Date: Thu, 31 Mar 2011 09:45:06 +0200
From: Raimo Niskanen <raimo@...x.ericsson.se>
To: oss-security <oss-security@...ts.openwall.com>
CC: "Steven M. Christey" <coley@...us.mitre.org>, Rickard Green
	<rickard@...ang.org>, Bjorn-Egil Dahlberg <psyeugenic@...il.com>, Sverker
 Eriksson <sverker@...ang.org>, Patrik Nyblom <pan@...ang.org>, Raimo Niskanen
	<raimo@...ang.org>, Bjorn Gustavsson <bjorn@...ang.org>, Niclas Axelsson
	<burbas@...ang.org>, Hans Bolinder <hasse@...ang.org>,
	<kenneth.lundin@...csson.com>, <lars.thorsen@...csson.com>
Subject: Re: CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes

I had to look it up: Common Vulnerabilities and Exposures.

On Wed, Mar 30, 2011 at 07:13:37PM +0200, Jan Lieskovsky wrote:
> Hello Steve, vendors,
> 
>   based on:
>   [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
> 
>   and:
>   [2] http://www.erlang.org/download/otp_src_R14B.readme
>   [3] http://www.erlang.org/download/otp_src_R14B01.readme
>   [4] http://www.erlang.org/download/otp_src_R14B02.readme
> 
> performed some initial issues review -- erlang-CVE-request.txt
> attached. But since I am not sure which of those are real security
> flaws and how many CVE ids will be needed for those, I am Cc-ing
> also the Erlang upstream developers to shed more light on this.
> 
> The distribution of OTPs is as follows:
> =======================================
> Rickard Green:          OTP-8810, OTP-8781, OTP-8925, OTP-9005, OTP-8999
> Bjorn-Egil Dahlberg:    OTP-8814, OTP-8827, OTP-8943
> Sverker Eriksson:       OTP-8945, OTP-8716
> Patrik Nyblom:          OTP-7178, OTP-8780, OTP-8993
> Raimo Niskanen:         OTP-8729, OTP-8795

OTP-8729. Bugfix. A UDP connect error showed up delayed when the socket
	  was used.
OTP-8795. Bugfix. inet:getsockopt for SCTP sctp_default_send_param failed
	  to set a query field, causing a query for a random assoc_id instead
	  of the specified one.


> Bjorn Gustavsson:       OTP-8831, OTP-8892, OTP-9117
> Niclas Axelsson:        OTP-9101
> Hans Bolinder:          OTP-8898
> 
> Rickard, Bjorn-Egil, Sverker, Patrik, Raimo, Bjorn, Niclas, Hans,
> could you please have a look at the attached review file
> and reply which of the #20 OTPs in the list are security flaws
> (so we would know the count of CVE identifiers needed) and which
> are just bugs? (since you know the Erlang code better than me)
> 
> Help / guidance from your side is really appreciated to resolve
> this one.
> 
> Thank you in advance for your time and cooperation.
> 
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

> crypto:
>    - 1), multiple memory leaks OTP-8810
>      Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
>      Note: Hard to tell if it has security implications, but from the patch it looks
>            like certain memory content leaks were possible
> 
>    - 2), rc4 not working correctly (silent data corruption) OTP-8781
>      Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
>      Note: Seems to be just bugfix
>      From the patch log: RC4 stream cipher didn't work.
> 
> erl_interface:
>    - 3), ei: prevent overflow in ei_connect_init and ei_xconnect OTP-8814
>      Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
>      Note: security, stack based buffer overflow possible
> 
>    - 4), erl_call: fix multiple buffer overflows OTP-8827
>      Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
>      Note: security, multiple heap overflows possible
> 
>    - 5), Check the length of the node name to prevent an overflow OTP-8943
>      Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
>      Note: security
> 
>    - 6), erl_term_len() in erl_interface could return the wrong length OTP-8945
>      Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
>      Note: Hard to tell if it has security implications
> erts:
>    - 7), error with list_to_float("1.0e-324") in some VMs OTP-7178
>      Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
>      Note: ignore underflow in list_to_float and return 0.0
> 
>    - 8), Fix faulty 64-bit integer term output from drivers (crash or silent data corruption) OTP-8716
>      Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
>      Note: security
> 
>    - 9), gen_udp:connect/3 was broken for SCTP enabled builds. OTP-8729
>      Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
>      Note: seems to be just bugfix
Bugfix. See above.

> 
>    - 10), Removed some potential vulnerabilities from epmd OTP-8780
>      Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
>      Note: security
>      From patch log: Remove two buffer overflow vulnerabilities in EPMD
>
>    - 11), wrong return code for http sockets {ok,{http_error,String}} OTP-8831
>      Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
>      Note: seems to be just bugfix
> 
>    - 12), Multiple Buffer overflows have been prevented OTP-8892
>      Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
>      Note: security
>      From patch log:
>        * ms/security-fixes: erlc: remove unused variable, typer: prevent buffer overflows,
>          run_test: prevent buffer overflow, heart: prevent buffer overflow,
>          escript: prevent buffer overflows, erlexec: prevent buffer overflows,
>          erlc: prevent buffer overflows, dialyzer: prevent buffer overflows
>
>    - 13), The ERTS internal rwlock implementation could get into an inconsistent state OTP-8925
>      Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
>      Note: Assertion failure, but not sure if exploitable for DoS
> 
>    - 14), Some malformed distribution messages could cause VM to crash OTP-8993
>      Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
>      Note: security
>      From patch log: Teach VM not to dump core on bad dist message structure
> 
>    - 15), A bug in the exit/2 BIF could potentially cause an emulator crash OTP-9005
>      Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
>      Note: Not sure if it has security implications
> 
>    - 16), Potentially emulator crash when deleting an ETS-table OTP-8999
>      Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
>      Note: Not sure if it has security implications
> 
>    - 17), Attempting to create binaries exceeding 2Gb (using for
>      example term_to_binary/1) would crash the emulator OTP-9117
>      Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
>      Note: Hard to tell if it has security implications
>
> hipe:
>    - 18), Fix bug in the simplification of inexact comparisons OTP-9101
>      Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
>      Note: Seems to be just bugfix
> 
> kernel:
>    - 19), inet:getsockopt for SCTP sctp_default_send_param, random answers OTP-8795
>      Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
>      Note: Seems to be just bugfix
Bugfix. See above.

> 
> stdlib:
>    - 20), race condition/silent data corruption in dets OTP-8898
>      Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
>      Note: Hard to tell if it has security implications
> 
> Note: Are there potentially more that I missed?
> =====


-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
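Several of the erl_interface items in Jan's list (3, 4 and 5) are fixes of the same shape: a caller-supplied string such as a node name was copied into a fixed-size buffer without a length check. The following is an added illustration of that defensive pattern, written for this page; it is not code from OTP or from any of the linked commits. The `NODE_NAME_MAX` limit, the `conn_ctx` struct and the function names are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit chosen for this example; the real erl_interface
 * constant is not quoted on the page. */
#define NODE_NAME_MAX 255

/* Hypothetical connection context with a fixed-size, NUL-terminated field. */
typedef struct {
    char node_name[NODE_NAME_MAX + 1];
    int  connected;
} conn_ctx;

/* Bounded length scan: never reads more than 'limit' bytes of 'name', so a
 * missing terminator cannot push the scan past the caller's buffer. */
static size_t bounded_len(const char *name, size_t limit)
{
    size_t n = 0;
    while (n < limit && name[n] != '\0')
        n++;
    return n;
}

/* Before fixes of this kind, code of this shape copied the caller's string
 * into the fixed field with strcpy, so a name longer than the field overran
 * it (a stack or heap overflow depending on where the context lived).
 * This version validates the length first and refuses over-long or empty
 * input, leaving the context untouched on failure. Returns 0 on success,
 * -1 on rejection. */
int set_node_name_checked(conn_ctx *ctx, const char *name)
{
    size_t len;

    if (ctx == NULL || name == NULL)
        return -1;

    /* Scan at most NODE_NAME_MAX + 1 bytes; reaching that count means the
     * name does not fit (the extra byte is needed for the terminator). */
    len = bounded_len(name, NODE_NAME_MAX + 1);
    if (len == 0 || len > NODE_NAME_MAX)
        return -1;

    memcpy(ctx->node_name, name, len);
    ctx->node_name[len] = '\0';
    return 0;
}

/* Stores a constructed short name and checks it round-trips; returns 1 if so. */
int accept_short_name(void)
{
    conn_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    if (set_node_name_checked(&ctx, "node@host") != 0)
        return 0;
    return strcmp(ctx.node_name, "node@host") == 0;
}

/* Builds a constructed over-long name and checks that it is rejected while
 * the context stays zeroed; returns 1 if the guard behaved correctly. */
int reject_overlong_name(void)
{
    conn_ctx ctx;
    char big[NODE_NAME_MAX + 10];

    memset(&ctx, 0, sizeof ctx);
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (set_node_name_checked(&ctx, big) != -1)
        return 0;
    return ctx.node_name[0] == '\0' && ctx.connected == 0;
}

int main(void)
{
    printf("short name accepted: %d\n", accept_short_name());
    printf("over-long name rejected: %d\n", reject_overlong_name());
    return 0;
}
```

The point of the bounded scan plus explicit limit is that the decision to copy is made before any byte lands in the fixed-size field, so the caller gets an error code instead of corrupted adjacent memory; this is the behaviour the "prevent overflow" and "check the length of the node name" commit titles describe.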
