Date: Sun, 28 Apr 2013 17:58:46 +0200 From: Alyssa Milburn <amilburn@...l.org> To: oss-security@...ts.openwall.com Subject: Multiple vulnerabilities in BOINC Hi all, There have been various recent(-ish) vulnerabilities found in the BOINC software for desktop grid computing. The major projects have (hopefully) fixed all of these by now, and the clients should only be vulnerable if they're connected to a hostile server. The commit ids below are all from the boinc-v2 repository, see http://boinc.berkeley.edu/trac/browser/boinc-v2 for a web view. These are the ones I consider to be obviously important: * CVE-2013-2298: various stack overflow vulnerabilities in the XML parser used by both the client and server software. I think that any 7.x version is vulnerable, but possibly not the 6.12 branch or earlier. No promises. (Found/reported by me. I notified all public projects I could find who were running obviously-vulnerable copies of the code, in early March.) http://thread.gmane.org/gmane.comp.distributed.boinc.user/3741 2fea03824925cbcb976f4191f4d8321e41a4d95b * Stack overflow in the client code by providing multiple file_signature elements. 6.10.58 and 6.12.34 are vulnerable. 7.x isn't. (This was fixed back in 2011, possibly accidentally.) 9a4140ae30a72e5175f3f31646d91f2d58df7156 * SQL injections in the server-side scheduler code: (Found/reported by me. I warned projects about this at the same time as the the above notifications, hopefully they've mostly patched it..) http://thread.gmane.org/gmane.comp.distributed.boinc.user/3776 3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635 * SQL injections in the user-facing web scripts: (These were possibly found by Michael Voß, see http://www.mdr.de/mdr-info/hacker-boinc100.html ) http://thread.gmane.org/gmane.comp.distributed.boinc.user/3658 e8d6c33fe158129a5616e18eb84a7a9d44aca15f 6e205de096da83b12ffb2f0183b43e51261eb0c4 ce3110489bc139b8218252ba1cb0862d69f72ae3 And some issues I'm not sure are quite so important: * Stack overflows in the trickle code on server and client side: (Fixed back in 2011, and these were only present in experimental 6.13.x releases, as far as I know.) 5b04b249db166ec38c1ee99a9eadcaa300c0f454 ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7 * From a few days ago, a possible format string issue(?) in the client code: (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the thread) http://thread.gmane.org/gmane.comp.distributed.boinc.devel/6416 99258dcecba8ef36e1ce0fd6e0dacffe53613ac9 * An SQL injection vulnerability in the locality code (apparently only used by one known project), so I mention this just for completeness just in case anyone happens to be using it: 2dbfdc55057b2c1f0508b56244044b1ad34e7cdb - Alyssa
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