Vulnerability Roundup 6

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last hunt.

Notes on the list

1. The reports have been roughly grouped by the package name. This
   isn't perfect, but is intended to help identify if a whole group
   of reports is resolved already.
2. Some issues will be duplicated, because it affects multiple packages.
   For example, there are sometimes problems that impact thunderbird,
   and firefox. LWN might report in one vulnerability "thunderbird
   firefox". These names have been split to make sure both packages get
   addressed.
3. By each issue is a link to code search for the package name, and
   a Github search by filename. These are to help, but may not return
   results when we do in fact package the software. If a search
   doesn't turn up, please try altering the search criteria or
   looking in nixpkgs manually before asserting we don't have it.

Instructions:

1. Triage a report: If we don't have the software or our version isn't
   vulnerable, tick the box or add a comment with the report number,
   stating it isn't vulnerable.
2. Fix the issue: If we do have the software and it is vulnerable,
   either leave a comment on this issue saying so, even open a pull
   request with the fix. If you open a PR, make sure to tag this
   issue so we can coordinate.
3. When an entire section is completed, move the section to the
   "Triaged and Resolved Issues" details block below.

Upon Completion ...

• Update how to subscribe to security advisory notices for nixpkgs / nixos? #13515 with a
  summary.

Without further ado...

Assorted (7 issues)

• #703983 (search, files) epiphany: unspecified
• #704470 (search, files) libX11: insufficient validation
• #704249 (search, files) openslp: code execution
• #703983 (search, files) epiphany: unspecified
• #703767 (search, files) chromium-browser: multiple vulnerabilities
• #703987 (search, files) asterisk: denial of service
• #703975 (search, files) java-1.8.0-openjdk: multiple vulnerabilities

kernel (2 issues)

• #704120 (search, files) kernel: multiple vulnerabilities
• #704469 (search, files) kernel: denial of service

---

Total remaining: 9

---

Triaged and Resolved Issues

Assorted (10 issues)

• #704466 (search, files) php: multiple vulnerabilities
• #704467 (search, files) php-pecl-zip: multiple vulnerabilities
• #704248 (search, files) bind: denial of service
• #704589 (search, files) mysql: multiple unspecified vulnerabilities
• #703978 (search, files) dwarfutils: three vulnerabilities
• #704586 (search, files) virtualbox: multiple unspecified vulnerabilities
• #704468 (search, files) kdump: denial of service
• #703977 (search, files) tor: denial of service
• #703979 (search, files) libgd2: two vulnerabilities
• #703984 (search, files) libgit2: two vulnerabilities

qemu (2 issues)

• #704471 (search, files) qemu: denial of service
• #703985 (search, files) qemu: three vulnerabilities

Total done: 12

[grahamc]

5456d8f 0f42ee7 were ported in 732930b and bd2568a (php upgrades) to 16.09

[grahamc]

cc people who participated in the last one: @DamienCassou @NeQuissimus @aszlig @jgeerds.

[grahamc]

Firefox updates by @edolstra (thank you for backporting) bd2568a...0195ab8

[NeQuissimus]

I'll take care of the kernel notifications. We need to update 4.1.x

[grahamc]

Thank you :) Looks like 4.9 is out of date (rc2?) -- could you also look to see if the other kernels are seriously out of date, and just make a note here?

[NeQuissimus]

I think qemu is covered by what we have.

[NeQuissimus]

The OpenJDK one is definitely covered, I updated that yesterday

[grahamc]

I was just dreading that update :)

[grahamc]

I just collapsed the done items to make the rest easier to find.

[grahamc]

Whoa, I didn't actually expect updates on all the kernels! 💯 🏆

[NeQuissimus]

Might as well :D
I let each of them go beyond the asking for modules, which is generally where they fail if anything is wrong. I don't have the time to build 5 full kernels right now :D

[grahamc]

I'll do a merge and build them all on my build box today.

[NeQuissimus]

It would take me a while:

▶ cat /proc/cpuinfo | grep 'model name' | head -1
model name      : Intel(R) Core(TM) m3-6Y30 CPU @ 0.90GHz

[NeQuissimus]

You have the same epiphany notice twice and I would think it is not covered. But it seems to be part of GNOME 3.20/3.22 and I know there are a few PRs for that right now. Not sure if we'd break something... The epiphany files are auto-generated. (currently 3.20.3, needs 3.20.4)

[grahamc]

I usually ping @DamienCassou about Gnome issues (is @DamienCassou the one for that? :))

[NeQuissimus]

And I can't find libX11 in nixpkgs. I am not very familiar with X, so it might be in some other file but I am not sure where to look.

[grahamc]

Not sure who to ping on X11. I bet @vcunat knows?

[grahamc]

---

[grahamc]

9db03c1 should probably be backported.

[FRidh]

libX11 is at https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/x11/xorg/default.nix#L682

[vcunat]

That X advisory was fixed weeks ago in 53612bb. EDIT: it seems to me that SUSE guys were just rather late in this case.

[vcunat]

For future reference, I do seem to be the most active in updating basic X packages, and I do watch their announcement ML.

[grahamc]

@NeQuissimus re epiphany being listed twice, the second search is for webkitgtk.

[grahamc]

OK FWIW everything in the list (except Chromium) has a PR in for it. I'm running builds for the remaining PRs now and will hopefully have most of them done by morning, where we'll merge. OpenJDK hasn't been backported because the patch doesn't apply cleanly. I'm hoping Tim will check that out.

[grahamc]

Thank you everyone, for your great help! #6 is done :)