From theall at tenable.com Tue Dec 4 14:59:32 2012
From: theall at tenable.com (George A. Theall)
Date: Tue, 4 Dec 2012 15:59:32 -0500
Subject: [VIM] Oracle MySQL 'acl_get()' Buffer Overflow Vulnerability
Message-ID: <80A97DAE-2891-478B-8246-9671F1738CE6@tenable.com>

There are currently two recent BIDs involving a buffer overflow in MySQL / MariaDB: 56750 and 56769. The latter specifically mentions the 'acl_get()' function while the older does not have much in the way of details. Cross-referencing the CVEs, though, suggests they're the same issue, taking into account that Mitre had rejected CVE-2012-5579 and points people to CVE-2012-5611 instead.

Venkat or Rob: are there plans to retire one of these BIDs?

George
--
theall at tenable.com


From venkat_kantha at securityfocus.com Wed Dec 5 11:34:25 2012
From: venkat_kantha at securityfocus.com (venkat)
Date: Wed, 05 Dec 2012 23:04:25 +0530
Subject: [VIM] Oracle MySQL 'acl_get()' Buffer Overflow Vulnerability
In-Reply-To: <80A97DAE-2891-478B-8246-9671F1738CE6@tenable.com>
References: <80A97DAE-2891-478B-8246-9671F1738CE6@tenable.com>
Message-ID: <50BF85A1.3060606@securityfocus.com>

Updated BID: 56769 with MariaDB information and retired BID: 56750 as a duplicate.

Thanks George!!

Regards
Venkat

On 05/12/12 02:29, George A. Theall wrote:
> There are currently two recent BIDs involving a buffer overflow in MySQL / MariaDB: 56750 and 56769. The latter specifically mentions the 'acl_get()' function while the older does not have much in the way of details. Cross-referencing the CVEs, though, suggests they're the same issue, taking into account that Mitre had rejected CVE-2012-5579 and points people to CVE-2012-5611 instead.
>
> Venkat or Rob: are there plans to retire one of these BIDs?
>
> George
>


From brian at opensecurityfoundation.org Wed Dec 12 15:14:05 2012
From: brian at opensecurityfoundation.org (Brian Martin)
Date: Wed, 12 Dec 2012 14:14:05 -0700
Subject: [VIM] Two Firefox vulnerabilities from VUPEN and problems matching
Message-ID: <50C8F39D.7000007@opensecurityfoundation.org>

VUPEN announced two bugs in Mozilla Firefox. After discussion with Dan Veditz at Mozilla, with input from CVE, we cannot be absolutely sure these are new vulnerabilities. Dan has looked at comments from Chaouki Bekrar of VUPEN (via Twitter) and made his best guess. This mail outlines what we know, and what we believe. I am sharing it with the list in case anyone has input, or VUPEN can clarify any more.

Mozilla Firefox "DocumentViewerImpl" Class Remote Use-After-Free Vulnerability
http://seclists.org/bugtraq/2012/Nov/93
https://twitter.com/cBekrar/status/275520998374244353
https://twitter.com/cBekrar/status/275949289967087616

Dan did some digging and said that "the only patch to the file containing the function mentioned --DocumentViewerImpl::Show()--was for bug 790856, an internally-found use-after-free involving that function. We fixed the bug we found as part of CVE-2012-3982 which was announced in http://www.mozilla.org/security/announce/2012/mfsa2012-74.html"

He also said the one big discrepancy was that vulnerability was fixed in Firefox 16, and VUPEN claims their bug affects Firefox before 17. Between 16 and 17, no patches were committed related to the DocumentViewer, certainly no security fixes. Based on that, he believes this is the same bug but is awaiting any confirmation from VUPEN.

Bekrar cites CVE-2012-4217 for the DocumentViewerImpl use-after-free, which we track as "nsViewManager::ProcessPendingUpdates() Function Use-after-free" and affecting multiple products. Dan indicates that the nsViewManager touched in that patch holds a reference to the DocumentViewerImpl, but he would have to do more digging to verify that. He also said that vulnerability was a Firefox 17 problem, where VUPEN's original advisory says it affects the ESR branch too.

This is the patch in question:
https://hg.mozilla.org/releases/mozilla-beta/rev/c97fa88a0069

Mozilla Firefox "imgRequestProxy" Remote Use-After-Free Vulnerability
http://seclists.org/bugtraq/2012/Nov/109
https://twitter.com/cBekrar/status/275520998374244353
https://twitter.com/cBekrar/status/275949289967087616

Dan looked into this one as well, and thinks it may be bug 802168 which fixed a use-after-free in imgRequestProxy in Firefox 17 and 10.0.11. He followed up saying "We didn't hit the problem in the OnStopRequest() method specifically but given the nature of the bug that could depend on the PoC." If that is the same vulnerability, then it is covered by CVE-2012-5842 in MFSA2012-91.

