aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-23T11:06:48Z

[3.10] samba: Multiple vulnerabilities (CVE-2019-12435, CVE-2019-12436)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10590
Updated: 2019-07-23T11:06:48Z
Author: Alicha CH

CVE-2019-12435: Samba AD DC Denial of Service in DNS management server (dnsserver)
----------------------------------------------------------------------------------
The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.
An authenticated user can crash the RPC server process via a NULL
pointer de-reference.
There is no further vulnerability associated with this issue, merely a
denial of service.
### Affected Versions:
Samba 4.9 and 4.10
### Fixed In Version:
Samba 4.9.9 and 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/history/security.html
### Patches:
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
CVE-2019-12436: Samba AD DC LDAP server crash (paged searches)
--------------------------------------------------------------
A user with read access to the LDAP server can crash the LDAP
server process. Depending on the Samba version and the choice
of process model, this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change
this.
Samba 4.10 also supports the ‘prefork’ process model and by
using the -M option to ‘samba’ and a ‘single’ process model.
Both of these share one process between multiple clients.
### Affected Versions:
All versions of Samba since Samba 4.10.0
### Fixed In Version:
Samba 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12436.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
*(from redmine: issue id 10590, created on 2019-06-20, closed on 2019-06-21)*
* Relations:
* parent #10588

Milestone: 3.10.1
Assignee: Natanael Copa

[3.11] samba: Multiple vulnerabilities (CVE-2019-12435, CVE-2019-12436)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10589
Updated: 2019-07-23T11:06:49Z
Author: Alicha CH

CVE-2019-12435: Samba AD DC Denial of Service in DNS management server (dnsserver)
----------------------------------------------------------------------------------
The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.
An authenticated user can crash the RPC server process via a NULL
pointer de-reference.
There is no further vulnerability associated with this issue, merely a
denial of service.
### Affected Versions:
Samba 4.9 and 4.10
### Fixed In Version:
Samba 4.9.9 and 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/history/security.html
### Patches:
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
CVE-2019-12436: Samba AD DC LDAP server crash (paged searches)
--------------------------------------------------------------
A user with read access to the LDAP server can crash the LDAP
server process. Depending on the Samba version and the choice
of process model, this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change
this.
Samba 4.10 also supports the ‘prefork’ process model and by
using the -M option to ‘samba’ and a ‘single’ process model.
Both of these share one process between multiple clients.
### Affected Versions:
All versions of Samba since Samba 4.10.0
### Fixed In Version:
Samba 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12436.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
*(from redmine: issue id 10589, created on 2019-06-20, closed on 2019-06-21)*
* Relations:
* parent #10588
* Changesets:
* Revision bcc49b4c70d8234ad73c32628b01f58554ec5b5e on 2019-06-20T08:09:34Z:
```
main/samba: security upgrade to 4.10.5
CVE-2019-12435
CVE-2019-12436
fixes #10589
```
* Revision a80d49fcecdaa5350d709fc4e9b5d71716661eb7 on 2019-06-20T08:43:16Z:
```
main/samba: security upgrade to 4.10.5
CVE-2019-12435
CVE-2019-12436
fixes #10589
```

Milestone: 3.11.0
Assignee: Natanael Copa

samba: Multiple vulnerabilities (CVE-2019-12435, CVE-2019-12436)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10588
Updated: 2019-07-23T11:06:50Z
Author: Alicha CH

CVE-2019-12435: Samba AD DC Denial of Service in DNS management server (dnsserver)
----------------------------------------------------------------------------------
The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.
An authenticated user can crash the RPC server process via a NULL
pointer de-reference.
There is no further vulnerability associated with this issue, merely a
denial of service.
### Affected Versions:
Samba 4.9 and 4.10
### Fixed In Version:
Samba 4.9.9 and 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/history/security.html
### Patches:
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
CVE-2019-12436: Samba AD DC LDAP server crash (paged searches)
--------------------------------------------------------------
A user with read access to the LDAP server can crash the LDAP
server process. Depending on the Samba version and the choice
of process model, this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change
this.
Samba 4.10 also supports the ‘prefork’ process model and by
using the -M option to ‘samba’ and a ‘single’ process model.
Both of these share one process between multiple clients.
### Affected Versions:
All versions of Samba since Samba 4.10.0
### Fixed In Version:
Samba 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12436.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
*(from redmine: issue id 10588, created on 2019-06-20, closed on 2019-06-21)*
* Relations:
* child #10589
* child #10590

Assignee: Natanael Copa

[3.7] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10578
Updated: 2019-07-23T11:06:53Z
Author: Alicha CH

file\_copy\_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
does not properly restrict file
permissions while a copy operation is in progress. Instead, default
permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10578, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* parent #10574
* Changesets:
* Revision 6d61c0096ba308d340d865f9fc295ac6e88e1277 by Natanael Copa on 2019-06-17T09:42:04Z:
```
main/glib: security fix for CVE-2019-12450
fixes #10578
```

