oss-sec mailing list archives
CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 30 Mar 2011 19:13:37 +0200
Hello Steve, vendors,

based on:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
and:
[2] http://www.erlang.org/download/otp_src_R14B.readme
[3] http://www.erlang.org/download/otp_src_R14B01.readme
[4] http://www.erlang.org/download/otp_src_R14B02.readme

I performed some initial issue review -- erlang-CVE-request.txt attached. But since I am not sure which of those are real security flaws and how many CVE ids will be needed for those, I am also Cc-ing the Erlang upstream developers to shed more light into this.

The distribution of OTPs is as follows:
=======================================
Rickard Green: OTP-8810, OTP-8781, OTP-8925, OTP-9005, OTP-8999
Bjorn-Egil Dahlberg: OTP-8814, OTP-8827, OTP-8943
Sverker Eriksson: OTP-8945, OTP-8716
Patrik Nyblom: OTP-7178, OTP-8780, OTP-8993
Raimo Niskanen: OTP-8729, OTP-8795
Bjorn Gustavsson: OTP-8831, OTP-8892, OTP-9117
Niclas Axelsson: OTP-9101
Hans Bolinder: OTP-8898

Rickard, Bjorn-Egil, Sverker, Patrik, Raimo, Bjorn, Niclas, Hans, could you please have a look at the attached review file and reply which of the #20 OTPs in the list are security flaws (so we would know the count of CVE identifiers needed) and which are just bugs? (since you know the Erlang code better than me)

Help / guidance from your side is really appreciated to resolve this one.

Thank you in advance for your time and cooperation.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
crypto:

- 1), multiple memory leaks
  OTP-8810
  Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
  Note: Hard to tell if it has security implications, but from the patch it looks like certain memory content leaks were possible

- 2), rc4 not working correctly (silent data corruption)
  OTP-8781
  Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
  Note: Seems to be just a bugfix
  From the patch log: RC4 stream cipher didn't work.

erl_interface:

- 3), ei: prevent overflow in ei_connect_init and ei_xconnect
  OTP-8814
  Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
  Note: security, stack based buffer overflow possible

- 4), erl_call: fix multiple buffer overflows
  OTP-8827
  Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
  Note: security, multiple heap overflows possible

- 5), Check the length of the node name to prevent an overflow
  OTP-8943
  Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
  Note: security

- 6), erl_term_len() in erl_interface could return wrong length
  OTP-8945
  Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
  Note: Hard to tell if it has security implications

erts:

- 7), error with list_to_float("1.0e-324") in some VMs
  OTP-7178
  Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
  Note: ignore underflow in list_to_float and return 0.0

- 8), Fix faulty 64-bit integer term output from drivers (crash or silent data corruption)
  OTP-8716
  Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
  Note: security

- 9), gen_udp:connect/3 was broken for SCTP enabled builds.
  OTP-8729
  Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
  Note: seems to be just a bugfix

- 10), Removed some potential vulnerabilities from epmd
  OTP-8780
  Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
  Note: security
  From the patch log: Remove two buffer overflow vulnerabilities in EPMD

- 11), wrong return code for http sockets {ok,{http_error,String}}
  OTP-8831
  Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
  Note: seems to be just a bugfix

- 12), Multiple Buffer overflows have been prevented
  OTP-8892
  Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
  Note: security
  From the patch log:
  * ms/security-fixes:
    erlc: remove unused variable,
    typer: prevent buffer overflows,
    run_test: prevent buffer overflow,
    heart: prevent buffer overflow,
    escript: prevent buffer overflows,
    erlexec: prevent buffer overflows,
    erlc: prevent buffer overflows,
    dialyzer: prevent buffer overflows

- 13), The ERTS internal rwlock implementation could get into an inconsistent state
  OTP-8925
  Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
  Note: Assertion failure, but not sure if exploitable for DoS

- 14), Some malformed distribution messages could cause VM to crash
  OTP-8993
  Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
  Note: security
  From the patch log: Teach VM not to dump core on bad dist message structure

- 15), A bug in the exit/2 BIF could potentially cause an emulator crash
  OTP-9005
  Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
  Note: Not sure if it has security implications

- 16), Potential emulator crash when deleting an ETS-table
  OTP-8999
  Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
  Note: Not sure if it has security implications

- 17), Attempting to create binaries exceeding 2Gb (using for example term_to_binary/1) would crash the emulator
  OTP-9117
  Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
  Note: Hard to tell if it has security implications

hipe:

- 18), Fix bug in the simplification of inexact comparisons
  OTP-9101
  Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
  Note: Seems to be just a bugfix

kernel:

- 19), inet:getsockopt for SCTP sctp_default_send_param, random answers
  OTP-8795
  Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
  Note: Seems to be just a bugfix

stdlib:

- 20), race condition/silent data corruption in dets
  OTP-8898
  Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
  Note: Hard to tell if it has security implications

Note: Are there potentially more that I missed?
=====