9.0-0.bpo.8-all-alpha - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-amd64 - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-arm64 - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-armel - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-armhf - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-hppa - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-i386 - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-m68k - All header files for Linux 4.9 
(meta-package)
 linux-headers-4.9.0-0.bpo.8-all-mips64 - All 

Re: Missing dependency on latest jessie-security release of linux-image-4.9-amd64

2018-08-27 Thread Ben Hutchings
On Mon, 2018-08-27 at 16:23 +0200, Shaun Bugler - Hetzner (Pty) Ltd wrote:
> Hello, we have shifted a number of servers using linux-image-4.9-amd64 
> from backports to the jessie-security release, with great success. Today 
> however, we see the package was bumped to 4.9+80+deb9u6~deb8u1, which 
> has a dependency on:
[...]
> This doesn't seem to be available on the jessie security mirrors yet 
> (linux-image-4.9.0-0.bpo.7-amd64 is still available), was this an 
> oversight and being fixed or have we made a mistake in our apt 
> configuration?

Unlike most uploads for LTS, this update of the linux source package
requires approval by the FTP team.  This should be resolved soon.

Ben.

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams




Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-27 Thread Antoine Beaupré
On 2018-08-08 17:35:52, Brian May wrote:
> If I got this right, we cannot use $(xyz) unless the value of xyz is
> trusted. Otherwise executing $(xyz) can result in the execution of code
> if xyz is something like "". This
> happens immediately, and even if you don't use the return value.
>
>
> I believe this fixes CVE-2018-14040 in Jessie:
>
> --- twitter-bootstrap-2.0.2+dfsg.orig/js/bootstrap-collapse.js
> +++ twitter-bootstrap-2.0.2+dfsg/js/bootstrap-collapse.js
> @@ -26,7 +26,7 @@
>  this.options = $.extend({}, $.fn.collapse.defaults, options)
>  
>  if (this.options["parent"]) {
> -  this.$parent = $(this.options["parent"])
> +  this.$parent = $(document.querySelector(this.options["parent"]))
>  }
>  
>  this.options.toggle && this.toggle()
>
>
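Review bot: the replacement line `+  this.$parent = $(document.querySelector(this.options["parent"]))` changes the failure mode rather than only removing the HTML-parsing path. `document.querySelector` throws a `SyntaxError` when its argument is not a valid CSS selector, which is exactly what an HTML-looking `data-parent` value is, so the injection becomes an uncaught exception inside the collapse constructor instead of a silently empty `this.$parent`; the constructor should tolerate that (catch it and leave `$parent` empty) or the whole plugin initialisation aborts. It also returns only the first matching element, whereas the old `$(this.options["parent"])` produced the full matched set, so a `parent` selector matching several containers now behaves differently. `$(document).find(this.options["parent"])`, the alternative mentioned in the next paragraph and used upstream for CVE-2018-14042, keeps the multi-element semantics and never treats the value as HTML; it also rejects an invalid selector string by throwing, so the same tolerance is needed either way.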
> I think an alternative option here would be to replace $(xyz) with
> $(document).find(xyz) - as used in the upstream patch for
> CVE-2018-14042.

I am a bit puzzled as to how this attack works, but I'm ready to accept
that as yet another jQuery eccentricity. :)

> CVE-2018-14041 / CVE-2018-14042 both refer to code that I cannot find in
> Jessie, hence I do not think they apply.

However, when trying to reproduce this online, I am failing to do so
with the version numbers matching those in Debian. Here are "pastebins"
which actually run the XSS with various versions, as provided in one of
the upstream bug reports (CVE-2018-14042):

https://github.com/twbs/bootstrap/issues/26628

The original, with 4.1.1:

https://jsbin.com/bimipayoda/edit?html,output

The same, with 3.3.7 (stretch, sid):

https://jsbin.com/nakisuhuso/edit?html,output

3.2.0 (jessie):

https://jsbin.com/tafejagene/edit?html,output

2.0.2 (jessie, stretch, sid):

https://jsbin.com/zapefecije/edit?html,output

Only the 4.1.1 codebase triggers the mouse-over XSS when running in
Firefox 60 or Chromium 68. So I can confirm that both CVE-2018-14041 and
CVE-2018-14042 are n/a in jessie and have marked them as such in the
tracker.

In my tests, only CVE-2018-14040 actually triggers an XSS, and only with
3.2.0. So I've marked 2.x N/A there as well.

> Looking at the code I do see a number of other references to $(xyz)
> where xyz is potentially untrusted, so simply applying the above patch
> may not be sufficient to fixing the problem. e.g. in
> js/bootstrap-scrollspy.js I see:
>
> var href = $(this).attr('href')   
>
> return /^#\w/.test(href) && $(href).length ? href : null  
>
>
> While this one might be obvious, there any many others that are not so
> clear. So I am not sure if I should fix only the instances fixed by
> these CVEs or search for everything I can find.

I would focus on those issues for now. CVEs have been pretty
systematically assigned and auditing the entire bootstrap codebase does
not seem realistic to me. And if we do, it would mean going into another
round of CVE assignment and upstream communication.

It might be worth, however, pointing that fact out upstream, which I have
done here:

https://github.com/twbs/bootstrap/issues/26628#issuecomment-416282154

I've also posted in the other issues to validate the above claims.

In the meantime, I'll see if I can issue a patch for CVE-2018-14040
directly.

Sounds good?

A.

-- 
To march in step to military music, you don't need a brain; a spinal
cord is enough.
- Albert Einstein



Re: tiff / CVE-2018-15209

2018-08-27 Thread Antoine Beaupré
On 2018-08-14 17:27:29, Brian May wrote:
> I have been trying to reproduce this bug (buffer overflow), but instead
> I get increasing memory usage until my computer crashes. With versions
> from Jessie, Stretch, and Sid. So maybe another security issue?
>
> I note that CVE-2017-11613 and CVE-2018-5784 can use unbounded
> memory. However these are marked as fixed everywhere but Stretch.
>
> As far as I can tell, the relevant code is:
>
> uint64* newcounts;
>
> ...
>
> newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
> "for chopped \"StripByteCounts\" array");
>
> ...
>
> for (strip = 0; strip < nstrips; strip++) {
> ...
> newcounts[strip] = stripbytes;
> ...
> }
>
> However, I cannot see how this could cause a buffer overflow
> condition. We appear to allocate nstrips uint64, and then use nstrips
> uint64.

I can't reproduce this either in a jessie VM:

[...]
ii  libtiff-tools4.0.3-12.3+deb8u6   amd64   TIFF manipulation and conversion tools
ii  libtiff5:amd64   4.0.3-12.3+deb8u6   amd64   Tag Image File Format (TIFF) library
vagrant@jessie:~$ valgrind tiff2pdf poc1
==17408== Memcheck, a memory error detector
==17408== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17408== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==17408== Command: tiff2pdf poc1
==17408== 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not 
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Software"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and 
ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as 
ExtraSamples..
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and 
calculating from imagelength.
II*TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not 
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Software"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and 
ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as 
ExtraSamples..
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and 
calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not 
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Software"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and 
ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as 
ExtraSamples..
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and 
calculating from imagelength.
%PDF-1.1 
%âãÏÓ
1 0 obj
<< 
/Type /Catalog 
/Pages 3 0 R 
>>
endobj
2 0 obj
<< 
/CreationDate (D:20180827145928)
/ModDate (D:20180827145928)
/Producer (libtiff / tiff2pdf - 20120922)
/Title (miniswhite-1c-1b.tiff)
>> 
endobj
3 0 obj
<< 
/Type /Pages 
/Kids [ 4 0 R ] 
/Count 1 
>> 
endobj
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not 
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Software"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and 
ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as 
ExtraSamples..
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and 
calculating from imagelength.
tiff2pdf: No support for poc1 with 254 samples per pixel.
tiff2pdf: An error occurred creating output PDF file.
==17408== 
==17408== HEAP SUMMARY:
==17408== in use at exit: 0 bytes in 0 blocks
==17408==   total heap usage: 106 allocs, 106 frees, 35,811 bytes allocated
==17408== 
==17408== All heap blocks were freed -- no leaks are possible
==17408== 
==17408== For counts of detected and suppressed errors, rerun with: -v
==17408== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Now, this could be because it's valgrind and not ASAN. But still - if
compiling with ASAN triggers the bug, I fail to see how this affects us:
our package is *not* compiled with it, and, as such, doesn't
misbehave. But just for the fun of it, I *did* try to recompile the
package with ASAN, as per:

https://wiki.debian.org/LTS/Development/Asan

And I still can't trigger the bug.

For what it's worth, the original bug report mentions Ubuntu 16.04 and
v4.0.9, compiled with clang:
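
The allocation pattern Brian quotes above (allocate nstrips 64-bit counters, then fill exactly nstrips of them) is what a checked allocator guards: the multiplication cannot wrap, and the loop never writes past what was allocated, which is consistent with neither of us seeing an overflow. What that pattern does not do is relate nstrips to anything about the file, which is the direction in which unbounded memory use appears. The C below is an added example written for this thread, not libtiff's code: a checked allocator in the spirit of _TIFFCheckMalloc plus a caller-supplied byte budget, and a chop routine with the shape of the quoted loop. The budget rule (at most eight bytes of strip table per byte of file) and the helper names are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Overflow-checked calloc with a byte budget. The budget is the part a plain
 * overflow check does not give you: nmemb * elem_size can fit comfortably in
 * size_t and still be far more than the input justifies. */
static void *checked_calloc(size_t nmemb, size_t elem_size, size_t budget)
{
    if (nmemb == 0 || elem_size == 0)
        return NULL;
    if (nmemb > SIZE_MAX / elem_size)   /* product would wrap around */
        return NULL;
    if (nmemb * elem_size > budget)     /* legal size, but over the budget */
        return NULL;
    return calloc(nmemb, elem_size);
}

/* Same shape as the quoted libtiff loop: one counter per strip, each set to
 * stripbytes. Returns NULL when the allocation is refused. */
uint64_t *chop_strip_counts(uint64_t nstrips, uint64_t stripbytes, size_t budget)
{
    if (nstrips > SIZE_MAX)             /* only bites where size_t < 64 bits */
        return NULL;
    uint64_t *newcounts = checked_calloc((size_t)nstrips, sizeof(uint64_t), budget);
    if (newcounts == NULL)
        return NULL;
    for (uint64_t strip = 0; strip < nstrips; strip++)
        newcounts[strip] = stripbytes;
    return newcounts;
}

/* Example budget rule (an assumption, not a libtiff rule): a strip table
 * cannot sensibly have more entries than the file has bytes. */
size_t strip_table_budget(uint64_t file_size)
{
    if (file_size > SIZE_MAX / sizeof(uint64_t))
        return SIZE_MAX;
    return (size_t)file_size * sizeof(uint64_t);
}

/* 1 when the table was built and filled correctly, 0 when refused. */
int try_chop(uint64_t nstrips, uint64_t stripbytes, uint64_t file_size)
{
    uint64_t *c = chop_strip_counts(nstrips, stripbytes, strip_table_budget(file_size));
    if (c == NULL)
        return 0;
    int ok = (c[0] == stripbytes && c[nstrips - 1] == stripbytes);
    free(c);
    return ok;
}
```

With a budget derived from the file size, a directory claiming a million strips inside a 4 KiB file is refused before anything is allocated, while the same request with an effectively unlimited budget is only refused once the product itself would overflow.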


Missing dependency on latest jessie-security release of linux-image-4.9-amd64

2018-08-27 Thread Shaun Bugler - Hetzner (Pty) Ltd
Hello, we have shifted a number of servers using linux-image-4.9-amd64 
from backports to the jessie-security release, with great success. Today 
however, we see the package was bumped to 4.9+80+deb9u6~deb8u1, which 
has a dependency on:


dedi # aptitude show linux-image-4.9-amd64
Package: linux-image-4.9-amd64
New: yes
State: not installed
Version: 4.9+80+deb9u6~deb8u1
Priority: optional
Section: kernel
Maintainer: Debian Kernel Team 
Architecture: amd64
Uncompressed Size: 39.9 k
Depends: linux-image-4.9.0-0.bpo.8-amd64
Provides: linux-latest-modules-4.9.0-0.bpo.8-amd64

dedi # apt-cache policy linux-image-4.9.0-0.bpo.8-amd64
linux-image-4.9.0-0.bpo.8-amd64:
  Installed: (none)
  Candidate: (none)
  Version table:
dedi # apt-cache policy linux-image-4.9.0-0.bpo.7-amd64
linux-image-4.9.0-0.bpo.7-amd64:
  Installed: 4.9.110-3+deb9u2~deb8u1
  Candidate: 4.9.110-3+deb9u2~deb8u1
  Version table:
 *** 4.9.110-3+deb9u2~deb8u1 0
    990 http://security.debian.org/ jessie/updates/main amd64 Packages

This doesn't seem to be available on the jessie security mirrors yet 
(linux-image-4.9.0-0.bpo.7-amd64 is still available), was this an 
oversight and being fixed or have we made a mistake in our apt 
configuration?


TIA
--
Kind Regards,

Shaun Bugler
System Administrator
Hetzner (Pty) Ltd

SA Contact Centre: 0861 0861 08
International: +27 21 970 2000



Website: hetzner.co.za 
Disclaimer: hetzner.co.za/email-disclaimer 



[SECURITY] [DLA 1476-1] dropbear security update

2018-08-27 Thread Holger Levsen
Package: dropbear
Version: 2014.65-1+deb8u3
CVE ID : CVE-2018-15599
Debian Bug : 906890

A vulnerability making it possible to guess valid usernames has been found
in dropbear, a lightweight SSH2 server and client:

CVE-2018-15599:

The recv_msg_userauth_request function in svr-auth.c is prone
to a user enumeration vulnerability, similar to CVE-2018-15473 in OpenSSH.

For Debian 8 "Jessie", this problem has been fixed in version
2014.65-1+deb8u3.

We recommend that you upgrade your dropbear packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Accepted dropbear 2014.65-1+deb8u3 (source) into oldstable

2018-08-27 Thread Guilhem Moulin
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 24 Aug 2018 02:52:26 +0200
Source: dropbear
Binary: dropbear
Architecture: source
Version: 2014.65-1+deb8u3
Distribution: jessie-security
Urgency: medium
Maintainer: Guilhem Moulin 
Changed-By: Guilhem Moulin 
Description:
 dropbear   - lightweight SSH2 server and client
Closes: 906890
Changes:
 dropbear (2014.65-1+deb8u3) jessie-security; urgency=medium
 .
   * Backport security fix for CVE-2018-15599: The recv_msg_userauth_request
 function in svr-auth.c in Dropbear through 2018.76 is prone to a user
 enumeration vulnerability because username validity affects how fields in
 SSH_MSG_USERAUTH messages are handled.  (Closes: #906890.)
 Adapted from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 .
Checksums-Sha1:
 93ab838b8a56d5a5171ead6316bd94d989e2e52d 1720 dropbear_2014.65-1+deb8u3.dsc
 6761fa87f368d3e17fd2d466897466affc4b9b5d 16296 
dropbear_2014.65-1+deb8u3.diff.gz
Checksums-Sha256:
 2ee095aac7bba39644ce96ba9de66a05eb61760b0f4f0a65919d88e66481abab 1720 
dropbear_2014.65-1+deb8u3.dsc
 7e527b92aa37dff226f26aba3955676e8357e82d0c05c99b86ff3f6d4752de49 16296 
dropbear_2014.65-1+deb8u3.diff.gz
Files:
 26e0a5e9a643047c54b21311178fa2f6 1720 net optional 
dropbear_2014.65-1+deb8u3.dsc
 8649a0aec15cf216949dd11b8f23daf1 16296 net optional 
dropbear_2014.65-1+deb8u3.diff.gz

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
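
The changelog entry above describes the CVE-2018-15599 problem as "username validity affects how fields in SSH_MSG_USERAUTH messages are handled", which is the same class of issue DLA 1476-1 compares to CVE-2018-15473 in OpenSSH. The C below is an added example for this page, not Dropbear's code, showing the parse-everything-first discipline that removes that dependency: every field an SSH_MSG_USERAUTH_REQUEST carries (RFC 4252 layout: string user, string service, string method, then the method's own fields) is consumed and bounds-checked before the account is looked up, so a malformed request and a well-formed one each get one verdict regardless of whether the user exists. The two-entry account list, the `VERDICT_*` names, the truncated test packet and the `verdict_for`/`account_is_known` helpers are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SSH_MSG_USERAUTH_REQUEST 50   /* RFC 4252 */

enum auth_verdict { VERDICT_MALFORMED = -1, VERDICT_FAILURE = 0 };

struct cursor { const uint8_t *p; size_t left; };

/* RFC 4251 "string": 32-bit big-endian length, then that many bytes. */
static bool get_string(struct cursor *c, const uint8_t **s, size_t *len)
{
    if (c->left < 4)
        return false;
    uint32_t n = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
                 ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4; c->left -= 4;
    if (n > c->left)                  /* declared length runs past the packet */
        return false;
    *s = c->p; *len = n;
    c->p += n; c->left -= n;
    return true;
}

static bool get_bool(struct cursor *c, bool *b)
{
    if (c->left < 1)
        return false;
    *b = (c->p[0] != 0); c->p += 1; c->left -= 1;
    return true;
}

/* Constructed account list standing in for the server's user database. */
static bool user_exists(const uint8_t *name, size_t len)
{
    static const char *const users[] = { "alice", "bob" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strlen(users[i]) == len && memcmp(users[i], name, len) == 0)
            return true;
    return false;
}

/* Consume and bounds-check every field the method implies before the
 * account is consulted. The username only feeds *known_out (what the server
 * logs); the verdict returned to the client is the same either way. */
int handle_userauth_request(const uint8_t *pkt, size_t len, bool *known_out)
{
    struct cursor c = { pkt, len };
    const uint8_t *user, *service, *method, *s;
    size_t ulen, slen, mlen, n;
    bool flag;

    if (len < 1 || pkt[0] != SSH_MSG_USERAUTH_REQUEST)
        return VERDICT_MALFORMED;
    c.p += 1; c.left -= 1;
    if (!get_string(&c, &user, &ulen) || !get_string(&c, &service, &slen) ||
        !get_string(&c, &method, &mlen))
        return VERDICT_MALFORMED;
    if (mlen == 9 && memcmp(method, "publickey", 9) == 0) {
        /* boolean has_signature, string algorithm, string key blob */
        if (!get_bool(&c, &flag) || !get_string(&c, &s, &n) || !get_string(&c, &s, &n))
            return VERDICT_MALFORMED;
    } else if (mlen == 8 && memcmp(method, "password", 8) == 0) {
        /* boolean change_request, string password */
        if (!get_bool(&c, &flag) || !get_string(&c, &s, &n))
            return VERDICT_MALFORMED;
    } else if (!(mlen == 4 && memcmp(method, "none", 4) == 0)) {
        return VERDICT_MALFORMED;      /* unsupported method */
    }
    if (c.left != 0)
        return VERDICT_MALFORMED;      /* trailing bytes */

    bool known = user_exists(user, ulen);
    if (known_out)
        *known_out = known;
    /* Credential verification for a known account would follow here; the
     * example stops where both paths already answer identically. */
    return VERDICT_FAILURE;
}

/* Constructed: publickey fields with boolean FALSE and an algorithm string
 * that claims 16 bytes which are not present. */
const uint8_t TRUNCATED_PUBKEY_TAIL[] = { 0x00, 0x00, 0x00, 0x00, 0x10 };

/* Build a request (user, "ssh-connection", method, tail) and run it. */
int verdict_for(const char *user, const char *method,
                const uint8_t *tail, size_t tail_len, bool *known_out)
{
    uint8_t pkt[256];
    const char *fields[3] = { user, "ssh-connection", method };
    size_t off = 0;
    pkt[off++] = SSH_MSG_USERAUTH_REQUEST;
    for (int i = 0; i < 3; i++) {
        size_t n = strlen(fields[i]);
        if (off + 4 + n + tail_len > sizeof pkt)
            return VERDICT_MALFORMED;  /* test input too large for the buffer */
        pkt[off++] = (uint8_t)(n >> 24); pkt[off++] = (uint8_t)(n >> 16);
        pkt[off++] = (uint8_t)(n >> 8);  pkt[off++] = (uint8_t)n;
        memcpy(pkt + off, fields[i], n); off += n;
    }
    if (tail_len)
        memcpy(pkt + off, tail, tail_len);
    return handle_userauth_request(pkt, off + tail_len, known_out);
}

/* What the server would log for a "none" request; never what the client sees. */
int account_is_known(const char *user)
{
    bool known = false;
    verdict_for(user, "none", NULL, 0, &known);
    return known;
}
```

The property worth checking is that `verdict_for` returns the same value for "alice" (present in the list) and "mallory" (absent) on both the truncated publickey packet and a well-formed "none" packet, while `account_is_known` still tells them apart on the server side.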