oss-sec mailing list archives
Re: Multiple vulnerabilities in BOINC
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 29 Apr 2013 13:25:00 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/28/2013 09:58 AM, Alyssa Milburn wrote:
Hi all, There have been various recent(-ish) vulnerabilities found in the BOINC software for desktop grid computing. The major projects have (hopefully) fixed all of these by now, and the clients should only be vulnerable if they're connected to a hostile server. The commit ids below are all from the boinc-v2 repository, see http://boinc.berkeley.edu/trac/browser/boinc-v2 for a web view. These are the ones I consider to be obviously important: * CVE-2013-2298: various stack overflow vulnerabilities in the XML parser used by both the client and server software. I think that any 7.x version is vulnerable, but possibly not the 6.12 branch or earlier. No promises. (Found/reported by me. I notified all public projects I could find who were running obviously-vulnerable copies of the code, in early March.) http://thread.gmane.org/gmane.comp.distributed.boinc.user/3741 2fea03824925cbcb976f4191f4d8321e41a4d95b * Stack overflow in the client code by providing multiple file_signature elements. 6.10.58 and 6.12.34 are vulnerable. 7.x isn't. (This was fixed back in 2011, possibly accidentally.) 9a4140ae30a72e5175f3f31646d91f2d58df7156
Please use CVE-2013-2019 for this issue.
* SQL injections in the server-side scheduler code: (Found/reported by me. I warned projects about this at the same time as the the above notifications, hopefully they've mostly patched it..) http://thread.gmane.org/gmane.comp.distributed.boinc.user/3776 3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635 * SQL injections in the user-facing web scripts: (These were possibly found by Michael Voß, see http://www.mdr.de/mdr-info/hacker-boinc100.html ) http://thread.gmane.org/gmane.comp.distributed.boinc.user/3658 e8d6c33fe158129a5616e18eb84a7a9d44aca15f 6e205de096da83b12ffb2f0183b43e51261eb0c4 ce3110489bc139b8218252ba1cb0862d69f72ae3
MERGING these two issues for now. Please use CVE-2013-2018 for this issue. And ignoring the rest unless someone says otherwise (like was this code really used/etc.).
And some issues I'm not sure are quite so important: * Stack overflows in the trickle code on server and client side: (Fixed back in 2011, and these were only present in experimental 6.13.x releases, as far as I know.) 5b04b249db166ec38c1ee99a9eadcaa300c0f454 ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7 * From a few days ago, a possible format string issue(?) in the client code: (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the thread) http://thread.gmane.org/gmane.comp.distributed.boinc.devel/6416 99258dcecba8ef36e1ce0fd6e0dacffe53613ac9 * An SQL injection vulnerability in the locality code (apparently only used by one known project), so I mention this just for completeness just in case anyone happens to be using it: 2dbfdc55057b2c1f0508b56244044b1ad34e7cdb - Alyssa
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRfskMAAoJEBYNRVNeJnmTdCgP/0mx6djzHz5ZUPaFN42t1zRb sJZYWUWrLlxAgdvx4G5I0kKK6GGehwt7ra2r9Z4/RdM9aTvPyrTPSHkE/ST5yAi8 G+pWi9L1wO1/N/sm0+H9cjPoUTm4xbQ5e1FyDMeoyK1AXkfR4/WUkYICrtsEz0Hu Qk6ZQg8N23vGHx7NLzi05rsOlRivuAAQmRRpNBB41gzk6LeeyOQeMppxo0YPFKw4 O16+UjOmIUxwEBaCOEoUQu0sSy8W3ynr+7wAB+KVtp9u07bR9Q8JJ/WrBGu6Xj5m 49K+NUilyJSDXI9MmMgRUJ+LeSu9Oh9ACcMncSJsPpH8Im13ntFOcMlg+7kc8pMd AHNBCSRmQVMafwv8Ib/nJKGiX1eX5nogMXR1HM2ARxC65OdNyZ4wjU3mIdRqkLFH 2U2OLwn+Hikl519th3qzo7yHx/DkkNvW2gMEjQMt+uYQzCJ+7AQA+RHA2HSptg00 nbXzVoNhZfGnzdUoJVC8mixHnBbhEffZ0NXGFS59z3cOpwElxidl40vRp9RhKd6D cRzYYxrnaXhJht2E3BClwAeI1wMp7qxTx1bGShpxmDg+XVPIfgUcBJ9V3NFdy67E HN5rOJGAW2W+Ao4KTfvgnl/rNfnh6UkNjhfchMVJCK/MmYMBEkolJfq/NWaQQVPz ukNnyMIQvwNx5S8hRQVo =ETc4 -----END PGP SIGNATURE-----
Current thread:
- Multiple vulnerabilities in BOINC Alyssa Milburn (Apr 28)
- Re: Multiple vulnerabilities in BOINC Kurt Seifried (Apr 29)