Vulnerability Roundup 17

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities since our last roundup.

cc: @7c6f434c @FRidh @fpletz @vcunat.

Note: The list of people CC'd on this issue participated in the last roundup. If you participate on this roundup, I'll cc you on the next one. If you don't participate in the next one, you won't be CC'd on the one after that. If you would like to be CC'd on the next roundup, add a comment to the most recent vulnerability roundup.

Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @NixOS/security-notifications If you would like to be CC'd on all roundups (or removed from the list), open a PR editing https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.

Notes on the list

1. The reports have been roughly grouped by the package name. This isn't perfect, but is intended to help identify if a whole group of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple packages. For example, there are sometimes problems that impact thunderbird, and firefox. LWN might report in one vulnerability "thunderbird firefox". These names have been split to make sure both packages get addressed.
3. By each issue is a link to code search for the package name, and a Github search by filename. These are to help, but may not return results when we do in fact package the software. If a search doesn't turn up, please try altering the search criteria or looking in nixpkgs manually before asserting we don't have it.
4. This issue is created by https://github.com/NixOS/security

Instructions:

1. Triage a report: If we don't have the software or our version isn't vulnerable, tick the box or add a comment with the report number, stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable, either leave a comment on this issue saying so, even open a pull request with the fix. If you open a PR, make sure to tag this issue so we can coordinate.
3. When an entire section is completed, move the section to the "Triaged and Resolved Issues" details block below.

Upon Completion ...

• [x] Be sure graham applied the jasper patch
• [x] Run the issue through reformat one last time
• [x] Review commits since last roundup for backport candidates
• [x] Send an update e-mail to nix-security-announce@googlegroups.com
• [x] Update the database at https://github.com/NixOS/security

Without further ado...

Assorted (22 issues)

• [x] #710900 (search, files) kopete: encryption botch
• [x] #711187 (search, files) nvidia304, nvidia340: denial of service
• [x] #710896 (search, files) flac: three vulnerabilities
• [x] #711047 (search, files) icoutils: code execution
• [x] #711186 (search, files) libtiff: XML External Entity (XXE) attacks
• [x] #710627 (search, files) libvncserver: two vulnerabilities
• [x] #711187 (search, files) nvidia304, nvidia340: denial of service
• [x] #711050 (search, files) sway: unspecified
• [x] #710628 (search, files) borgbackup: two vulnerabilities
• [x] #709985 (search, files) dovecot: denial of service
• [x] #652799 (search, files) hplip: man-in-the-middle attack
• [x] #711189 (search, files) irssi: multiple vulnerabilities
• [x] #711059 (search, files) jasper: three vulnerabilities
• [x] #710626 (search, files) pcsclite: privilege escalation
• [x] #711049 (search, files) php-swiftmailer: code execution
• [x] #711051 (search, files) php7: denial of service
• [x] #710895 (search, files) puppet-tripleo: access restriction bypass
• [x] #711055 (search, files) syncthing: two vulnerabilities
• [x] #711055 (search, files) syncthing: two vulnerabilities
• [x] #710898 (search, files) tinymce: cross-site scripting
• [x] #711048 (search, files) tomcat: information disclosure
• [x] #710899 (search, files) unrtf: code execution
• [ ] #710286 (search, files) openjpeg2: multiple vulnerabilities

[fpletz]

Already fixed irssi in the last roundup. Borgbackup was also fixed a while ago. :smiley:

Additionally:

• docker & runc (CVE-2016-9962)
  • cb07316773acc4f274c4bb3c3f03a67b11dfaa70
  • 260d97ca25819690ce87bc5af48ab6a4ae0e2e68
  • libgit2 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130, CVE-2017-5338, CVE-2017-5339)
  • c03bc5721203d4952bc7c4b90efedeee4383780c
  • 3ecfab881946370a1c27fd17b9e55e27bca35d96
• gnutls (CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337)
  • 0e963d2563de6311a829de63762bb8a9c4378050
  • 85ac7906661e42fb89e186f77fcf01a5c96586bd

Those have already been backported to 16.09.

[grahamc]

Wow, alright! Nice staying ahead of the game :D!

Also:

• flashplayer (https://helpx.adobe.com/flash-player/release-note/fp_24_air_24_release_notes.html, https://helpx.adobe.com/security/products/flash-player/apsb17-02.html, CVE-2017-2925, CVE-2017-2926, CVE-2017-2927, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931, CVE-2017-2932, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935, CVE-2017-2936, CVE-2017-2937, CVE-2017-2938)
  • ce11097b712c9415952a5bd6fce6184c7b923c20
  • fd1dbe551cf6338c5f4e4f80c2f5dde9f9e6a271

[grahamc]

I've started a branch which fixes jasper

[grahamc]

Nice work, @fpletz, you fixed the php7 issue a month ago :)

[grahamc]

@ttuegel how can I find changelogs for something like Kopete?