After Chaouki replied on Twitter, Dan doesn't think that CVE-2012-5829 is correct for the imgRequestProxy bug at all. He says that bug is "Linux/Gtk only, and the stacks for that bug go nowhere near the image library." He says that was patched in both releases as their advisory says, making it seem like a good match.

This is the relevant patch:
https://hg.mozilla.org/releases/mozilla-esr10/rev/53363548ad9b

VUPEN has the testcases and can try builds with only those patches to verify if these are truly new vulnerabilities, or related to the previously patched ones. Hopefully they can provide insight into this matter.

Based on the two posts, CVE and OSVDB do not have enough actionable details to warrant adding new entries to our databases. If VUPEN can confirm these are new issues, we will of course add entries right away.

Brian
OSVDB / OSF


From jericho at attrition.org Fri Dec 21 14:55:54 2012
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 21 Dec 2012 14:55:54 -0600 (CST)
Subject: [VIM] BID entries need retiring?
Message-ID:

BID team;

We recently noticed that you create an entry as a pre-release tracker for Microsoft patch Tuesday (and Oracle as well), and then retire the entry after the information comes out and new entries are created.

e.g. BID 56450 & 54944

In that theme, there are some previous entries like this that don't appear to have been retired, that likely should unless there is something different about them?

37664 - Jan 2010
49515 - Sep 2011
50513 - Nov 2011
50980 - Dec 2011
54318 - Jul 2012
55472 - Sep 2012
55794 - Oct 2012
55888 - Oct 2012 (Oracle)
56838 - Dec 2012

Also, noticed 25247, 22008, 24771, 26380, 28124, 31667, and 32153 use "Retired" instead of the normal more prominent "RETIRED"

.b


From brian at opensecurityfoundation.org Fri Dec 21 21:33:48 2012
From: brian at opensecurityfoundation.org (Brian Martin)
Date: Fri, 21 Dec 2012 20:33:48 -0700
Subject: [VIM] Fwd: Question about advisory and discrepancy between IBM / XForce
In-Reply-To: <50CB7CB9.6000300@opensecurityfoundation.org>
References: <50CB7CB9.6000300@opensecurityfoundation.org>
Message-ID: <50D52A1C.7000408@opensecurityfoundation.org>

I got a bounce from the xforce at iss.net address that worked for so many years. No reply from IBM PSIRT yet. XForce now wants contact via a form that asks for name, phone number, address, and more, because it is a sales form that I am not going to waste time with. Throwing this out in case anyone else has insight.

-------- Original Message --------
Subject: Question about advisory and discrepancy between IBM / XForce
Date: Fri, 14 Dec 2012 12:23:37 -0700
From: Brian Martin
To: psirt at vnet.ibm.com
CC: Daniel Moeller, ISS XForce

IBM & X-Force;

The Nov 19, 2012 advisory on IBM Power 5 Systems [1] describes a flaw where firewall rules are not always executed, leading to network configurations allowing for privileged connections that would otherwise be denied. This advisory references CVE-2012-4856 and ISS XF 79736.

ISS XF 79736 [2] describes the flaw as multiple default accounts, and also references CVE-2012-4856. These are two fairly distinct and different issues, that should not receive the same CVE assignment. Could one of you clarify if there are really two issues here, or if there is miscommunication between departments in documenting the vulnerability?

Thanks,

Brian Martin
OSF / OSVDB.org

[1] http://aix.software.ibm.com/aix/efixes/security/squadrons_advisory.asc
[2] http://xforce.iss.net/xforce/xfdb/79736


From jericho at attrition.org Fri Dec 28 21:47:45 2012
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 28 Dec 2012 21:47:45 -0600 (CST)
Subject: [VIM] BID 57053 provenance?
Message-ID:

http://www.securityfocus.com/bid/57053/info

Published: Dec 26 2012 12:00AM

no CVE, no vulnerable version, no 'not' vulnerable version.

http://www.securityfocus.com/bid/57053/solution

A vendor patch is available. Please see the references for more information.

http://www.securityfocus.com/bid/57053/references

NuSOAP - Homepage (NuSOAP)

There is basically no actionable information here. Going to the vendor page, we see that the last version is apparently 0.9.5, which was updated 2010-04-26. Saying a patch is available and linking to the vendor page is a bit vague.

Browsing their CVS:

http://nusoap.cvs.sourceforge.net/viewvc/nusoap/lib/
http://nusoap.cvs.sourceforge.net/viewvc/nusoap/docs/
http://nusoap.cvs.sourceforge.net/viewvc/nusoap/samples/
http://nusoap.cvs.sourceforge.net/viewvc/nusoap/tools/

Nothing has been updated in some time. A brief Google search doesn't have any obvious hits.

Could BID elaborate on where it found the information on this, and add it as a reference?

Thanks,

jericho