Monthly Archives: April 2015

Drupal

HybridAuth Social Login – Less Critical – Information Disclosure – SA-CONTRIB-2015-097

Description

HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

The module may store user passwords in plain text.

This vulnerability is mitigated by the fact that the option “Ask user for a password when registering” must be enabled. The information is disclosed to anyone with access to the database, “administer users” or “administer site configuration” permission.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Drupal 7.x
CentOS

CESA-2015:0869 Important CentOS 5 kvm SecurityUpdate

CentOS Errata and Security Advisory 2015:0869 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-0869.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 


x86_64:
110cfc729e2e536ea057491fa59ad58b2a601de7a68914954d47b359df8ce677  kmod-kvm-83-270.el5.centos.x86_64.rpm
f23c984edf95cb75ab3a14337693c29cc031b98a2c83203742910742bfbb2a4a  kmod-kvm-debug-83-270.el5.centos.x86_64.rpm
efd27316bb50ba740b8572395eda046d47b82c0cfa4fb17954a6414442d55c83  kvm-83-270.el5.centos.x86_64.rpm
be2b6fe5f10ea4ae06b261269c6b2b4cd1a960b40322770584a23515ecde78da  kvm-qemu-img-83-270.el5.centos.x86_64.rpm
d5c445566348626991bb0d9a11a62e8002df8e542d79c8ecdd7bc4b4d30d673f  kvm-tools-83-270.el5.centos.x86_64.rpm

Source:
eb82ad54a0dd3a25e5f95c1c2a4ea4c9bb4d8e9039427c55c485edaef20a0fc5  kvm-83-270.el5.centos.src.rpm
CentOS

CEBA-2015:0871 CentOS 6 dbus BugFix Update

CentOS Errata and Bugfix Advisory 2015:0871 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-0871.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
154884ae0ff5a4a9ed7aff22f58bb5539f932f18ca469890a30193e10e21da45  dbus-1.2.24-8.el6_6.i686.rpm
1032a57d04f2f53d29f758562d5a58490ca395fdfa59b96d4a8845becbe9c601  dbus-devel-1.2.24-8.el6_6.i686.rpm
5e3ebdeaec7d9e936bed965c6126fa5c2e09cae009d9113ab2fd3ab524108ca5  dbus-doc-1.2.24-8.el6_6.noarch.rpm
831edc20cf2faf3c49c669de67053534dcd46c21a9320331441bbb5667d952c1  dbus-libs-1.2.24-8.el6_6.i686.rpm
dc5db046ac22f2ba0520805021f4a3207290fbff10226befa0bd2f36e706f3c7  dbus-x11-1.2.24-8.el6_6.i686.rpm

x86_64:
62d7b03f9a215c2ed46745f01d8840de1dda8747eee4eae317fad942850c43f8  dbus-1.2.24-8.el6_6.x86_64.rpm
1032a57d04f2f53d29f758562d5a58490ca395fdfa59b96d4a8845becbe9c601  dbus-devel-1.2.24-8.el6_6.i686.rpm
82901ad649682842fedda2f2641b44a32a536d2eaeb431c0d5dee96d54fa9302  dbus-devel-1.2.24-8.el6_6.x86_64.rpm
5e3ebdeaec7d9e936bed965c6126fa5c2e09cae009d9113ab2fd3ab524108ca5  dbus-doc-1.2.24-8.el6_6.noarch.rpm
831edc20cf2faf3c49c669de67053534dcd46c21a9320331441bbb5667d952c1  dbus-libs-1.2.24-8.el6_6.i686.rpm
e412f3b9c5a250d9b08617f967ff5a0b81cddd7dc31c57bd4dc6a8fba2fee7da  dbus-libs-1.2.24-8.el6_6.x86_64.rpm
e5af547513f8bd81ad1b52eea43b7d93b3a00304c882e072744634b25727ba9b  dbus-x11-1.2.24-8.el6_6.x86_64.rpm

Source:
97c5927a869793f0edd404c59b0d89d15c2d4db3b466b49ed25f00949b1eca84  dbus-1.2.24-8.el6_6.src.rpm
Redhat

Regular expressions and recommended practices

Whenever a security person crosses a vulnerability report, one of the the first steps is to ensure that the reported problem is actually a vulnerability. Usually, the issue falls into well known and studied categories and this step is done rather quickly. Occasionally, however, one can come across bugs where this initial triage is a bit more problematic. This blog post is about such an issue, which will ultimately lead us to the concept of “recommended practice”.

What happened?

On July 31st 2014, Maksymilian Arciemowicz of cxsecurity reported that “C++11 [is] insecure by default.”, with upstream GCC bugs 61601 and 61582. LLVM/Clang’s libc++ didn’t dodge the bullet either, more details are available in LLVM bug 20291.

Not everybody can be bothered to go through so many links, so here is a quick summary: C++11, a new C++ standard approved in 2011, introduced support for regular expressions. Regular expressions (regexes from here on) are an amazingly powerful processing tool – but one that can become extremely complex to handle correctly. Not only can the regex itself become hideous and hard to understand, but also the way how the regex engine deals with it can lead to all sorts of problems. If certain complex regexes are passed to a regex engine, the engine can quickly out-grow the available CPU and memory constraints while trying to process the expression, possibly leading to a catastrophic event, which some call ReDoS, a “regular expression denial of service”.

