Bug 692213 - Erlang: Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 692216 692217 692218
Reported: 2011-03-30 17:38 UTC by Jan Lieskovsky
Modified: 2021-10-19 21:48 UTC (History)
Last Closed: 2021-10-19 21:48:23 UTC

Description Jan Lieskovsky 2011-03-30 17:38:50 UTC
Based on:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857

and:
[2] http://www.erlang.org/download/otp_src_R14B.readme
[3] http://www.erlang.org/download/otp_src_R14B01.readme
[4] http://www.erlang.org/download/otp_src_R14B02.readme

there were multiple security fixes in Erlang/OTP R14, 
Erlang/OTP R14B01, Erlang/OTP R14B02 versions.

The exact number of security flaws and their particular
CVE identifiers will be specified later (currently ongoing
communication with upstream).

References:
[5] http://www.openwall.com/lists/oss-security/2011/03/30/2
[6] http://www.openwall.com/lists/oss-security/2011/03/30/3

Comment 1 Jan Lieskovsky 2011-03-30 17:47:20 UTC
Some initial review (see [5] and [6] for follow-up / real count of CVEs):
=========================================================================

crypto:
   - 1), multiple memory leaks OTP-8810
     Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
     Note: Hard to tell if it has security implications, but from the
           patch it looks like certain memory content leaks were possible

   - 2), rc4 not working correctly (silent data corruption) OTP-8781
     Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
     Note: Seems to be just bugfix
     From the patch log: RC4 stream cipher didn't work.

erl_interface:
   - 3), ei: prevent overflow in ei_connect_init and ei_xconnect OTP-8814
     Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
     Note: security, stack based buffer overflow possible

   - 4), erl_call: fix multiple buffer overflows OTP-8827
     Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
     Note: security, multiple heap overflows possible

   - 5), Check the length of the node name to prevent an overflow OTP-8943
     Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
     Note: security

   - 6), erl_term_len() in erl_interface could return wrong length OTP-8945
     Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
     Note: Hard to tell if has security implications

erts:
   - 7), error with list_to_float("1.0e-324") in some VMs OTP-7178
     Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
     Note: ignore underflow in list_to_float and return 0.0

   - 8), Fix faulty 64-bit integer term output from drivers (crash or silent
         data corruption) OTP-8716
     Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
     Note: security

   - 9), gen_udp:connect/3 was broken for SCTP enabled builds. OTP-8729
     Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
     Note: seems to be just bugfix

   - 10), Removed some potential vulnerabilities from epmd OTP-8780
     Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
     Note: security
     From patch log: Remove two buffer overflow vulnerabilities in EPMD

   - 11), wrong return code for http sockets {ok,{http_error,String}} OTP-8831
     Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
     Note: seems to be just bugfix

   - 12), Multiple Buffer overflows have been prevented OTP-8892
     Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
     Note: security
     From patch log:
       * ms/security-fixes: erlc: remove unused variable,
         typer: prevent buffer overflows, run_test: prevent buffer overflow,
         heart: prevent buffer overflow, escript: prevent buffer overflows,
         erlexec: prevent buffer overflows, erlc: prevent buffer overflows,
         dialyzer: prevent buffer overflows

   - 13), The ERTS internal rwlock implementation could get into an
          inconsistent state OTP-8925
     Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
     Note: Assertion failure, but not sure if exploitable for DoS

   - 14), Some malformed distribution messages could cause VM to crash OTP-8993
     Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
     Note: security
     From patch log: Teach VM not to dump core on bad dist message structure

   - 15), A bug in the exit/2 BIF could potentially cause an emulator crash
          OTP-9005
     Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
     Note: Not sure if has security implications

   - 16), Potentially emulator crash when deleting an ETS-table OTP-8999
     Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
     Note: Not sure if has security implications

   - 17), Attempting to create binaries exceeding 2Gb (using for
          example term_to_binary/1) would crash the emulator OTP-9117
     Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
     Note: Hard to tell if has security implications

hipe:
   - 18), Fix bug in the simplification of inexact comparisons OTP-9101
     Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
     Note: Seems to be just bugfix

kernel:
   - 19), inet:getsockopt for SCTP sctp_default_send_param, random answers
          OTP-8795
     Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
     Note: Seems to be just bugfix

stdlib:
   - 20), race condition/silent data corruption in dets OTP-8898
     Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
     Note: Hard to tell if has security implications


Note: It is possible there are more of them that I just missed.
      The best way to address these seems to be to rebase the particular
      erlang version.

Comment 2 Jan Lieskovsky 2011-03-30 17:49:25 UTC
These issues affect the versions of the erlang package, as present
within EPEL-4, EPEL-5 and EPEL-6 repositories. Please schedule an
update / rebase.

--

These issues do NOT affect the versions of the erlang package, as shipped
with Fedora releases 13 and 14 (they were rebased to latest upstream
version already and will appear in public repositories soon).

Comment 3 Jan Lieskovsky 2011-03-30 17:51:09 UTC
Created erlang tracking bugs for this issue

Affects: epel-4 [bug 692216]
Affects: epel-5 [bug 692217]
Affects: epel-6 [bug 692218]

Comment 4 Peter Lemenkov 2011-03-30 18:02:00 UTC
(In reply to comment #3)
> Created erlang tracking bugs for this issue
> 
> Affects: epel-4 [bug 692216]

^^^ This one is bogus and should be closed. We won't ship Erlang/OTP R14 for EL-4.

> Affects: epel-5 [bug 692217]

^^^ Same here. We still ship R12B in EL-5.

I personally would like to upgrade, but I'm afraid that we may break compatibility while pushing R14B as an update for R12B. However, I've heard multiple requests for such an upgrade from different people.

> Affects: epel-6 [bug 692218]

I'll take care of it.

Comment 5 Jan Lieskovsky 2011-03-30 18:31:39 UTC
Hi Peter,

  thanks for your reaction.

(In reply to comment #4)
> (In reply to comment #3)
> > Created erlang tracking bugs for this issue
> > 
> > Affects: epel-4 [bug 692216]
> 
> ^^^ This one is bogus and should be closed. We won't ship Erlang/OTP R14 for
> EL-4.

Closed that one, reasonable.

> 
> > Affects: epel-5 [bug 692217]
> 
> ^^^ Same here. We still ship R12B in EL-5.
> 
> I personally would like to upgrade, but I'm afraid that we may break
> compatibility while pushing R14B as an update for R12B. However, I've heard
> multiple requests for such an upgrade from different people.

Who should decide if it's safe to rebase or not?

> 
> > Affects: epel-6 [bug 692218]
> 
> I'll take care of it.

Brilliant, thank you.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 6 Hans Ulrich Niedermann 2011-03-31 22:35:25 UTC
AFAICT, we would be fine if we had R14B02 everywhere we formerly had some other R14xxxxx. Correct?

Is it urgent to update rawhide as well? The rawhide R14B02 build is currently waiting on a fop fix for the doc build. As a workaround, we could activate the tarballed prebuilt docs for rawhide.

Comment 7 Hans Ulrich Niedermann 2011-04-01 00:08:19 UTC
I have just built a new rawhide package erlang-R14B-02.2.fc16 (updating from erlang-R14B-01.something) using tarballed docs.

