Пакет обновлений безопасности 27102017SE15 для Astra Linux Special Edition
Производителем ОС (НПО «РусБИТех») выпущен пакет обновлений № 27102017SE15 для Astra Linux Special Edition, касающийся безопасности и исправляющие некоторые ошибки. Пакет является накопительным и включает ранее вышедшие пакеты № 29032017SE15 и № 16092016SE15.
Для удобства пользователей данные обновления выкладываются в наш репозиторий http://packages.lab50.net/security.
Все пакеты, также как и сам репозиторий, представлены в оригинальном неизменном виде и подписаны ключами производителя. Для его использования дополнительных ключей не требуется.
Для подключения репозитория безопасности создайте файл /etc/apt/sources.list.d/security.list:
deb http://packages.lab50.net/security/ smolensk main contrib non-free
После подключения обновить систему можно с помощью команд:
sudo aptitude update sudo aptitude full-upgrade
Уязвимости и исправления
Критические
CVE-2017-9462 | mercurial | In Mercurial before 4.1.3, «hg serve —stdio» allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using —debugger as a repository name. |
CVE-2016-1935 | thunderbird | Buffer overflow in the BufferSubData function in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allows remote attackers to execute arbitrary code via crafted WebGL content. |
Важные
CVE-2017-3167 | apache | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. |
CVE-2017-3169 | apache | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. |
CVE-2017-7668 | apache | The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. |
CVE-2017-7669 | apache | In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. |
CVE-2017-7555 | augeas | Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution. |
CVE-2016-0729 | apache | Multiple buffer overflows in (1) internal/XMLReader.cpp, (2) util/XMLURL.cpp, and (3) util/XMLUri.cpp in the XML Parser library in Apache Xerces-C before 3.1.3 allow remote attackers to cause a denial of service (segmentation fault or memory corruption) or possibly execute arbitrary code via a crafted document. |
CVE-2017-9257 | audiocoding | The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted mp4 file. |
CVE-2017-13777 | graphicsmagick | GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c «Read hex image data» version==10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it. |
CVE-2017-13777 | graphicsmagick | GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c «Read hex image data» version==10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it. |
CVE-2016-4024 | imlib | Integer overflow in imlib2 before 1.4.9 on 32-bit platforms allows remote attackers to execute arbitrary code via large dimensions in an image, which triggers an out-of-bounds heap memory write operation. |
CVE-2017-1000376 | libffi | libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1. |
CVE-2017-14062 | libidn2 | Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. |
CVE-2017-9433 | libmwaw | Document Liberation Project libmwaw before 2017-04-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the MsWrd1Parser::readFootnoteCorrespondance function in lib/MsWrd1Parser.cxx. |
CVE-2017-12562 | libsndfile | Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. |
CVE-2017-7533 | linux | Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions. |
CVE-2017-1000116 | mercurial | Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. |
CVE-2017-10989 | sqlite | The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact. |
CVE-2017-9800 | apache | A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server’s repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. |
CVE-2016-10375 | yodl | Yodl before 3.07.01 has a Buffer Over-read in the queue_push function in queue/queuepush.c. |
Средние
CVE-2017-9798 | apache | Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user’s .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c. |
CVE-2017-9788 | apache | In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type ‘Digest’ was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no ‘=’ assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. |
CVE-2017-1000254 | curl | libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it — the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote. |
CVE-2017-12836 | cvs | CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by «-oProxyCommand=id;localhost:/bar.» |
CVE-2017-14494 | dnsmasq | dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests. |
CVE-2017-9233 | libexpat | XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. |
CVE-2017-1000083 | gnome | backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a «—» command-line option substring, as demonstrated by a —checkpoint-action=exec=bash at the beginning of the filename. |
CVE-2017-11568 | fontforge | FontForge 20161012 is vulnerable to a heap-based buffer over-read in PSCharStringToSplines (psread.c) resulting in DoS or code execution via a crafted otf file. |
CVE-2017-2862 | gnome | An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. |
CVE-2017-11714 | ghostscript | psi/ztoken.c in Artifex Ghostscript 9.21 mishandles references to the scanner state structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document, related to an out-of-bounds read in the igc_reloc_struct_ptr function in psi/igc.c. |
CVE-2017-8386 | git | git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a — (dash) character. |
CVE-2017-1000117 | git-scm | A malicious third-party can give a crafted «ssh://…» URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim’s machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running «git clone —recurse-submodules» to trigger the vulnerability. |
CVE-2013-7447 | gtk | Integer overflow in the gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c in GTK+ before 3.9.8, as used in eom, gnome-photos, eog, gambas3, thunar, pinpoint, and possibly other applications, allows remote attackers to cause a denial of service (crash) via a large image file, which triggers a large memory allocation. |
