Bug 692213
| Summary: | Erlang: Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | gemi, lemenkov, rhbugs, uwe |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-19 21:48:23 UTC | Type: | --- |
| Bug Depends On: | 692216, 692217, 692218 | ||
Description
Jan Lieskovsky
2011-03-30 17:38:50 UTC
Some initial review (see [5] and [6] for follow-up / real count of CVEs):
=========================================================================
crypto:
- 1), multiple memory leaks OTP-8810
Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
Note: Hard to tell if has security implications, but
from the patch looks certain memory content leaks were possible
- 2), rc4 not working correctly (silent data corruption) OTP-8781
Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
Note: Seems to be just bugfix
From the patch log: RC4 stream cipher didn't work.
erl_interface:
- 3), ei: prevent overflow in ei_connect_init and ei_xconnect OTP-8814
Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
Note: security, stack based buffer overflow possible
- 4), erl_call: fix multiple buffer overflows OTP-8827
Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
Note: security, multiple heap overflows possible
- 5), Check the length of the node name to prevent an overflow OTP-8943
Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
Note: security
- 6), erl_term_len() in erl_interface could returned wrong length OTP-8945
Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
Note: Hard to tell if has security implications
erts:
- 7), error with list_to_float("1.0e-324") in some VMs OTP-7178
Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
Note: ignore underflow in list_to_float and return 0.0
- 8), Fix faulty 64-bit integer term output from drivers (crash or silent
data corruption) OTP-8716
Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
Note: security
- 9), gen_udp:connect/3 was broken for SCTP enabled builds. OTP-8729
Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
Note: seems to be just bugfix
- 10), Removed some potential vulnerabilities from epmd OTP-8780
Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
Note: security
From patch log: Remove two buffer overflow vulnerabilities in EPMD
- 11), wrong return code for http sockets {ok,{http_error,String}} OTP-8831
Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
Note: seems to be just bugfix
- 12), Multiple Buffer overflows have been prevented OTP-8892
Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
Note: security
From patch log:
* ms/security-fixes: erlc: remove unused variable,
typer: prevent buffer overflows, run_test: prevent buffer overflow,
heart: prevent buffer overflow, escript: prevent buffer overflows,
erlexec: prevent buffer overflows, erlc: prevent buffer overflows,
dialyzer: prevent buffer overflows
- 13), The ERTS internal rwlock implementation could get into an
inconsistent state OTP-8925
Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
Note: Assertion failure, but not sure if exploitable for DoS
- 14), Some malformed distribution messages could cause VM to crash OTP-8993
Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
Note: security
From patch log: Teach VM not to dump core on bad dist message structure
- 15), A bug in the exit/2 BIF could potentially cause an emulator crash
OTP-9005
Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
Note: Not sure if has security implications
- 16), Potentially emulator crash when deleting an ETS-table OTP-8999
Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
Note: Not sure if has security implications
- 17), Attempting to create binaries exceeding 2Gb (using for
example term_to_binary/1) would crash the emulator OTP-9117
Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
Note: Hard to tell if has security implications
hipe:
- 18), Fix bug in the simplification of inexact comparisons OTP-9101
Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
Note: Seems to be just bugfix
kernel:
- 19), inet:getsockopt for SCTP sctp_default_send_param, random answers
OTP-8795
Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
Note: Seems to be just bugfix
stdlib:
- 20), race condition/silent data corruption in dets OTP-8898
Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
Note: Hard to tell if has security implications
Note: It is possible there are more of them, those I just missed.
=====
The best way to address these seems to be to rebase the particular
erlang version.
These issues affect the versions of the erlang package, as present within EPEL-4, EPEL-5 and EPEL-6 repositories. Please schedule an update / rebase.
--
These issues do NOT affect the versions of the erlang package, as shipped with Fedora release of 13 and 14 (they were rebased to latest upstream version already and will appear in public repositories soon).

Created erlang tracking bugs for this issue

Affects: epel-4 [bug 692216]
Affects: epel-5 [bug 692217]
Affects: epel-6 [bug 692218]

(In reply to comment #3)
> Created erlang tracking bugs for this issue
>
> Affects: epel-4 [bug 692216]

^^^ This one is bogus and should be closed. We won't ship Erlang/OTP R14 for EL-4.

> Affects: epel-5 [bug 692217]

^^^ Same here. We still ship R12B in EL-5.

I personally would like to upgrade, but I'm afraid that we may break compatibility while pushing R14B as an update for R12B. However I've heard multiple requests for such upgrade from different people.

> Affects: epel-6 [bug 692218]

I'll take care of it.

Hi Peter,

thanks for your reaction.

(In reply to comment #4)
> (In reply to comment #3)
> > Created erlang tracking bugs for this issue
> >
> > Affects: epel-4 [bug 692216]
>
> ^^^ This one is bogus and should be closed. We won't ship Erlang/OTP R14 for
> EL-4.

Closed that one, reasonable.

> > Affects: epel-5 [bug 692217]
>
> ^^^ Same here. We still ship R12B in EL-5.
>
> I personally would like to upgrade, but I'm afraid that we may break
> compatibility while pushing R14B as an update for R12B. However I've heard
> multiple requests for such upgrade from different people.

Who should decide if it's safe to rebase or not?

> > Affects: epel-6 [bug 692218]
>
> I'll take care of it.

Brilliant, thank you.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

AFAICT, we would be fine if we had R14B02 everywhere we formerly had some other R14xxxxx. Correct?

Is it urgent to update rawhide as well?

The rawhide R14B02 build is currently waiting on a fop fix for the doc build. As a workaround, we could activate the tarballed prebuilt docs for rawhide.

I have just built a new rawhide package erlang-R14B-02.2.fc16 (updating from erlang-R14B-01.something) using tarballed docs.