# aports issues
Feed: https://gitlab.alpinelinux.org/alpine/aports/-/issues (updated 2019-07-23T14:21:18Z)

## [v2.6] bind: A recursive resolver can be crashed by a query for a malformed zone (CVE-2013-3919)
Issue #2067, opened by Natanael Copa, updated 2019-07-23T14:21:18Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2067

### Versions affected:
- BIND 9.6-ESV-R9, 9.8.5, and 9.9.3 are affected.
- Versions 9.6.0 through 9.6-ESV-R8, 9.8.0 through 9.8.4-P2, and 9.9.0 through 9.9.2-P2 ARE NOT affected.
- Other major branches of BIND (e.g. 9.7, 9.5, etc.) are not vulnerable but they are no longer supported by ISC and may lack other important security fixes.
### Severity:
High
### Exploitable:
Remotely
### Description:
A bug has been discovered in the most recent releases of BIND 9 which
has the potential for deliberate exploitation as a denial-of-service
attack. By sending a recursive resolver a query for a record in a
specially malformed zone, an attacker can cause BIND 9 to exit with a
fatal `RUNTIME_CHECK` error in resolver.c.
### Impact:
Triggering this defect will cause the affected server to exit with an
error, denying service to recursive DNS clients that use that particular
server.
### CVSS Score: 7.8
### CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=%28AV:N/AC:L/Au:N/C:N/I:N/A:C%29
### Workarounds:
None.
### Active exploits:
At the time of this advisory no intentional exploitation of this bug has
been observed in the wild. However, the existence of the issue has been
disclosed on an open mailing list with enough accompanying detail to
reverse engineer an attack and ISC is therefore treating this as a Type
II (publicly disclosed) vulnerability, in accordance with our Phased
Disclosure Process.
### Solution:
New versions of BIND are being provided which contain a fix for the
defect. The recommended solution is to upgrade to the patched release
most closely related to your current version of BIND. These can all be
downloaded from http://ftp.isc.org/isc/bind9
- BIND 9 version 9.9.3-P1
- BIND 9 version 9.8.5-P1
- BIND 9 version 9.6-ESV-R9-P1
### Acknowledgements:
### Document Revision History:
1.0 Type II Public Disclosure, 04 June, 2013
### Related Documents:
See our BIND Security Matrix for a complete listing of Security
Vulnerabilities and versions affected.
If you’d like more information on our product support please visit
www.isc.org/support.
Do you still have questions? Questions regarding this advisory should go
to security-officer@isc.org
Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected.
ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here: ISC Software
Defect and Security Vulnerability Disclosure Policy
This Knowledge Base article https://kb.isc.org/article/AA-00967 is the
complete and official security advisory document.
*(from redmine: issue id 2067, created on 2013-06-05, closed on 2013-06-10)*
* Relations:
* parent #2066
* Changesets:
* Revision ace477310d877710f1b6995cda21939ad05bc8cf by Natanael Copa on 2013-06-05T08:54:03Z:
```
main/bind: security upgrade to 9.9.3_p1 (CVE-2013-3919)
fixes #2067
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## [v2.6] CVE-2013-2164 Linux Kernel - Leak information in cdrom driver
Issue #2078, opened by Peter Kotcauer, updated 2019-07-23T14:21:08Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2078

upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/drivers/cdrom/cdrom.c?id=050e4b8fb7cdd7096c987a9cd556029c622c7fe2
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
area with kmalloc in line 2885.
```
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
2886 if (cgc->buffer == NULL)
2887 return -ENOMEM;
```
In line 2908 we can find the copy_to_user function:
```
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
```
The cgc->buffer is never cleaned and initialized before this function. If
ret = 0 with the previous basic block, it's possible to display some
memory bytes in kernel space from userspace.

When we read a block from the disk it normally fills the ->buffer but if
the drive is malfunctioning there is a chance that it would only be
partially filled. The result is an information leak to userspace.
*(from redmine: issue id 2078, created on 2013-06-10, closed on 2013-07-02)*
* Relations:
* parent #2077
* Changesets:
* Revision f535ac0d0ba8351b98b4658280277391bf4e03c1 by Natanael Copa on 2013-06-19T08:38:19Z:
```
main/linux-grsec: upgrade to 3.9.5
(cherry picked from commit 26c4e189e825d62d0249fb5f499bcb545d40e1ab)
fixes #2078
```
* Revision bcbc45908a6264b88bb5f2f62f182f27d167bcf8 by Natanael Copa on 2013-06-19T08:38:20Z:
```
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
fixes #2078
fixes #2089
fixes #2094
(cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## [v2.6] CVE-2013-2852 Linux-Kernel: b43 wireless driver
Issue #2089, opened by Peter Kotcauer, updated 2019-07-23T14:21:00Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2089

The b43 driver reports error strings that can be interpreted as format
strings. Under normal conditions, this is not a problem, but it is
possible for the "fwpostfix" module parameter to change the filenames
used to fetch firmware. When such a file is not found, the filename
will be processed as a format string. This flaw could potentially allow
escalation from uid-0 to ring-0, so except for certain environments,
it is not too serious.

