Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Year   Jan–Mar   Apr–Jun   Jul–Sep   Oct–Dec
2014       714       711       886       448
2013       777       648       688       583
2012       815       578       591       549
2011       640       738       550       591
2010       291       376       465       383
2009       250       264       272       304
2008       206       390       402       358

Latest Posts

Re: Vulnerability fixed in Quassel? Pierre Schweitzer (Oct 25)
Was a CVE ID assigned for the Konversation bug?

In any case, it's way worse than my understanding (thanks for the
clarifications!).

So I believe a CVE should be assigned to that commit for Quassel. Do
we need the project owners to ask for it? Or MITRE can just assign it?

Cheers,

cve request: libbfd? Michal Zalewski (Oct 25)
Hey,

You may want to assign something to:

http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html
http://sourceware.org/bugzilla/show_bug.cgi?id=17510

This is slightly complicated by the fact that libbfd is just bad in
general and there likely are dozens of individual bugs, but the
write-to-arbitrary-pointer issues with ELF section parsing in elf.c
sort of stand out.

/mz

Re: strings / libbfd crasher Tavis Ormandy (Oct 25)
Yeah, `strings -a` is closer to what people expect by default - most
people find the section parsing a surprise. I found this one 10 years
ago https://bugs.gentoo.org/show_bug.cgi?id=91398, and suggested at
the time that maybe `strings -a` should be the default mode, enabling
bfd parsing only when requested.

This was dismissed by upstream, but I still think it's a good idea...

Tavis.

Re: strings / libbfd crasher mancha (Oct 24)
Yes.

Unfortunately, the buggy code can be arrived at via multiple entry
points (e.g. objdump -p or nm on stringme, stringmetoo, and
strings-bfd-badfree). Those are also commonly used on untrusted binaries
(e.g. forensics). Fixing the core issues seems the way to go.

--mancha

Re: strings / libbfd crasher Michal Zalewski (Oct 24)
[+Tavis]

Tavis mentioned to me some time ago that he made that suggestion
upstream when he bumped into other issues many years ago; he can
probably comment on how that went, but more generally, distro vendors
have some latitude to apply non-upstream patches to change the default
behavior... maybe that's the way to go.

/mz

Re: strings / libbfd crasher Hanno Böck (Oct 24)
I've checked the upstream patch they pointed me to:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f

Unfortunately this mixes in another change that is a revert, so it
doesn't apply cleanly to the current release (2.24), if anyone needs it
I've re-diffed it:
https://files.hboeck.de/binutils-2.24-fix-crash.diff

This fixes the original stringme and stringmetoo from mancha, but not...

Re: Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185 cve-assign (Oct 24)
In cases of disputes about the validity of a vulnerability with
respect to a specific threat model, it's sometimes possible to have
multiple CVEs.

https://bugzilla.redhat.com/CVE-2013-2185 says:

This suggests a completely general case in which the serialized
instance could come from an arbitrary untrusted source in an
application-specific way. Apparently, from the perspective of the
Apache Tomcat maintainer, they are not interested in...

Re: strings / libbfd crasher Michal Zalewski (Oct 24)
Filed this as:
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

Re: strings / libbfd crasher Michal Zalewski (Oct 24)
I do have a bunch more that seem exploitable, though - for example:

http://lcamtuf.coredump.cx/strings-bfd-badfree - does this repro for
people (I tried with binutils 2.24)?

I think that given the expectations people have around what strings
does and whether it's safe to run on untrusted binaries, I'd seriously
question the wisdom of making it use libbfd, at least by default;
perhaps distros want to consider non-upstream patches that...

kvm issues Petr Matousek (Oct 24)
Hi,

a number of kvm issues were disclosed today, here's the list.

CVE-2014-3610
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=854e8bb1aa06c578c2c9145fa6bfe3680ef63b23
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=8b3c3104c3f4f706e99365c3e0d2aa61b95f969f

CVE-2014-3611
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=2febc839133280d5a5e8e1179c94ea674489dae2

CVE-2014-3646...

New security advisories released for Apache CXF Colm O hEigeartaigh (Oct 24)
CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of
Service (DoS) attack

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.0.0-milestone1,
2.7.8 and 2.6.11.

Description:

An Apache CXF JAX-RS service can process SAML tokens received in the
authorization header of a request via the SamlHeaderInHandler. However it is
possible to...

CVE-2014-8369 - Linux kernel iommu.c excessive unpinning cve-assign (Oct 24)
CVE-2014-8369 has been assigned to this virt/kvm/iommu.c issue:

https://lkml.org/lkml/2014/10/24/460

(This vulnerability exists because of an incorrect fix for
CVE-2014-3601.)

Re: strings / libbfd crasher Hanno Böck (Oct 24)
I've now put this in upstream's bugtracker:
https://sourceware.org/bugzilla/show_bug.cgi?id=17509

Hope no one else has already done this.

Re: strings / libbfd crasher mancha (Oct 24)
To clarify...

While my sample input to strings (or objdump, etc.) also gets bytes to
wraparound, the nature of the crash is different than that of Michal's
sample. My input triggers a NULL pointer dereference and further
demonstrates the need to tighten up the codebase.

Re: Vulnerability fixed in Quassel? Bas Pape (Oct 24)
Sorry, forgot to actually paste the link. The Konversation bug can be found at
https://bugs.kde.org/show_bug.cgi?id=210792
