Vulnerability Roundup 15

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities since our last roundup.

cc: @joachifm @michalpalka @abbradar @bachp @LnL7 @the-kenny @Mic92 @FRidh @bjornfor @vcunat.

Note: The list of people CC'd on this issue participated in the last roundup. If you participate on this roundup, I'll cc you on the next one. If you don't participate in the next one, you won't be CC'd on the one after that. If you would like to be CC'd on the next roundup, add a comment to the most recent vulnerability roundup. If you would like to be CC'd on all roundups, leave a comment and tell @grahamc so.

Permanent CC's: @joepie91, @phanimahesh, @NixOS/security-notifications (if you no longer want to be CC'd, ask to be removed from this list)

Notes on the list

1. The reports have been roughly grouped by the package name. This isn't perfect, but is intended to help identify if a whole group of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple packages. For example, there are sometimes problems that impact thunderbird, and firefox. LWN might report in one vulnerability "thunderbird firefox". These names have been split to make sure both packages get addressed.
3. By each issue is a link to code search for the package name, and a Github search by filename. These are to help, but may not return results when we do in fact package the software. If a search doesn't turn up, please try altering the search criteria or looking in nixpkgs manually before asserting we don't have it.
4. This issue is created by https://github.com/NixOS/security

Instructions:

1. Triage a report: If we don't have the software or our version isn't vulnerable, tick the box or add a comment with the report number, stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable, either leave a comment on this issue saying so, even open a pull request with the fix. If you open a PR, make sure to tag this issue so we can coordinate.
3. When an entire section is completed, move the section to the "Triaged and Resolved Issues" details block below.

Upon Completion ...

• [x] Run the issue through reformat one last time
• [x] Review commits since last roundup for backport candidates
• [x] Send an update e-mail to nix-security-announce@googlegroups.com
• [x] Update the database at https://github.com/NixOS/security

Without further ado...

Assorted (17 issues)

• [x] #710086 (search, files) kernel: denial of service
• [x] #710210 (search, files) libcrypto++: denial of service
• [x] #710082 (search, files) openssh: multiple vulnerabilities
• [x] #709844 (search, files) ceph: denial of service
• [x] #710085 (search, files) gdk-pixbuf2: unspecified
• [x] #709987 (search, files) graphicsmagick: denial of service
• [x] #709988 (search, files) imagemagick: code execution
• [x] #710084 (search, files) botan: integer overflow
• [x] #710209 (search, files) exim4: information leak
• [x] #710214 (search, files) httpd: three vulnerabilities
• [x] #709984 (search, files) imagemagick: code execution
• [x] #709986 (search, files) msgpuck: two denial of service flaws
• [x] #710212 (search, files) qemu: denial of service
• [x] #671098 (search, files) shellinabox: DNS rebinding
• [x] #710213 (search, files) spip: two vulnerabilities
• [x] #710087 (search, files) squid: two vulnerabilities
• [x] #709993 (search, files) xen: two vulnerabilities

gstreamer-plugins-good (2 issues)

• [x] #318382 (search, files) gstreamer-plugins-good: heap buffer overflows
• [x] #709839 (search, files) gstreamer-plugins-good: denial of service

[grahamc]

I tried updating botan with

commit 81879537edc27b40075563fff55a59ad06526d17
Author: Graham Christensen <graham@grahamc.com>
Date:   Wed Dec 28 07:08:13 2016 -0500

    botan: 1.10.13 -> 1.10.14

    CVE-2016-9132

diff --git a/pkgs/development/libraries/botan/default.nix b/pkgs/development/libraries/botan/default.nix
index 6e8a8cd..69e8f17 100644
--- a/pkgs/development/libraries/botan/default.nix
+++ b/pkgs/development/libraries/botan/default.nix
@@ -2,7 +2,7 @@

 callPackage ./generic.nix (args // {
   baseVersion = "1.10";
-  revision = "13";
-  sha256 = "144vl65z7bys43sxgb09mbisyf2nmh49wh0d957y0ksa9cyrgv13";
+  revision = "14";
+  sha256 = "072czy26vfjcqjww4qccsd29fzkb6mb8czamr4x76rdi9lwhpv8h";
   extraConfigureFlags = "--with-gnump";
 })

but get a build error:

