Headline
CVE-2016-9840: MOSS/Secure Open Source/Completed - MozillaWiki
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Secure Open Source has completed the following audits.
Contents
- 1 2019
- 1.1 tcpdump & libpcap
- 1.2 libssh
- 2 2018
- 2.1 graphite
- 2.2 Thunderbird and Enigmail
- 2.3 SimpleSAMLphp
- 2.4 oauth2-server
- 2.5 Knot DNS
- 3 2017
- 3.1 CakePHP
- 3.2 chrony
- 3.3 expat
- 3.4 GNU libmicrohttpd
- 3.5 oauth2-server
- 3.6 dovecot
- 3.7 ntp
- 3.8 ntpsec
- 4 2016
- 4.1 PCRE
- 4.2 libjpeg-turbo
- 4.3 phpMyAdmin
- 4.4 dnsmasq
- 4.5 zlib
- 4.6 curl
2019****tcpdump & libpcap
Dates: 2019
tcpdump & libpcap are a powerful command-line packet analyzer and a portable C/C++ library for network traffic capture, respectively. The audit was performed by Michael Richardson.
The team found the following problems:
- 8 Verified Fixes
The documents are as follows:
- Audit report
- Fix and validation log
libssh
Dates: 2019
libshh is a multiplatform C library implementing the SSHv2 protocol on client and server side. The audit was performed by Cure53.
The team found the following problems:
- 1 Critical
- 1 Medium
- 7 Low
- 3 Informational
The documents are as follows:
- Audit report
- Fix and validation log
2018****graphite
Dates: August 2018
graphite is "a “smart font” system developed specifically to handle the complexities of lesser-known languages of the world. The audit was performed by Radically Open Security.
The team found the following problems:
- 1 Elevated
- 9 Moderate
- 11 Low
The documents are as follows:
- Audit report
- Fix and validation log
Thunderbird and Enigmail
Dates: January 2018
Thunderbird and Enigmail work together to provide a free, simple interface for OpenPGP email security. The audit was performed by Cure53.
The team found the following problems:
- 3 Critical
- 3 High
- 3 Medium
The documents are as follows:
- Audit report
- Fix and validation log
SimpleSAMLphp
Dates: January 2018
SimpleSAMLphp is an application written in native PHP that deals with authentication. The audit was performed by Cure53.
The team found the following problems:
- 1 Critical
- 3 Medium
- 1 Informational
The documents are as follows:
- Audit report
- Fix and validation log
oauth2-server
Dates: September 2017 - February 2018
oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in PHP. The audit was performed by Least Authority.
The team found the following problems:
- 1 High
- 3 Medium
- 1 Low
- 2 Informational
The documents are as follows:
- Audit report
- Fix and validation log
Knot DNS
Dates: September 2017 - January 2018
Knot DNS is a high-performance authoritative-only DNS server which supports all key features of the modern domain name system. Also audited was Knot Resolver, a caching full DNS resolver implementation, including both a resolver library and a daemon. The audit was performed by Least Authority.
The team found the following problems:
- 4 Medium
- 7 Low
- 2 Informational
Least Authority made the following comment on the code quality: “Overall, we found the code to be well structured and cleanly written. Additionally Knot makes good use of available tools, such as fuzzers and compiler sanitizers.”
The documents are as follows:
- Audit report
- Fix and validation log
2017****CakePHP
Dates: July - November 2017
CakePHP is an open source web framework in PHP. The audit was performed by NCC Group.
The team found the following problems:
- 1 High
- 5 Medium
- 9 Low
- 5 Informational
The documents are as follows:
- Audit report
- Fix and validation log
chrony
Dates: June - September 2017
chrony is an implementation of the Network Time Protocol, used either to set the time on a particular machine or act as an NTP server for other machines on the network. The audit was performed by Cure53, and kindly funded by CII.
The team found the following problems:
- 2 Low
Cure53 write: The overwhelmingly positive result of this security assignment performed by three Cure53 testers can be clearly inferred from a marginal number and low-risk nature of the findings amassed in this report. Withstanding eleven full days of on-remote testing in August of 2017 means that Chrony is robust, strong, and developed with security in mind. The software boasts sound design and is secure across all tested areas. It is quite safe to assume that untested software in the Chrony family is of a similarly exceptional quality. In general, the software proved to be well-structured and marked by the right abstractions at the appropriate locations. While the functional scope of the software is quite wide, the actual implementation is surprisingly elegant and of a minimal and just necessary complexity. In sum, the Chrony NTP software stands solid and can be seen as trustworthy.
