Vulnerability roundup 47 (master)

[ckauhaus]

Scanned nixos/release-combined.nix @ 5664e64. Filtered out previously reported CVEs. May contain false positives.

binutils-2.30 (search, files)

• CVE-2018-12641
• CVE-2018-12697
• CVE-2018-12698
• CVE-2018-12699
• CVE-2018-12700
• CVE-2018-12934
• CVE-2018-13033

exempi-2.4.5 (search, files)

• CVE-2018-12648

ffmpeg-3.4.4 (search, files)

• CVE-2018-14394
• CVE-2018-14395

libsndfile-1.0.28 (search, files)

• CVE-2018-13139 libsndfile: Add patch for CVE-2018-13139 #47160
• CVE-2018-13419

libtiff-4.0.9 (search, files)

• CVE-2018-12900

openjpeg-2.3.0 (search, files)

• CVE-2018-14423

procps-3.3.15 (search, files)

• CVE-2018-1121

sddm-0.17.0 (search, files)

• CVE-2018-14345

zip-3.0 (search, files)

• CVE-2018-13410

Cc: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7, @grahamc, @adisbladis, @fpletz, @vcunat

Contact @ckauhaus for any questions.

[ckauhaus]

An attempt to incorporate some 2.30 patches got stuck at #41042

[andrew-d]

Some initial investigations:

CVE-2018-12900 (libtiff) is marked as "no upstream fix yet" in Ubuntu's tracker.

CVE-2018-14423 (openjpeg) was reported on July 16th but appears to not have a fix yet (unmerged PR is here).

CVE-2018-1121 (procps) - "As of 2018-09-12 no upstream fix is available" from here.

CVE-2018-14345 (sddm) - #43978

CVE-2018-13410 (zip) - This appears to be disputed:

NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands.

[andrew-d]

Looks like CVE-2018-13419 doesn't yet have a proof-of-concept, and nobody except the reporter has been able to reproduce (see here).

[andrew-d]

For CVE-2018-14394 and CVE-2018-14395 in ffmpeg, it looks like these fixes are included in the ffmpeg 3.4.4 release? I'm possibly reading this wrong, but:

• CVE-2018-14394 links to this commit, which was cherry-picked into the 3.4 branch here and should be in 3.4.4.
• CVE-2018-14395 links to this commit, which was cherry-picked into the 3.4 branch here, and should be in 3.4.4.

You can confirm that both of those fixes are present in the given release tag here.

[ckauhaus]

CVE-2018-14394 and CVE-2018-14395 seem to be in. vulnix reports false positives in some cases.

[xeji]

exempi: fix proposed in hfiguiere/exempi#7 , not yet merged.

[Ma27]

excempi (CVE-2018-12648) has been fixed on master in #47496.

[vcunat]

procps CVE-2018-1121: I'm satisfied by https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3

[Ekleog]

Most unchecked vulns had already been fixed in the mean time, I just backported the openjpeg fix to master.

CVE-2018-13410, the last non-fixed one, is disputed with what looks like a real argument: it's an off-by-one that can be triggered only when using an option that allows arbitrary code execution. As this is the last one of this report, I'm going to close this issue. Thank you all! :)