Enea CVE Database

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

Enea fix: Enea Linux 7.0

sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.

Enea fix: Enea Linux 7.0

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE.

Enea fix: Enea Linux 7.0

The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.

Enea fix: Enea Linux 7.0

 A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.Upstream patch:https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86

Enea fix: Enea Linux 7.0

 The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

Enea fix: Enea Linux 7.0

 All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

Enea fix: Enea Linux 7.0

Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.

Enea fix: Enea Linux 7.0

curl supports "globbing" of URLs, in which a user can pass a numerical rangeto have the tool iterate over those numbers to do a sequence of transfers.In the globbing function that parses the numerical range, there was anomission that made curl read a byte beyond the end of the URL if given acarefully crafted, or just wrongly written, URL. The URL is stored in a heapbased buffer, so it could then be made to wrongly read something else insteadof crashing.

Enea fix: Enea Linux 7.0

When doing an TFTP upload and curl/libcurl is given a URL that contains a verylong file name (longer than about 515 bytes), the file name is truncated tofit within the buffer boundaries, but the buffer size is still wrongly updatedto use the untruncated length. This too large value is then used in the`send()` call, making curl attempt to send more data than what is actually putinto the buffer. The `send()` function will then read beyond the end of theheap based buffer.

Enea fix: Enea Linux 7.0

 systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.

Enea fix: Enea Linux 7.0

The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.

Enea fix: Enea Linux 7.0

Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.

Enea fix: Enea Linux 7.0

The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.

Enea fix: Enea Linux 7.0

Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.

Enea fix: Enea Linux 7.0

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients

Enea fix: Enea Linux 7.0

The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.

Enea fix: Enea Linux 7.0

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

Enea fix: Enea Linux 7.0

The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.

Enea fix: Enea Linux 7.0

The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.

Enea fix: Enea Linux 7.0

The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.

Enea fix: Enea Linux 7.0

The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.

Enea fix: Enea Linux 7.0

The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

 The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

 The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.

Enea fix: Enea Linux 7.0

In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

Enea fix: Enea Linux 7.0

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

Enea fix: Enea Linux 7.0

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

Enea fix: Enea Linux 7.0

 libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.

Enea fix: Enea Linux 7.0

A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.

Enea fix: Enea Linux 7.0

The print_symbol_for_build_attribute function in reade
lf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.

Enea fix: Enea Linux 7.0

readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.

Enea fix: Enea Linux 7.0

 GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.

Enea fix: Enea Linux 7.0

GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.

Enea fix: Enea Linux 7.0

GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.

Enea fix: Enea Linux 7.0

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.

Enea fix: Enea Linux 7.0

The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability.

Enea fix: Enea Linux 7.0

 The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.

Enea fix: Enea Linux 7.0

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Enea fix: Enea Linux 7.0

 The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.

Enea fix: Enea Linux 7.0

dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.

Enea fix: Enea Linux 7.0

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.

Enea fix: Enea Linux 7.0

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.

Enea fix: Enea Linux 7.0

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.

Enea fix: Enea Linux 7.0

 The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.

Enea fix: Enea Linux 7.0

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.

Enea fix: Enea Linux 7.0

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.

Enea fix: Enea Linux 7.0

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.

Enea fix: Enea Linux 7.0

FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.

Enea fix: Enea Linux 7.0

The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors.

Enea fix: Enea Linux 7.0

drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors.

Enea fix: Enea Linux 7.0

drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

 drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

rypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

Enea fix: Enea Linux 7.0

libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).

libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster.

This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

Affected Enea Linux Release/s:
Enea Linux 6.0

Enea fix: Enea Linux 6.0

The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.

Affected Enea Linux Release/s:
Enea Linux 6.0

Enea fix: Enea Linux 6.0

CVE-2017-5754
(Meltdown)

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Read more about this vulnerability here.

Affected Enea Releases:
Enea releases are affected but the problem is only known to exist on certain processors from Intel, AMD, NXP and Arm which implement speculative execution. Please refer to your hardware vendor or the Enea support team if you need to know whether your specific piece of hardware is affected.

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Read more about this vulnerability here.

Affected Enea Releases:
Enea releases are affected but the problem is only known to exist on certain processors from Intel, AMD, NXP and Arm which implement speculative execution. Please refer to your hardware vendor or the Enea support team if you need to know whether your specific piece of hardware is affected.

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Read more about this vulnerability here.

Affected Enea Releases:
Enea releases are affected but the problem is only known to exist on certain processors from Intel, AMD, NXP and Arm which implement speculative execution. Please refer to your hardware vendor or the Enea support team if you need to know whether your specific piece of hardware is affected.

Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.

Affected Enea Linux Release/s:
Enea Linux 6.0, Enea Linux 5.0, Enea Linx 4.0

Enea fix: Enea Linux 6.0:  linux-yocto 4.4, linux-qoriq_3.12, linux-ls1_3.12

curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error.

Due to a coding mistake, the code that checks for a test success or failure, ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. Contrary to how it used to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality.

This flaw also exists in the command line tool (--cert-status).

Affected Enea Linux Release/s:
Enea Linux 6.0

Enea fix: Enea Linux 6.0

udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.

Enea fix: Enea Linux 6.0: linux-qoriq_3.12, linux-ls1_3.12 and linux-yocto 4.4

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.

Enea fix: Enea Linux 6.0

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

Enea fix: Enea Linux 6.0

 libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to. This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable. This function is brand new in 7.52.0.

Enea fix: Enea Linux 6.0

libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes. The flaw happens because the floating point conversion is using system functions without the correct boundary checks.

Enea fix: Enea Linux 6.0

When curl is built with libidn to handle International Domain Names (IDNA), it translates them to puny code for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard.

This misalignment causes problems with for example domains using the German ß character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which is used at times in the .de TLD and is translated differently in the two IDNA standards, leading to users potentially and unknowingly issuing network transfer requests to the wrong host.

Enea fix: Enea Linux 6.0

curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.

Enea fix: Enea Linux 6.0

libcurl explicitly allows users to share cookies between multiple easy handles that are concurrently employed by different threads. When cookies to be sent to a server are collected, the matching function collects all cookies to send and the cookie lock is released immediately afterwards. That funcion however only returns a list with *references* back to the original strings for name, value, path and so on. Therefore, if another thread quickly takes the lock and frees one of the original cookie structs together with its strings, a use-after-free can occur and lead to information disclosure. Another thread can also replace the contents of the cookies from separate HTTP responses or API calls.

Enea fix: Enea Linux 6.0

The URL percent-encoding decode function in libcurl is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. This can be triggered by a user on a 64bit system if the user can send in a custom (very large) URL to a libcurl using program.

Enea fix: Enea Linux 6.0

The `curl_getdate` converts a given date string into a numerical timestamp and it supports a range of different formats and possibilites to express a date and time. The underlying date parsing function is also used internally when parsing for example HTTP cookies (possibly received from remote servers) and it can be used when doing conditional HTTP requests. The date parser function uses the libc sscanf() function at two places, with the parsing strings "%02d:%02d" and ""%02d:%02d:%02d". The intent being that it would parse either a string with HH:MM (two digits colon two digits) or HH:MM:SS (two digits colon two digits colon two digits). If instead the piece of time that was sent in had the final digit cut off, thus ending with a single-digit, the date parser code would advance its read pointer one byte too much and end up reading out of bounds.

Enea fix: Enea Linux 6.0

The curl tool's "globbing" feature allows a user to specify a numerical range through which curl will iterate. It is typically specified as [1-5],
specifying the first and the last numbers in the range. Or with [a-z], using letters.

1. The curl code for parsing the second *unsigned* number did not check for aleading minus character, which allowed a user to specify `[1--1]` with no complaints and have the latter `-1` number get turned into the largest unsigned long value the system can handle. This would ultimately cause curl to write outside the dedicated malloced buffer after no less than 100,000 iterations, since it would have room for 5 digits but not 6.

2. When the range is specified with letters, and the ending letter is left out `[L-]`, the code would still advance its read pointer 5 bytes even if the string was just 4 bytes and end up reading outside the given buffer 

 In curl's implementation of the Kerberos authentication mechanism, the function `read_data()` in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to realloc() is not set to 0. This would lead to realloc() getting called with a zero size and when doing so realloc() returns NULL *and* frees the memory - in contrary to normal realloc() fails where it only returns NULL - causing libcurl to free the memory *again* in the error path. This flaw could be triggered by a malicious or just otherwise ill-behaving server.

The libcurl API function called `curl_maprintf()` can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. The function is also used internallty in numerous situations. The function doubles an allocated memory area with realloc() and allows the size to wrap and become zero and when doing so realloc() returns NULL *and* frees the memory - in contrary to normal realloc() fails where it only returns NULL - causing libcurl to free the memory *again* in the error path. Systems with 64 bit versions of the `size_t` type are not affected by this issue. This behavior is triggable using the publicly exposed function.

