MOSS/Secure Open Source/Completed: Difference between revisions
(Typo) |
(Add curl) |
||
| Line 7: | Line 7: | ||
[http://www.pcre.org/ PCRE] (Perl-Compatible Regular Expressions) is a C library for implementing [https://en.wikipedia.org/wiki/Regular_expression regular expressions] in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by [https://cure53.de/ Cure53]. | [http://www.pcre.org/ PCRE] (Perl-Compatible Regular Expressions) is a C library for implementing [https://en.wikipedia.org/wiki/Regular_expression regular expressions] in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by [https://cure53.de/ Cure53]. | ||
The team found the following | The team found the following problems: | ||
* 1 Critical | * 1 Critical | ||
| Line 25: | Line 25: | ||
[http://www.libjpeg-turbo.org/ libjpeg-turbo] is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by [https://cure53.de/ Cure53]. | [http://www.libjpeg-turbo.org/ libjpeg-turbo] is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by [https://cure53.de/ Cure53]. | ||
The team found the following | The team found the following problems: | ||
* 1 High | * 1 High | ||
| Line 43: | Line 43: | ||
[https://www.phpmyadmin.net/ phpMyAdmin] is a web-based administration tool for MySQL databases. The audit was performed by [https://www.nccgroup.trust/ NCC Group]. | [https://www.phpmyadmin.net/ phpMyAdmin] is a web-based administration tool for MySQL databases. The audit was performed by [https://www.nccgroup.trust/ NCC Group]. | ||
The team found the following | The team found the following problems: | ||
* 3 Medium | * 3 Medium | ||
| Line 60: | Line 60: | ||
[http://www.thekelleys.org.uk/dnsmasq/doc.html dnsmasq] is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by [https://cure53.de/ Cure53]. | [http://www.thekelleys.org.uk/dnsmasq/doc.html dnsmasq] is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by [https://cure53.de/ Cure53]. | ||
The team found the following | The team found the following problems: | ||
* 1 Medium | * 1 Medium | ||
| Line 74: | Line 74: | ||
[http://www.zlib.net/ zlib] is a compression library implementing the 'deflate' compression algorithm, used in countless applications. The audit was performed by [https://www.trailofbits.com/ Trail of Bits]. | [http://www.zlib.net/ zlib] is a compression library implementing the 'deflate' compression algorithm, used in countless applications. The audit was performed by [https://www.trailofbits.com/ Trail of Bits]. | ||
The team found the following | The team found the following problems: | ||
* 1 Medium | * 1 Medium | ||
| Line 83: | Line 83: | ||
One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation. | One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation. | ||
==curl== | |||
Dates: July - November 2016 | |||
[https://curl.haxx.se/ curl] is a command-line application for transferring data, most usually over HTTP or HTTPS. The audit was performed by [https://cure53.de/ Cure53]. | |||
The team found the following problems: | |||
* 4 High | |||
* 5 Medium | |||
* 9 Low | |||
* 5 Informational | |||
8 of the vulnerabilities resulted in [https://curl.haxx.se/docs/security.html security advisories] being produced by the curl team on November 2nd, 2016. | |||
* [[Media:Curl-report.pdf|Audit report]] | |||
* [https://docs.google.com/document/d/17EvPM_LHJiOQPGC8cZ7nd2_7Hs7PIhrQqa7s9-pylm0/edit Fix and validation log] | |||
Revision as of 09:48, 23 November 2016
Secure Open Source has completed the following audits.
PCRE
Dates: October 2015 - June 2016
PCRE (Perl-Compatible Regular Expressions) is a C library for implementing regular expressions in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by Cure53.
The team found the following problems:
- 1 Critical
- 5 Medium
- 20 Low
- 3 Informational
The critical vulnerability was a stack buffer overflow which could have led to arbitrary code execution when compiling untrusted regular expressions.
libjpeg-turbo
Dates: November 2015 - June 2016
libjpeg-turbo is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by Cure53.
The team found the following problems:
- 1 High
- 2 Medium
- 2 Low
The high vulnerability was an out-of-bounds read. It is unclear exactly how exploitable it was. However, more interesting were the two medium vulnerabilities, which were initially reported as DoS bugs in the libjpeg-turbo library but on further investigation were found to be issues with the JPEG standard itself. These issues were reproduced across multiple JPEG implementations, can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself. We have written up these issues in a separate report, along with our suggestions as to how applications using JPEG can mitigate them in their own code.
phpMyAdmin
Dates: May - June 2016
phpMyAdmin is a web-based administration tool for MySQL databases. The audit was performed by NCC Group.
The team found the following problems:
- 3 Medium
- 5 Low
- 1 Informational
NCC Group found no serious issues in this codebase.
dnsmasq
Dates: May - August 2016
dnsmasq is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by Cure53.
The team found the following problems:
- 1 Medium
- 5 Low
zlib
Dates: July - September 2016
zlib is a compression library implementing the 'deflate' compression algorithm, used in countless applications. The audit was performed by Trail of Bits.
The team found the following problems:
- 1 Medium
- 4 Low
One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation.
curl
Dates: July - November 2016
curl is a command-line application for transferring data, most usually over HTTP or HTTPS. The audit was performed by Cure53.
The team found the following problems:
- 4 High
- 5 Medium
- 9 Low
- 5 Informational
8 of the vulnerabilities resulted in security advisories being produced by the curl team on November 2nd, 2016.