Fixes for 19 different vulnerabilities across MySQL, Dovecot, Memcached and others, plus we talk to Joe McManus about the recent iLnkP2P IoT hack and the compromise of DockerHub’s credentials database and more.
Show Notes
Overview
Heap-based buffer overflow in the RTSP connection parser - could allow a malicious server to gain remote code execution on the client. The session id can contain attributes separated by semi-colons, and the parser assumed that the first semi-colon it encountered delimited the maximum size of the session id. However, the session id field has a maximum size of 512 bytes, so copying using the user-supplied session id length rather than sticking to the maximum structure length would overflow it. Changed to only parse up to the maximum size of the structure so the copy can no longer overflow.
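As an added example (not code from the package discussed above) of the bounded parse the fix describes, here is an RTSP session-id parser in C that stops at the first semi-colon and refuses anything that would not fit the 512-byte field; the struct and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the project's code. The 512-byte limit comes from the
 * show notes; rtsp_session and the function names below are assumed. */
#define RTSP_SESSION_ID_MAX 512

typedef struct {
    char session_id[RTSP_SESSION_ID_MAX];
} rtsp_session;

/* Copy the session id from a "Session:" header value up to the first ';'
 * (which starts optional attributes such as "timeout=60"), but never past
 * the capacity of the destination field. The bug described above sized the
 * copy by the server-supplied length up to the ';', so an over-long id
 * overflowed the 512-byte field. Returns the stored length, or -1 if the
 * id is empty or would not fit (reject rather than silently truncate). */
int rtsp_parse_session_id(const char *hdr, rtsp_session *s)
{
    hdr += strspn(hdr, " \t");            /* skip leading whitespace */
    size_t id_len = strcspn(hdr, ";");    /* length up to ';' or end */
    if (id_len == 0 || id_len >= sizeof s->session_id)
        return -1;
    memcpy(s->session_id, hdr, id_len);
    s->session_id[id_len] = '\0';
    return (int)id_len;
}

/* Build a constructed id of n 'A' characters (as a hostile server might
 * send) and report 1 if the parser rejects it, 0 if it accepts it. */
int rtsp_rejects_id_of_length(size_t n)
{
    char buf[1024];
    rtsp_session s;
    if (n >= sizeof buf)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return rtsp_parse_session_id(buf, &s) == -1;
}

int main(void)
{
    rtsp_session s;
    int n = rtsp_parse_session_id("12345678;timeout=60", &s);
    printf("stored %d bytes: %s\n", n, s.session_id);
    printf("600-byte id rejected: %d\n", rtsp_rejects_id_of_length(600));
    return 0;
}
```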
Failed to check return values when calling the libTIFF functions that return the pixel data from an embedded TIFF image - on failure this would end up rendering uninitialised memory rather than the TIFF image. Fixed to check the return values and bail out on error.
Found by fuzzing under valgrind - if no sample rate was specified then a stack variable that was declared but never initialised would be used, which could cause a crash etc. since its value could be anything. Fixed to initialise it to 0 and to check whether it is still zero before proceeding to process.
Two issues related to authentication in recent versions of dovecot - if the client aborts authentication the server could crash due to a NULL pointer dereference, and if using TLS but the client sends an invalid authentication message it could crash as well.
Use after free in png image cleanup - originally the cleanup was called under png_safe_execute(), an internal function which itself calls png_image_free(), so after freeing the image it would be freed a second time under certain conditions. Changed to just call the free function directly rather than via png_safe_execute().
Possible NULL pointer dereference via the local command interface due to insufficient checks when parsing input - commands require 4 input tokens but only 3 were checked for (off-by-one). Could allow an attacker with access to the command interface to crash memcached.
Possible to trick gnupg into decrypting ciphertext other than the intended one when an attacker can control the passphrase passed to gnupg and the ciphertext is assumed trusted. This uses the command interface of gnupg and passes the passphrase directly to it along with the ciphertext, so if the attacker includes newlines in the supplied passphrase they can then inject their own ciphertext (or plaintext in the context of encryption). Fixed to check that the passphrase does not contain line-feed or carriage-return characters.
Possible to trick it by including what looks like the return response from gnupg directly in the filename to be decrypted when using verbose output mode. Fixed by sanitising this filename first.
Discussion with Joe McManus about another IoT compromise and DockerHub