Date: Thu, 31 Mar 2011 22:41:20 +0200
From: Rickard Green <rickard@...ang.org>
To: Jan Lieskovsky <jlieskov@...hat.com>
CC: "Steven M. Christey" <coley@...us.mitre.org>,
        Bjorn-Egil Dahlberg <psyeugenic@...il.com>,
        Sverker Eriksson <sverker@...ang.org>, Patrik Nyblom <pan@...ang.org>,
        Raimo Niskanen <raimo@...ang.org>, Bjorn Gustavsson <bjorn@...ang.org>,
        Niclas Axelsson <burbas@...ang.org>, Hans Bolinder <hasse@...ang.org>,
        oss-security <oss-security@...ts.openwall.com>
Subject: Re: CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP
 R14B02 -- multiple security fixes

Hi,

I don't know how you would like to classify an emulator crash (DOS?). If 
an emulator crash is considered a security issue, then OTP-8999 and 
OTP-9005 are security fixes due to this.

I also don't know how you want to classify memory leaks (which in the 
long run can cause an emulator crash). If a memory leak is considered a 
security issue, then OTP-8810 and OTP-8999 are security fixes due to this.

OTP-8925 and OTP-9105 (OTP-9105 isn't part of your list) affect the 
application's control flow, and should therefore according to Steven's 
mail be considered security fixes. (The rickard/rwmutex-bug/OTP-8925 
branch has been merged to the dev branch multiple times. The commit 
pointed to below fixes a harmless assertion bug, but the fix contains 
more code.)

I don't consider OTP-8781 a security fix. The functionality wasn't 
working at all, which was fixed.

Regards,
Rickard Green

Jan Lieskovsky wrote:
> Hello Steve, vendors,
> 
>  based on:
>  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
> 
>  and:
>  [2] http://www.erlang.org/download/otp_src_R14B.readme
>  [3] http://www.erlang.org/download/otp_src_R14B01.readme
>  [4] http://www.erlang.org/download/otp_src_R14B02.readme
> 
> performed some initial issues review -- erlang-CVE-request.txt
> attached. But since not sure, which of those are real security
> flaws and how many CVE ids will be needed for those, Cc-ing
> also Erlang upstream developers to shed more light into this.
> 
> The distribution of OTPs is as follows:
> =======================================
> Rickard Green:          OTP-8810, OTP-8781, OTP-8925, OTP-9005, OTP-8999
> Bjorn-Egil Dahlberg:    OTP-8814, OTP-8827, OTP-8943
> Sverker Eriksson:       OTP-8945, OTP-8716
> Patrik Nyblom:          OTP-7178, OTP-8780, OTP-8993
> Raimo Niskanen:         OTP-8729, OTP-8795
> Bjorn Gustavsson:       OTP-8831, OTP-8892, OTP-9117
> Niclas Axelsson:        OTP-9101
> Hans Bolinder:          OTP-8898
> 
> Rickard, Bjorn-Egil, Sverker, Patrik, Raimo, Bjorn, Niclas, Hans,
> could you please have a look at the attached review file
> and reply which of the #20 OTPs in the list are security flaws
> (so we would know the count of CVE identifiers needed) and which
> are just bugs? (since you know the Erlang code better than me)
> 
> Help / guidance from your side is really appreciated to resolve
> this one.
> 
> Thank you in advance for your time and cooperation.
> 
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> crypto:
>   - 1), multiple memory leaks OTP-8810
>     Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
>     Note: Hard to tell if it has security implications, but from the
>           patch it looks certain memory content leaks were possible
> 
>   - 2), rc4 not working correctly (silent data corruption) OTP-8781
>     Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
>     Note: Seems to be just bugfix
>     From the patch log: RC4 stream cipher didn't work.
> 
> erl_interface:
>   - 3), ei: prevent overflow in ei_connect_init and ei_xconnect OTP-8814
>     Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
>     Note: security, stack based buffer overflow possible
> 
>   - 4), erl_call: fix multiple buffer overflows OTP-8827
>     Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
>     Note: security, multiple heap overflows possible
> 
>   - 5), Check the length of the node name to prevent an overflow OTP-8943
>     Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
>     Note: security
> 
>   - 6), erl_term_len() in erl_interface could return wrong length OTP-8945
>     Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
>     Note: Hard to tell if it has security implications
> erts:
>   - 7), error with list_to_float("1.0e-324") in some VMs OTP-7178
>     Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
>     Note: ignore underflow in list_to_float and return 0.0
> 
>   - 8), Fix faulty 64-bit integer term output from drivers (crash or
> silent data corruption) OTP-8716
>     Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
>     Note: security
> 
>   - 9), gen_udp:connect/3 was broken for SCTP enabled builds. OTP-8729
>     Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
>     Note: seems to be just bugfix
> 
>   - 10), Removed some potential vulnerabilities from epmd OTP-8780
>     Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
>     Note: security
>     From patch log: Remove two buffer overflow vulnerabilities in EPMD
> 
>   - 11), wrong return code for http sockets {ok,{http_error,String}} OTP-8831
>     Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
>     Note: seems to be just bugfix
> 
>   - 12), Multiple Buffer overflows have been prevented OTP-8892
>     Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
>     Note: security
>     From patch log:
>       * ms/security-fixes: erlc: remove unused variable, typer:
> prevent buffer overflows,
>         run_test: prevent buffer overflow, heart: prevent buffer overflow,
>         escript: prevent buffer overflows, erlexec: prevent buffer overflows,
>         erlc: prevent buffer overflows, dialyzer: prevent buffer overflows
> 
>   - 13), The ERTS internal rwlock implementation could get into an
> inconsistent state OTP-8925
>     Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
>     Note: Assertion failure, but not sure if exploitable for DoS
> 
>   - 14), Some malformed distribution messages could cause VM to crash OTP-8993
>     Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
>     Note: security
>     From patch log: Teach VM not to dump core on bad dist message structure
> 
>   - 15), A bug in the exit/2 BIF could potentially cause an emulator
> crash OTP-9005
>     Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
>     Note: Not sure if it has security implications
> 
>   - 16), Potentially emulator crash when deleting an ETS-table OTP-8999
>     Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
>     Note: Not sure if it has security implications
> 
>   - 17), Attempting to create binaries exceeding 2Gb (using for
>     example term_to_binary/1) would crash the emulator OTP-9117
>     Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
>     Note: Hard to tell if it has security implications
> 
> hipe:
>   - 18), Fix bug in the simplification of inexact comparisons OTP-9101
>     Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
>     Note: Seems to be just bugfix
> 
> kernel:
>   - 19), inet:getsockopt for SCTP sctp_default_send_param, random
> answers OTP-8795
>     Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
>     Note: Seems to be just bugfix
> 
> stdlib:
>   - 20), race condition/silent data corruption in dets OTP-8898
>     Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
>     Note: Hard to tell if it has security implications
> 
> Note: Are there potentially more ones, I missed?
> =====
> 


-- 
Rickard Green, Erlang/OTP, Ericsson AB.
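Added illustration, not code from this thread or from Erlang/OTP: items 3 and 5 in Jan's list describe the same bug class, a node name copied into fixed-size buffers without its length being checked first. The constructed C below shows that shape next to a hardened parser that validates both halves of an `alive@host` name against assumed buffer sizes (`ALIVE_MAX`, `HOST_MAX`, chosen for the example) and rejects, rather than truncates, anything that does not fit. The unchecked variant is kept only to show the defect and is never called on untrusted input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not Erlang/OTP code) of the bug class behind
 * items 3 and 5 above: a node name copied into fixed-size buffers without
 * checking its length. Buffer sizes are assumed for the illustration. */
#define ALIVE_MAX 64
#define HOST_MAX  256

struct node_name {
    char alive[ALIVE_MAX];   /* part before '@' */
    char host[HOST_MAX];     /* part after '@'  */
};

/* Unsafe pattern: trusts whatever length the caller supplies. A name longer
 * than the buffers overruns them (stack or heap, depending on where the
 * struct lives). Shown only for the shape of the defect. */
static void parse_nodename_unchecked(struct node_name *out, const char *full)
{
    const char *at = strchr(full, '@');
    size_t alen = at ? (size_t)(at - full) : strlen(full);
    memcpy(out->alive, full, alen);          /* no bound on alen */
    out->alive[alen] = '\0';
    strcpy(out->host, at ? at + 1 : "");     /* no bound on host */
}

/* Hardened: validate both parts against the buffer sizes before copying,
 * reject (rather than silently truncate) anything that does not fit, and
 * always NUL-terminate. Returns 0 on success, negative on rejection. */
int parse_nodename_checked(struct node_name *out, const char *full)
{
    const char *at = strchr(full, '@');
    size_t alen, hlen;

    if (at == NULL)
        return -1;                           /* must be alive@host */
    alen = (size_t)(at - full);
    hlen = strlen(at + 1);
    if (alen == 0 || alen >= ALIVE_MAX)      /* leave room for '\0' */
        return -2;
    if (hlen == 0 || hlen >= HOST_MAX)
        return -3;
    memcpy(out->alive, full, alen);
    out->alive[alen] = '\0';
    memcpy(out->host, at + 1, hlen + 1);     /* includes terminator */
    return 0;
}

/* Helpers that build overlong or malformed inputs in place so the checks
 * can be exercised without a caller constructing them. */
int reject_overlong_alive(void)
{
    char buf[ALIVE_MAX + 16];
    struct node_name n;
    memset(buf, 'a', ALIVE_MAX);             /* ALIVE_MAX 'a's: one too many */
    strcpy(buf + ALIVE_MAX, "@host");
    return parse_nodename_checked(&n, buf);  /* -2 */
}

int reject_overlong_host(void)
{
    char buf[HOST_MAX + 16];
    struct node_name n;
    strcpy(buf, "a@");
    memset(buf + 2, 'h', HOST_MAX);          /* HOST_MAX 'h's: one too many */
    buf[2 + HOST_MAX] = '\0';
    return parse_nodename_checked(&n, buf);  /* -3 */
}

int check_valid_parse(void)
{
    struct node_name n;
    if (parse_nodename_checked(&n, "alive@example.org") != 0)
        return 0;
    return strcmp(n.alive, "alive") == 0 && strcmp(n.host, "example.org") == 0;
}

int main(void)
{
    struct node_name n;
    printf("valid=%d overlong alive=%d overlong host=%d no '@'=%d\n",
           check_valid_parse(), reject_overlong_alive(),
           reject_overlong_host(), parse_nodename_checked(&n, "noatsign"));
    parse_nodename_unchecked(&n, "ok@host"); /* safe only because input fits */
    return 0;
}
```

The point of returning an error instead of truncating is that a silently shortened node name can still connect, just to the wrong place; failing closed is the behaviour the length check in item 5 is there to provide.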