The documents are as follows:
- Audit report
- Fix and validation log
expat
Dates: February - July 2017
expat is a stream-oriented XML parser library written in C. The audit was performed by Radically Open Security.
The team found the following problems:
- 4 Medium
- 3 Low
The documents are as follows:
- Audit report
- Fix and validation log
GNU libmicrohttpd
Dates: January - May 2017
GNU libmicrohttpd is a small embeddable HTTP 1.1 server written in C which supports TLS and IPv6. The audit was performed by Least Authority.
The team found the following problems:
- 1 Medium
- 2 Low
- 1 Informational
The documents are as follows:
- Audit report
- Fix and validation log
oauth2-server
Dates: December 2016 - January 2017
oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in PHP. The audit was performed by independent auditor Brian Carpenter.
The team found the following problems:
- 1 Low
There is no fix and validation log; the subsystem in which the issue was found is being removed.
- Audit report
dovecot
Dates: October 2016 - January 2017
dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server deployments worldwide. The audit was performed by Cure53.
The team found the following problems:
- 3 Low
The Cure53 team were extremely impressed with the quality of the dovecot code. They wrote: “Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.”
- Audit report
- Fix and validation log
- Developer blog post
ntp
Dates: December 2016 - March 2017
ntp is a implementation of the Network Time Protocol. The audit was performed by Cure53.
The team found the following problems:
- 1 Critical
- 2 High
- 1 Medium
- 8 Low
- 2 Informational
This audit was performed at the same time as an audit of ntpsec, which is based on a version of the ntp code.
- Audit report
- Fix and validation log
- Developer security announcement
ntpsec
Dates: December 2016 - March 2017
ntpsec is a implementation of the Network Time Protocol, a fork of ntp. The audit was performed by Cure53.
The team found the following problems:
- 3 High
- 1 Medium
- 3 Low
- 1 Informational
This audit was performed at the same time as an audit of ntp, of which this codebase is a fork.
- Audit report
- Fix and validation log
- Developer blog post
2016****PCRE
Dates: October 2015 - June 2016
PCRE (Perl-Compatible Regular Expressions) is a C library for implementing regular expressions in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by Cure53.
The team found the following problems:
- 1 Critical
- 5 Medium
- 20 Low
- 3 Informational
The critical vulnerability was a stack buffer overflow which could have led to arbitrary code execution when compiling untrusted regular expressions.
- Audit report
- Fix and validation log
libjpeg-turbo
Dates: November 2015 - June 2016
libjpeg-turbo is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by Cure53.
The team found the following problems:
- 1 High
- 2 Medium
- 2 Low
The high vulnerability was an out-of-bounds read. It is unclear exactly how exploitable it was. However, more interesting were the two medium vulnerabilities, which were initially reported as DoS bugs in the libjpeg-turbo library but on further investigation were found to be issues with the JPEG standard itself. These issues were reproduced across multiple JPEG implementations, can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself. We have written up these issues in a separate report, along with our suggestions as to how applications using JPEG can mitigate them in their own code.
- Audit report
- Fix and validation log
- Special report on issues in the JPEG standard
phpMyAdmin
Dates: May - June 2016
phpMyAdmin is a web-based administration tool for MySQL databases. The audit was performed by NCC Group.
The team found the following problems:
- 3 Medium
- 5 Low
- 1 Informational
NCC Group found no serious issues in this codebase.
- Audit report
- Fix and validation log
- Developer blog post
dnsmasq
Dates: May - August 2016
dnsmasq is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by Cure53.
The team found the following problems:
1 Medium
5 Low
Audit report
Fix and validation log
zlib
Dates: July - September 2016
zlib is a compression library implementing the ‘deflate’ compression algorithm, used in countless applications. The audit was performed by Trail of Bits.
The team found the following problems:
1 Medium
4 Low
Audit report
Fix and validation log
One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation.
curl
Dates: August - November 2016
curl is a command-line application for transferring data, most usually over HTTP or HTTPS. The audit was performed by Cure53.
The team found the following problems:
- 4 High
- 5 Medium
- 9 Low
- 5 Informational
8 of the vulnerabilities resulted in security advisories being produced by the curl team on November 2nd, 2016.
- Audit report
- Fix and validation log
- Developer blog post
Related news
Ubuntu Security Notice 6736-1 - It was discovered that zlib, vendored in klibc, incorrectly handled pointer arithmetic. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled memory when performing certain deflating operations. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).