Re: CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes

[Rickard Green <rickard () erlang org>]

Hi,

I don't know how you would like to classify an emulator crash (DOS?). If 
an emulator crash is considered a security issue, then OTP-8999 and 
OTP-9005 are security fixes due to this.

I also don't know how you want to classify memory leaks (which in the 
long run can cause an emulator crash). If a memory leak is considered a 
security issue, then OTP-8810 and OTP-8999 are security fixes due to this.

OTP-8925 and OTP-9105 (OTP-9105 isn't part of your list) affect the 
application's control flow, and should therefore according to Steven's 
mail be considered security fixes. (The rickard/rwmutex-bug/OTP-8925 
branch has been merged to the dev branch multiple times. The commit 
pointed to below fixes a harmless assertion bug, but the fix contains 
more code.)

I don't consider OTP-8781 a security fix. The functionality wasn't 
working at all which was fixed.

Regards,
Rickard Green

Jan Lieskovsky wrote:
> Hello Steve, vendors,
>
>  based on:
>  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
>
>  and:
>  [2] http://www.erlang.org/download/otp_src_R14B.readme
>  [3] http://www.erlang.org/download/otp_src_R14B01.readme
>  [4] http://www.erlang.org/download/otp_src_R14B02.readme
>
> performed some initial issues review -- erlang-CVE-request.txt
> attached. But since not sure, which of those are real security
> flaws and how many CVE ids will be needed for those, Cc-ing
> also Erlang upstream developers to shed more light into this.
>
> The distribution of OTPs is as follows:
> =======================================
> Rickard Green:          OTP-8810, OTP-8781, OTP-8925, OTP-9005, OTP-8999
> Bjorn-Egil Dahlberg:    OTP-8814, OTP-8827, OTP-8943
> Sverker Eriksson:       OTP-8945, OTP-8716
> Patrik Nyblom:          OTP-7178, OTP-8780, OTP-8993
> Raimo Niskanen:         OTP-8729, OTP-8795
> Bjorn Gustavsson:       OTP-8831, OTP-8892, OTP-9117
> Niclas Axelsson:        OTP-9101
> Hans Bolinder:          OTP-8898
>
> Rickard, Bjorn-Egil, Sverker, Patrik, Raimo, Bjorn, Niclas, Hans,
> could you please have a look at the attached review file
> and reply which of the #20 OTPs in the list are security flaws
> (so we would know the count of CVE identifiers needed) and which
> are just bugs? (since you know the Erlang code better than me)
>
> Help / guidance from your side is really appreciated to resolve
> this one.
>
> Thank you in advance for your time and cooperation.
>
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> crypto:
>   - 1), multiple memory leaks OTP-8810
>     Patch: https://github.com/erlang/otp/commit/d834040eeb1383157320a650984a47bb02bbb2d1
>     Note: Hard to tell if has security implications, but from the
> patch looks certain
>           memory content leaks were possible
>
>   - 2), rc4 not working correctly (silent data corruption) OTP-8781
>     Patch: https://github.com/erlang/otp/commit/0bcb7009fe4f3bbdf630c226d7e7335f9c005cf0
>     Note: Seems to be just bugfix
>     From the patch log: RC4 stream cipher didn't work.
>
> erl_interface:
>   - 3), ei: prevent overflow in ei_connect_init and ei_xconnect OTP-8814
>     Patch: https://github.com/erlang/otp/commit/6e66a59544a4816c49d2d4ae4bfa4f408403a1ab
>     Note: security, stack based buffer overflow possible
>
>   - 4), erl_call: fix multiple buffer overflows OTP-8827
>     Patch: https://github.com/erlang/otp/commit/f4843545086e6e79642e86f84aba0cff789d575b
>     Note: security, multiple heap overflows possible
>
>   - 5), Check the length of the node name to prevent an overflow OTP-8943
>     Patch: https://github.com/erlang/otp/commit/29b572dbd1546796a0a94066548edfa3da6b4b9d
>     Note: security
>
>   - 6), erl_term_len() in erl_interface could returned wrong length OTP-8945
