Vulnerability Roundup 32 #33826

Closed · 20 of 38 tasks
ckauhaus opened this issue Jan 13, 2018 · 18 comments
Labels: 1.severity: security (Issues which raise a security issue, or PRs that fix one)
Milestone: 18.03 (added Mar 13, 2018)

Comments

@ckauhaus (Contributor) commented Jan 13, 2018

Scanned nixos/release-combined.nix @ d982c61. May contain false positives.

ffmpeg-3.4.1
gstreamer-0.10.36
imagemagick-6.9.9-28
libarchive-3.3.2
libcroco-0.6.12
libid3tag-0.15.1b
libsndfile-1.0.28
libtiff-4.0.8
libvorbis-1.3.5
openldap-2.4.45
pcre-8.41
rsync-3.1.2
systemd-234
wpa_supplicant-2.6

Cc: @NixOS/security-notifications, @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7

Contact @ckauhaus for any questions.

@ckauhaus (Contributor, Author):

imagemagick-6.9.9-28 is explicitly listed in CVE-2017-17504 despite being released recently.

ckauhaus pushed a commit to nix-community/vulnix that referenced this issue Jan 13, 2018
@ckauhaus (Contributor, Author):

I decided not to filter out some stuff that was not fixed pre-December - we should reevaluate if there are any new fixes available.

@adisbladis (Member):

wpa_supplicant CVEs are all KRACK Attacks which we already patched

@adisbladis (Member):

CVE-2017-15908 is patched

@adisbladis (Member):

As discussed in #32117 CVE-2017-11164 is invalid

@adisbladis (Member):

CVE-2017-16548 is fixed

@adisbladis (Member):

As mentioned in #30959 we are not affected by CVE-2017-14159

@YorikSar (Contributor):

CVE-2018-1000001 just came around - should it be included here?

@ckauhaus (Contributor, Author):

@adisbladis sorry for the noise with the old stuff - I'm currently working to fix the broken whitelisting code so we can keep track of this kind of information.
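
An added example (not code from nixpkgs, vulnix, or any commenter here) of the kind of whitelisting the comment above refers to: a small Python triage that suppresses findings this thread has already resolved, and lets version-bound entries expire when a package is bumped so the finding comes back for re-evaluation (the "reevaluate if there are any new fixes available" point from earlier). The whitelist layout, the `triage`/`open_report` helper names, the hypothetical libsndfile 1.0.29 rescan record, and the CVE-to-package pairings the thread does not state (CVE-2017-13077 as one of the KRACK ids for wpa_supplicant, CVE-2017-15908 for systemd, CVE-2017-11164 for pcre, CVE-2017-16548 for rsync, CVE-2017-14159 for openldap) are assumptions made for this example.

```python
"""Triage a package/CVE scan against a whitelist of findings already handled.

Added example, not code from nixpkgs or from vulnix.  The scan records and
the whitelist entries are constructed from outcomes reported in this thread;
the whitelist layout (package, CVE, reason, optional version ceiling) is a
hypothetical format chosen for the example, not vulnix's own file format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str


@dataclass(frozen=True)
class WhitelistEntry:
    package: str
    cve: str
    reason: str
    # Version-bound entries (patched in nixpkgs, or "no upstream fix yet")
    # expire as soon as the package moves past this version, so the finding
    # comes back for re-evaluation.  None means the entry never expires
    # (bogus CVE, wrong package, not affected at all).
    until_version: Optional[str] = None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for a version like '6.9.9-28' -> (6, 9, 9, 28).

    Non-numeric suffixes such as the 'b' in '0.15.1b' are ignored, so the
    comparison is numeric rather than lexical ('1.0.9' < '1.0.28')."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def triage(findings: List[Finding], whitelist: List[WhitelistEntry]):
    """Split findings into (suppressed, still_open).

    suppressed is a list of (finding, reason); still_open keeps every finding
    with no matching entry, or whose entry expired because of a version bump."""
    index = {(w.package, w.cve): w for w in whitelist}
    suppressed, still_open = [], []
    for f in findings:
        if not CVE_RE.match(f.cve):
            raise ValueError(f"malformed CVE id: {f.cve!r}")
        w = index.get((f.package, f.cve))
        if w is None:
            still_open.append(f)
        elif w.until_version is not None and version_key(f.version) > version_key(w.until_version):
            still_open.append(f)  # package was bumped: re-check whether a real fix landed
        else:
            suppressed.append((f, w.reason))
    return suppressed, still_open


# Constructed scan output modelled on the package list in this issue.  The
# CVE-to-package pairing for wpa_supplicant, systemd, pcre, rsync and openldap
# is an assumption; the remaining pairings are stated in the thread.
SCAN = [
    Finding("wpa_supplicant", "2.6", "CVE-2017-13077"),
    Finding("systemd", "234", "CVE-2017-15908"),
    Finding("pcre", "8.41", "CVE-2017-11164"),
    Finding("rsync", "3.1.2", "CVE-2017-16548"),
    Finding("openldap", "2.4.45", "CVE-2017-14159"),
    Finding("ffmpeg", "3.4.1", "CVE-2017-17555"),
    Finding("imagemagick", "6.9.9-28", "CVE-2017-17504"),
    Finding("libsndfile", "1.0.28", "CVE-2017-14245"),
    Finding("libarchive", "3.3.2", "CVE-2017-14503"),
    # Hypothetical later rescan after a libsndfile bump, to show an entry expiring.
    Finding("libsndfile", "1.0.29", "CVE-2017-14245"),
]

WHITELIST = [
    WhitelistEntry("wpa_supplicant", "CVE-2017-13077", "KRACK, patched in nixpkgs", "2.6"),
    WhitelistEntry("systemd", "CVE-2017-15908", "patched", "234"),
    WhitelistEntry("rsync", "CVE-2017-16548", "fixed", "3.1.2"),
    WhitelistEntry("libsndfile", "CVE-2017-14245", "no proper upstream fix yet, libsndfile/libsndfile#317", "1.0.28"),
    WhitelistEntry("imagemagick", "CVE-2017-17504", "fixed upstream, ImageMagick/ImageMagick@ce3a586"),
    WhitelistEntry("pcre", "CVE-2017-11164", "CVE considered invalid, see #32117"),
    WhitelistEntry("openldap", "CVE-2017-14159", "not affected, see #30959"),
    WhitelistEntry("ffmpeg", "CVE-2017-17555", "bug is in aubio, not ffmpeg"),
]


def open_report(findings=SCAN, whitelist=WHITELIST) -> List[str]:
    """Lines for the findings that still need a human, e.g. 'libarchive-3.3.2 CVE-2017-14503'."""
    _, still_open = triage(findings, whitelist)
    return sorted(f"{f.package}-{f.version} {f.cve}" for f in still_open)


if __name__ == "__main__":
    suppressed, _ = triage(SCAN, WHITELIST)
    for f, reason in suppressed:
        print(f"skip {f.package}-{f.version} {f.cve}: {reason}")
    print("open:", *open_report(), sep="\n  ")
```

Running it leaves two findings open: the libarchive one nobody has a patch for, and the libsndfile one again after the (hypothetical) bump to 1.0.29, because its entry was bound to 1.0.28. Entries without a ceiling (invalid CVE, wrong package, not affected) stay quiet across bumps, which is the distinction worth keeping in any real whitelist.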

@dtzWill (Member) commented Jan 13, 2018

The fix for ImageMagick (2017-17504) is part of 6.9.9-28, I just checked. It's this commit: ImageMagick/ImageMagick@ce3a586

I checked with a local clone of the repo, this fix is not mentioned in their changelog but commit history shows it was fixed between -23 and -24.

I suggest we bump ImageMagick to latest anyway, I'll submit a PR doing so shortly.
( ImageMagick/ImageMagick@6.9.9-28...6.9.9-33 shows the changes, almost entirely out-of-bounds accesses, heap-overflow, ...)

Actually found that one of the fixes is this: ImageMagick/ImageMagick#927
which is for [CVE-2018-5248](https://nvd.nist.gov/vuln/detail/CVE-2018-5248).

@adisbladis (Member):

CVE-2017-17555 is not actually a bug in ffmpeg but in aubio.
No patch yet. See aubio/aubio#137.

@adisbladis (Member):

CVE-2016-9447 fixed in fa3aec7

@7c6f434c (Member):

libsndfile: it's complicated.
CVE-2017-14245 and CVE-2017-14246 are libsndfile/libsndfile#317 — there is an unmerged superficial fix in libsndfile/libsndfile#325 with a stalled conversation, and the maintainers think about a proper fix.

@vcunat (Member) commented Jan 14, 2018

I wonder if it's better to scan release-17.09 (in future) – I would think it's more security-centered and likely to contain more unfixed CVEs than unstable/master. (Though there certainly can be issues not present in 17.09 and present in unstable/master; maybe best scan both at once.)

@ckauhaus (Contributor, Author):

@vcunat I think it would be worthwhile to scan both master and 17.09. The resulting actions may be different for both - in master it is usually best to bump the version (if there is an upstream release), while in 17.09 we'll tend to backport patches.

I'll try this approach the next time and we will see how far it goes.

@7c6f434c (Member):

libarchive issues go in the opposite order as issues and as CVEs…

CVE-2017-14503 is libarchive/libarchive#948 and CVE-2017-14501 is libarchive/libarchive#949

Both are found with AFL, both originally reported to Debian, apparently neither Debian nor the upstream has any patches or specific ideas about causes.

vcunat added a commit that referenced this issue Jan 17, 2018:

    /cc #33826 (comment)
    Unstable/master uses 2.26-x, updated in 990ff97.

@fpletz (Member) commented Jan 29, 2018

CVE-2017-17555 in aubio is just a DoS and thus not really important.

@fpletz fpletz added this to the 18.03 milestone Mar 13, 2018
@fpletz fpletz added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Mar 13, 2018
@ckauhaus (Contributor, Author) commented Oct 8, 2018

nixos-17.09 is EOL

@ckauhaus ckauhaus closed this as completed Oct 8, 2018