Date: Mon, 29 Apr 2013 13:25:00 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Alyssa Milburn <amilburn@...l.org> Subject: Re: Multiple vulnerabilities in BOINC -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/28/2013 09:58 AM, Alyssa Milburn wrote: > Hi all, > > There have been various recent(-ish) vulnerabilities found in the > BOINC software for desktop grid computing. The major projects have > (hopefully) fixed all of these by now, and the clients should only > be vulnerable if they're connected to a hostile server. > > The commit ids below are all from the boinc-v2 repository, see > http://boinc.berkeley.edu/trac/browser/boinc-v2 for a web view. > > These are the ones I consider to be obviously important: > > * CVE-2013-2298: various stack overflow vulnerabilities in the XML > parser used by both the client and server software. I think that > any 7.x version is vulnerable, but possibly not the 6.12 branch or > earlier. No promises. > > (Found/reported by me. I notified all public projects I could find > who were running obviously-vulnerable copies of the code, in early > March.) > > http://thread.gmane.org/gmane.comp.distributed.boinc.user/3741 > 2fea03824925cbcb976f4191f4d8321e41a4d95b > > * Stack overflow in the client code by providing multiple > file_signature elements. 6.10.58 and 6.12.34 are vulnerable. 7.x > isn't. > > (This was fixed back in 2011, possibly accidentally.) > > 9a4140ae30a72e5175f3f31646d91f2d58df7156 Please use CVE-2013-2019 for this issue. > * SQL injections in the server-side scheduler code: > > (Found/reported by me. I warned projects about this at the same > time as the the above notifications, hopefully they've mostly > patched it..) > > http://thread.gmane.org/gmane.comp.distributed.boinc.user/3776 > 3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635 > > * SQL injections in the user-facing web scripts: (These were > possibly found by Michael Voß, see > http://www.mdr.de/mdr-info/hacker-boinc100.html ) > > http://thread.gmane.org/gmane.comp.distributed.boinc.user/3658 > e8d6c33fe158129a5616e18eb84a7a9d44aca15f > 6e205de096da83b12ffb2f0183b43e51261eb0c4 > ce3110489bc139b8218252ba1cb0862d69f72ae3 MERGING these two issues for now. Please use CVE-2013-2018 for this issue. And ignoring the rest unless someone says otherwise (like was this code really used/etc.). > And some issues I'm not sure are quite so important: > > * Stack overflows in the trickle code on server and client side: > > (Fixed back in 2011, and these were only present in experimental > 6.13.x releases, as far as I know.) > > 5b04b249db166ec38c1ee99a9eadcaa300c0f454 > ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7 > > * From a few days ago, a possible format string issue(?) in the > client code: > > (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the > thread) > > http://thread.gmane.org/gmane.comp.distributed.boinc.devel/6416 > 99258dcecba8ef36e1ce0fd6e0dacffe53613ac9 > > * An SQL injection vulnerability in the locality code (apparently > only used by one known project), so I mention this just for > completeness just in case anyone happens to be using it: > > 2dbfdc55057b2c1f0508b56244044b1ad34e7cdb > > - Alyssa > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRfskMAAoJEBYNRVNeJnmTdCgP/0mx6djzHz5ZUPaFN42t1zRb sJZYWUWrLlxAgdvx4G5I0kKK6GGehwt7ra2r9Z4/RdM9aTvPyrTPSHkE/ST5yAi8 G+pWi9L1wO1/N/sm0+H9cjPoUTm4xbQ5e1FyDMeoyK1AXkfR4/WUkYICrtsEz0Hu Qk6ZQg8N23vGHx7NLzi05rsOlRivuAAQmRRpNBB41gzk6LeeyOQeMppxo0YPFKw4 O16+UjOmIUxwEBaCOEoUQu0sSy8W3ynr+7wAB+KVtp9u07bR9Q8JJ/WrBGu6Xj5m 49K+NUilyJSDXI9MmMgRUJ+LeSu9Oh9ACcMncSJsPpH8Im13ntFOcMlg+7kc8pMd AHNBCSRmQVMafwv8Ib/nJKGiX1eX5nogMXR1HM2ARxC65OdNyZ4wjU3mIdRqkLFH 2U2OLwn+Hikl519th3qzo7yHx/DkkNvW2gMEjQMt+uYQzCJ+7AQA+RHA2HSptg00 nbXzVoNhZfGnzdUoJVC8mixHnBbhEffZ0NXGFS59z3cOpwElxidl40vRp9RhKd6D cRzYYxrnaXhJht2E3BClwAeI1wMp7qxTx1bGShpxmDg+XVPIfgUcBJ9V3NFdy67E HN5rOJGAW2W+Ao4KTfvgnl/rNfnh6UkNjhfchMVJCK/MmYMBEkolJfq/NWaQQVPz ukNnyMIQvwNx5S8hRQVo =ETc4 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.