>     Patch: https://github.com/erlang/otp/commit/c7fa778ae11c33f4568fbfd91d58550c781b54d6
>     Note: Hard to tell if has security implications
> erts:
>   - 7), error with list_to_float("1.0e-324") in some VMs OTP-7178
>     Patch: https://github.com/erlang/otp/commit/1297a3ade2851be787a4c6a64d5f57d81761c8f5
>     Note: ignore underflow in list_to_float and return 0.0
>
>   - 8), Fix faulty 64-bit integer term output from drivers (crash or
> silent data corruption) OTP-8716
>     Patch: https://github.com/erlang/otp/commit/d2f1c68969d2c32a1310aa52b66209ef4c3aed97
>     Note: security
>
>   - 9), gen_udp:connect/3 was broken for SCTP enabled builds. OTP-8729
>     Patch: https://github.com/erlang/otp/commit/2a6db0111898f25f5c615ce9b7f4e6ef84381a03
>     Note: seems to be just bugfix
>
>   - 10), Removed some potential vulnerabilities from epmd OTP-8780
>     Patch: https://github.com/erlang/otp/commit/bbf3ab21b404aedbf9c7b7062b1e96062133fe44
>     Note: security
>     From patch log: Remove two buffer overflow vulnerabilities in EPMD
>
>   - 11), wrong return code for http sockets {ok,{http_error,String}} OTP-8831
>     Patch: https://github.com/erlang/otp/commit/c2d085e76f38467ea530b294edd3767ade88332c
>     Note: seems to be just bugfix
>
>   - 12), Multiple Buffer overflows have been prevented OTP-8892
>     Patch: https://github.com/erlang/otp/commit/c7f811b03aca427fbea0cac5307b81fa19bddbc1
>     Note: security
>     From patch log:
>       * ms/security-fixes: erlc: remove unused variable, typer:
> prevent buffer overflows,
>         run_test: prevent buffer overflow, heart: prevent buffer overflow,
>         escript: prevent buffer overflows, erlexec: prevent buffer overflows,
>         erlc: prevent buffer overflows, dialyzer: prevent buffer overflows
>
>   - 13), The ERTS internal rwlock implementation could get into an
> inconsistent state OTP-8925
>     Patch: https://github.com/erlang/otp/commit/f1c8231c16ca4cc8ef39318364ac8a1c8d7d56e1
>     Note: Assertion failure, but not sure if exploitable for DoS
>
>   - 14), Some malformed distribution messages could cause VM to crash OTP-8993
>     Patch: https://github.com/erlang/otp/commit/663a15d616647d0019bc834d20de517fd9aeadd7
>     Note: security
>     From patch log: Teach VM not to dump core on bad dist message structure
>
>   - 15), A bug in the exit/2 BIF could potentially cause an emulator
> crash OTP-9005
>     Patch: https://github.com/erlang/otp/commit/962a313807f96f38f3bf40a5e8cd855ad09deccb
>     Note: Not sure if has security implications
>
>   - 16), Potentially emulator crash when deleting an ETS-table OTP-8999
>     Patch: https://github.com/erlang/otp/commit/f4f3beb158352b23959c09f8b0dfc83013d5fdf2
>     Note: Not sure if has security implications
>
>   - 17), Attempting to create binaries exceeding 2Gb (using for
>     example term_to_binary/1) would crash the emulator OTP-9117
>     Patch: https://github.com/erlang/otp/commit/1f07334d042e478d385caa0d7634ebfa6703f27a
>     Note: Hard to tell if has security implications
>
> hipe:
>   - 18), Fix bug in the simplification of inexact comparisons OTP-9101
>     Patch: https://github.com/erlang/otp/commit/e454e0f3d45c30fcb24f6e06a9e1f7408a8db5d7
>     Note: Seems to be just bugfix
>
> kernel:
>   - 19), inet:getsockopt for SCTP sctp_default_send_param, random
> answers OTP-8795
>     Patch: https://github.com/erlang/otp/commit/9ea58dff408c0c72f5a6ad0e11b521a80292b024
>     Note: Seems to be just bugfix
>
> stdlib:
>   - 20), race condition/silent data corruption in dets OTP-8898
>     Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
>     Note: Hard to tell if has security implications
>
> Note: Are there potentially more ones, I missed?
> =====


--
Rickard Green, Erlang/OTP, Ericsson AB.