oss-sec mailing list archives
CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 30 Mar 2011 19:13:37 +0200
Hello Steve, vendors,

based on:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
and:
[2] http://www.erlang.org/download/otp_src_R14B.readme
[3] http://www.erlang.org/download/otp_src_R14B01.readme
[4] http://www.erlang.org/download/otp_src_R14B02.readme

I performed some initial issues review -- erlang-CVE-request.txt attached. But since I am not sure which of those are real security flaws and how many CVE ids will be needed for those, I am Cc-ing also the Erlang upstream developers to shed more light on this.

The distribution of OTPs is as follows:
=======================================
Rickard Green: OTP-8810, OTP-8781, OTP-8925, OTP-9005, OTP-8999
Bjorn-Egil Dahlberg: OTP-8814, OTP-8827, OTP-8943
Sverker Eriksson: OTP-8945, OTP-8716
Patrik Nyblom: OTP-7178, OTP-8780, OTP-8993
Raimo Niskanen: OTP-8729, OTP-8795
Bjorn Gustavsson: OTP-8831, OTP-8892, OTP-9117
Niclas Axelsson: OTP-9101
Hans Bolinder: OTP-8898

Rickard, Bjorn-Egil, Sverker, Patrik, Raimo, Bjorn, Niclas, Hans, could you please have a look at the attached review file and reply which of the 20 OTPs in the list are security flaws (so we would know the count of CVE identifiers needed) and which are just bugs? (since you know the Erlang code better than me)

Help / guidance from your side is really appreciated to resolve this one.

Thank you in advance for your time and cooperation.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
crypto:
- 1), multiple memory leaks OTP-8810
Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
Note: Hard to tell if it has security implications, but from the patch it looks certain memory content leaks were possible
- 2), rc4 not working correctly (silent data corruption) OTP-8781
Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
Note: Seems to be just bugfix
From the patch log: RC4 stream cipher didn't work.
erl_interface:
- 3), ei: prevent overflow in ei_connect_init and ei_xconnect OTP-8814
Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
Note: security, stack based buffer overflow possible
- 4), erl_call: fix multiple buffer overflows OTP-8827
Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
Note: security, multiple heap overflows possible
- 5), Check the length of the node name to prevent an overflow OTP-8943
Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
Note: security
- 6), erl_term_len() in erl_interface could return a wrong length OTP-8945
Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
Note: Hard to tell if it has security implications
erts:
- 7), error with list_to_float("1.0e-324") in some VMs OTP-7178
Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
Note: ignore underflow in list_to_float and return 0.0
- 8), Fix faulty 64-bit integer term output from drivers (crash or silent data corruption) OTP-8716
Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
Note: security
- 9), gen_udp:connect/3 was broken for SCTP enabled builds. OTP-8729
Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
Note: seems to be just bugfix
- 10), Removed some potential vulnerabilities from epmd OTP-8780
Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
Note: security
From patch log: Remove two buffer overflow vulnerabilities in EPMD
- 11), wrong return code for http sockets {ok,{http_error,String}} OTP-8831
Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
Note: seems to be just bugfix
- 12), Multiple Buffer overflows have been prevented OTP-8892
Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
Note: security
From patch log:
* ms/security-fixes: erlc: remove unused variable, typer: prevent buffer overflows,
run_test: prevent buffer overflow, heart: prevent buffer overflow,
escript: prevent buffer overflows, erlexec: prevent buffer overflows,
erlc: prevent buffer overflows, dialyzer: prevent buffer overflows
- 13), The ERTS internal rwlock implementation could get into an inconsistent state OTP-8925
Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
Note: Assertion failure, but not sure if exploitable for DoS
- 14), Some malformed distribution messages could cause VM to crash OTP-8993
Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
Note: security
From patch log: Teach VM not to dump core on bad dist message structure
- 15), A bug in the exit/2 BIF could potentially cause an emulator crash OTP-9005
Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
Note: Not sure if it has security implications
- 16), Potentially emulator crash when deleting an ETS-table OTP-8999
Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
Note: Not sure if it has security implications
- 17), Attempting to create binaries exceeding 2Gb (using for
example term_to_binary/1) would crash the emulator OTP-9117
Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
Note: Hard to tell if it has security implications
hipe:
- 18), Fix bug in the simplification of inexact comparisons OTP-9101
Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
Note: Seems to be just bugfix
kernel:
- 19), inet:getsockopt for SCTP sctp_default_send_param, random answers OTP-8795
Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
Note: Seems to be just bugfix
stdlib:
- 20), race condition/silent data corruption in dets OTP-8898
Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
Note: Hard to tell if it has security implications
Note: Are there potentially more ones I missed?