Message-ID: <20130428155846.GF1315@li141-249.members.linode.com>
Date: Sun, 28 Apr 2013 17:58:46 +0200
From: Alyssa Milburn <amilburn@...l.org>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in BOINC

Hi all,

There have been various recent(-ish) vulnerabilities found in the BOINC
software for desktop grid computing. The major projects have (hopefully)
fixed all of these by now, and the clients should only be vulnerable if
they're connected to a hostile server.

The commit ids below are all from the boinc-v2 repository, see
http://boinc.berkeley.edu/trac/browser/boinc-v2 for a web view.

These are the ones I consider to be obviously important:

* CVE-2013-2298: various stack overflow vulnerabilities in the XML parser
  used by both the client and server software. I think that any 7.x version
  is vulnerable, but possibly not the 6.12 branch or earlier. No promises.

  (Found/reported by me. I notified all public projects I could find who
   were running obviously-vulnerable copies of the code, in early March.)

  http://thread.gmane.org/gmane.comp.distributed.boinc.user/3741
  2fea03824925cbcb976f4191f4d8321e41a4d95b

* Stack overflow in the client code by providing multiple file_signature
  elements. 6.10.58 and 6.12.34 are vulnerable. 7.x isn't.

  (This was fixed back in 2011, possibly accidentally.)

  9a4140ae30a72e5175f3f31646d91f2d58df7156

* SQL injections in the server-side scheduler code:

  (Found/reported by me. I warned projects about this at the same time
   as the above notifications, hopefully they've mostly patched it.)

  http://thread.gmane.org/gmane.comp.distributed.boinc.user/3776
  3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635

* SQL injections in the user-facing web scripts:
  (These were possibly found by Michael Voß, see
   http://www.mdr.de/mdr-info/hacker-boinc100.html )

  http://thread.gmane.org/gmane.comp.distributed.boinc.user/3658
  e8d6c33fe158129a5616e18eb84a7a9d44aca15f
  6e205de096da83b12ffb2f0183b43e51261eb0c4
  ce3110489bc139b8218252ba1cb0862d69f72ae3

And some issues I'm not sure are quite so important:

* Stack overflows in the trickle code on server and client side:

  (Fixed back in 2011, and these were only present in experimental 6.13.x
   releases, as far as I know.)

  5b04b249db166ec38c1ee99a9eadcaa300c0f454
  ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7

* From a few days ago, a possible format string issue(?) in the client
  code:

  (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the thread)

  http://thread.gmane.org/gmane.comp.distributed.boinc.devel/6416
  99258dcecba8ef36e1ce0fd6e0dacffe53613ac9

* An SQL injection vulnerability in the locality code (apparently only
  used by one known project), so I mention this just for completeness
  just in case anyone happens to be using it:

  2dbfdc55057b2c1f0508b56244044b1ad34e7cdb

- Alyssa
