【CESA-2017:1267】An update for rpcbind is now available for Red Hat Enterprise Linux 6

CESA-2017:1267

An update for rpcbind is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The rpcbind utility is a server that converts Remote Procedure Call (RPC)
program numbers into universal addresses. It must be running on the host to be
able to make RPC calls on a server on that machine.

Security Fix(es):

* It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory
leak can occur when parsing specially crafted XDR messages. An attacker sending
thousands of messages to rpcbind could cause its memory usage to grow without
bound, eventually causing it to be terminated by the OOM killer. (CVE-2017-8779)

Bugs Fixed

1448124 – CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays

【CESA-2017:1268】An update for libtirpc is now available for Red Hat Enterprise Linux 6

CESA-2017:1268

An update for libtirpc is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The libtirpc packages contain SunLib’s implementation of transport-independent
remote procedure call (TI-RPC) documentation, which includes a library required
by programs in the nfs-utils and rpcbind packages.

Security Fix(es):

* It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory
leak can occur when parsing specially crafted XDR messages. An attacker sending
thousands of messages to rpcbind could cause its memory usage to grow without
bound, eventually causing it to be terminated by the OOM killer. (CVE-2017-8779)

Bugs Fixed

1448124 – CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays

【CESA-2017:1263】An update for libtirpc is now available for Red Hat Enterprise Linux 7

CESA-2017:1263

An update for libtirpc is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The libtirpc packages contain SunLib’s implementation of transport-independent
remote procedure call (TI-RPC) documentation, which includes a library required
by programs in the nfs-utils and rpcbind packages.

Security Fix(es):

* It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory
leak can occur when parsing specially crafted XDR messages. An attacker sending
thousands of messages to rpcbind could cause its memory usage to grow without
bound, eventually causing it to be terminated by the OOM killer. (CVE-2017-8779)

Bugs Fixed

1448124 – CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays

【CESA-2017:1262】An update for rpcbind is now available for Red Hat Enterprise Linux 7

CESA-2017:1262

An update for rpcbind is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The rpcbind utility is a server that converts Remote Procedure Call (RPC)
program numbers into universal addresses. It must be running on the host to be
able to make RPC calls on a server on that machine.

Security Fix(es):

* It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory
leak can occur when parsing specially crafted XDR messages. An attacker sending
thousands of messages to rpcbind could cause its memory usage to grow without
bound, eventually causing it to be terminated by the OOM killer. (CVE-2017-8779)

Bugs Fixed

1448124 – CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays

【CESA-2017:1264】An update for kdelibs is now available for Red Hat Enterprise Linux 7

CESA-2017:1264

An update for kdelibs is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The K Desktop Environment (KDE) is a graphical desktop environment for the X
Window System. The kdelibs packages include core libraries for the K Desktop
Environment.

Security Fix(es):

* A privilege escalation flaw was found in the way kdelibs handled D-Bus
messages. A local user could potentially use this flaw to gain root privileges
by spoofing a callerID and leveraging a privileged helper application.
(CVE-2017-8422)

Red Hat would like to thank Sebastian Krahmer (SUSE) for reporting this issue.

Bugs Fixed

1449647 – CVE-2017-8422 kauth: service invoking dbus is not properly checked and allows local privilege escalation

【CESA-2017:1265】An update for samba is now available for Red Hat Enterprise Linux 7

CESA-2017:1265

An update for samba is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Samba is an open-source implementation of the Server Message Block (SMB)
protocol and the related Common Internet File System (CIFS) protocol, which
allow PC-compatible machines to share files, printers, and various information.

Security Fix(es):

* It was found that Samba always requested forwardable tickets when using
Kerberos authentication. A service to which Samba authenticated using Kerberos
could subsequently use the ticket to impersonate Samba to other services or
domain users. (CVE-2016-2125)

* A flaw was found in the way Samba handled PAC (Privilege Attribute
Certificate) checksums. A remote, authenticated attacker could use this flaw to
crash the winbindd process. (CVE-2016-2126)

* A race condition was found in the Samba server. A malicious Samba client could
use this flaw to access files and directories in areas of the server file system
not exported under the share definitions. (CVE-2017-2619)

Red Hat would like to thank the Samba project for reporting CVE-2017-2619.
Upstream acknowledges Jann Horn (Google) as the original reporter of
CVE-2017-2619.

Bugs Fixed

1403114 – CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
1403115 – CVE-2016-2126 samba: Flaws in Kerberos PAC validation can trigger privilege elevation
1429472 – CVE-2017-2619 samba: symlink race permits opening files outside share directory

【CESA-2017:1230】An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

CESA-2017:1230

An update for ghostscript is now available for Red Hat Enterprise Linux 6 and
Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The Ghostscript suite contains utilities for rendering PostScript and PDF
documents. Ghostscript translates PostScript code to common bitmap formats so
that the code can be displayed or printed.

Security Fix(es):

* It was found that ghostscript did not properly validate the parameters passed
to the .rsdparams and .eqproc functions. During its execution, a specially
crafted PostScript document could execute code in the context of the ghostscript
process, bypassing the -dSAFER protection. (CVE-2017-8291)

Bugs Fixed

1446063 – CVE-2017-8291 ghostscript: corruption of operand stack

【CESA-2017:1208】An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

CESA-2017:1208

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression
standard.

Security Fix(es):

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A
specially crafted file could cause an application using JasPer to crash or,
possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249,
CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693,
CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A
specially crafted file could cause an application using JasPer to crash.
(CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692,
CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390,
CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583,
CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654,
CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600; Gustavo Grieco for reporting
CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

Bugs Fixed

1254242 – CVE-2015-5203 jasper: integer overflow in jas_image_cmpt_create()
1255710 – CVE-2015-5221 jasper: use-after-free and double-free flaws in mif_process_cmpt()
1298135 – CVE-2016-1867 jasper: out-of-bounds read in jpc_pi_nextcprl()
1302636 – CVE-2016-2089 jasper: matrix rows_ NULL pointer dereference in jas_matrix_clip()
1314466 – CVE-2016-1577 jasper: double free issue in jas_iccattrval_destroy()
1314472 – CVE-2016-2116 jasper: memory leak in jas_iccprof_createfrombuf()
1385499 – CVE-2016-8690 CVE-2016-8884 CVE-2016-8885 jasper: missing jas_matrix_create() parameter checks
1385502 – CVE-2016-8691 CVE-2016-8692 jasper: missing SIZ marker segment XRsiz and YRsiz fields range check
1385507 – CVE-2016-8693 jasper: incorrect handling of bufsize 0 in mem_resize()
1388840 – CVE-2016-10249 jasper: integer overflow in jas_matrix_create()
1388870 – CVE-2016-8883 jasper: reachable asserts in jpc_dec_tiledecode()
1393882 – CVE-2016-9262 jasper: integer truncation in jas_image_cmpt_create()
1396959 – CVE-2016-9387 jasper: integer overflow in jpc_dec_process_siz()
1396962 – CVE-2016-9388 jasper: reachable assertions in RAS encoder/decoder
1396963 – CVE-2016-9389 jasper: reachable assertions caused by insufficient component domains checks in ICT/RCT in JPC codec
1396965 – CVE-2016-9390 jasper: insufficient SIZ marker tilexoff and tileyoff checks
1396967 – CVE-2016-9391 jasper: reachable assertions in the JPC bitstream code
1396971 – CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 jasper: insufficient SIZ marker segment data sanity checks
1398256 – CVE-2016-9560 jasper: stack-based buffer overflow in jpc_dec_tileinit()
1399167 – CVE-2016-8654 jasper: heap-based buffer overflow in QMFB code in JPC codec
1405148 – CVE-2016-9583 jasper: integer overflows leading to out of bounds read in packet iterators in JPC decoder
1406405 – CVE-2016-9591 jasper: use-after-free / double-free in JPC encoder
1410026 – CVE-2016-9600 jasper: JP2 encoder NULL pointer dereference due to uninitialized cmprof_
1434447 – CVE-2016-10248 jasper: NULL pointer dereference in jpc_tsfb_synthesize()
1434461 – CVE-2016-10251 jasper: integer overflow in jpc_pi_nextcprl(), leading to out-of-bounds read

【CESA-2017:1204】An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

CESA-2017:1204

An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment
and the OpenJDK 7 Java Software Development Kit.

Security Fix(es):

* An untrusted library search path flaw was found in the JCE component of
OpenJDK. A local attacker could possibly use this flaw to cause a Java
application using JCE to load an attacker-controlled library and hence escalate
their privileges. (CVE-2017-3511)

* It was found that the JAXP component of OpenJDK failed to correctly enforce
parse tree size limits when parsing XML documents. An attacker able to make a
Java application parse a specially crafted XML document could use this flaw to
make it consume an excessive amount of CPU and memory. (CVE-2017-3526)

* It was discovered that the HTTP client implementation in the Networking
component of OpenJDK could cache and re-use an NTLM authenticated connection in
a different security context. A remote attacker could possibly use this flaw to
make a Java application perform HTTP requests authenticated with credentials of
a different user. (CVE-2017-3509)

Note: This update adds support for the “jdk.ntlm.cache” system property which,
when set to false, prevents caching of NTLM connections and authentications and
hence prevents this issue. However, caching remains enabled by default.

* It was discovered that the Security component of OpenJDK did not allow users
to restrict the set of algorithms allowed for Jar integrity verification. This
flaw could allow an attacker to modify content of the Jar file that used weak
signing key or hash algorithm. (CVE-2017-3539)

Note: This update extends the fix for CVE-2016-5542 released as part of the
RHSA-2016:2658 erratum to no longer allow the MD5 hash algorithm during the Jar
integrity verification by adding it to the jdk.jar.disabledAlgorithms security
property.

* Newline injection flaws were discovered in FTP and SMTP client implementations
in the Networking component in OpenJDK. A remote attacker could possibly use
these flaws to manipulate FTP or SMTP connections established by a Java
application. (CVE-2017-3533, CVE-2017-3544)
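As an added, defender-side example for the CVE-2017-3539 item above (this is not Red Hat's or OpenJDK's code): a Python script that inspects the META-INF/*.SF signature files and the manifest of a JAR and reports which digest algorithms its signatures rely on, so JARs still signed with MD5 can be found and re-signed before a verifier that disables MD5 starts rejecting them. The sample JARs are constructed in memory with placeholder digest values and signature blocks; the deny-list contents and the signer file names are assumptions for this example.

```python
"""Audit the digest algorithms a signed JAR's signature files rely on.

Added example, not Red Hat's or OpenJDK's code. A signed JAR carries
META-INF/*.SF files whose attributes are named "<Algorithm>-Digest",
"<Algorithm>-Digest-Manifest" and "<Algorithm>-Digest-Manifest-Main-Attributes"
(for example "SHA-256-Digest" or "MD5-Digest"); the manifest uses the same
"<Algorithm>-Digest" attribute per entry. Listing those algorithm names
shows whether a JAR's integrity still depends on MD5.
"""
import io
import re
import zipfile

# Deny-list for this audit (assumption): MD5 is what the advisory adds to
# jdk.jar.disabledAlgorithms; SHA-1 is added here as a local policy choice.
WEAK_DIGESTS = {"MD5", "SHA1", "SHA-1"}

# Attribute names sit at the start of a line; continuation lines start with
# a space and therefore never match.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?\s*:",
    re.MULTILINE,
)


def digest_algorithms(text: str) -> set:
    """Return the set of digest algorithm names used in manifest/SF text."""
    return {m.group(1).upper() for m in DIGEST_ATTR.finditer(text)}


def audit_jar(data: bytes) -> dict:
    """Return {'signed', 'algorithms', 'weak'} for the JAR given as bytes."""
    algorithms = set()
    signature_files = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(".SF"):
                signature_files.append(name)
                text = zf.read(name).decode("utf-8", "replace")
                algorithms |= digest_algorithms(text)
        # The per-entry digests in the manifest are what the .SF file signs
        # over, so they count too, but only when a signature exists at all.
        if signature_files and "META-INF/MANIFEST.MF" in names:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            algorithms |= digest_algorithms(text)
    return {
        "signed": bool(signature_files),
        "algorithms": algorithms,
        "weak": algorithms & WEAK_DIGESTS,
    }


def build_sample_jar(digest_name: str, signed: bool = True) -> bytes:
    """Construct a minimal JAR in memory (constructed sample, no real signature)."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        "Name: com/example/App.class\r\n"
        f"{digest_name}-Digest: AAAA\r\n\r\n"
    )
    signature_file = (
        "Signature-Version: 1.0\r\n"
        f"{digest_name}-Digest-Manifest: AAAA\r\n\r\n"
        "Name: com/example/App.class\r\n"
        f"{digest_name}-Digest: AAAA\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/SIGNER.SF", signature_file)
            zf.writestr("META-INF/SIGNER.RSA", b"\x00")  # placeholder block
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (
        ("md5-signed", build_sample_jar("MD5")),
        ("sha256-signed", build_sample_jar("SHA-256")),
        ("unsigned", build_sample_jar("SHA-256", signed=False)),
    ):
        report = audit_jar(jar)
        verdict = "RE-SIGN" if report["weak"] else "ok"
        print(f"{label}: signed={report['signed']} "
              f"algorithms={sorted(report['algorithms'])} {verdict}")
```

To audit real files, pass `open(path, "rb").read()` to `audit_jar`; an unsigned JAR reports `signed=False` and no algorithms, since there is no signature whose digests a verifier would check. The script only classifies algorithm names; it does not verify the signatures themselves.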

Bugs Fixed

1443007 – CVE-2017-3511 OpenJDK: untrusted extension directories search path in Launcher (JCE, 8163528)
1443052 – CVE-2017-3509 OpenJDK: improper re-use of NTLM authenticated connections (Networking, 8163520)
1443068 – CVE-2017-3544 OpenJDK: newline injection in the SMTP client (Networking, 8171533)
1443083 – CVE-2017-3533 OpenJDK: newline injection in the FTP client (Networking, 8170222)
1443097 – CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
1443252 – CVE-2017-3526 OpenJDK: incomplete XML parse tree size enforcement (JAXP, 8169011)
