June 14, 2021

Google expands its patch reward program

In early October Google launched its patch reward program, which rewards members of the open source community for making security improvements to open source projects. The program was designed to be more than just an open source bug hunting exhibition: it provides financial incentives for proactive security enhancements that go beyond fixing a known security vulnerability.

The project started out quite small in scope, with Google only considering patches for projects like OpenSSH, BIND, ISC DHCP, libjpeg, libjpeg-turbo, libpng, giflib and OpenSSL. To qualify, a patch must be submitted to the maintainers of the individual project, and Google must then be notified about the improvement. If Google judges that the submission has a positive impact on security, the coder qualifies for a reward ranging from $500 to $3,133.7.

Now, after almost six weeks of running the initial program, Google has announced that it is ready to expand the program to include more open source projects, including Android. The full list of new projects now eligible for rewards is:

  • All the open-source components of Android: Android Open Source Project
  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
  • Virtual private networking: OpenVPN
  • Network time: University of Delaware NTPD
  • Additional core libraries: Mozilla NSS, libxml2
  • Toolchain security improvements for GCC, binutils, and llvm

The inclusion of Android is interesting as it shows that Google is keen to continue making security improvements to its very popular mobile operating system. Recently Google has added SELinux and nosuid protection to Android as well as creating a free built-in service called Verify Apps. Available for all versions of Android from 2.3 onwards, Verify Apps behaves very much like an antivirus scanner and blocks the installation of malicious software, regardless of the source.

In the past Android has been seen as less secure than Apple’s iOS primarily because Android allows users to install apps from anywhere not just from Google’s Play Store. Since Apple maintains a walled garden and only allows apps into its store after rigorous testing it means that malware scares have been less prominent on iOS. Vendors of Android security software suites seem to constantly write sensational headlines about how many new variants of Android malware are being created each month. Although technically they are right, users who stick to Google’s Play Store shouldn’t be in any danger.

In brief: New version of popular Exim mail server plugs remote code execution flaw

(LiveHacking.Com) – A new version of the popular Exim mail server has been released to plug a critical remote code execution flaw that is exposed when Exim is built with DKIM support, which is the default. Exim 4.80.2 is identical to 4.80 except for the fixes required to plug the security hole.

According to a posting made on the exim-announce mailing list, the issue (CVE-2012-5671) was found during an internal code review of an area of the Exim codebase relevant to another issue, namely DKIM signing and verification, which has been the subject of US-CERT VU#268267 and Common Weakness identifiers CWE-347 and CWE-326.

The security vulnerability can be exploited by anyone who can send email from a domain for which they control the DNS. The class of attack is known as a “heap-based buffer overflow”.

Builds of Exim which used the DISABLE_DKIM option are not vulnerable. The Exim team are confident that the next release of Exim will, eventually, be 4.82, and should include the various improvements made since 4.80. However, that release will go through the normal release candidate baking process.

The release is now available from the primary ftp sites:

Exim, CouchDB and PostgreSQL All Updated To Close Security Holes

Three major open source server components have been updated to fix unrelated vulnerabilities. With Microsoft’s recent announcement of problems with the MHTML handler in all versions of Windows since XP, now it is the turn of some of the major open source projects to patch their software.

The Exim email server project has announced the release of Exim 4.74, which is primarily a security and bug fix release, with the top security fix being for CVE-2011-0017. An error in the open_log function in log.c in Exim 4.72 and earlier means the function does not check the return value of the setuid or setgid system calls. This in turn could allow local users to append log data to arbitrary files via a symlink attack.
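To show the bug class behind CVE-2011-0017 from the defender's side, here is an added illustration that is not Exim's own code: a simplified log opener that discards the setgid/setuid results next to a hardened one that checks them and refuses a symlink at the log path. The function names, the temporary directory layout and the "mainlog" symlink scenario are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern (the open_log defect described above, simplified): the
 * setgid()/setuid() results are discarded, so on failure the log is opened
 * with the original privilege, and a symlink at the path is followed. */
int open_log_unchecked(const char *path, uid_t uid, gid_t gid)
{
    (void)setgid(gid);   /* BUG: failure silently ignored */
    (void)setuid(uid);   /* BUG: failure silently ignored */
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0640);
}

/* Hardened variant: check each privilege change (group first, while still
 * permitted), verify the resulting identity, and refuse to follow a symlink
 * at the log path with O_NOFOLLOW. */
int open_log_checked(const char *path, uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                       /* errno set by the failing call */
    if (getuid() != uid || getgid() != gid) {
        errno = EPERM;                   /* not the identity we asked for */
        return -1;
    }
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
}

/* Constructed scenario: "mainlog" is a symlink to another file in a temp dir.
 * Returns 1 if the unchecked opener follows the link while the checked one
 * refuses it with ELOOP, 0 otherwise. Uses the caller's own uid/gid. */
int symlink_demo(void)
{
    char dir[] = "/tmp/eximlogXXXXXX", target[64], link[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/mainlog", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, link) != 0) return 0;
    int bad = open_log_unchecked(link, getuid(), getgid());
    int good = open_log_checked(link, getuid(), getgid());
    int refused = (good == -1 && errno == ELOOP);
    if (bad >= 0) close(bad);
    unlink(link); unlink(target); rmdir(dir);
    return (bad >= 0 && refused) ? 1 : 0;
}
```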

The NoSQL document-oriented database Apache CouchDB Project has released version 1.0.2 with over 30 changes and fixes. Amongst the bugs squashed are cross site scripting issues as detailed in CVE-2010-3854. Due to inadequate validation of request parameters and cookie data in Futon, CouchDB’s web-based administration UI, a malicious site can execute arbitrary code in the context of a user’s browsing session.

Apache are recommending that all users upgrade to V1.0.2. Upgrades from the 0.11.x and 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes

And another popular open source database has also been updated, this time PostgreSQL. The project has released security updates for all active branches of PostgreSQL including versions 9.0.3, 8.4.7, 8.3.14 and 8.2.20.

This security release tackles 63 bugs with the most important being a buffer overrun problem as described in CVE-2010-4015. This buffer overflow bug (present in all branches before 9.0.3, 8.4.7, 8.3.14, and 8.2.20) allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions.

Debian and Red Hat close Exim hole

Four days after a security hole was discovered in the free Exim mail server, the developers of Debian and Red Hat have released corrected versions for their Linux distributions. While the Exim version provided by Red Hat blocks root access, Debian’s new Exim contains fixes for a memory flaw that allows code to be executed with Exim user rights.

Read the full story here.


Possible Remote Root Vulnerability in Exim Internet Mailer

According to a post by Sergey Kononenko on the Exim developer mailing list, there is a possibility of a remote root attack against the Exim Internet Mailer in the Debian package.

The possible vulnerability was found in Exim from Debian Lenny (exim4-daemon-light 4.69-9), but other versions might also be vulnerable. An attacker could exploit this vulnerability to gain control of a mail server.

More information is available here.