Vulnerability Roundup 8

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities since
our last hunt.

cc @rycee @fpletz @NeQuissimus @vcunat @shlevy @FRidh who were involved in the last one.

Notes on the list

1. The reports have been roughly grouped by the package name. This
   isn't perfect, but is intended to help identify if a whole group
   of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple packages.
   For example, there are sometimes problems that impact thunderbird,
   and firefox. LWN might report in one vulnerability "thunderbird
   firefox". These names have been split to make sure both packages get
   addressed.
3. By each issue is a link to code search for the package name, and
   a Github search by filename. These are to help, but may not return
   results when we do in fact package the software. If a search
   doesn't turn up, please try altering the search criteria or
   looking in nixpkgs manually before asserting we don't have it.

Instructions:

1. Triage a report: If we don't have the software or our version isn't
   vulnerable, tick the box or add a comment with the report number,
   stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable,
   either leave a comment on this issue saying so, even open a pull
   request with the fix. If you open a PR, make sure to tag this
   issue so we can coordinate.
3. When an entire section is completed, move the section to the
   "Triaged and Resolved Issues" details block below.

Upon Completion ...

• Update how to subscribe to security advisory notices for nixpkgs / nixos? #13515 with a
  summary.

Without further ado...

Assorted (31 issues)

• #705578 (search, files) qemu: multiple vulnerabilities
• #705370 (search, files) mailman: cross-site request forgery
• #667153 (search, files) libraw: two vulnerabilities
• #705372 (search, files) oxide-qt: information disclosure
• #705560 (search, files) 389-ds-base: two vulnerabilities
• #705579 (search, files) spip: multiple vulnerabilities
• #705581 (search, files) nvidia-graphics-drivers-367: privilege escalation
• #705580 (search, files) openjpeg2: code execution
• #705822 (search, files) tomcat: multiple vulnerabilities
• #705373 (search, files) python-django: two vulnerabilities
• #705568 (search, files) libvirt: privilege escalation
• #705361 (search, files) java: unspecified vulnerability
• #705574 (search, files) subscription-manager: information disclosure
• #705915 (search, files) ansible: two vulnerabilities
• #705566 (search, files) libreswan: denial of service
• #639784 (search, files) powerpc-utils-python: code execution
• #705917 (search, files) java-1.8.0-openjdk-aarch32: multiple vulnerabilities
• #705572 (search, files) resteasy-base: code execution
• #705672 (search, files) oracle-jre-bin: unspecified vulnerability
• #705671 (search, files) libwebp: integer overflows
• #705363 (search, files) libwmf: denial of service
• #705913 (search, files) python-imaging: two vulnerabilities
• #705575 (search, files) sudo: information disclosure
• #705366 (search, files) libtiff: denial of service
• #705362 (search, files) bind: denial of service
• #703767 (search, files) chromium-browser: multiple vulnerabilities
• #705823 (search, files) chromium: memory leak
• #705216 (search, files) tar: file overwrite
• #625494 (search, files) rpm: code execution
• #705815 (search, files) libxslt: code execution
• #633086 (search, files) dbus: denial of service

curl (2 issues)

• #705367 (search, files) curl: multiple vulnerabilities
• #705577 (search, files) curl: insufficient validation

jasper (2 issues)

• #705824 (search, files) jasper: multiple vulnerabilities
• #705673 (search, files) jasper: multiple vulnerabilities

kernel (2 issues)

• #705918 (search, files) kernel: two vulnerabilities
• #705565 (search, files) kernel: three vulnerabilities

pacemaker (2 issues)

• #705571 (search, files) pacemaker: privilege escalation
• #705570 (search, files) pacemaker: denial of service

tiff (2 issues)

• #705364 (search, files) tiff: multiple vulnerabilities
• #635993 (search, files) tiff: multiple vulnerabilities

[grahamc]

Chromium was patched in master with this merge: c67a7ee (note: don't cherry-pick merges!) and is waiting a successful build before going to 16.09.

[grahamc]

Libtiff: d9db320 plus many other commits around this issue.

[grahamc]

We're good against the current jasper issues reported here, but there are two more releases since our last update: https://github.com/mdadams/jasper/releases

[grahamc]

Ported sudo patches:

[release-16.09 cb35b0c] sudo: 1.8.17p1 -> 1.8.18
 Author: Alexander Ried <[email protected]>
 Date: Fri Sep 23 02:01:57 2016 +0200
 1 file changed, 2 insertions(+), 2 deletions(-)
[release-16.09 6443b40] sudo: 1.8.18 -> 1.8.18p1
 Author: mimadrid <[email protected]>
 Date: Sun Oct 23 17:57:16 2016 +0200
 1 file changed, 2 insertions(+), 2 deletions(-)

[FRidh]

python-imaging (pillow) is fixed in 20d16f8
and 3c8e07f

[rasendubi]

#633086 dbus: denial of service

dbus 1.10.12 is not vulnerable

[NeQuissimus]

All the java stuff is covered by what we have

[fpletz]

#705915 ansible: two vulnerabilities

We already have ansible 2.2.x.

[fpletz]

#705566 libreswan: denial of service

CVE-2016-5361 was misissued because this is a protocol flaw. See http://www.openwall.com/lists/oss-security/2016/06/13/1.

[fpletz]

#705671 libwebp: integer overflows

Vulnerable code (examples/giflib.c) is not present in our version of libwebp. https://chromium-review.googlesource.com/#/c/396007/

[fpletz]

#705568 libvirt: privilege escalation

Debian considers CVE-2015-5160 a minor issue: https://security-tracker.debian.org/tracker/CVE-2015-5160

There were already patches on the qemu ML in 2011: https://www.redhat.com/archives/libvir-list/2011-November/msg00853.html. Not sure if it has been fixed in current versions, but there is no clear fix available.

[fpletz]

#705672 oracle-jre-bin: unspecified vulnerability

We have Oracle JRE/JDK > 8u102.

[NeQuissimus]

We are good for the two kernel issues, our kernels are up-to-date

[fpletz]

#667153 libraw: two vulnerabilities

Fix is in our version of libraw (0.17.1): LibRaw/LibRaw@89d0654

[fpletz]

#705560 389-ds-base: two vulnerabilities

CVE-2016-5405: No fix available?
CVE-2016-5416: Fixed with patch from https://fedorahosted.org/389/ticket/48354

[NeQuissimus]

I don't think qemu has anything available, it would have to be manual patching

[fpletz]

#705373 python-django: two vulnerabilities

We have the fixes already: https://www.djangoproject.com/weblog/2016/nov/01/security-releases/

[fpletz]

#705580 openjpeg2: code execution

Fix is in openjpeg 2.1.2, which we already have.

[grahamc]

Thank you all! Here is a bit of an update on my position: I moved very recently, and have been spending most of my spare time dealing with that. Due to that, I haven't been able to help in the same capacity. That should be coming back to normal within the next couple weeks. Thank you all for stepping up and getting these done :)

[joepie91]

Commenting here for potential involvement in a future roundup :)