Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 28 Apr 2013 17:58:46 +0200
From: Alyssa Milburn <>
Subject: Multiple vulnerabilities in BOINC

Hi all,

There have been various recent(-ish) vulnerabilities found in the BOINC
software for desktop grid computing. The major projects have (hopefully)
fixed all of these by now, and the clients should only be vulnerable if
they're connected to a hostile server.

The commit ids below are all from the boinc-v2 repository, see for a web view.

These are the ones I consider to be obviously important:

* CVE-2013-2298: various stack overflow vulnerabilities in the XML parser
  used by both the client and server software. I think that any 7.x version
  is vulnerable, but possibly not the 6.12 branch or earlier. No promises.

  (Found/reported by me. I notified all public projects I could find who
   were running obviously-vulnerable copies of the code, in early March.)

* Stack overflow in the client code by providing multiple file_signature
  elements. 6.10.58 and 6.12.34 are vulnerable. 7.x isn't.

  (This was fixed back in 2011, possibly accidentally.)


* SQL injections in the server-side scheduler code:

  (Found/reported by me. I warned projects about this at the same time
   as the the above notifications, hopefully they've mostly patched it..)

* SQL injections in the user-facing web scripts:
  (These were possibly found by Michael Voß, see )

And some issues I'm not sure are quite so important:

* Stack overflows in the trickle code on server and client side:

  (Fixed back in 2011, and these were only present in experimental 6.13.x
   releases, as far as I know.)


* From a few days ago, a possible format string issue(?) in the client

  (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the thread)

* An SQL injection vulnerability in the locality code (apparently only
  used by one known project), so I mention this just for completeness
  just in case anyone happens to be using it:


- Alyssa

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