If b43 hardware is available, this should show itself easily. I don't have
any available for testing, but it seems it would show itself like this:
```
1. rmmod b43
2. modprobe b43 fwpostfix=AA%xBB
...
3. dmesg
...
b43-0 ERROR: Firmware file "b43AAdeff80ccBB/a0g1bsinitvals5.fw" not found
```
Using %n instead of %x would lead to exciting crashes. :)

It has been fixed in the upstream wireless tree:
http://git.kernel.org/cgit/linux/kernel/git/linville/wireless.git/commit/?id=9538cbaab6e8b8046039b4b2eb6c9d614dc782bd
*(from redmine: issue id 2089, created on 2013-06-18, closed on 2013-07-02)*
* Relations:
* parent #2088
* Changesets:
* Revision bcbc45908a6264b88bb5f2f62f182f27d167bcf8 by Natanael Copa on 2013-06-19T08:38:20Z:
```
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
fixes #2078
fixes #2089
fixes #2094
(cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## [v2.6] CVE-2013-2851 Linux-Kernel: block layer
Issue #2094, opened by Peter Kotcauer, updated 2019-07-23T14:20:56Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2094

The block layer uses the "disk_name" field as a format
string in a number of places. While this is normally not a problem due
to how disk names are created (statically or incrementally), there
is currently at least one way to define nearly arbitrary names via
md. Instead of filtering md, this should be fixed within the kernel’s
interfaces. This flaw could potentially allow escalation from uid-0 to
ring-0, so except for certain environments, it is not too serious.
The test case is trivial:
```
1. echo md_%x.%x.%x.%x >/sys/module/md_mod/parameters/new_array
2. ls /dev/md_*
/dev/md_c12cc370.df66d800.df66d80c.c13da45b
```
Using %n instead of %x leads to exciting crashes. :)

The fix has been sent upstream:
http://marc.info/?l=linux-kernel&m=137055204522556&w=2

With the above fixes, a series of additional format string related
cleanups has also been sent upstream:
http://marc.info/?l=linux-kernel&m=137055207522563&w=2
*(from redmine: issue id 2094, created on 2013-06-18, closed on 2013-07-02)*
* Relations:
* parent #2093
* Changesets:
* Revision bcbc45908a6264b88bb5f2f62f182f27d167bcf8 by Natanael Copa on 2013-06-19T08:38:20Z:
```
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
fixes #2078
fixes #2089
fixes #2094
(cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## [v2.6] CVE-2013-2175 : haproxy may crash when using header occurrences relative to the tail
Issue #2099, opened by Peter Kotcauer, updated 2019-07-23T14:20:50Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2099

David Torgerson reported an haproxy crash with enough traces to
diagnose
the cause as being related to the use of a negative occurrence number
in
a header extraction, which is used to extract an entry starting from
the
last occurrence.
### summary
Configurations at risk are those which make use of `hdr_ip(name,-1)` (in
1.4) or any `hdr_*` variant with a negative occurrence count in 1.5, or
the `usesrc hdr_ip(name)` statement in both 1.4 and 1.5. These
configurations may be crashed when run with haproxy 1.4.4 to 1.4.23 or
development versions up to and including 1.5-dev18. Versions 1.4.24 and
1.5-dev19 are safe.

### quick workaround
A workaround consists in rejecting dangerous requests early using
`hdr_cnt(<name>)`, which is available both in 1.4 and 1.5:
```
block if { hdr_cnt(<name>) ge 10 }
```
### details
When a config makes use of `hdr_ip(x-forwarded-for,-1)` or any such thing
involving a negative occurrence count, the header is still parsed in the
order it appears, and an array of up to MAX_HDR_HISTORY entries is created.
When more entries are used, the entries simply wrap and continue this way.

A problem happens when the incoming header field count exactly divides
MAX_HDR_HISTORY, because the computation removes the number of requested
occurrences from the count, but does not care about the risk of wrapping
with a negative number. Thus we can dereference the array with a negative
number and randomly crash the process.

