Vulnerability Roundup 7

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last hunt.

Notes on the list

1. The reports have been roughly grouped by the package name. This
   isn't perfect, but is intended to help identify if a whole group
   of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple packages.
   For example, there are sometimes problems that impact thunderbird,
   and firefox. LWN might report in one vulnerability "thunderbird
   firefox". These names have been split to make sure both packages get
   addressed.
3. By each issue is a link to code search for the package name, and
   a Github search by filename. These are to help, but may not return
   results when we do in fact package the software. If a search
   doesn't turn up, please try altering the search criteria or
   looking in nixpkgs manually before asserting we don't have it.

Instructions:

1. Triage a report: If we don't have the software or our version isn't
   vulnerable, tick the box or add a comment with the report number,
   stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable,
   either leave a comment on this issue saying so, even open a pull
   request with the fix. If you open a PR, make sure to tag this
   issue so we can coordinate.
3. When an entire section is completed, move the section to the
   "Triaged and Resolved Issues" details block below.

Upon Completion ...

• Update how to subscribe to security advisory notices for nixpkgs / nixos? #13515 with a
  summary.

Without further ado...

Assorted (21 issues)

• #705119 (search, files) cairo: denial of service
• #704699 (search, files) nspr, nss: information disclosure
• #705125 (search, files) imagemagick: multiple vulnerabilities
• #705216 (search, files) tar: file overwrite
• #705214 (search, files) memcached: code execution
• #704699 (search, files) nspr, nss: information disclosure
• #704698 (search, files) nginx: privilege escalation
• #704922 (search, files) nodejs-tough-cookie: denial of service
• #705213 (search, files) libxml2: code execution
• #703767 (search, files) chromium-browser: multiple vulnerabilities
• #704924 (search, files) tre: code execution
• #704712 (search, files) mozilla: two vulnerabilities
• #704702 (search, files) perl-Image-Info: information disclosure
• #705124 (search, files) chromium: denial of service
• #704834 (search, files) openstack-manila-ui: cross-site scripting
• #705120 (search, files) qemu-kvm: multiple vulnerabilities
• #668545 (search, files) libpng: read underflow
• #620056 (search, files) sssd: restriction bypass
• #704701 (search, files) qemu: three vulnerabilities
• #704697 (search, files) asterisk: two vulnerabilities
• #704712 (search, files) mozilla: two vulnerabilities

graphicsmagick (3 issues)

• #704703 (search, files) graphicsmagick: three vulnerabilities
• #704711 (search, files) graphicsmagick: multiple vulnerabilities
• #704704 (search, files) graphicsmagick: multiple vulnerabilities

kernel (2 issues)

• #704737 (search, files) kernel: local privilege escalation (Dirty COW)
• #704714 (search, files) kernel: three vulnerabilities

mariadb (2 issues)

• #705212 (search, files) mysql: unspecified vulnerability
• #705211 (search, files) mariadb: multiple unspecified vulnerabilities

mysql (2 issues)

• #705212 (search, files) mysql: unspecified vulnerability
• #705211 (search, files) mariadb: multiple unspecified vulnerabilities

potrace (2 issues)

• #704700 (search, files) potrace: multiple vulnerabilities
• #639578 (search, files) potrace: denial of service

[grahamc]

cc @FRidh, @fpletz, @NeQuissimus, @vcunat who participated last time.

Also:

• Backport 11 curl patch to 16.09: 1e1609d

PS: I'm unusually busy this morning, and won't be able to participate as much as normal. I'll have some time here and there. Feel free to conscript your friends to help finish this out ;)

[rycee]

The perl-Image-Info package is vulnerable. I will push an updated version shortly.

[grahamc]

@rycee Thank you for the patches and what-not! When you push a commit to a branch, can you add a comment on this issue with the package, and the sha that you fixed it in? that'll help me do the summary at the end.

[grahamc]

perl-Image-Info: 68f2bc8 / f33c5f7

[rycee]

@grahamc Sorry, I missed that. I'll make sure to include the commit hashes in the future.

[fpletz]

Django (not yet on LWN): 6ad14d4, 58ad105, b806e14

https://www.djangoproject.com/weblog/2016/nov/01/security-releases/

We should remove Django 1.5 and 1.6 as they're not maintained upstream anymore. One of the users of Django 1.6 in nixpks, reviewboard, is maintaining a version with security patches, maybe switch to this: https://www.reviewboard.org/news/2016/11/01/new-django-1-6-11-5-security-releases/

I'm currently investigating and will open a PR shortly if all goes well.

[NeQuissimus]

I just took a quick look at gnutar and it needs to be changed to pull from git. But something is wrong with fetchgit, it complains about an issue in cpio of all things. Not really sure what to do.

[NeQuissimus]

nginx is up-to-date. I think the vulnerability is Debian-specific

[vcunat]

@NeQuissimus: tar may pose problems due to being involved in bootstrapping.

[NeQuissimus]

@vcunat This is how far I got:
https://gist.github.com/NeQuissimus/9a01a2215fffba1ce789ca598486fa46

1. Changed the fetchurl to fetchgit
2. nix-build complains about a chain of things, which lead me back to fetchurl/boot.nix
3. Added a , ... argument to the function there "fixes" the issue
4. C build does not work; and I have no idea about C builds :)

[grahamc]

@vcunat can you help me out with fixing the tar issue? I'd love to understand how that process works.

[grahamc]

BTW thank you everyone for help with this roundup. I've had an incredibly busy week, and regret not being more involved. I'll do a summary on this one shortly.

[grahamc]

I'm closing out this issue for now, but it is important to note hydra hasn't passed in some time: https://hydra.nixos.org/build/43025591 can someone diagnose this issue and try and get a fix in?

Also, we really need to get this tar issue fixed. @vcunat If not you, who could show me the process here?

[shlevy]

@grahamc What's the issue with tar? I can help.

[shlevy]

@grahamc fix for the nss issue 80cbb8a

[grahamc]

Thank you for the nss patch, @shlevy! Regarding tar, it is mishandling .. in archives: https://lwn.net/Vulnerabilities/705216/ which @NeQuissimus was trying to patch: https://gist.github.com/NeQuissimus/9a01a2215fffba1ce789ca598486fa46

[shlevy]

Testing a fix

[shlevy]

ac59e2f
674ebc2

[shlevy]

Will link to jobsets shortly...

[shlevy]

Well, I wanted to link to evals but the loop is taking too long ( @edolstra @rbvermaa everyting good with hydra?) http://hydra.nixos.org/jobset/nixos/staging http://hydra.nixos.org/jobset/nixos/staging-16.09 I'll check back in the morning.

[vcunat]

It does compilation during eval! http://hydra.nixos.org/jobset/nixos/staging#tabs-errors

[vcunat]

Using git would complicate the bootstrapping process and make it longer, so it's nicer to avoid that like shlevy did.

[vcunat]

I can post a few lines about (linux stdenv) bootstrapping here/somewhere, if you're still interested.

[grahamc]

Yes please!

[shlevy]

The build-during-eval is due to the cjdns test...