Milestone: 3.7.4
Assignee: Natanael Copa

[3.8] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10577
Updated: 2019-07-23T11:06:54Z
Author: Alicha CH

file\_copy\_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
does not properly restrict file
permissions while a copy operation is in progress. Instead, default
permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10577, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* parent #10574
* Changesets:
* Revision a59a37b197c56022525bbdcbec2d0b98b048883b by Natanael Copa on 2019-06-17T09:38:05Z:
```
main/glib: security fix for CVE-2019-12450
fixes #10577
```

Milestone: 3.8.5
Assignee: Natanael Copa

[3.9] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10576
Updated: 2019-07-23T11:06:55Z
Author: Alicha CH

file\_copy\_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
does not properly restrict file
permissions while a copy operation is in progress. Instead, default
permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10576, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* parent #10574
* Changesets:
* Revision 300c17172f28b6d0bd024111bc74805dc28de56a by Natanael Copa on 2019-06-17T09:35:30Z:
```
main/glib: security fix for CVE-2019-12450
fixes #10576
```

Milestone: 3.9.5
Assignee: Natanael Copa

[3.10] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10575
Updated: 2019-07-23T11:06:56Z
Author: Alicha CH

file\_copy\_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
does not properly restrict file
permissions while a copy operation is in progress. Instead, default
permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10575, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* parent #10574

Milestone: 3.10.0
Assignee: Natanael Copa

glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10574
Updated: 2019-07-23T11:06:57Z
Author: Alicha CH

file\_copy\_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
does not properly restrict file
permissions while a copy operation is in progress. Instead, default
permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10574, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* child #10575
* child #10576
* child #10577
* child #10578

Assignee: Natanael Copa

[3.7] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10571
Updated: 2022-08-14T22:33:43Z
Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation
flaw in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious
client with write access to its own home directory could manipulate a
~/.dbus-keyrings symlink to cause a DBusServer with a different uid to
read and write in unintended locations. In the worst case, this could
result in the DBusServer reusing a cookie that is known to the malicious
client, and treating that cookie as evidence that a subsequent client
connection came from an attacker-chosen uid, allowing authentication
bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the
standard session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon
instances, standard dbus-daemon instances with non-standard
configuration, and the session bus in older/unsupported dbus branches
(such as dbus 1.6.x in Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10571, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision f85fc6d35df663ffa71b00201dcbde8cb5727322 by Natanael Copa on 2019-06-17T09:58:25Z:
```
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)
fixes #10571
```

Milestone: 3.7.4
Assignee: Natanael Copa

[3.8] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10570
Updated: 2019-07-23T11:07:00Z
Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation
flaw in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious
client with write access to its own home directory could manipulate a
~/.dbus-keyrings symlink to cause a DBusServer with a different uid to
read and write in unintended locations. In the worst case, this could
result in the DBusServer reusing a cookie that is known to the malicious
client, and treating that cookie as evidence that a subsequent client
connection came from an attacker-chosen uid, allowing authentication
bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the
standard session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon
instances, standard dbus-daemon instances with non-standard
configuration, and the session bus in older/unsupported dbus branches
(such as dbus 1.6.x in Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10570, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision 7bcd4b5fb804992725b55d128d1c8f3dd87cb5c4 by Natanael Copa on 2019-06-17T09:54:14Z:
```
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)
fixes #10570
```

Milestone: 3.8.5
Assignee: Natanael Copa

[3.9] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10569
Updated: 2019-07-23T11:07:01Z
Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation
flaw in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious
client with write access to its own home directory could manipulate a
~/.dbus-keyrings symlink to cause a DBusServer with a different uid to
read and write in unintended locations. In the worst case, this could
result in the DBusServer reusing a cookie that is known to the malicious
client, and treating that cookie as evidence that a subsequent client
connection came from an attacker-chosen uid, allowing authentication
bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the
standard session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon
instances, standard dbus-daemon instances with non-standard
configuration, and the session bus in older/unsupported dbus branches
(such as dbus 1.6.x in Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10569, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision 4197c781d3fe1b09de37fa74c222bad3183c187f by Natanael Copa on 2019-06-17T09:53:00Z:
```
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)
fixes #10569
```

