Date: Mon, 29 Apr 2013 13:25:00 -0600
From: Kurt Seifried <>
CC: Alyssa Milburn <>
Subject: Re: Multiple vulnerabilities in BOINC

On 04/28/2013 09:58 AM, Alyssa Milburn wrote:
> Hi all,
> There have been various recent(-ish) vulnerabilities found in the
> BOINC software for desktop grid computing. The major projects have
> (hopefully) fixed all of these by now, and the clients should only
> be vulnerable if they're connected to a hostile server.
> The commit ids below are all from the boinc-v2 repository, see 
> for a web view.
> These are the ones I consider to be obviously important:
> * CVE-2013-2298: various stack overflow vulnerabilities in the XML
> parser used by both the client and server software. I think that
> any 7.x version is vulnerable, but possibly not the 6.12 branch or
> earlier. No promises.
> (Found/reported by me. I notified all public projects I could find
> who were running obviously-vulnerable copies of the code, in early
> March.)
> 2fea03824925cbcb976f4191f4d8321e41a4d95b
> * Stack overflow in the client code by providing multiple
> file_signature elements. 6.10.58 and 6.12.34 are vulnerable. 7.x
> isn't.
> (This was fixed back in 2011, possibly accidentally.)
> 9a4140ae30a72e5175f3f31646d91f2d58df7156

Please use CVE-2013-2019 for this issue.

> * SQL injections in the server-side scheduler code:
> (Found/reported by me. I warned projects about this at the same
> time as the above notifications, hopefully they've mostly
> patched it..)
> 3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635
> * SQL injections in the user-facing web scripts: (These were
> possibly found by Michael Voß, see 
> )
> e8d6c33fe158129a5616e18eb84a7a9d44aca15f
> 6e205de096da83b12ffb2f0183b43e51261eb0c4
> ce3110489bc139b8218252ba1cb0862d69f72ae3

MERGING these two issues for now. Please use CVE-2013-2018 for this issue.

And ignoring the rest unless someone says otherwise (like was this
code really used/etc.).

> And some issues I'm not sure are quite so important:
> * Stack overflows in the trickle code on server and client side:
> (Fixed back in 2011, and these were only present in experimental
> 6.13.x releases, as far as I know.)
> 5b04b249db166ec38c1ee99a9eadcaa300c0f454
> ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7
> * From a few days ago, a possible format string issue(?) in the
> client code:
> (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the
> thread)
> 99258dcecba8ef36e1ce0fd6e0dacffe53613ac9
> * An SQL injection vulnerability in the locality code (apparently
> only used by one known project), so I mention this just for
> completeness just in case anyone happens to be using it:
> 2dbfdc55057b2c1f0508b56244044b1ad34e7cdb
> - Alyssa

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993