 In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize: malloc( insize * 4 / 3 + 4 ) On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if insize is at least 1GB of data. If this happens, an undersized output buffer will be allocated, but the full result will be written, thus causing the memory behind the output buffer to be overwritten. If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user` option), this vulnerability can be triggered. The name has to be at least 512MB big in a 32bit system. Systems with 64 bit versions of the `size_t` type are not affected by this issue.

When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.

If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the `fgets()` function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server. 

It was found that provided string length arguments in four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into. This flaw does not affect the curl command line tool. 

 After testing original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection.

Race condition in the ioctl_send_fib function in
drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows
local users to cause a denial of service (out-of-bounds access or system
crash) by changing a certain size value, aka a "double fetch"
vulnerability.

Enea fix: Enea Linux 6.0

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

Enea Fix: Enea 6.0

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

Enea fix: Enea Linux 6.0

CPython
before 2.7.12

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3. This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as TLS backend. The documentation for mbedTLS and PolarSSL (wrongly) says that the API function *ssl_set_hostname() is used only for setting the name for the TLS extension SNI. The set string is however even more importantly used by the libraries to verify the server certificate, and if no "hostname" is set it will just skip the check and successfully continue with the handshake. libcurl would wrongly avoid using the function when the specified host name was given as an IP address or when SSLv3 is used, as SNI isn't supposed to be used then. This then leads to that all uses of TLS oriented protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc) will allow connections to servers with unverified server certificates as long as they're specified as IP addresses or using SSLv3. By tricking a libcurl-using client to use a URL with a host specified as IP address only, an application could be made to connect to an impostor server or Man In The Middle host without noticing. 

Enea fix: Enea Linux 6.0

CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.

Enea fix: Enea Linux 6.0

buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.

Enea fix: Enea Linux 6.0

ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

Enea fix: Enea Linux 6.0

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Enea fix: Enea Linux 6.0 (upgrade to OpenSSL1.0.2h fixes this CVE)

The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.

Enea fix: Enea Linux 6.0

Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.

Enea fix: Enea Linux 5.0

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Enea fix: Enea Linux 5.0, Enea Linux 4.0

libssh versions 0.1 and above have a bits/bytes confusion bug and generate the an anormaly short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard's rho) that can solve this problem in O(2^63) operations. Both client and server are are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions.
The bug was found during an internal code review by Aris Adamantiadis of the libssh team.

Enea fix: Enea Linux 5.0

ISC DHCP 4.x before 4.1-ESV-R12-P1 and 4.2.x and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.

Enea fix: Enea Linux 6.0

linux-qoriq_3.12 & linux-ls1_3.12

fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action.
Enea fix: Enea Linux 5.0

Race condition checking digests/checksums in sudoers

Enea fix: Enea Linux 6.0

A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash.

privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

Enea fix: Enea Linux 5.0

The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation.
Enea fix: linux-qoriq 3.12, linux-yocto 3.14

The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.

kernel

(x86, 3.10.38)

Kernel
(Hierofalcon 3.19)

The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.19.1 does not validate certain length values, which allows local users to cause a denial of service (incorrect data representation or integer overflow, and OOPS) via a crafted UDF filesystem.
Enea fix:
linux-yocto 3.14

Kernel
(linux-yocto 3.14)

kernel
(linux-yocto 3.14, linux-qoriq 3.12)

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."

kernel

(x86, 3.10.38)

kernel
linyx-qoriq 3.8

The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack.

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."

cURL and libcurl 7.10.6 through  7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.

util-linux has a command injection flaw in blkid. The exact description  of this vulnerability is reserved.

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.
[This vulnerability affects QEMU 2.1 and has been fixed in v2.1.0-rc3]

kernel

(FSL kernel, 3.8.11)

kernel

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

A critical subtle integer overflow vulnerability has been detected in Lempel-Ziv-Oberhumer (LZO), an extremely efficient data compression algorithm that focuses on decompression speed, which is almost five times faster than zlib and bzip compression algorithms.

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel,3.8.11)

The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

kernel

(FSL kernel, 3.8.11)

kernel

(FSL, 3.8.11)

GnuTLS 3.3.5

GnuTLS 3.3.5

GnuTLS 3.3.5

GnuTLS 3.3.5

GnuTLS 3.3.5

libpng

It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.

QEMU 2.1

kernel: net

(M400)

kernel

(FSL kernel, 3.8.11)

kernel: 3.4+ arbitrary write with CONFIG_X86_X32 (linux-yocto/3.10 &M400)

CVE-2013-1847

CVE-2013-1846

The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. This CVE was reported 2012-06-14 but updated 2014-12-05.