Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 29 Apr 2013 13:25:00 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Alyssa Milburn <amilburn@...l.org>
Subject: Re: Multiple vulnerabilities in BOINC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/28/2013 09:58 AM, Alyssa Milburn wrote:
> Hi all,
> 
> There have been various recent(-ish) vulnerabilities found in the
> BOINC software for desktop grid computing. The major projects have
> (hopefully) fixed all of these by now, and the clients should only
> be vulnerable if they're connected to a hostile server.
> 
> The commit ids below are all from the boinc-v2 repository, see 
> http://boinc.berkeley.edu/trac/browser/boinc-v2 for a web view.
> 
> These are the ones I consider to be obviously important:
> 
> * CVE-2013-2298: various stack overflow vulnerabilities in the XML
> parser used by both the client and server software. I think that
> any 7.x version is vulnerable, but possibly not the 6.12 branch or
> earlier. No promises.
> 
> (Found/reported by me. I notified all public projects I could find
> who were running obviously-vulnerable copies of the code, in early
> March.)
> 
> http://thread.gmane.org/gmane.comp.distributed.boinc.user/3741 
> 2fea03824925cbcb976f4191f4d8321e41a4d95b
> 
> * Stack overflow in the client code by providing multiple
> file_signature elements. 6.10.58 and 6.12.34 are vulnerable. 7.x
> isn't.
> 
> (This was fixed back in 2011, possibly accidentally.)
> 
> 9a4140ae30a72e5175f3f31646d91f2d58df7156

Please use CVE-2013-2019 for this issue.


> * SQL injections in the server-side scheduler code:
> 
> (Found/reported by me. I warned projects about this at the same
> time as the the above notifications, hopefully they've mostly
> patched it..)
> 
> http://thread.gmane.org/gmane.comp.distributed.boinc.user/3776 
> 3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635
> 
> * SQL injections in the user-facing web scripts: (These were
> possibly found by Michael Voß, see 
> http://www.mdr.de/mdr-info/hacker-boinc100.html )
> 
> http://thread.gmane.org/gmane.comp.distributed.boinc.user/3658 
> e8d6c33fe158129a5616e18eb84a7a9d44aca15f 
> 6e205de096da83b12ffb2f0183b43e51261eb0c4 
> ce3110489bc139b8218252ba1cb0862d69f72ae3

MERGING these two issues for now. Please use CVE-2013-2018 for this issue.

And ignoring the rest unless someone says otherwise (like was this
code really used/etc.).

> And some issues I'm not sure are quite so important:
> 
> * Stack overflows in the trickle code on server and client side:
> 
> (Fixed back in 2011, and these were only present in experimental
> 6.13.x releases, as far as I know.)
> 
> 5b04b249db166ec38c1ee99a9eadcaa300c0f454 
> ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7
> 
> * From a few days ago, a possible format string issue(?) in the
> client code:
> 
> (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the
> thread)
> 
> http://thread.gmane.org/gmane.comp.distributed.boinc.devel/6416 
> 99258dcecba8ef36e1ce0fd6e0dacffe53613ac9
> 
> * An SQL injection vulnerability in the locality code (apparently
> only used by one known project), so I mention this just for
> completeness just in case anyone happens to be using it:
> 
> 2dbfdc55057b2c1f0508b56244044b1ad34e7cdb
> 
> - Alyssa
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRfskMAAoJEBYNRVNeJnmTdCgP/0mx6djzHz5ZUPaFN42t1zRb
sJZYWUWrLlxAgdvx4G5I0kKK6GGehwt7ra2r9Z4/RdM9aTvPyrTPSHkE/ST5yAi8
G+pWi9L1wO1/N/sm0+H9cjPoUTm4xbQ5e1FyDMeoyK1AXkfR4/WUkYICrtsEz0Hu
Qk6ZQg8N23vGHx7NLzi05rsOlRivuAAQmRRpNBB41gzk6LeeyOQeMppxo0YPFKw4
O16+UjOmIUxwEBaCOEoUQu0sSy8W3ynr+7wAB+KVtp9u07bR9Q8JJ/WrBGu6Xj5m
49K+NUilyJSDXI9MmMgRUJ+LeSu9Oh9ACcMncSJsPpH8Im13ntFOcMlg+7kc8pMd
AHNBCSRmQVMafwv8Ib/nJKGiX1eX5nogMXR1HM2ARxC65OdNyZ4wjU3mIdRqkLFH
2U2OLwn+Hikl519th3qzo7yHx/DkkNvW2gMEjQMt+uYQzCJ+7AQA+RHA2HSptg00
nbXzVoNhZfGnzdUoJVC8mixHnBbhEffZ0NXGFS59z3cOpwElxidl40vRp9RhKd6D
cRzYYxrnaXhJht2E3BClwAeI1wMp7qxTx1bGShpxmDg+XVPIfgUcBJ9V3NFdy67E
HN5rOJGAW2W+Ao4KTfvgnl/rNfnh6UkNjhfchMVJCK/MmYMBEkolJfq/NWaQQVPz
ukNnyMIQvwNx5S8hRQVo
=ETc4
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.