Date: Mon, 29 Apr 2013 13:25:00 -0600
From: Kurt Seifried <>
CC: Alyssa Milburn <>
Subject: Re: Multiple vulnerabilities in BOINC

On 04/28/2013 09:58 AM, Alyssa Milburn wrote:
> Hi all,
> There have been various recent(-ish) vulnerabilities found in the
> BOINC software for desktop grid computing. The major projects have
> (hopefully) fixed all of these by now, and the clients should only
> be vulnerable if they're connected to a hostile server.
> The commit ids below are all from the boinc-v2 repository, see 
> for a web view.
> These are the ones I consider to be obviously important:
> * CVE-2013-2298: various stack overflow vulnerabilities in the XML
> parser used by both the client and server software. I think that
> any 7.x version is vulnerable, but possibly not the 6.12 branch or
> earlier. No promises.
> (Found/reported by me. I notified all public projects I could find
> who were running obviously-vulnerable copies of the code, in early
> March.)
> 2fea03824925cbcb976f4191f4d8321e41a4d95b
> * Stack overflow in the client code by providing multiple
> file_signature elements. 6.10.58 and 6.12.34 are vulnerable. 7.x
> isn't.
> (This was fixed back in 2011, possibly accidentally.)
> 9a4140ae30a72e5175f3f31646d91f2d58df7156

Please use CVE-2013-2019 for this issue.

> * SQL injections in the server-side scheduler code:
> (Found/reported by me. I warned projects about this at the same
> time as the above notifications, hopefully they've mostly
> patched it..)
> 3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635
> * SQL injections in the user-facing web scripts: (These were
> possibly found by Michael Voß, see 
> )
> e8d6c33fe158129a5616e18eb84a7a9d44aca15f
> 6e205de096da83b12ffb2f0183b43e51261eb0c4
> ce3110489bc139b8218252ba1cb0862d69f72ae3

MERGING these two issues for now. Please use CVE-2013-2018 for this issue.

And ignoring the rest unless someone says otherwise (like was this
code really used/etc.).

> And some issues I'm not sure are quite so important:
> * Stack overflows in the trickle code on server and client side:
> (Fixed back in 2011, and these were only present in experimental
> 6.13.x releases, as far as I know.)
> 5b04b249db166ec38c1ee99a9eadcaa300c0f454
> ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7
> * From a few days ago, a possible format string issue(?) in the
> client code:
> (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the
> thread)
> 99258dcecba8ef36e1ce0fd6e0dacffe53613ac9
> * An SQL injection vulnerability in the locality code (apparently
> only used by one known project), so I mention this just for
> completeness just in case anyone happens to be using it:
> 2dbfdc55057b2c1f0508b56244044b1ad34e7cdb
> - Alyssa

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993