CVE-2014-9556 CVE-2015-2060
Created attachment 157283 [details]
security/vuxml update for CVE-2015-2060 and CVE-2014-9556

Sevan,
Thanks once again for the astute eye catching these issues and pointing them out.

Gabor, I hope you don't mind but I figured you can use some help. This has been sitting in the queue for a while and was a trivial patch to do that fixes documented security issues. The research for validating vuxml and runtime took far longer than the Makefile bump and make makesum.

As pointed out by Sevan, there are two CVEs fixed in the upcoming patches. The libmspack CVE announced in December 2014 was already fixed in libmspack but no associated entry was made. Since it affects cabextract <= 1.5, document it now for the sake of being thorough.

Jason

#
# Proposed Changelog:
#
- Document CVE-2014-9556 for libmspack and cabextract infinite loop denial of service
- Document CVE-2015-2060 for cabextract directory traversal with UTF-8 symbols in filenames

PR:		198955
Submitted by:	Jason Unovitch <jason unovitch gmail com>
Reported by:	Sevan Janiyan <venture37 geeklan co uk>

#
# security/vuxml validation steps follow:
#
# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cabextract-1.4
cabextract-1.4 is vulnerable:
cabextract -- directory traversal with UTF-8 symbols in filenames
CVE: CVE-2015-2060
WWW: http://vuxml.FreeBSD.org/freebsd/cfb12f02-06e1-11e5-8fda-002590263bf5.html

cabextract-1.4 is vulnerable:
libmspack -- frame_end overflow which could cause infinite loop
CVE: CVE-2014-9556
WWW: http://vuxml.FreeBSD.org/freebsd/cc7548ef-06e1-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cabextract-1.5
cabextract-1.5 is vulnerable:
cabextract -- directory traversal with UTF-8 symbols in filenames
CVE: CVE-2015-2060
WWW: http://vuxml.FreeBSD.org/freebsd/cfb12f02-06e1-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cabextract-1.6
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libmspack-0.4
libmspack-0.4 is vulnerable:
libmspack -- frame_end overflow which could cause infinite loop
CVE: CVE-2014-9556
WWW: http://vuxml.FreeBSD.org/freebsd/cc7548ef-06e1-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libmspack-0.5
0 problem(s) in the installed packages found.
Created attachment 157284 [details]
Poudriere Testport Log from 11.0-CURRENT amd64

Also bulk build tested on the following releases (info from `poudriere jail -l`)
8.4-RELEASE-p28 amd64
8.4-RELEASE-p28 i386
9.3-RELEASE-p14 amd64
9.3-RELEASE-p14 i386
10.1-RELEASE-p10 amd64
10.1-RELEASE-p10 i386
11.0-CURRENT r282869 amd64
11.0-CURRENT r282869 i386

Below is all the runtime validation that shows the CVEs are all fixed:

# CVE-2014-9556
# cabextract-1.4
# Runtime tests aided by sample file from Debian Bugzilla at https://bugs.debian.org/773041
# The process hangs, top in another shell confirms it spinning at 100% CPU in a denial of service
#################
% cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
^C

# top | head
last pid:  4647;  load averages:  1.20,  1.09,  0.71    up 0+06:06:41  11:28:32
58 processes:  2 running, 56 sleeping
Mem: 94M Active, 225M Inact, 707M Wired, 754M Buf, 6920M Free
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
 4606 test          1 102    0 12408K  2008K CPU3    3   8:53 100.00% cabextract
 1008 test          5  20    0   176M 73532K uwait   3   1:10   0.00% Xorg

# CVE-2014-9556
# cabextract-1.5
# Runtime tests aided by sample file from Debian Bugzilla at https://bugs.debian.org/773041
# Runtime looks good. No hang.
#################
% cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
limerick: error in CAB data format

All done, errors in processing 1 file(s)

# CVE-2015-2060
# cabextract-1.5
# Runtime tests based off steps in Red Hat bugzilla. 1.4 and 1.5 were both vulnerable to the bad path checks.
# https://bugzilla.redhat.com/show_bug.cgi?id=cve-2015-2060
#################
root@freebsd10:/tmp # cabextract -v
cabextract version 1.5
root@freebsd10:/tmp # touch xxxxxxxxxx
root@freebsd10:/tmp # lcab xxxxxxxxxx test.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath     : no
recursive  : no
quiet      : no
inputfiles : xxxxxxxxxx
outputfile : test.cab
cabfile    : 0 bytes (approx. 0.00 Kbytes)
cfileInit: xxxxxxxxxx localtime:
tmp,header,folder,.
done
root@freebsd10:/tmp # gsed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
root@freebsd10:/tmp # rm xxxxxxxxxx
root@freebsd10:/tmp # ls /tmp/abs
ls: /tmp/abs: No such file or directory
root@freebsd10:/tmp # cabextract test.cab
Extracting cabinet: test.cab
  extracting /tmp/abs

All done, no errors.
root@freebsd10:/tmp # ls /tmp/abs
/tmp/abs

# CVE-2015-2060
# cabextract-1.6
# Runtime tests based off steps in Red Hat bugzilla. 1.6 is no longer vulnerable.
# https://bugzilla.redhat.com/show_bug.cgi?id=cve-2015-2060
#################
root@freebsd10:/mnt # touch xxxxxxxxxx
root@freebsd10:/mnt # lcab xxxxxxxxxx test.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath     : no
recursive  : no
quiet      : no
inputfiles : xxxxxxxxxx
outputfile : test.cab
cabfile    : 0 bytes (approx. 0.00 Kbytes)
cfileInit: xxxxxxxxxx localtime:
tmp,header,folder,.
done
root@freebsd10:/mnt # gsed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
root@freebsd10:/mnt # rm xxxxxxxxxx
root@freebsd10:/mnt # ls /tmp/abs
ls: /tmp/abs: No such file or directory
root@freebsd10:/mnt # cabextract test.cab
Extracting cabinet: test.cab
  extracting tmp/abs

All done, no errors.
root@freebsd10:/mnt # ls tmp/abs
tmp/abs
root@freebsd10:/mnt # cat tmp/abs
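An added example, not code from cabextract, libmspack or the port, of the two defensive checks the runtime test above exercises: the 1.5 run shows an overlong UTF-8 sequence (E0 80 AF, an illegal encoding of '/') turning a relative member name into the absolute path /tmp/abs, while 1.6 writes it under the current directory. The snippet parses a CFFILE entry, decodes the name strictly so the overlong sequence is refused instead of becoming a separator, and confines the output path to the extraction directory. The CFFILE layout, the 0x80 UTF-8 attribute bit (the report's gsed rewrite turns attribs 0x0020 into 0x00a0, which sets exactly that bit), and latin-1 for non-UTF-8 names are my assumptions from the CAB format, not statements from the report.

```python
import posixpath
import struct

# CFFILE attribs bit assumed to mark szName as UTF-8 (0x20 -> 0xa0 in the report).
CAB_ATTRIB_UTF8_NAME = 0x80

def parse_cffile(blob: bytes, offset: int = 0):
    """Parse one CFFILE entry: 16-byte fixed header, then NUL-terminated szName."""
    _size, _folder_off, _ifolder, _date, _time, attribs = struct.unpack_from(
        "<IIHHHH", blob, offset)
    end = blob.index(b"\x00", offset + 16)
    return attribs, blob[offset + 16:end]

def decode_member_name(attribs: int, raw_name: bytes):
    """Decode szName. UTF-8 names are decoded strictly: CPython's codec rejects
    overlong forms such as E0 80 AF, so a name that smuggles a '/' that way is
    refused (None) instead of silently becoming a path separator."""
    if attribs & CAB_ATTRIB_UTF8_NAME:
        try:
            return raw_name.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return raw_name.decode("latin-1")  # assumption: treat legacy names as latin-1

def safe_extract_path(name: str, dest: str):
    """Confine a member to dest (POSIX paths): normalise separators, drop leading
    slashes and drive letters, refuse '..', then re-check the result is under dest."""
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if parts and len(parts[0]) == 2 and parts[0][1] == ":":  # e.g. "C:"
        parts = parts[1:]
    if not parts or ".." in parts:
        return None
    dest = posixpath.abspath(dest)
    out = posixpath.normpath(posixpath.join(dest, *parts))
    return out if posixpath.commonpath([dest, out]) == dest else None

def resolve_member(attribs: int, raw_name: bytes, dest: str):
    """Path a member may be written to, or None when the entry must be skipped."""
    name = decode_member_name(attribs, raw_name)
    return None if name is None else safe_extract_path(name, dest)

# Constructed CFFILE entries (not bytes from the original cab): a plain member,
# and one whose attribs and name mirror the gsed rewrite shown in the report.
NORMAL_ENTRY = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + b"tmp/abs\x00"
OVERLONG_ENTRY = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0xA0) + b"\xe0\x80\xaftmp/abs\x00"

if __name__ == "__main__":
    for entry in (NORMAL_ENTRY, OVERLONG_ENTRY):
        print(resolve_member(*parse_cffile(entry), "/var/tmp/out"))
```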
Created attachment 157285 [details]
archivers/cabextract update from 1.4 -> 1.6

Security update to 1.6

PR:		198955
Security:	cc7548ef-06e1-11e5-8fda-002590263bf5
Security:	CVE-2014-9556
Security:	cfb12f02-06e1-11e5-8fda-002590263bf5
Security:	CVE-2015-2060
Submitted by:	Jason Unovitch <jason unovitch gmail com>
Reported by:	Sevan Janiyan <venture37 geeklan co uk>
MFH:		2015Q2
A commit references this bug:

Author: delphij
Date: Mon Jun 1 05:59:01 UTC 2015
New revision: 388200
URL: https://svnweb.freebsd.org/changeset/ports/388200

Log:
  Reflect CVE-2015-2060 and CVE-2014-9556.

  PR:		ports/198955
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: delphij
Date: Mon Jun 1 06:04:37 UTC 2015
New revision: 388201
URL: https://svnweb.freebsd.org/changeset/ports/388201

Log:
  Security update to 1.6

  PR:		198955
  Security:	cc7548ef-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2014-9556
  Security:	cfb12f02-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2015-2060
  Submitted by:	Jason Unovitch <jason unovitch gmail com>
  Reported by:	Sevan Janiyan <venture37 geeklan co uk>
  Approved by:	maintainer timeout
  MFH:		2015Q2

Changes:
  head/archivers/cabextract/Makefile
  head/archivers/cabextract/distinfo
A commit references this bug:

Author: delphij
Date: Mon Jun 1 06:06:49 UTC 2015
New revision: 388202
URL: https://svnweb.freebsd.org/changeset/ports/388202

Log:
  MFH: r388201

  Security update to 1.6

  PR:		198955
  Security:	cc7548ef-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2014-9556
  Security:	cfb12f02-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2015-2060
  Submitted by:	Jason Unovitch <jason unovitch gmail com>
  Reported by:	Sevan Janiyan <venture37 geeklan co uk>
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/archivers/cabextract/Makefile
  branches/2015Q2/archivers/cabextract/distinfo
Patch applied as a maintainer timeout because this wasn't touched for quite some time and the problem can enable a remote attacker to e.g. provoke the bug by sending a malicious email to a mail scanning system.