yara: CVE-2018-19974, CVE-2018-19975, CVE-2018-19976

Related Vulnerabilities: CVE-2018-19974   CVE-2018-19975   CVE-2018-19976  

Debian Bug report logs - #916932
yara: CVE-2018-19974, CVE-2018-19975, CVE-2018-19976


Reported by: Markus Koschany <apo@debian.org>

Date: Thu, 20 Dec 2018 16:21:01 UTC

Severity: important

Tags: security, upstream

Found in version yara/3.8.1-1

Fixed in version yara/3.8.1-2

Done: Hilko Bengen <bengen@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/VirusTotal/yara/issues/999



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#916932; Package yara. (Thu, 20 Dec 2018 16:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>. (Thu, 20 Dec 2018 16:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: yara: CVE-2018-19974, CVE-2018-19975, CVE-2018-19976
Date: Thu, 20 Dec 2018 17:17:47 +0100
[Message part 1 (text/plain, inline)]
Package: yara
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for yara.

CVE-2018-19974[0]:
| In YARA 3.8.1, bytecode in a specially crafted compiled rule can read
| uninitialized data from VM scratch memory in libyara/exec.c. This can
| allow attackers to discover addresses in the real stack (not the YARA
| virtual stack).

CVE-2018-19975[1]:
| In YARA 3.8.1, bytecode in a specially crafted compiled rule can read
| data from any arbitrary address in memory, in libyara/exec.c.
| Specifically, OP_COUNT can read a DWORD.

CVE-2018-19976[2]:
| In YARA 3.8.1, bytecode in a specially crafted compiled rule is
| exposed to information about its environment, in libyara/exec.c. This
| is a consequence of the design of the YARA virtual machine.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19974
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19974
[1] https://security-tracker.debian.org/tracker/CVE-2018-19975
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19975
[2] https://security-tracker.debian.org/tracker/CVE-2018-19976
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19976

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]
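As an added illustration (not yara's code and not part of this bug report), the toy bytecode VM below shows the hardening the three CVE descriptions above imply: scratch memory is zeroed before any rule bytecode runs, and an OP_COUNT-style operand is validated as an index into a bounded table rather than used as a memory address. Every opcode, structure, size and sample value here is invented for the example; it does not model libyara/exec.c.

```c
#include <stdint.h>
#include <string.h>
/* Toy bytecode VM for the two bug classes named in the CVEs above. Opcodes,
 * layout and sizes are invented; this is not libyara/exec.c. */
enum { OP_PUSH = 1, OP_COUNT = 2 };
#define N_STRINGS 4
#define STACK_MAX 16
typedef struct {
    uint32_t match_count[N_STRINGS]; /* per-string match counts */
    int64_t  scratch[8];             /* VM scratch memory */
    int64_t  stack[STACK_MAX];
    int      sp;
} vm_t;

/* Runs untrusted rule bytecode; 0 on success, -1 if malformed/out of bounds. */
int vm_run(vm_t *vm, const int64_t *code, size_t n) {
    /* Zero scratch before any rule code runs, so stale stack data can
       never be read back (the CVE-2018-19974 class). */
    memset(vm->scratch, 0, sizeof vm->scratch);
    vm->sp = 0;
    for (size_t ip = 0; ip < n; ) {
        switch (code[ip]) {
        case OP_PUSH:
            if (ip + 1 >= n || vm->sp >= STACK_MAX) return -1;
            vm->stack[vm->sp++] = code[ip + 1];
            ip += 2; break;
        case OP_COUNT: {
            /* Operand is an index checked against the table size, never a
               raw address to dereference (the CVE-2018-19975 class). */
            if (vm->sp < 1) return -1;
            int64_t idx = vm->stack[--vm->sp];
            if (idx < 0 || idx >= N_STRINGS) return -1;
            vm->stack[vm->sp++] = vm->match_count[idx];
            ip += 1; break;
        }
        default:
            return -1; /* unknown opcode in untrusted bytecode */
        }
    }
    return 0;
}

/* Constructed sample rule "count of string idx"; *out gets the count. */
int run_count_rule(int64_t idx, int64_t *out) {
    vm_t vm = {{0}};
    for (int i = 0; i < N_STRINGS; i++) vm.match_count[i] = 10u * (i + 1);
    const int64_t code[] = { OP_PUSH, idx, OP_COUNT };
    int rc = vm_run(&vm, code, 3);
    if (rc == 0) *out = vm.stack[0];
    return rc;
}
```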

Set Bug forwarded-to-address to 'https://github.com/VirusTotal/yara/issues/999'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Dec 2018 16:27:03 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Dec 2018 16:27:04 GMT) (full text, mbox, link).


Marked as found in versions yara/3.8.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Dec 2018 16:27:06 GMT) (full text, mbox, link).


Message sent on to Markus Koschany <apo@debian.org>:
Bug#916932. (Fri, 21 Dec 2018 10:15:03 GMT) (full text, mbox, link).


Message #14 received at 916932-submitter@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>
To: 916932-submitter@bugs.debian.org
Subject: Bug #916932 in yara marked as pending
Date: Fri, 21 Dec 2018 10:12:59 +0000
Control: tag -1 pending

Hello,

Bug #916932 in yara reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-security-team/yara/commit/8cb0cc596ecd20d0c31f21ea08b6064f1337e233

------------------------------------------------------------------------
Add upstream patch to fix information leaks from specially crafted bytecode (CVE-2018-19974, CVE-2018-19975, CVE-2018-19976; Closes: #916932)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/916932



Added tag(s) pending. Request was from Hilko Bengen <bengen@debian.org> to 916932-submitter@bugs.debian.org. (Fri, 21 Dec 2018 10:15:03 GMT) (full text, mbox, link).


Message sent on to Markus Koschany <apo@debian.org>:
Bug#916932. (Fri, 21 Dec 2018 10:30:02 GMT) (full text, mbox, link).


Message #19 received at 916932-submitter@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>
To: 916932-submitter@bugs.debian.org
Subject: Bug #916932 in yara marked as pending
Date: Fri, 21 Dec 2018 10:27:22 +0000
Control: tag -1 pending

Hello,

Bug #916932 in yara reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-security-team/yara/commit/8cb0cc596ecd20d0c31f21ea08b6064f1337e233

------------------------------------------------------------------------
Add upstream patch to fix information leaks from specially crafted bytecode (CVE-2018-19974, CVE-2018-19975, CVE-2018-19976; Closes: #916932)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/916932



Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Fri, 21 Dec 2018 15:00:06 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Fri, 21 Dec 2018 15:00:06 GMT) (full text, mbox, link).


Message #24 received at 916932-close@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>
To: 916932-close@bugs.debian.org
Subject: Bug#916932: fixed in yara 3.8.1-2
Date: Fri, 21 Dec 2018 14:57:10 +0000
Source: yara
Source-Version: 3.8.1-2

We believe that the bug you reported is fixed in the latest version of
yara, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916932@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated yara package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 21 Dec 2018 11:06:46 +0100
Source: yara
Binary: yara libyara3 libyara-dev yara-doc
Architecture: source
Version: 3.8.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 libyara-dev - YARA development libraries and headers
 libyara3   - YARA shared library
 yara       - Pattern matching swiss knife for malware researchers
 yara-doc   - HTML documentation for YARA
Closes: 916932
Changes:
 yara (3.8.1-2) unstable; urgency=high
 .
   * Mark yara-doc Multi-Arch: foreign
   * Add upstream patch to fix information leaks from specially crafted bytecode
     (CVE-2018-19974, CVE-2018-19975, CVE-2018-19976; Closes: #916932)
   * Bump Standards-Version




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 21 Jan 2019 07:26:28 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:51:15 2019; Machine Name: buxtehude
