Open Source Security

Re: CVE request: php 5.3.1 update

Fri, 20 Nov 2009 17:48:57 GMT

Posted by Eren Türkay on Nov 20

Bogdan Calin disclosed the details about that vulnerability on full-disclosure
mailing list. He didn't disclosed his script but I wrote a PoC that works like
a charm. It makes DoS possible for any server that runs PHP within 1 minute
with a few requests.

Additionally, this vulnerability affects 5.2.11. I guess all products before
PHP 5.3.1 are vulnerable.

I think this deserves CVE Id. Any ideas?

CVE Assignment nginx

Fri, 20 Nov 2009 15:36:51 GMT

Posted by Josh Bressers on Nov 20

I've not seen a CVE id for this one anywhere:

CVE-2009-3896

engine x (nginx) contains a null pointer dereference flaw in versions
0.1.0-0.8.13 before versions 0.8.14, 0.7.62, 0.6.39 and 0.5.38.

http://nginx.net/
http://marc.info/?l=nginx&m=125692080328141&w=2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552035
http://www.debian.org/security/2009/dsa-1920

Thanks

Re: CVE request: php 5.3.1 update

Fri, 20 Nov 2009 14:04:01 GMT

Posted by Tomas Hoger on Nov 20

Link to announcement mail with CVEs:

http://news.php.net/php.announce/79

Reading the upstream bug http://bugs.php.net/bug.php?id=50063 , this is
not a security flaw, rather a safe_mode regression causing uid check to
happen where it should not resulting in over-restrictive safe_mode.

Some links for the other two issues:

http://securityreason.com/securityalert/6601
http://svn.php.net/viewvc?view=revision&revision=288945...

CVE request: v1.2.8 released to fix the 0777 base_dir creation issue

Fri, 20 Nov 2009 11:41:34 GMT

Posted by Thomas Biege on Nov 20

Hello.

http://www.dovecot.org/list/dovecot-news/2009-November/000143.html

http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz
http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz.sig

This is mainly to fix the 0777 base_dir creation issue, which could be
considered a security hole, exploitable by local users. An attacker
could for example replace Dovecot's auth socket and log in as other
users. Gaining root privileges isn't possible though....

Re: CVE request: php 5.3.1 update

Fri, 20 Nov 2009 10:48:09 GMT

Posted by Joe Orton on Nov 20

We assigned some CVE names for the new issues here; two correspond to
existing issues fixed earlier in 5.2.11. The CVE names have not made it
to the web site but were used in the e-mail announcement text:

- Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
(CVE-2009-3557, Rasmus)
- Fixed a open_basedir bypass in posix_mkfifo() identified by...

CVE request: php 5.3.1 update

Fri, 20 Nov 2009 10:42:19 GMT

Posted by Thomas Biege on Nov 20

Hello,

PHP was updated to version 5.3.1 and did also address security
issues: http://www.php.net/releases/5_3_1.php

Security Enhancements and Fixes in PHP 5.3.1:

* Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by
default, to prevent possible DOS via temporary file exhaustion.
* Added missing sanity checks around exif processing.
* Fixed a safe_mode bypass...

CVEs for nginx

Fri, 20 Nov 2009 01:36:16 GMT

Posted by Craig on Nov 19

Hi,

are the CVEs for

1.) nginx webdav: http://secunia.com/advisories/36818/

2.) nginx Null Pointer dereference:
http://sysoev.ru/nginx/patch.null.pointer.txt

3.) nginx SSL Renegotiation: http://sysoev.ru/nginx/patch.cve-2009-3555.txt

I know the last one contains a CVE number, nginx uses openssl and the
patch will disable renegotiation, maybe this deserves an own CVE?

Best regards,

Craig

mysql-5.1.41

Thu, 19 Nov 2009 21:08:49 GMT

Posted by Oden Eriksson on Nov 19

Hello.

The new mysql release mentions two security issues that has been addressed,
anyone knows more about that? I guess it would need some CVE assignment as
well.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

CVE assignment (libexif)

Thu, 19 Nov 2009 16:06:21 GMT

Posted by Josh Bressers on Nov 19

I'm giving libexif CVE-2009-3895. I've not seen an ID for this yet.

Only libexif version 0.6.18 is affected, all other versions are safe.

http://article.gmane.org/gmane.comp.graphics.libexif.devel/806
http://bugs.gentoo.org/show_bug.cgi?id=293190

Thanks.

CVE request: kernel: fuse: prevent fuse_put_request on invalid pointer

Thu, 19 Nov 2009 09:05:44 GMT

Posted by Eugene Teo on Nov 19

"fuse_direct_io() has a loop where requests are allocated in each
iteration. if allocation fails, the loop is broken out and follows into
an unconditional fuse_put_request() on that invalid pointer."

Upstream commit:
http://git.kernel.org/linus/f60311d5f7670d9539b424e4ed8b5c0872fc9e83

This can be triggered when the system is low on memory, and when the
fuse_request_alloc() function called from fuse_get_req() fails. The...

Re: CVE request: libpoppler4: buffer overflow in the Abiword backend

Wed, 18 Nov 2009 18:26:13 GMT

Posted by Josh Bressers on Nov 18

----- "Thomas Biege" <thomas () suse de> wrote:

As an FYI, MITRE assigned this CVE-2009-3938.

Thanks.

Re: CVE request: virtualbox-ose guest can trigger denial of service at host, mem consumption

Wed, 18 Nov 2009 15:16:08 GMT

Posted by Josh Bressers on Nov 18

Use CVE-2009-3893 for this.

Thanks.

Re: CVE request: libpoppler4: buffer overflow in the Abiword backend

Wed, 18 Nov 2009 07:08:22 GMT

Posted by Thomas Biege on Nov 17

Our maintainer told me that version 3 and 5 are vulnerable too.

Re: CVE request: oping allows the disclosure of arbitrary file contents

Tue, 17 Nov 2009 19:48:53 GMT

Posted by Tomas Hoger on Nov 17

My previous web search did find that one. Though set_user() doing
NPROC check is only called when new uid differs from current real uid
(so not called in setuid(getuid()) case).

Re: CVE request: libpoppler4: buffer overflow in the Abiword backend

Tue, 17 Nov 2009 08:27:31 GMT

Posted by Thomas Biege on Nov 17

AFAICS it just affects libpoppler. But version 4 may not be the only
one with the bug.

Bye,
Thomas