Bug 1006752 - (CVE-2013-4256, CVE-2013-4258) CVE-2013-4256 CVE-2013-4258 nas: multiple vulnerabilities
CVE-2013-4256 CVE-2013-4258 nas: multiple vulnerabilities
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130909,repor...
: Security
Depends On: 1006754 1006753
Blocks: 1006756
  Show dependency treegraph
 
Reported: 2013-09-11 04:54 EDT by Ratul Gupta
Modified: 2014-01-27 03:36 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2013-09-11 04:54:03 EDT
recently someone reported some vulnerabilities in Network Audio System (NAS) -
v1.9.3

These vulnerabilities reported at :

http://radscan.com/pipermail/nas/2013-August/001270.html

and 3 fix on upstream :

https://sourceforge.net/p/nas/code/288/
https://sourceforge.net/p/nas/code/287/
https://sourceforge.net/p/nas/code/289/
Comment 1 Ratul Gupta 2013-09-11 04:58:25 EDT
Created nas tracking bugs for this issue:

Affects: fedora-all [bug 1006753]
Affects: epel-all [bug 1006754]
Comment 2 Ratul Gupta 2013-09-11 23:47:28 EDT
Further description about the flaw is:

* buffer overflow can happen at wrong display command argument
* buffer overflow can happen when using getenv and not checking its size
* heap overflow can happen when using getenv and not checking its size
* possible buffer overflows may occur when the size of a buffer is not checked
* format string vulnerability may occur in syslog() calls
* possible race condition and symlink attack
Comment 3 Agostino Sarubbo 2013-09-14 03:07:40 EDT
Buffer Overflows please use CVE-2013-4256
Heap Overflow please use CVE-2013-4257
Format String please use CVE-2013-4258

http://www.openwall.com/lists/oss-security/2013/08/19/3
Comment 4 Petr Pisar 2013-09-16 09:27:24 EDT
Each issue fixed with following upstream commits (in order of original upstream report):

- buffer overflow can happend at wrong display command argument
    (server/os/utils.c: ProcessCommandLine())
    Upstream fix: r287

- buffer overflow can happend at wrong display command argument
    (server/os/access.c: ResetHosts())
    Upstream fix: r288

- buffer overflow can happend at wrong display command argument
    (server/os/connection.c: open_unix_socket())
    Upstream fix: r288

- buffer overflow can happend at wrong display command argument
    (server/os/connection.c: open_isc_local())
    Upstream fix: r288

- buffer overflow can happend at wrong display command argument
    (server/os/connection.c: open_xsight_local())
    Upstream fix: r288

- buffer overflow can happend at wrong display command argument
    (server/os/connection.c: open_att_local())
    Upstream fix: r288

- buffer overflow can happend at wrong display command argument
    (server/os/connection.c: open_att_svr4_local())
    Upstream fix: r288

- buffer overflow can happen when using getenv and not checking its size
    (server/os/connection.c: CreateWellKnownSockets())
    Upstream fix: r288

- buffer overflow can happen when using getenv and not checking its size
    (server/os/connection.c: AmoebaTCPConnectorThread())
    Upstream fix: r288

- heap overflow can happen when using getenv and not checking its size
    (server/os/connection.c: AmoebaConnectorThread())
    Upstream fix: r288

- format string vulnerability may occur in syslog() calls
    (server/os/aulog.c:40 osLogMsg())
    Upstream fix: r285

- possible buffer overflows may occur when the size of a buffer is not checked
    (server/os/aulog.c:27 osLogMsg())
    Upstream fix: r288

- possible race condition and symlink attack
    (server/os/connection.c: MNX_open_tcp_socket())
    Upstream fix: r289

I raised some questions <http://radscan.com/pipermail/nas/2013-September/001316.html> regarding completeness of the fixes (possibility to read or unlink random-named file), and upstream does not rate it as a security issue. I agree with him and I consider upstream commits r285, r287, r288, and r289 as sufficient.
Comment 5 Fedora Update System 2013-09-26 02:24:07 EDT
nas-1.9.3-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-09-26 20:32:47 EDT
nas-1.9.3-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-09-26 20:40:06 EDT
nas-1.9.3-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Vincent Danen 2013-10-09 12:44:15 EDT
CVE-2013-4257 was rejected and merged with CVE-2013-4256:


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4257 to
the following vulnerability:

Name: CVE-2013-4257
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4257
Assigned: 20130612

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2013-4256.  Reason:
This issue was MERGED into CVE-2013-4256 because it is the same type
of vulnerability.  Notes: All CVE users should reference CVE-2013-4256
instead of this candidate.  All references and descriptions in this
candidate have been removed to prevent accidental usage.

Note You need to log in before you can comment on or make changes to this bug.