Vulnerability Roundup 13

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities since our last roundup.

cc: @NeQuissimus @vcunat @joachifm.

Note: The list of people CC'd on this issue participated in the last roundup. If you participate on this roundup, I'll cc you on the next one. If you don't participate in the next one, you won't be CC'd on the one after that. If you would like to be CC'd on the next roundup, add a comment to the most recent vulnerability roundup. If you would like to be CC'd on all roundups, leave a comment and tell @grahamc so.

Permanent CC's: @joepie91, @phanimahesh, @NixOS/security-notifications (if you no longer want to be CC'd, ask to be removed from this list)

Notes on the list

1. The reports have been roughly grouped by the package name. This isn't perfect, but is intended to help identify if a whole group of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple packages. For example, there are sometimes problems that impact thunderbird, and firefox. LWN might report in one vulnerability "thunderbird firefox". These names have been split to make sure both packages get addressed.
3. By each issue is a link to code search for the package name, and a Github search by filename. These are to help, but may not return results when we do in fact package the software. If a search doesn't turn up, please try altering the search criteria or looking in nixpkgs manually before asserting we don't have it.
4. This issue is created by https://github.com/NixOS/security

Instructions:

1. Triage a report: If we don't have the software or our version isn't vulnerable, tick the box or add a comment with the report number, stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable, either leave a comment on this issue saying so, even open a pull request with the fix. If you open a PR, make sure to tag this issue so we can coordinate.
3. When an entire section is completed, move the section to the "Triaged and Resolved Issues" details block below.

Upon Completion ...

• [x] Run the issue through reformat one last time
• [x] Review commits since last roundup for backport candidates
• [ ] Send an update e-mail to nix-security-announce@googlegroups.com
• [x] Update the database at https://github.com/NixOS/security

Without further ado...

Assorted (36 issues)

• [x] #708522 (search, files) atomic-openshift: information disclosure
• [x] #708996 (search, files) golang: denial of service
• [x] #708652 (search, files) python-XStatic-jquery-ui: cross-site scripting
• [x] #709009 (search, files) zabbix: two vulnerabilities
• [x] #708876 (search, files) perl-DBD-MySQL: use after free
• [x] #708883 (search, files) subversion: denial of service
• [x] #708995 (search, files) unzip: buffer overflows
• [x] #709007 (search, files) webkit-gtk: multiple vulnerabilities
• [x] #708524 (search, files) gst-plugins-bad: code execution
• [x] #708525 (search, files) gst-plugins-base: code execution
• [x] #708873 (search, files) gstreamer-plugins-bad-free: two vulnerabilities
• [x] #708657 (search, files) httpd: denial of service
• [x] #708871 (search, files) libgsf: denial of service
• [x] #595998 (search, files) libmms: code execution
• [x] #708359 (search, files) mapserver: information leak
• [x] #708363 (search, files) mingw-nsis: DLL hijacking
• [x] #708528 (search, files) openjpeg: code execution
• [x] #708875 (search, files) openjpeg2: denial of service
• [x] #588035 (search, files) xstream: code execution
• [x] #708523 (search, files) openstack-cinder, openstack-glance: denial of service
• [x] #629686 (search, files) coreutils: code execution
• [x] #595046 (search, files) elfutils: code execution
• [x] #662905 (search, files) exfat-utils: two vulnerabilities
• [x] #708523 (search, files) openstack-cinder, openstack-glance: denial of service
• [x] #708365 (search, files) pecl-http: code execution
• [x] #709010 (search, files) php: unknown
• [x] #708527 (search, files) php-php-gettext: code execution
• [x] #708997 (search, files) php-simplesamlphp-saml2: incorrect signature verification
• [x] #708993 (search, files) php5: multiple vulnerabilities
• [x] #658600 (search, files) pixman: buffer overflow
• [x] #664215 (search, files) powerdns: denial of service
• [x] #708655 (search, files) roundcube: code execution
• [x] #627589 (search, files) sox: code execution
• [x] #708656 (search, files) spip: cross-site scripting
• [x] #708529 (search, files) sqlite: code execution
• [x] #529991 (search, files) squashfs-tools: two code execution flaws

jasper (2 issues)

• [x] #708870 (search, files) jasper: buffer overflow
• [x] #708654 (search, files) jasper: multiple vulnerabilities

kernel (8 issues)