The bug is located in `http_get_hdr()` in haproxy 1.5, and `get_ip_from_hdr2()`
in haproxy 1.4. It affects configurations making use of one of the following
functions with a negative `<value>` occurrence number:
- `hdr_ip(<name>, <value>)` (in 1.4)
- `hdr_*(<name>, <value>)` (in 1.5)

It also affects "source" statements involving `hdr_ip(<name>)` since that
statement implicitly uses -1 for `<value>`:
- `source 0.0.0.0 usesrc hdr_ip(<name>)`

This bug has been present since the introduction of the negative offset
count in 1.4.4 via commit bce70882.

CVE-2013-2175 was assigned to this bug.

Special thanks to David Torgerson who provided a significant number of
traces, and to Ryan O'Hara from Red Hat for providing a CVE id.
### links
- 1.4-stable patch for version <= 1.4.23: http://git.1wt.eu/web?p=haproxy-1.4.git;a=commitdiff;h=f534af74ed
- 1.4.24 source code: http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.24.tar.gz
- 1.5-dev patch for versions <= 1.5-dev18: http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=67dad2715b
- 1.5-dev19 source code: http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
*(from redmine: issue id 2099, created on 2013-06-18, closed on 2013-07-02)*
* Relations:
* parent #2098
* Changesets:
* Revision f7f59c5c4bc4eb186d2346ccde23948d8d1d6586 by Natanael Copa on 2013-06-21T13:38:56Z:
```
main/haproxy: security upgrade to 1.4.24 (CVE-2013-2175)
fixes #2099
(cherry picked from commit d2207b3c4708cac6038cfbb0b7c58722e49c5c4e)
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## [v2.6] Xen Security Advisory 55 (CVE-2013-2194, CVE-2013-2195, CVE-2013-2196) - Multiple vulnerabilities in libelf PV kernel handling
Issue #2109, opened by Peter Kotcauer, updated 2019-07-23T14:20:41Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2109

Xen Security Advisory CVE-2013-2194,CVE-2013-2195,CVE-2013-2196 / XSA-55
version 5

Multiple vulnerabilities in libelf PV kernel handling

### UPDATES IN VERSION 5
CVE numbers have been assigned.
### ISSUE DESCRIPTION
The ELF parser used by the Xen tools to read domains’ kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.
This corresponds to the following CVEs:
- CVE-2013-2194 XEN XSA-55 integer overflows
- CVE-2013-2195 XEN XSA-55 pointer dereferences
- CVE-2013-2196 XEN XSA-55 other problems
### IMPACT
A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).
Additionally a malicious HVM domain administrator who is able to
supply their own firmware (“hvmloader”) can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.
### VULNERABLE SYSTEMS
All Xen versions are affected.
Installations which only allow the use of trustworthy kernels for PV
domains are not affected.
### MITIGATION
Ensuring that PV guests use only trustworthy kernels will avoid this
problem.
### RESOLUTION
Applying the appropriate patch series will resolve this issue.
These were attached to v3 of the advisory which can be found here:
http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html
These are available in xen.git
- http://xenbits.xen.org/gitweb/?p=xen.git
- git://xenbits.xen.org/xen.git
- http://xenbits.xen.org/git-http/xen.git

in the git changesets listed below.

xen-unstable:
```
82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in xc_dom_alloc_segment
966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before proceeding in xc_dom_check_gzip
de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host and _guest
3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc
aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to xc_dom_binloader
66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros
39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away
a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers
7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans
c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call elf_check_broken
943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in elf_is_elfbinary
65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses
04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings properly
50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory access and pointer handling
95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of <asm/guest_access.h> to top of file
13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and elf_access_signed
009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*' parameter to elf_load_image
b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce xc_dom_seg_to_ptr_pages
14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c
```

Xen 4.2.x:
```
d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment
2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip
052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest
8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc
77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader
3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros
52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away
e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers
3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans
a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken
d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary
cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses
db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly
59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling
de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file
83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed
035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*' parameter to elf_load_image
8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages
9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c
```

Xen 4.1.x:
```
ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip
6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest
a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc
117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader
4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros
968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away
282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h
86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers
bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans
44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken
9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary
39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses
8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly
4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling
4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed
f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages
64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c
```
*(from redmine: issue id 2109, created on 2013-06-21, closed on 2013-07-02)*
* Relations:
* parent #2108
* Changesets:
* Revision 50869d41a1af768fb0c39ff2d059a8bec102bc91 by Natanael Copa on 2013-06-26T10:36:24Z:
```
main/xen: security fix (CVE-2013-2194,CVE-2013-2195,CVE-2013-2196)
fixes #2109
(cherry picked from commit f78e9dea47b7c130cb417d9826c984d8664f01ec)
Conflicts:
main/xen/APKBUILD
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## Fw: [alpine-devel] Tmux dependencies
Issue #2116, opened by Natanael Copa, updated 2019-07-23T14:20:34Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2116