This is exactly what Maksymilian Arciemowicz exploits: he passes specially crafted regexes to the regex engines provided by the C++11 implementations of GCC and Clang, causing them to use a huge amount of CPU resources or even crash (e.g. due to extreme recursion, which will exhaust all the available stack space, leading to a stack-overflow).

Is it a vulnerability?

CPU exhaustion and crashes are often good indicators for a vulnerability. Additionally, the C++11 standard even suggests error return codes for the exact problems triggered, but the implementations at hand fail to catch these situations. So, this must be a vulnerability, right? Well, this is the point where opinions differ. In order to understand why, it’s necessary to introduce a new concept:

The “recommended practice” concept

“Recommended practice” is essentially a mix of common sense and dos and don’ts. A huge problem is that they are informal, so there’s no ultimate guide on the subject, which leaves best practices open to personal experiences and opinion. Nevertheless, the vast majority of the programming community should know about the dangers of regular expressions; dangers just like the issues Maksymilian Arciemowicz reported in GCC/Clang. That said, passing arbitrary, unfiltered regexes from an untrusted source to the regex engine should be considered as a recommended practice case of “don’t do this; it’ll blow up in your face big time”.

To further clear this up: if an application uses a perfectly reasonable, well defined regex and the application crashes because the regex engine chocked when processing certain specially crafted input, it’s (most likely) a vulnerability in the regex engine. However, if the application uses a regex thought to be well defined, efficient and trusted, but turns out to e.g. take overly long to process certain specially crafted input, while other, more efficient regexes will do the job just fine, it’s (probably) a vulnerability in the application. But if untrusted regexes are passed to the regex engine without somehow filtering them for sanity first (which is incredibly hard to do for anything but the simplest of regexes, so better to avoid it), it is violating what a lot of people believe to be recommended practice, and thus it is often not considered to be a strict vulnerability in the regex engine.

So, next time you feel inclined to pass regexes verbatim to the engine, you’ll hopefully remember that it’s not a good idea and refrain from doing so. If you have done so in the past, you should probably go ahead and fix it.

Redhat

Regular expressions and recommended practices

Whenever a security person crosses a vulnerability report, one of the the first steps is to ensure that the reported problem is actually a vulnerability. Usually, the issue falls into well known and studied categories and this step is done rather quickly. Occasionally, however, one can come across bugs where this initial triage is a bit more problematic. This blog post is about such an issue, which will ultimately lead us to the concept of “recommended practice”.

What happened?

On July 31st 2014, Maksymilian Arciemowicz of cxsecurity reported that “C++11 [is] insecure by default.”, with upstream GCC bugs 61601 and 61582. LLVM/Clang’s libc++ didn’t dodge the bullet either, more details are available in LLVM bug 20291.

Not everybody can be bothered to go through so many links, so here is a quick summary: C++11, a new C++ standard approved in 2011, introduced support for regular expressions. Regular expressions (regexes from here on) are an amazingly powerful processing tool – but one that can become extremely complex to handle correctly. Not only can the regex itself become hideous and hard to understand, but also the way how the regex engine deals with it can lead to all sorts of problems. If certain complex regexes are passed to a regex engine, the engine can quickly out-grow the available CPU and memory constraints while trying to process the expression, possibly leading to a catastrophic event, which some call ReDoS, a “regular expression denial of service”.

This is exactly what Maksymilian Arciemowicz exploits: he passes specially crafted regexes to the regex engines provided by the C++11 implementations of GCC and Clang, causing them to use a huge amount of CPU resources or even crash (e.g. due to extreme recursion, which will exhaust all the available stack space, leading to a stack-overflow).

Is it a vulnerability?

CPU exhaustion and crashes are often good indicators for a vulnerability. Additionally, the C++11 standard even suggests error return codes for the exact problems triggered, but the implementations at hand fail to catch these situations. So, this must be a vulnerability, right? Well, this is the point where opinions differ. In order to understand why, it’s necessary to introduce a new concept:

The “recommended practice” concept

“Recommended practice” is essentially a mix of common sense and dos and don’ts. A huge problem is that they are informal, so there’s no ultimate guide on the subject, which leaves best practices open to personal experiences and opinion. Nevertheless, the vast majority of the programming community should know about the dangers of regular expressions; dangers just like the issues Maksymilian Arciemowicz reported in GCC/Clang. That said, passing arbitrary, unfiltered regexes from an untrusted source to the regex engine should be considered as a recommended practice case of “don’t do this; it’ll blow up in your face big time”.

To further clear this up: if an application uses a perfectly reasonable, well defined regex and the application crashes because the regex engine chocked when processing certain specially crafted input, it’s (most likely) a vulnerability in the regex engine. However, if the application uses a regex thought to be well defined, efficient and trusted, but turns out to e.g. take overly long to process certain specially crafted input, while other, more efficient regexes will do the job just fine, it’s (probably) a vulnerability in the application. But if untrusted regexes are passed to the regex engine without somehow filtering them for sanity first (which is incredibly hard to do for anything but the simplest of regexes, so better to avoid it), it is violating what a lot of people believe to be recommended practice, and thus it is often not considered to be a strict vulnerability in the regex engine.

So, next time you feel inclined to pass regexes verbatim to the engine, you’ll hopefully remember that it’s not a good idea and refrain from doing so. If you have done so in the past, you should probably go ahead and fix it.