• [x] #708869 (search, files) kernel: denial of service
• [x] #708367 (search, files) kernel: two vulnerabilities
• [x] #708530 (search, files) kernel: two vulnerabilities
• [x] #708659 (search, files) kernel: multiple vulnerabilities
• [x] #708532 (search, files) kernel: two vulnerabilities
• [x] #708531 (search, files) kernel: multiple vulnerabilities
• [x] #708884 (search, files) kernel: privilege escalation
• [x] #708874 (search, files) kernel: two vulnerabilities

systemd (2 issues)

• [x] #709006 (search, files) systemd: denial of service
• [x] #570330 (search, files) systemd: multiple vulnerabilities

xen (2 issues)

• [x] #708886 (search, files) xen: information disclosure
• [x] #708533 (search, files) xen: privilege escalation

[grahamc]

I've got a jasper update in the works. Checking to see if 2.0.6 is BC with 1.900.x or not.

[NeQuissimus]

kernel: #708869 (search, files) kernel: denial of service

This needs a patch from https://bugzilla.kernel.org/show_bug.cgi?id=189851 I am not home, so I can't do it until late tonight.

All the other kernel vulns are covered by the kernel versions we have.

[grahamc]

Thank you, @NeQuissimus, I'll apply that patch.

[NeQuissimus]

Let's also mention #21135 (firefox: 50.0.2 -> 50.1.0, firefox-esr: 45.5.1esr -> 45.6.0esr) in here, even though I don't see it on the list.

[grahamc]

Good idea, https://github.com/NixOS/nixpkgs/pull/21134 (firefox-bin: 50.0.2 -> 50.1.0) too.

[grahamc]

Hung up on https://github.com/NixOS/nixpkgs/issues/21145 which is blocking channels from moving forward.

[NeQuissimus]

Xen and SystemD are good.

[NeQuissimus]

Looks like unzip needs both the CVEs patched

[NeQuissimus]

I am going to send a PR for subversion once it has built on my machine. It's a straight forward update.

[grahamc]

@domenkozar are you available to look in to upgrading our openstack components?

[grahamc]

Actually, @NeQuissimus, can you apply that kernel patch?

[grahamc]

@makefu can you look in to updating XStatic-jquery-ui?

[makefu]

@grahamc ^

[grahamc]

Thank you!

[phanimahesh]

I started looking at atomic-openshift. Both code and files searches failed to show any results. Past roundups mentioned atomic-openshift a few times, but I couldn't locate the corresponding commits/patches that fixed it.

The derivations for openshift and rhc are both simple. Should I be looking at their commits to see if the fixes have been included? Are they the right repos? How do I find out the corresponding repo and package, in general?

Pointers? How do I proceed?

[grahamc]

oh I don't think we have Atomic, and the one that says cinder is also for glance which we do have: https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/virtualization/openstack/glance.nix.

[domenkozar]

Updating openstack is quite some work as you need to bump all components. It's better to look into patching existing versions, if they're still supported upstream.

[bachp]

I think atomic-openshift refers to the package openshift. RHC is the old (OpenShiftv2) client utility. This is completly different from openshift (OpenShift v3, aka OpenShift Container Platform).

As there is a version 1.3.2 available I think this would be the component to update.

[grahamc]

@bachp can you make that PR?

[grahamc]

@NeQuissimus bump on that kernel patch. Can you do it?

[grahamc]

I think my patches to release 16.09 are bad... will investigate in a few hours.

[grahamc]

I think my patches were good, but the nix / hydra issues are hurting us again.

[bachp]

@grahamc I might find some time to do it this weekend.

[NeQuissimus]

I bumped the kernels just now

[bachp]

@grahamc PR created #21216

[grahamc]

@bachp: Excellent, thank you!

@NeQuissimus Looks great, thank you!

@domenkozar That is part of what I feared, touching Openstack in general spooks me. It looks like there are patch releases within these major releases, 11.0.0 -> 11.0.2... 7.0.0 -> 7.0.2. Are these safe, do you think? Do they all need to go up in lock-step for these patch releases.

[grahamc]

I deleted this one from this week to close it out:

• [ ] #708523 (search, files) openstack-cinder, openstack-glance: denial of service

[domenkozar]

Minor bumps would work, but it's quite some python packages to update (sorry, I don't have time now).