Begin forwarded message:

Date: Sat, 22 Jun 2013 02:19:08 +0200
From: Oliver Loch
To: "alpine-devel@lists.alpinelinux.org Development"
Subject: [alpine-devel] Tmux dependencies
Hi,
the maintainer of the tmux package should add ncurses-terminfo to its
dependencies, else it fails if you logon via ssh from a machine running
X:
```
ldt3:~# tmux
open terminal failed: missing or unsuitable terminal: xterm-256color
```
KR,
Oliver

--
-nc
*(from redmine: issue id 2116, created on 2013-06-23, closed on 2013-07-02)*
* Changesets:
* Revision db9fb3315f2265f80149324cea527ec3efc8e93e by Natanael Copa on 2013-06-26T10:01:09Z:
```
main/tmux: add ncurses-terminfo as a dependency
ref #2116
```
* Revision 052803fcf280e0ade32c0ca64438c37476c84525 by Natanael Copa on 2013-06-26T10:04:34Z:
```
main/tmux: add ncurses-terminfo as a dependency
fixes #2116
(cherry picked from commit db9fb3315f2265f80149324cea527ec3efc8e93e)
```
Milestone: Alpine 2.6.2

## [v2.6] Xen Security Advisory 57 - libxl allows guest write access to sensitive console related xenstore keys (CVE-2013-2211)
Issue #2118, opened by Peter Kotcauer, updated 2019-07-23T14:20:31Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2118

### ISSUE DESCRIPTION
The libxenlight (libxl) toolstack library does not correctly set
permissions on xenstore keys relating to paravirtualised and emulated
serial console devices. This could allow a malicious guest
administrator to change values in xenstore which the host later relies
on being implicitly trusted.
### IMPACT
A malicious guest administrator can read and write any files in the
host filesystem which are accessible to the user id running the
xenconsole client binary. This may be the user id of a host
administrator who connects to the guest’s console or the user id of
any self service mechanism provided to guest administrators by the
host provider.
As well as reading and writing files an attacker with access to an HVM
guest can cause any PV or serial consoles to be connected to a variety
of network resources (sockets, udp connections) or other end points
(fifo, pipes) in the host file filesystem according to the privileges
granted to the qemu device model for that guest.
A malicious guest administrator can also redirect the VNC console
port of the guest to another port on the host. This may expose the VNC
port of other guests or of other firewalled services to an attack.
### VULNERABLE SYSTEMS
All systems which use libxl as part of the toolstack are vulnerable.
libxl is present in Xen versions 4.0 onwards.

The major consumer of libxl functionality is the xl toolstack which
became the default in Xen 4.2.

In addition to this libvirt can optionally make use of libxl. This can
be queried with
```
# virsh version
```
which will report "xenlight" if libxl is in use. libvirt currently
prefers the xend backend if xend is running.

The xend and xapi toolstacks do not currently use libxl.
### MITIGATION
Host administrators can start a domain paused and manually correct the
xenstore permissions of the relevant nodes.

A domain can be started in the paused state with xl by using
```
# xl create -p <cfg>
```
A domain's domid can then be determined with:
```
# xl domid <name>
```
If using libvirt then virsh can be used instead:
```
# virsh start --paused <name>
# virsh domid <name>
```
For a domain $DOMID the following command will recursively correct the
permissions for the primary PV console:
```
# xenstore-chmod -r /local/domain/$DOMID/console n0 r$DOMID
```
If the domain uses a device model stubdomain then it will also be
necessary to fix the permissions for the stubdomain. The stubdomain is
named `<name>-dm`. Assuming its domain ID is $DMDOM:
```
# xenstore-chmod -r /local/domain/$DMDOM/console n0 r$DMDOM
```
In addition a stub domain has three secondary PV consoles which must be
fixed, however in this case the "state" and "protocol" nodes along
with the device node itself should not be restricted. For each device
$D in [1,2,3]:
```
# xenstore-chmod -r /local/domain/$DMDOM/device/console/$N n0 r$DMDOM
# xenstore-chmod /local/domain/$DMDOM/device/console/$N/state n$DMDOM r0
# xenstore-chmod /local/domain/$DMDOM/device/console/$N/protocol n$DMDOM r0
# xenstore-chmod /local/domain/$DMDOM/device/console/$N n$DMDOM r0
```
The current permissions can be listed with
```
# xenstore-ls -fp <PATH>
```
Once the permissions are fixed you may unpause the domain with
```
# xl unpause <domain>
```
or with virsh:
```
# virsh resume <domain>
```
The permissions can also be corrected on a live system if they are
then manually validated to be non-malicious.