CVE-2017-11103 | heimdal | Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus’ Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in ‘enc_part’ instead of the unencrypted version stored in ‘ticket’. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. |
CVE-2017-9261 | imagemagick | In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file. |
CVE-2017-9262 | imagemagick | In ImageMagick 7.0.5-6 Q16, the ReadJNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file. |
CVE-2017-9405 | imagemagick | In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows attackers to cause a denial of service (memory leak) via a crafted file. |
CVE-2017-9407 | imagemagick | In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows attackers to cause a denial of service (memory leak) via a crafted file. |
CVE-2017-9409 | imagemagick | In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file. |
CVE-2017-9439 | imagemagick | In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file. |
CVE-2017-9500 | imagemagick | In ImageMagick 7.0.5-8 Q16, an assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file. |
CVE-2017-9501 | imagemagick | In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file. |
CVE-2017-13658 | imagemagick | In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missing NULL check in the ReadMATImage function in coders/mat.c, leading to a denial of service (assertion failure and application exit) in the DestroyImageInfo function in MagickCore/image.c. |
CVE-2011-5326 | imlib2 | imlib2 before 1.4.9 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) by drawing a 2×1 ellipse. |
CVE-2016-3993 | imlib2 | Off-by-one error in the __imlib_MergeUpdate function in lib/updates.c in imlib2 before 1.4.9 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted coordinates. |
CVE-2016-3994 | imlib2 | The GIF loader in imlib2 before 1.4.9 allows remote attackers to cause a denial of service (application crash) or obtain sensitive information via a crafted image, which triggers an out-of-bounds read. |
CVE-2016-7166 | libarchive | libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file. |
CVE-2017-7890 | php | The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information. |
CVE-2017-11590 | gnome | There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack. |
CVE-2017-9832 | libmtp | An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) of libmtp (version 1.1.12 and below) allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable. |
CVE-2017-6892 | libsndfile | In libsndfile version 1.0.28, an error in the «aiff_read_chanmap()» function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. |
CVE-2017-10790 | libtasn1 | The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack. |
CVE-2017-9049 | libxml2 | libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398. |
CVE-2017-9050 | libxml2 | libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. |
CVE-2017-9951 | memcached | The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705. |
CVE-2017-9116 | openexr | In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash. |
CVE-2017-7520 | openvpn | OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker. |
CVE-2016-2335 | novell | The CInArchive::ReadFileItem method in Archive/Udf/UdfIn.cpp in 7zip 9.20 and 15.05 beta and p7zip allows remote attackers to cause a denial of service (out-of-bounds read) or execute arbitrary code via the PartitionRef field in the Long Allocation Descriptor in a UDF file. |
CVE-2017-6512 | file-path | Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. |
CVE-2017-11147 | php | In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c. |
CVE-2017-0901 | rubygems | RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. |
CVE-2017-6318 | sane-backends | saned in sane-backends 1.0.25 allows remote attackers to obtain sensitive memory information via a crafted SANE_NET_CONTROL_OPTION packet. |
CVE-2017-7506 | spice | spice versions though 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from authenticated attacker to the spice server resulting into crash and/or server memory leak. |
CVE-2017-10688 | libtiff | In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack. |
CVE-2017-11109 | vim | Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance. |
CVE-2015-6749 | vorbis | Buffer overflow in the aiff_open function in oggenc/audio.c in vorbis-tools 1.4.0 and earlier allows remote attackers to cause a denial of service (crash) via a crafted AIFF file. |
CVE-2017-13077 | wpa | Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. |
Низкие
CVE-2017-1000250 | bluez | All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. |
CVE-2017-1000380 | linux | sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. |
Неизвестно
CVE-2017-3143 | Неизвестно | Описание отсутствует |
CVE-2017-1000100 | Неизвестно | When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn’t restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl’s redirect protocols with —proto-redir and libcurl’s with CURLOPT_REDIR_PROTOCOLS. |
CVE-2017-7793 | Неизвестно | Описание отсутствует |
CVE-2017-2924 | Неизвестно | Описание отсутствует |
CVE-2017-2923 | Неизвестно | Описание отсутствует |
CVE-2017-7526 | Неизвестно | Описание отсутствует |
CVE-2017-7376 | Неизвестно | Описание отсутствует |
CVE-2017-15038 | Неизвестно | Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes. |
нет | fly-wm | Уязвимость приводящая к аварийному завершению приложения. |
нет | libflycore | Уязвимость позволяющая злоумышленнику вызвать отказ в обслуживании. |
нет | linux-astra-modules | Уязвимость позволяющая локальному пользователю нарушить целостность данных. |
нет | parsec | Уязвимость модуля безопасности позволяющая вызвать отказ в обслуживании. |