List: oss-security
Subject: [oss-security] Re: CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP
From: Rickard Green <rickard () erlang ! org>
Date: 2011-03-31 20:41:20
Message-ID: 4D94E6F0.7080506 () erlang ! org
Hi,
I don't know how you would like to classify an emulator crash (DOS?). If
an emulator crash is considered a security issue, then OTP-8999 and
OTP-9005 are security fixes due to this.
I also don't know how you want to classify memory leaks (which in the
long run can cause an emulator crash). If a memory leak is considered a
security issue, then OTP-8810 and OTP-8999 are security fixes due to this.
OTP-8925 and OTP-9105 (OTP-9105 isn't part of your list) affect the
application's control flow, and should therefore according to Steven's
mail be considered security fixes. (The rickard/rwmutex-bug/OTP-8925
branch has been merged to the dev branch multiple times. The commit
pointed to below fixes a harmless assertion bug, but the fix contains
more code.)
I don't consider OTP-8781 a security fix. The functionality wasn't
working at all, which was fixed.
Regards,
Rickard Green
Jan Lieskovsky wrote:
> Hello Steve, vendors,
>
> based on:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
>
> and:
> [2] http://www.erlang.org/download/otp_src_R14B.readme
> [3] http://www.erlang.org/download/otp_src_R14B01.readme
> [4] http://www.erlang.org/download/otp_src_R14B02.readme
>
> performed some initial review of the issues -- erlang-CVE-request.txt
> attached. But since I'm not sure which of those are real security
> flaws and how many CVE ids will be needed for those, Cc-ing
> also Erlang upstream developers to shed more light on this.
>
> The distribution of OTPs is as follows:
> =======================================
> Rickard Green: OTP-8810, OTP-8781, OTP-8925, OTP-9005, OTP-8999
> Bjorn-Egil Dahlberg: OTP-8814, OTP-8827, OTP-8943
> Sverker Eriksson: OTP-8945, OTP-8716
> Patrik Nyblom: OTP-7178, OTP-8780, OTP-8993
> Raimo Niskanen: OTP-8729, OTP-8795
> Bjorn Gustavsson: OTP-8831, OTP-8892, OTP-9117
> Niclas Axelsson: OTP-9101
> Hans Bolinder: OTP-8898
>
> Rickard, Bjorn-Egil, Sverker, Patrik, Raimo, Bjorn, Niclas, Hans,
> could you please have a look at the attached review file
> and reply which of the 20 OTPs in the list are security flaws
> (so we would know the count of CVE identifiers needed) and which
> are just bugs? (since you know the Erlang code better than me)
>
> Help / guidance from your side is really appreciated to resolve
> this one.
>
> Thank you in advance for your time and cooperation.
>
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> crypto:
> - 1), multiple memory leaks OTP-8810
> Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
> Note: Hard to tell if it has security implications, but from the
> patch it looks like certain memory content leaks were possible
>
> - 2), rc4 not working correctly (silent data corruption) OTP-8781
> Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
> Note: Seems to be just bugfix
> From the patch log: RC4 stream cipher didn't work.
>
> erl_interface:
> - 3), ei: prevent overflow in ei_connect_init and ei_xconnect OTP-8814
> Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
> Note: security, stack based buffer overflow possible
>
> - 4), erl_call: fix multiple buffer overflows OTP-8827
> Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
> Note: security, multiple heap overflows possible
>
> - 5), Check the length of the node name to prevent an overflow OTP-8943
> Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
> Note: security
>
> - 6), erl_term_len() in erl_interface could return wrong length OTP-8945
> Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
> Note: Hard to tell if it has security implications
>
> erts:
> - 7), error with list_to_float("1.0e-324") in some VMs OTP-7178
> Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
> Note: ignore underflow in list_to_float and return 0.0
>
> - 8), Fix faulty 64-bit integer term output from drivers (crash or
> silent data corruption) OTP-8716
> Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
> Note: security
>
> - 9), gen_udp:connect/3 was broken for SCTP enabled builds. OTP-8729
> Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
> Note: seems to be just bugfix
>
> - 10), Removed some potential vulnerabilities from epmd OTP-8780
> Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
> Note: security
> From patch log: Remove two buffer overflow vulnerabilities in EPMD
>
> - 11), wrong return code for http sockets {ok,{http_error,String}} OTP-8831
> Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
> Note: seems to be just bugfix
>
> - 12), Multiple Buffer overflows have been prevented OTP-8892
> Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
> Note: security
> From patch log:
> * ms/security-fixes: erlc: remove unused variable, typer:
> prevent buffer overflows,
> run_test: prevent buffer overflow, heart: prevent buffer overflow,
> escript: prevent buffer overflows, erlexec: prevent buffer overflows,
> erlc: prevent buffer overflows, dialyzer: prevent buffer overflows
>
> - 13), The ERTS internal rwlock implementation could get into an
> inconsistent state OTP-8925
> Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
> Note: Assertion failure, but not sure if exploitable for DoS
>
> - 14), Some malformed distribution messages could cause VM to crash OTP-8993
> Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
> Note: security
> From patch log: Teach VM not to dump core on bad dist message structure
>
> - 15), A bug in the exit/2 BIF could potentially cause an emulator
> crash OTP-9005
> Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
> Note: Not sure if has security implications
>
> - 16), Potentially emulator crash when deleting an ETS-table OTP-8999
> Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
> Note: Not sure if has security implications
>
> - 17), Attempting to create binaries exceeding 2Gb (using for
> example term_to_binary/1) would crash the emulator OTP-9117
> Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
> Note: Hard to tell if has security implications
>
> hipe:
> - 18), Fix bug in the simplification of inexact comparisons OTP-9101
> Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
> Note: Seems to be just bugfix
>
> kernel:
> - 19), inet:getsockopt for SCTP sctp_default_send_param, random
> answers OTP-8795
> Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
> Note: Seems to be just bugfix
>
> stdlib:
> - 20), race condition/silent data corruption in dets OTP-8898
> Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
> Note: Hard to tell if has security implications
>
> Note: Are there potentially more that I missed?
> =====
>
--
Rickard Green, Erlang/OTP, Ericsson AB.
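Several items in the quoted review (3, 4, 5, 10) describe the same defect class: a node name or similar string copied into a fixed-size buffer without a length check, and the fix being to check the length first. The following C code is an added illustration of that defensive pattern, written for this page; it is not erl_interface, epmd or any other OTP code. The `struct node_id`, the buffer sizes, the `name@host` split and the function names are all assumptions made for the example, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, constructed layout: fixed-size buffers standing in for the kind of
 * struct/stack buffers a node name gets copied into. Not OTP's own sizes. */
#define MAX_ALIVE 64
#define MAX_HOST  128

struct node_id {
    char alive[MAX_ALIVE];   /* part before '@' */
    char host[MAX_HOST];     /* part after '@'  */
};

enum {
    NODE_OK               =  0,
    NODE_ERR_NULL         = -1,
    NODE_ERR_NO_SEPARATOR = -2,
    NODE_ERR_EMPTY_PART   = -3,
    NODE_ERR_TOO_LONG     = -4
};

/* Copy n bytes into dst only if they fit with a terminating NUL. The caller
 * gets an error rather than a silently truncated name: a shortened node name
 * is itself a correctness bug, and silent truncation hides it. */
static int copy_bounded(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n >= dstlen)
        return NODE_ERR_TOO_LONG;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return NODE_OK;
}

/* Split "alive@host" into out->alive / out->host, validating every length
 * before any byte is written so that a rejected input leaves *out untouched. */
int parse_node_name(const char *full, struct node_id *out)
{
    const char *at;
    size_t alive_len, host_len;
    int rc;

    if (full == NULL || out == NULL)
        return NODE_ERR_NULL;
    at = strchr(full, '@');
    if (at == NULL || strchr(at + 1, '@') != NULL)
        return NODE_ERR_NO_SEPARATOR;          /* need exactly one '@' */
    alive_len = (size_t)(at - full);
    host_len  = strlen(at + 1);
    if (alive_len == 0 || host_len == 0)
        return NODE_ERR_EMPTY_PART;
    if (alive_len >= MAX_ALIVE || host_len >= MAX_HOST)
        return NODE_ERR_TOO_LONG;              /* checked before any copy */
    rc = copy_bounded(out->alive, sizeof out->alive, full, alive_len);
    if (rc != NODE_OK)
        return rc;
    return copy_bounded(out->host, sizeof out->host, at + 1, host_len);
}

/* Constructed input on the accept path; returns NODE_OK only if both parts
 * were stored exactly. */
int example_valid(void)
{
    struct node_id n;
    int rc = parse_node_name("mynode@host.example", &n);
    if (rc != NODE_OK)
        return rc;
    return (strcmp(n.alive, "mynode") == 0 &&
            strcmp(n.host, "host.example") == 0) ? NODE_OK : -99;
}

/* Constructed input whose host part is longer than MAX_HOST: the unchecked
 * copy this pattern replaces would have overrun out->host here. */
int example_overlong_host(void)
{
    char full[16 + MAX_HOST + 8];
    struct node_id n;
    memset(full, 'h', sizeof full);
    memcpy(full, "mynode@", 7);
    full[sizeof full - 1] = '\0';
    return parse_node_name(full, &n);
}

/* Helper for other rejected shapes (missing/duplicate '@', empty part). */
int example_reject(const char *s)
{
    struct node_id n;
    return parse_node_name(s, &n);
}

int main(void)
{
    printf("valid: %d\n", example_valid());                 /* 0  */
    printf("overlong host: %d\n", example_overlong_host()); /* -4 */
    printf("no separator: %d\n", example_reject("nohost")); /* -2 */
    return 0;
}
```

The point the review items make is visible in `parse_node_name`: both lengths are validated against the destination sizes before `memcpy` runs, and the function fails closed instead of truncating, so an overlong name from a peer or the command line is an error return, not a stack or heap write past the buffer.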