See http://wiki.xen.org/wiki/XenBus#Permissions for information on the
permissions syntax.
### RESOLUTION
Applying the appropriate attached patch resolves this issue.
```
xsa57-4.2.patch       Xen 4.2.x
xsa57-4.1.patch       Xen 4.1.x
xsa57-unstable.patch  xen-unstable

$ sha256sum xsa57-*.patch
428a1d42f4314404cde339a78a59422bf4f0590c4d16ea8adc83425fe5eede3d  xsa57-4.1.patch
b6a5106848541972519cc529859d9ff3083c79367276c7031560fa4ce6f9f770  xsa57-4.2.patch
d329f56c30f7a4f91906658ea661234d2ca31b74ee68257bf009072999b3d3ef  xsa57-unstable.patch
```
*(from redmine: issue id 2118, created on 2013-06-26, closed on 2013-07-02)*
* Relations:
* parent #2117
* Changesets:
* Revision 638e4f7ceb5b5a8b9f9c7c3206fcd9e7c39d2bee by Natanael Copa on 2013-06-26T11:48:55Z:
```
main/xen: fix xsa57 (CVE-2013-2211)
ref #2117
fixes #2118
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## [v2.6] Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes
Issue #2124, opened by Peter Kotcauer, updated 2019-07-23T14:20:24Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2124

references:
http://lists.xen.org/archives/html/xen-announce/2013-06/msg00012.html

### ISSUE DESCRIPTION
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible
broke
page reference counting by not retaining a reference on pages stored
for
deferred cleanup. This would lead to the hypervisor prematurely
attempting to
free the page, generally crashing upon finding the page still in use.
### CREDITS
Thanks to Andrew Cooper and the Citrix XenServer team for discovering
and reporting this vulnerability, and helping investigate it.
### IMPACT
Malicious or buggy PV guest kernels can mount a denial of service
attack
affecting the whole system. It can’t be excluded that this could also
be
exploited to mount a privilege escalation attack.
### VULNERABLE SYSTEMS
All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are
vulnerable.
The vulnerability is only exposed by PV guests.
### MITIGATION
Running only HVM guests, or PV guests with trusted kernels, will avoid
this
vulnerability.
### RESOLUTION
Applying the appropriate attached patch resolves this issue.
```
xsa58-4.1.patch       Xen 4.1.x
xsa58-4.2.patch       Xen 4.2.x
xsa58-unstable.patch  xen-unstable

$ sha256sum xsa58*.patch
3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641  xsa58-4.1.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2  xsa58-4.2.patch
2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5  xsa58-unstable.patch
```
*(from redmine: issue id 2124, created on 2013-06-26, closed on 2013-07-02)*
* Relations:
* parent #2123
* Changesets:
* Revision ccdb8c3a1257db6b1ceb3af663b239003a047fd3 by Natanael Copa on 2013-07-01T16:44:49Z:
```
main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)
ref #2123
fixes #2124
(cherry picked from commit 448e4822bbf8a2b4aa8b8f8d8153a2a0b4e0efda)
Conflicts:
main/xen/APKBUILD
```
Milestone: Alpine 2.6.2; assignee: Natanael Copa

## openldap fails to start at boot time
Issue #2128, opened by Jan-Hendrik Dörner, updated 2019-07-23T14:20:19Z: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2128

the directory /var/run/openldap is missing, therefore the slapd does not
start on boot.
Easy-fix: adjust the /etc/init.d/slapd file.
```
# insert a mkdir for the pid directory just before the "depend" line
# (the "if" needs a ";" before "then" to be valid shell)
sed -i 's|depend|if [ ! -d /var/run/openldap ]; then\n mkdir -p /var/run/openldap\n fi\n&|' /etc/init.d/slapd
```
(or something similar)
*(from redmine: issue id 2128, created on 2013-06-27, closed on 2013-07-02)*
* Changesets:
* Revision f10bce070b3bea6cfad50c28c94561df9d7c271a by Natanael Copa on 2013-07-02T11:50:56Z:
```
main/openldap: create pid dir before checking config
ref #2128
```
* Revision 64443cb214d1cb772c75b77d531182db404da27a by Natanael Copa on 2013-07-02T11:51:31Z:
```
main/openldap: create pid dir before checking config
fixes #2128
```
Milestone: Alpine 2.6.2