[blfs-support] Latest vulnerabilities
Ken Moffat via blfs-support
2018-10-09 21:46:04 UTC
I'm sure you are all keeping up to date with fixing vulnerabilities,
so I won't detail today's update to texlive source, or the other
security fixes in the past few days, but exceptionally I'm going to
mention the update to ghostscript which I've just committed.

For gs-9.25, apply the ghostscript-9.25-security_fixes-1.patch which
is in lfs patches, and should be directly linked from the book when
it is next rendered.

The reason I'm mentioning this is that a reasonably-benign proof of
concept is available, as well as others, and can be triggered by
opening malicious postscript files. In particular, opening in gimp
and evince (known to be possible with gs-9.24) and probably several
others. The vulnerability applies to all versions of ghostscript
that are likely to still be in use, although the patch probably only
applies to 9.25.

ĸen
--
Is it about a bicycle ?
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe:
renodr via blfs-support
2018-10-09 22:32:24 UTC
Post by Ken Moffat via blfs-support
I'm sure you are all keeping up to date with fixing vulnerabilities,
so I won't detail today's update to texlive source, or the other
security fixes in the past few days, but exceptionally I'm going to
mention the update to ghostscript which I've just committed.
For gs-9.25, apply the ghostscript-9.25-security_fixes-1.patch which
is in lfs patches, and should be directly linked from the book when
it is next rendered.
The reason I'm mentioning this is that a reasonably-benign proof of
concept is available, as well as others, and can be triggered by
opening malicious postscript files. In particular, opening in gimp
and evince (known to be possible with gs-9.24) and probably several
others. The vulnerability applies to all versions of ghostscript
that are likely to still be in use, although the patch probably only
applies to 9.25.
ĸen
--
Is it about a bicycle ?
I'd like to add onto this by saying that, for 8.3, I have some errata
that needs to be generated.

In GDM, there is a security vulnerability that allows a user to unlock a
GNOME-based system, as used in 8.3, with a couple of simple keypresses.
This will be fixed in SVN within the next day or two, and if you are
running GNOME on BLFS 8.3, I highly recommend patching this.
Unfortunately, the CVE ID for this is still under embargo as Red Hat has
not patched RHEL yet.

There is a critical security vulnerability with the version of OpenSSH
shipped with BLFS 8.3 that allows remote attackers to enumerate
usernames from the OpenSSH server. This should be patched IMMEDIATELY if
you are running BLFS 8.3 and have OpenSSH installed. This has the
identifier of CVE-2018-15473, and more information about it can be found
on the Qualys website.

There have been numerous vulnerabilities fixed in WebKitGTK+ and
QtWebEngine in the versions that came out extremely soon after BLFS 8.3.
If you have WebKitGTK installed, please update to 2.22.x, and if you
have QtWebEngine installed, please update to 5.11.2. These updates
should be considered urgent, as they lead to crashes, information
disclosure, and remote shell access.

There was a PHP security update that was added recently to BLFS. If
you're running either SVN or 8.3, I highly recommend patching this.

For glib2, two security patches were released for glib2-2.56.2 ONLY (as
used in BLFS 8.3). These have the CVE IDs of 2018-16428 and 2018-16429,
and patches are available upstream (although I have plans on generating
one for BLFS 8.3). PoCs are readily available for these two
vulnerabilities.

There have been Firefox and Thunderbird security updates since BLFS 8.3
was released.

For Samba users, there was a data corruption issue fixed in Samba 4.9.1.
I highly recommend patching to that version if you have Samba installed.

Last month, YouTube made some changes that made videos unplayable in
Epiphany and other WebKit-based browsers due to lack of proper codecs
(MSE support). This issue is still ongoing; I'm working on it in ticket
#11170. This will hit with the rest of the GNOME updates that are needed
(one of which is needed urgently, detailed below).

With gnome-settings-daemon-3.26.0 and above, there is a critical data
corruption problem with systems that have ACPI support for standby and
hibernation. When a system wakes from sleep or hibernation, it has a
chance of not restarting services properly, and may cause file
corruption as a result. gnome-settings-daemon-3.30.1.1 was released a
day or two ago that solves this issue. I'm treating this issue as the
most critical one on my list next to verifying that the ghostscript
issue was fixed in Okular and Nautilus, and there should hopefully be an
update in the next day or two. If you are running GNOME on SVN or 8.3, I
highly recommend applying this update when it becomes available. There
are also memory leaks in Evolution as shipped in BLFS 8.3 that will be
fixed by the version coming soon in SVN.

Finally, there were 30+ vulnerabilities fixed in ghostscript between
9.23 and 9.25, not including the patch that was just added to BLFS. If
you are running a BLFS 8.3 system, I highly recommend updating to this
IMMEDIATELY.

I'm going to update the errata page for BLFS 8.3 when all of my updates
and verification processes are completed.

Douglas R. Reno
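The post above lists minimum versions to move a BLFS 8.3 box to. The following is an added example, not code from the BLFS project or from either poster, that turns those numbers into a small audit: it parses whatever version string a probe returns, compares dotted versions numerically (so "2.22.2" satisfies "update to 2.22.x"), and reports which of the named packages are still below the advised minimum. The probe commands in PROBE_COMMANDS (gs --version, smbd --version, the pkg-config module names) are assumptions about typical installs, and SAMPLE_INSTALLED is constructed so the script runs offline.

```python
"""Check installed versions against the minimums recommended in the thread above.

Constructed example, not code from the BLFS project or from the list posters.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Minimum versions as stated in Douglas Reno's post (BLFS 8.3 errata, October 2018).
ADVISED_MINIMUM: Dict[str, str] = {
    "ghostscript": "9.25",              # plus the ghostscript-9.25-security_fixes patch
    "webkitgtk": "2.22",                # "update to 2.22.x"
    "qtwebengine": "5.11.2",
    "samba": "4.9.1",
    "gnome-settings-daemon": "3.30.1.1",
}

# Commands that print each package's version (assumption: typical CLI/pkg-config
# probes; adjust for your system). Used only by probe_installed().
PROBE_COMMANDS: Dict[str, List[str]] = {
    "ghostscript": ["gs", "--version"],
    "webkitgtk": ["pkg-config", "--modversion", "webkit2gtk-4.0"],
    "qtwebengine": ["pkg-config", "--modversion", "Qt5WebEngine"],
    "samba": ["smbd", "--version"],
    "gnome-settings-daemon": ["pkg-config", "--modversion", "gnome-settings-daemon"],
}

# Constructed sample of what such probes might return on a stale BLFS 8.3 box.
SAMPLE_INSTALLED: Dict[str, Optional[str]] = {
    "ghostscript": "9.24",
    "webkitgtk": "2.22.2",
    "qtwebengine": "5.11.1",
    "samba": "Version 4.8.5",
    "gnome-settings-daemon": None,      # None means the probe found nothing
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric run, e.g. 'Version 4.8.5' -> (4, 8, 5)."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_at_least(installed: str, minimum: str) -> bool:
    """Compare dotted versions numerically; '2.22' and '2.22.0' are treated as equal."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit(installed: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return {package: 'ok' | 'OUTDATED' | 'not found'} for every advised package."""
    result: Dict[str, str] = {}
    for pkg, minimum in ADVISED_MINIMUM.items():
        current = installed.get(pkg)
        if current is None:
            result[pkg] = "not found"
        elif is_at_least(current, minimum):
            result[pkg] = "ok"
        else:
            result[pkg] = "OUTDATED"
    return result


def probe_installed() -> Dict[str, Optional[str]]:
    """Run the probe commands on the local machine; missing or failing tools yield None."""
    found: Dict[str, Optional[str]] = {}
    for pkg, cmd in PROBE_COMMANDS.items():
        if shutil.which(cmd[0]) is None:
            found[pkg] = None
            continue
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=10)
            found[pkg] = out.stdout.strip() or None
        except (subprocess.CalledProcessError, subprocess.TimeoutExpired):
            found[pkg] = None
    return found


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in probe_installed() on a real host.
    for pkg, status in audit(SAMPLE_INSTALLED).items():
        shown = SAMPLE_INSTALLED[pkg] or "-"
        print(f"{pkg:24s} {shown:16s} >= {ADVISED_MINIMUM[pkg]:10s} {status}")
```

A version number alone does not prove the ghostscript fix is present, since the thread's fix for 9.25 is a patch on top of that release; treat "ok" for ghostscript as "release is current, now confirm the patch was applied", not as a clean bill of health.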
Ken Moffat via blfs-support
2018-10-12 01:11:52 UTC
Post by Ken Moffat via blfs-support
For gs-9.25, apply the ghostscript-9.25-security_fixes-1.patch which
is in lfs patches, and should be directly linked from the book when
it is next rendered.
Apparently, those fixes are incomplete - they fixed the known
exploit, but other places in the code have now been fixed upstream
(but I do not have a PoC exploit to test any of this).

A -2 version of the patch will need to be produced, somewhen. For
the moment, this is not my personal priority.

ĸen
--
Is it about a bicycle ?
Ken Moffat via blfs-support
2018-10-21 00:58:32 UTC
Post by Ken Moffat via blfs-support
For gs-9.25, apply the ghostscript-9.25-security_fixes-1.patch which
is in lfs patches, and should be directly linked from the book when
it is next rendered.
Patch now updated to -2, there were further vulnerabilities found
about a week later. This was messy (Artifex's master git is only
accessible from a web interface, picking out sufficient patches to
be able to apply the needed ones was very error-prone), and I lacked
an exploit. I've now been given one, and to my shock it came as a
PDF - I thought this was only for .ps files.

So, now fixed (patch is in patches/, will be picked up when the book
is next rendered). Please update if you use ghostscript, particularly
if you install the shared lib. Thanks.

ĸen
--
Is it about a bicycle ?