When updating OTR GUI icon properly set OTR instance tag Without configured instance tag libotr library does not encrypt sent messages and moreover it even does not report any error that message was not encrypted.

This should fix a bug when OTR "encrypted" icon is shown in GUI and libotr itself does not want to encrypt messages. It happened when Kopete window with active OTR session was closed and after that again opened.

[grahamc]

@7c6f434c can you check out libvncserver? I'm having issues with it building my update. Latest release from https://github.com/LibVNC/libvncserver/releases

[Mic92]

backported flac from unstable to stable: https://github.com/NixOS/nixpkgs/commit/cd27f9d492a8551bd86bf461ee26394211dd35df

[Mic92]

I will just make a regular upgrade on nixpkgs unstable for sway because there is no indication of a concrete security incidence.

[grahamc]

Perfect, thank you! I have patches for the nvidia drivers, and I'll start working on openjpeg.

[grahamc]

this openjpeg issue is 😬

CVEs to patch against:

• [x] CVE-2016-8332 https://bugzilla.suse.com/show_bug.cgi?id=1002414 (not affected)
• [x] CVE-2016-9112 https://bugzilla.suse.com/show_bug.cgi?id=1007747 (patched)
• [ ] CVE-2016-9113 https://bugzilla.suse.com/show_bug.cgi?id=1007739
• [x] CVE-2016-9114 https://bugzilla.suse.com/show_bug.cgi?id=1007740 (patched)
• [ ] CVE-2016-9115 https://bugzilla.suse.com/show_bug.cgi?id=1007741
• [x] CVE-2016-9116 https://bugzilla.suse.com/show_bug.cgi?id=1007742 (patched)
• [ ] CVE-2016-9117 https://bugzilla.suse.com/show_bug.cgi?id=1007743
• [x] CVE-2016-9118 https://bugzilla.suse.com/show_bug.cgi?id=1007744 (patched)
• [ ] CVE-2016-9572 / CVE-2016-9573 https://bugzilla.suse.com/show_bug.cgi?id=1014543
• [x] CVE-2016-9580, CVE-2016-9581 https://bugzilla.suse.com/show_bug.cgi?id=1014975 (patched)
• [ ] CVE-2016-7445 https://bugzilla.suse.com/show_bug.cgi?id=999817

[7c6f434c]

@grahamc and for the maximum fun we have alleged patches submitted as a PR.

[7c6f434c]

@grahamc I officially fail to understand what is the problem with 0.9.11 update of libvncserver

[grahamc]

I was seeing syntax errors in the libvncserver's autoconf which seemed beyond my range of expertise.

[grahamc]

Yeah. These PRs really are maximum fun ... it'd be a different story if they were merged PRs!

[7c6f434c]

Obviously these were not real syntax error but undefined functions. Adding a pkgconfig dependency fixed them nicely.

[grahamc]

Good to know for next time, thank you :)

[grahamc]

We're in good company with the openjpeg2 issues: https://security-tracker.debian.org/tracker/source-package/openjpeg2

[7c6f434c]

libtiff: we already have 4.0.7

[7c6f434c]

icoutils: bump done

[grahamc]

Hot dog! Is this a record? Pretty well finished! I think we're not vulnerable to the Kopete thing, but would like ttuegel to chime in. Openjpeg2... well, I'm hoping Debian provides some patches soon or openjpeg2 decides to merge something. Great great work. I'll plan on closing it out and merging my branch this afternoon.

[ttuegel]

@grahamc I'm not the Kopete maintainer; I don't know anything about that. I do know that KDE 4 is unmaintained upstream for years, so I would guess we are almost certainly vulnerable.

[grahamc]

There isn't a standard place to find KDE changelogs?

[Mic92]

@grahamc our kopete is new enough: https://portal.cert.dfn.de/adv/DFN-CERT-2017-0026/

[LnL7]

/participate

[bachp]

/participate

[7c6f434c]

Interesting, that IRC-style and HTML-style interpretations of /participate are both believable — and directly opposite. I know, I know IRC-style is the correct one.

[grahamc]

I forgot to close it from last week! Thank you! :) New one: https://github.com/NixOS/nixpkgs/issues/21967