Summary: | deskutils/remind: security update 3.1.13 -> 3.1.15 (fixes CVE-2015-5957 buffer overflow) | |
---|---|---|---
Product: | Ports & Packages | Reporter: | Jason Unovitch <junovitch>
Component: | Individual Port(s) | Assignee: | Jason Unovitch <junovitch>
Status: | Closed FIXED | |
Severity: | Affects Some People | CC: | feld, junovitch, ports-secteam
Priority: | --- | Keywords: | security
Version: | Latest | Flags: | bugzilla: maintainer-feedback? (jadawin); junovitch: merge-quarterly+
Hardware: | Any | |
OS: | Any | |
URL: | http://www.openwall.com/lists/oss-security/2015/08/07/1 | |

Description
Jason Unovitch
2015-09-07 02:53:46 UTC
Note that it's not entirely clear what the real world impact is. The Red Hat CVE-2015-5957 tracking bug (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5957) just notes it as an "unspecified buffer overflow flaw" and the actual bug for the update has the upstream reporter recommending the fix but without any substantiation of the impact (https://bugzilla.redhat.com/show_bug.cgi?id=1215295).

Created attachment 161158
deskutils/remind: security update 3.1.13 -> 3.1.15

deskutils/remind: security update 3.1.13 -> 3.1.15

Security: CVE-2015-5957

I contacted Dianne to clarify the impact since the material out there wasn't clear on the user visible aspect and got this feedback. I validated this is the case.

> No, no in-depth comments. The bug can be manifested in old
> versions of Remind by putting something like this in the Reminder file:
>
> DUMP $aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>
> which would cause a buffer overflow because we allocated a fixed-length
> buffer for the name of a system variable (that is a special variable
> whose name begins with '$')
>
> In the fixed version, the above command simply produces the result:
>
> Name too long
>
> Regards,
>
> Dianne.

Created attachment 161159
Poudriere testport log from 10.1-RELEASE jail
Poudriere was checked on:
9.3-RELEASE-p24 amd64
9.3-RELEASE-p24 i386
10.1-RELEASE-p19 amd64
10.1-RELEASE-p19 i386
10.2-RELEASE-p2 amd64
10.2-RELEASE-p2 i386
11.0-CURRENT r287698 amd64
11.0-CURRENT r287698 arm.armv6
11.0-CURRENT r287698 i386
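
The behaviour described in the upstream reply above, where an over-long '$' name produces "Name too long" instead of overrunning a fixed-length buffer, can be sketched as a bounded copy. This is an added example, not Remind's source and not code from this bug report; `parse_sysvar_name`, the 64-byte `SYSVAR_NAME_MAX`, the set of accepted name characters and the 128-character input are assumptions made for illustration.

```c
/* Added example: bounded parse of a '$'-prefixed system variable name.
   Not Remind's source; names and the 64-byte limit are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SYSVAR_NAME_MAX 64  /* assumed size, includes the terminating NUL */

enum parse_status { PARSE_OK, PARSE_NOT_SYSVAR, PARSE_NAME_TOO_LONG };

/* Copy the name that follows '$' into out[out_size]; never writes past it. */
enum parse_status parse_sysvar_name(const char *s, char *out, size_t out_size)
{
    size_t n = 0;

    if (out_size == 0)
        return PARSE_NAME_TOO_LONG;
    out[0] = '\0';
    if (s[0] != '$')
        return PARSE_NOT_SYSVAR;
    s++;  /* skip the '$' */

    /* Assumed name alphabet: letters, digits and '_'. */
    while (isalnum((unsigned char)s[n]) || s[n] == '_') {
        /* The overflow-prone form copies here with no length check. */
        if (n + 1 >= out_size) {  /* no room for this char plus the NUL */
            out[0] = '\0';
            return PARSE_NAME_TOO_LONG;
        }
        out[n] = s[n];
        n++;
    }
    out[n] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char input[130], name[SYSVAR_NAME_MAX];

    /* Constructed input: '$' followed by 128 'a' characters. */
    input[0] = '$';
    memset(input + 1, 'a', 128);
    input[129] = '\0';

    if (parse_sysvar_name(input, name, sizeof name) == PARSE_NAME_TOO_LONG)
        puts("Name too long");
    return 0;
}
```
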

A commit references this bug:

Author: junovitch
Date: Fri Sep 18 00:33:01 UTC 2015
New revision: 397208
URL: https://svnweb.freebsd.org/changeset/ports/397208

Log:
  Document remind buffer overflow with malicious reminder file input

  PR: 202942
  Security: CVE-2015-5957

Changes:
  head/security/vuxml/vuln.xml

I haven't heard any update from maintainer. Is there an explicit "Approved by: ports-secteam" for this update?

Approved by: ports-secteam (feld)

Also for MFH

Thanks Jason!

A commit references this bug:

Author: junovitch
Date: Fri Sep 18 22:55:21 UTC 2015
New revision: 397302
URL: https://svnweb.freebsd.org/changeset/ports/397302

Log:
  deskutils/remind: security update 3.1.13 -> 3.1.15

  PR: 202942
  Approved by: ports-secteam (feld)
  Security: b55ecf12-5d98-11e5-9909-002590263bf5
  Security: CVE-2015-5957
  MFH: 2015Q3

Changes:
  head/deskutils/remind/Makefile
  head/deskutils/remind/distinfo
  head/deskutils/remind/files/patch-src_md5.c

A commit references this bug:

Author: junovitch
Date: Fri Sep 18 22:56:32 UTC 2015
New revision: 397303
URL: https://svnweb.freebsd.org/changeset/ports/397303

Log:
  MFH: r397302

  deskutils/remind: security update 3.1.13 -> 3.1.15

  PR: 202942
  Approved by: ports-secteam (feld)
  Security: b55ecf12-5d98-11e5-9909-002590263bf5
  Security: CVE-2015-5957

Changes:
  _U branches/2015Q3/
  branches/2015Q3/deskutils/remind/Makefile
  branches/2015Q3/deskutils/remind/distinfo
  branches/2015Q3/deskutils/remind/files/patch-src_md5.c