In file included from src/asn1/ber_dec.cpp:11:0:
build/include/botan/internal/safeint.h: In constructor 'Botan::Integer_Overflow_Detected::Integer_Overflow_Detected(const string&, int)':
build/include/botan/internal/safeint.h:20:67: error: 'to_string' is not a member of 'std'
          Exception("Integer overflow detected at " + file + ":" + std::to_string(line))
                                                                   ^
build/include/botan/internal/safeint.h:20:67: note: suggested alternatives:
In file included from build/include/botan/exceptn.h:12:0,
                 from build/include/botan/asn1_int.h:12,
                 from build/include/botan/asn1_oid.h:11,
                 from build/include/botan/ber_dec.h:11,
                 from src/asn1/ber_dec.cpp:8:
build/include/botan/parsing.h:56:23: note:   'Botan::to_string'
 BOTAN_DLL std::string to_string(u64bit n, size_t min_len = 0);
                       ^
In file included from build/include/botan/asn1_oid.h:11:0,
                 from build/include/botan/ber_dec.h:11,
                 from src/asn1/ber_dec.cpp:8:
build/include/botan/asn1_int.h:94:13: note:   'Botan::ASN1::to_string'
 std::string to_string(const BER_Object& obj);
             ^
make: *** [Makefile:633: build/lib/asn1_ber_dec.o] Error 1

[the-kenny]

@grahamc Can you add me to the permanent-CC list please?

[grahamc]

Done, @the-kenny: https://github.com/NixOS/security/commit/686a57a690142de51d1c67df38eefad75d2654b5

[grahamc]

@wkennington second bump on Ceph, we're 2 major versions behind, 9.x hasn't seen an update in ages, and there don't seem to be any distros I can take the security patches from. I may mark as broken soon.

[7c6f434c]

re: botan: fixed, stable version wasn't enforcing C++11 for some reason.

[grahamc]

Thank you, @7c6f434c! botan patches: https://github.com/NixOS/nixpkgs/compare/04736aef42e6...21d4d54a38b3

[7c6f434c]

imagemagick: I have updated to the latest repository release tag, no idea if it fixes all the vulnerabilities.

[grahamc]

image magick: https://github.com/NixOS/nixpkgs/compare/9ec867f59fba...de99dc50495e

[7c6f434c]

Also updated dovecot

[grahamc]

dovecot: https://github.com/NixOS/nixpkgs/commit/35e3ea0966bcdf3483fc25e78a5e9e1887befe9b

[vcunat]

gdk-pixbuf: 421a7f37f and f3d383553e6.

[LnL7]

@vcunat any idea what's going wrong with the openssh test?

[vcunat]

No idea. That's why I had reverted that update in 661b5a987.

[grahamc]

re SSH: I was able to reproduce the issue locally.

[nlewo]

qemu CVE-2016-9911 adressed by #21482.

[grahamc]

@vcunat, @LnL7

applying:

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 073391f..80659f1 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -264,8 +264,7 @@ in
                 StandardInput = "socket";
               } else {
                 Restart = "always";
-                Type = "forking";
-                PIDFile = "/run/sshd.pid";
+                Type = "simple";
               });
           };

@@ -322,8 +321,6 @@ in

     services.openssh.extraConfig = mkOrder 0
       ''
-        PidFile /run/sshd.pid
-
         Protocol 2

         UsePAM yes

has fixed it for me:

• https://bugzilla.mindrot.org/attachment.cgi?id=2896&action=diff
• https://bugzilla.mindrot.org/show_bug.cgi?id=2641

 * sshd(8): Improve handling of SIGHUP by checking to see if sshd is
   already daemonised at startup and skipping the call to daemon(3)
   if it is. This ensures that a SIGHUP restart of sshd(8) will
   retain the same process-ID as the initial execution. sshd(8) will
   also now unlink the PidFile prior to SIGHUP restart and re-create
   it after a successful restart, rather than leaving a stale file in
   the case of a configuration error. bz#2641

what do you think of this solution / backporting?

[vcunat]

I know little about this stuff. In master it'll be good to switch to --with-systemd, I guess, though that's not security-related. /cc openssh maintainer @aneeshusa. Context: previous comment and 661b5a9.

[grahamc]

@vcunat / @aneeshusa -- they don't create any sort of --with-systemd flag. That patch was rejected. The change they made makes it properly realize it is already backgrounded and not background itself if it is called by an init system. That is why my patch works, without adding a --with-systemd flag.

[LnL7]

That's also how I understood it, if simple also works with services.openssh.startWhenNeeded it should be fine.

[grahamc]

I marked ceph as broken.

[grahamc]

Thank you, everyone, for their work!