Re: Multiple vulnerabilities in BOINC

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/28/2013 09:58 AM, Alyssa Milburn wrote:
> Hi all,
>
> There have been various recent(-ish) vulnerabilities found in the
> BOINC software for desktop grid computing. The major projects have
> (hopefully) fixed all of these by now, and the clients should only
> be vulnerable if they're connected to a hostile server.
>
> The commit ids below are all from the boinc-v2 repository, see 
> http://boinc.berkeley.edu/trac/browser/boinc-v2 for a web view.
>
> These are the ones I consider to be obviously important:
>
> * CVE-2013-2298: various stack overflow vulnerabilities in the XML
> parser used by both the client and server software. I think that
> any 7.x version is vulnerable, but possibly not the 6.12 branch or
> earlier. No promises.
>
> (Found/reported by me. I notified all public projects I could find
> who were running obviously-vulnerable copies of the code, in early
> March.)
>
> http://thread.gmane.org/gmane.comp.distributed.boinc.user/3741 
> 2fea03824925cbcb976f4191f4d8321e41a4d95b
>
> * Stack overflow in the client code by providing multiple
> file_signature elements. 6.10.58 and 6.12.34 are vulnerable. 7.x
> isn't.
>
> (This was fixed back in 2011, possibly accidentally.)
>
> 9a4140ae30a72e5175f3f31646d91f2d58df7156

Please use CVE-2013-2019 for this issue.


> * SQL injections in the server-side scheduler code:
>
> (Found/reported by me. I warned projects about this at the same
> time as the the above notifications, hopefully they've mostly
> patched it..)
>
> http://thread.gmane.org/gmane.comp.distributed.boinc.user/3776 
> 3ced18ddaaea5e03d2cc70f8cce5ab214b4d5635
>
> * SQL injections in the user-facing web scripts: (These were
> possibly found by Michael Voß, see 
> http://www.mdr.de/mdr-info/hacker-boinc100.html )
>
> http://thread.gmane.org/gmane.comp.distributed.boinc.user/3658 
> e8d6c33fe158129a5616e18eb84a7a9d44aca15f 
> 6e205de096da83b12ffb2f0183b43e51261eb0c4 
> ce3110489bc139b8218252ba1cb0862d69f72ae3

MERGING these two issues for now. Please use CVE-2013-2018 for this issue.

And ignoring the rest unless someone says otherwise (like was this
code really used/etc.).

> And some issues I'm not sure are quite so important:
>
> * Stack overflows in the trickle code on server and client side:
>
> (Fixed back in 2011, and these were only present in experimental
> 6.13.x releases, as far as I know.)
>
> 5b04b249db166ec38c1ee99a9eadcaa300c0f454 
> ae04b50a71f3e96ee1bc59b76fca97cf0fe976f7
>
> * From a few days ago, a possible format string issue(?) in the
> client code:
>
> (Noticed by Gianfranco Costamagna/Nicolás Alvarez judging by the
> thread)
>
> http://thread.gmane.org/gmane.comp.distributed.boinc.devel/6416 
> 99258dcecba8ef36e1ce0fd6e0dacffe53613ac9
>
> * An SQL injection vulnerability in the locality code (apparently
> only used by one known project), so I mention this just for
> completeness just in case anyone happens to be using it:
>
> 2dbfdc55057b2c1f0508b56244044b1ad34e7cdb
>
> - Alyssa


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRfskMAAoJEBYNRVNeJnmTdCgP/0mx6djzHz5ZUPaFN42t1zRb
sJZYWUWrLlxAgdvx4G5I0kKK6GGehwt7ra2r9Z4/RdM9aTvPyrTPSHkE/ST5yAi8
G+pWi9L1wO1/N/sm0+H9cjPoUTm4xbQ5e1FyDMeoyK1AXkfR4/WUkYICrtsEz0Hu
Qk6ZQg8N23vGHx7NLzi05rsOlRivuAAQmRRpNBB41gzk6LeeyOQeMppxo0YPFKw4
O16+UjOmIUxwEBaCOEoUQu0sSy8W3ynr+7wAB+KVtp9u07bR9Q8JJ/WrBGu6Xj5m
49K+NUilyJSDXI9MmMgRUJ+LeSu9Oh9ACcMncSJsPpH8Im13ntFOcMlg+7kc8pMd
AHNBCSRmQVMafwv8Ib/nJKGiX1eX5nogMXR1HM2ARxC65OdNyZ4wjU3mIdRqkLFH
2U2OLwn+Hikl519th3qzo7yHx/DkkNvW2gMEjQMt+uYQzCJ+7AQA+RHA2HSptg00
nbXzVoNhZfGnzdUoJVC8mixHnBbhEffZ0NXGFS59z3cOpwElxidl40vRp9RhKd6D
cRzYYxrnaXhJht2E3BClwAeI1wMp7qxTx1bGShpxmDg+XVPIfgUcBJ9V3NFdy67E
HN5rOJGAW2W+Ao4KTfvgnl/rNfnh6UkNjhfchMVJCK/MmYMBEkolJfq/NWaQQVPz
ukNnyMIQvwNx5S8hRQVo
=ETc4
-----END PGP SIGNATURE-----