Milestone: 3.9.5
Assignee: Natanael Copa

[3.10] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10568
Updated: 2019-07-23T11:07:02Z
Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation
flaw in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious
client with write access to its own home directory could manipulate a
~/.dbus-keyrings symlink to cause a DBusServer with a different uid to
read and write in unintended locations. In the worst case, this could
result in the DBusServer reusing a cookie that is known to the malicious
client, and treating that cookie as evidence that a subsequent client
connection came from an attacker-chosen uid, allowing authentication
bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the
standard session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon
instances, standard dbus-daemon instances with non-standard
configuration, and the session bus in older/unsupported dbus branches
(such as dbus 1.6.x in Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10568, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision fa0e230be9fd2e79919214ecab466f5149cab5fe by Natanael Copa on 2019-06-17T09:49:34Z:
```
main/dbus: upgrade to 1.12.16 (CVE-2019-12749)
fixes #10568
```

Milestone: 3.10.0
Assignee: Natanael Copa

dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10567
Updated: 2019-07-23T11:07:04Z
Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation
flaw in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious
client with write access to its own home directory could manipulate a
~/.dbus-keyrings symlink to cause a DBusServer with a different uid to
read and write in unintended locations. In the worst case, this could
result in the DBusServer reusing a cookie that is known to the malicious
client, and treating that cookie as evidence that a subsequent client
connection came from an attacker-chosen uid, allowing authentication
bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the
standard session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon
instances, standard dbus-daemon instances with non-standard
configuration, and the session bus in older/unsupported dbus branches
(such as dbus 1.6.x in Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10567, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* child #10568
* child #10569
* child #10570
* child #10571

Assignee: Natanael Copa

[3.7] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10566
Updated: 2019-07-23T10:34:19Z
Author: Alicha CH

CVE-2017-7960: The cr\_input\_new\_from\_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows
remote attackers to cause a denial of service (heap-based buffer
over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr\_tknzr\_parse\_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr\_tknzr\_parse\_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr\_parser\_parse\_selector\_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10566, created on 2019-06-13)*
* Relations:
* parent #10563

Milestone: 3.7.4
Assignee: Leo

[3.8] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10565
Updated: 2019-07-23T10:34:17Z
Author: Alicha CH

CVE-2017-7960: The cr\_input\_new\_from\_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows
remote attackers to cause a denial of service (heap-based buffer
over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr\_tknzr\_parse\_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr\_tknzr\_parse\_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr\_parser\_parse\_selector\_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10565, created on 2019-06-13)*
* Relations:
* parent #10563

Milestone: 3.8.5
Assignee: Leo

[3.9] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10564
Updated: 2019-07-23T10:32:31Z
Author: Alicha CH

CVE-2017-7960: The cr\_input\_new\_from\_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows
remote attackers to cause a denial of service (heap-based buffer
over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr\_tknzr\_parse\_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr\_tknzr\_parse\_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr\_parser\_parse\_selector\_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10564, created on 2019-06-13)*
* Relations:
* parent #10563

Milestone: 3.9.5
Assignee: Leo

libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10563
Updated: 2019-07-23T10:34:16Z
Author: Alicha CH

CVE-2017-7960: The cr\_input\_new\_from\_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows
remote attackers to cause a denial of service (heap-based buffer
over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr\_tknzr\_parse\_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr\_tknzr\_parse\_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr\_parser\_parse\_selector\_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10563, created on 2019-06-13)*
* Relations:
* child #10564
* child #10565
* child #10566

Leo

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10562
[3.7] vim: arbitrary command execution in getchar.c (CVE-2019-12735)
2019-07-23T11:07:05Z
Alicha CH
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote
attackers to execute arbitrary OS commands via the :source!
command in a modeline, as demonstrated by execute in Vim, and
assert\_fails or nvim\_input in Neovim.
### References:
https://github.com/numirias/security/blob/master/doc/2019-06-04\_ace-vim-neovim.md
### Patch:
https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
*(from redmine: issue id 10562, created on 2019-06-13, closed on 2019-06-22)*
* Changesets:
* Revision aaf594bc234db11d5ef457511b7b3cebb3bcba46 by Natanael Copa on 2019-06-22T07:30:19Z:
```
main/vim: backport fix for CVE-2019-12735
fixes #10562
```
3.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10561
[3.7] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
2019-07-23T11:07:06Z
Alicha CH
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL
value displayed by the AdminURLFieldWidget displays the provided value
without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query
parameter payload, could result in a clickable JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10561, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision 901a6212b9da2d67aced00bf967da681827a5f37 by Natanael Copa on 2019-06-25T21:09:56Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10561
```
3.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10560
[3.8] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
2019-07-23T11:07:07Z
Alicha CH
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL
value displayed by the AdminURLFieldWidget displays the provided value
without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query
parameter payload, could result in a clickable JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10560, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision ece4776819ab6ba9289ec3478766b5298bbcfa86 by Natanael Copa on 2019-06-25T21:08:37Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10560
```
3.8.5
Natanael Copa