[Secure Coding] master: Makefile: Do not create subdirectories automatically (d7dedb4)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit d7dedb452d6e8f79999801bf1f6aa8640f162617
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon Aug 26 15:23:48 2013 +0200
Makefile: Do not create subdirectories automatically
This is not needed because we ship the files in the Git repository.
>---------------------------------------------------------------
defensive-coding/Makefile | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/defensive-coding/Makefile b/defensive-coding/Makefile
index 61f4ee5..08a95c1 100644
--- a/defensive-coding/Makefile
+++ b/defensive-coding/Makefile
@@ -7,7 +7,6 @@ include src/src.mk
build: build-src build-manual
build-snippets:
- for p in en-US/* ; do test -d $$p && mkdir -p $$p/snippets; done
python scripts/split-snippets.py . \
src/*.c src/*.cpp src/*.java src/*.py
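Review bot: With the `mkdir -p` loop removed from `build-snippets`, `scripts/split-snippets.py` has to find every `en-US/*/snippets` directory already present in the checkout. Git does not track empty directories, so a newly added chapter directory with no committed snippet files yet will not have one. Consider having `split-snippets.py` create its output directory when it is missing, or at least fail with a message naming the missing directory, and say in the commit message which of the two is relied on.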
10 years, 1 month
[Secure Coding] master: Java security manager example: Increase compatibility with OpenJDK 7 javac (aa79dc5)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit aa79dc501587d6cc38ae3661ea5bb9d271792eb8
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon Aug 26 15:22:50 2013 +0200
Java security manager example: Increase compatibility with OpenJDK 7 javac
>---------------------------------------------------------------
.../src/JavaSecurityManagerUnprivileged.java | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/defensive-coding/src/JavaSecurityManagerUnprivileged.java b/defensive-coding/src/JavaSecurityManagerUnprivileged.java
index 61da297..ec0c2c7 100644
--- a/defensive-coding/src/JavaSecurityManagerUnprivileged.java
+++ b/defensive-coding/src/JavaSecurityManagerUnprivileged.java
@@ -49,7 +49,7 @@ public class JavaSecurityManagerUnprivileged {
//-
}
- private static void withGrant(String path) throws Exception {
+ private static void withGrant(final String path) throws Exception {
Permissions permissions = new Permissions();
//+ Java SecurityManager-CurrentDirectory
permissions.add(new FilePermission(
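Review bot: The commit message says only "Increase compatibility with OpenJDK 7 javac", and nothing visible in this hunk shows why `path` in `withGrant` has to be `final`. If `path` is captured by an anonymous inner class further down in the method, say so in the message, since javac before Java 8 rejects captured locals that are not declared `final`. That also tells readers of the extracted snippet why the modifier is there.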
10 years, 1 month
[Secure Coding] master: Correct advice on array allocation (#995595) (876a1bc)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 876a1bcbd0b2687867aded985d142df5030988ae
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon Aug 26 11:43:10 2013 +0200
Correct advice on array allocation (#995595)
>---------------------------------------------------------------
defensive-coding/en-US/C/Allocators.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/defensive-coding/en-US/C/Allocators.xml b/defensive-coding/en-US/C/Allocators.xml
index e86b37f..1bff610 100644
--- a/defensive-coding/en-US/C/Allocators.xml
+++ b/defensive-coding/en-US/C/Allocators.xml
@@ -135,8 +135,8 @@
is used, the size check must be written manually. For instance,
to allocate an array of <literal>n</literal> elements of type
<literal>T</literal>, check that the requested size is not
- greater than <literal>n / sizeof(T)</literal>. See <xref
- linkend="sect-Defensive_Coding-C-Arithmetic"/>.
+ greater than <literal>((size_t) -1) / sizeof(T)</literal>. See
+ <xref linkend="sect-Defensive_Coding-C-Arithmetic"/>.
</para>
</section>
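Review bot: In the corrected sentence, "the requested size" is ambiguous. The value to compare against `((size_t) -1) / sizeof(T)` is the element count `n`, not the byte size `n * sizeof(T)`, which is the product that may already have wrapped around. Suggest wording it as "check that `n` is not greater than `((size_t) -1) / sizeof(T)`" and stating that the multiplication is performed only after that check passes.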
10 years, 1 month
Review Swap
by Christopher Meng
Hi,
Zmap is a nice tool revealed at a recent USENIX, really like nmap, but
it can scan the whole Internet in a shorter time.
Can't find the security lab mailing list, so I post here and look for
a reviewer to review.
https://bugzilla.redhat.com/show_bug.cgi?id=999959
Thanks in advance.
Yours sincerely,
Christopher Meng
Always playing in Fedora Project
http://cicku.me
10 years, 1 month
Help me fill out a list of flaw types
by Josh Bressers
Hi all,
I'm working to fill out a list of types of security flaws. I'm happy to
include obscure items on the list. I plan to use the list to document these
issues in some meaningful way in the future.
My brain seems to be stuck today, I'm not coming up with as many as I know
I should.
Feel free to lend an old man a hand:
http://etherpad-security.rhcloud.com/p/flaw-types
Thanks.
--
Josh Bressers / Red Hat Product Security Team
10 years, 1 month
[Secure Coding] master: Updated TX config (3e72831)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 3e72831c3fdf0d507b80716b260e076aa32bc223
Author: Eric Christensen <sparks(a)fedoraproject.org>
Date: Mon Aug 12 23:12:55 2013 -0400
Updated TX config
>---------------------------------------------------------------
defensive-coding/.tx/config | 122 ++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 120 insertions(+), 2 deletions(-)
diff --git a/defensive-coding/.tx/config b/defensive-coding/.tx/config
index 97f212c..a6ca10c 100644
--- a/defensive-coding/.tx/config
+++ b/defensive-coding/.tx/config
@@ -1,5 +1,5 @@
[main]
-host = https://www.transifex.net
+host = https://www.transifex.com
lang_map = aln:aln-AL, ar:ar-SA, ast:ast-ES, as:as-IN, bal:bal-PK, bg:bg-BG, bn:bn-BD, bn_IN:bn-IN, bs:bs-BA, ca:ca-ES, cs:cs-CZ, da:da-DK, de_CH:de-CH, de:de-DE, el:el-GR, en_GB:en-GB, es:es-ES, et:et-EE, eu:eu-ES, fa:fa-IR, fi:fi-FI, fr:fr-FR, gl:gl-ES, gu:gu-IN, he:he-IL, hi:hi-IN, hr:hr-HR, hu:hu-HU, id:id-ID, is:is-IS, it:it-IT, ja:ja-JP, kn:kn-IN, ko:ko-KR, lt:lt-LT, lv:lv-LV, mai:mai-IN, ml:ml-IN, mr:mr-IN, ms:ms-MY, nb:nb-NO, nds:nds-DE, nl:nl-NL, nn:nn-NO, or:or-IN, pa:pa-IN, pl:pl-PL, pt_BR:pt-BR, pt:pt-PT, ro:ro-RO, ru:ru-RU, si:si-LK, sk:sk-SK, sl:sl-SI, sq:sq-AL, sr:sr-RS, sr@latin:sr-Latn-RS, sv:sv-SE, ta:ta-IN, te:te-IN, tg:tg-TJ, tr:tr-TR, uk:uk-UA, ur:ur-PK, vi:vi-VN, zh_CN:zh-CN, zh_HK:zh-HK, zh_TW:zh-TW
[defensive-coding-guide.Book_Info]
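Review bot: The `host` change in `[main]` from `https://www.transifex.net` to `https://www.transifex.com` is the one behavioural change among 120 added lines, but the commit message "Updated TX config" does not mention it. Worth calling out in the message, since contributors whose client credentials are stored under the old hostname may need to update them.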
@@ -26,6 +26,12 @@ source_file = pot/Defensive_Coding.pot
source_lang = en
type = PO
+[defensive-coding-guide.Other]
+file_filter = <lang>/C/Other.po
+source_file = pot/C/Other.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.Allocators]
file_filter = <lang>/C/Allocators.po
source_file = pot/C/Allocators.pot
@@ -56,18 +62,36 @@ source_file = pot/C/snippets/String-Functions-snprintf.pot
source_lang = en
type = PO
+[defensive-coding-guide.String-Functions-strncat-merged]
+file_filter = <lang>/C/snippets/String-Functions-strncat-merged.po
+source_file = pot/C/snippets/String-Functions-strncat-merged.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.Arithmetic-add]
file_filter = <lang>/C/snippets/Arithmetic-add.po
source_file = pot/C/snippets/Arithmetic-add.pot
source_lang = en
type = PO
+[defensive-coding-guide.String-Functions-strncat-emulation]
+file_filter = <lang>/C/snippets/String-Functions-strncat-emulation.po
+source_file = pot/C/snippets/String-Functions-strncat-emulation.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.String-Functions-strncpy]
file_filter = <lang>/C/snippets/String-Functions-strncpy.po
source_file = pot/C/snippets/String-Functions-strncpy.pot
source_lang = en
type = PO
+[defensive-coding-guide.String-Functions-snprintf-incremental]
+file_filter = <lang>/C/snippets/String-Functions-snprintf-incremental.po
+source_file = pot/C/snippets/String-Functions-snprintf-incremental.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.String-Functions-format]
file_filter = <lang>/C/snippets/String-Functions-format.po
source_file = pot/C/snippets/String-Functions-format.pot
@@ -80,6 +104,12 @@ source_file = pot/C/snippets/Pointers-remaining.pot
source_lang = en
type = PO
+[defensive-coding-guide.String-Functions-strncat-as-strncpy]
+file_filter = <lang>/C/snippets/String-Functions-strncat-as-strncpy.po
+source_file = pot/C/snippets/String-Functions-strncat-as-strncpy.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.Arithmetic-mult]
file_filter = <lang>/C/snippets/Arithmetic-mult.po
source_file = pot/C/snippets/Arithmetic-mult.pot
@@ -92,7 +122,6 @@ source_file = pot/Python/Language.pot
source_lang = en
type = PO
-
[defensive-coding-guide.CXX]
file_filter = <lang>/CXX/CXX.po
source_file = pot/CXX/CXX.pot
@@ -111,6 +140,77 @@ source_file = pot/CXX/Std.pot
source_lang = en
type = PO
+[defensive-coding-guide.Java]
+file_filter = <lang>/Java/Java.po
+source_file = pot/Java/Java.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.Language]
+file_filter = <lang>/Java/Language.po
+source_file = pot/Java/Language.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.LowLevel]
+file_filter = <lang>/Java/LowLevel.po
+source_file = pot/Java/LowLevel.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.SecurityManager]
+file_filter = <lang>/Java/SecurityManager.po
+source_file = pot/Java/SecurityManager.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.TryWithResource]
+file_filter = <lang>/Java/snippets/TryWithResource.po
+source_file = pot/Java/snippets/TryWithResource.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.SecurityManager-Privileged]
+file_filter = <lang>/Java/snippets/SecurityManager-Privileged.po
+source_file = pot/Java/snippets/SecurityManager-Privileged.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.SecurityManager-CurrentDirectory]
+file_filter = <lang>/Java/snippets/SecurityManager-CurrentDirectory.po
+source_file = pot/Java/snippets/SecurityManager-CurrentDirectory.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.JNI-Pointers]
+file_filter = <lang>/Java/snippets/JNI-Pointers.po
+source_file = pot/Java/snippets/JNI-Pointers.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.SecurityManager-Unprivileged]
+file_filter = <lang>/Java/snippets/SecurityManager-Unprivileged.po
+source_file = pot/Java/snippets/SecurityManager-Unprivileged.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.Language-ReadArray]
+file_filter = <lang>/Java/snippets/Language-ReadArray.po
+source_file = pot/Java/snippets/Language-ReadArray.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.SecurityManager-Callback]
+file_filter = <lang>/Java/snippets/SecurityManager-Callback.po
+source_file = pot/Java/snippets/SecurityManager-Callback.pot
+source_lang = en
+type = PO
+
+[defensive-coding-guide.Finally]
+file_filter = <lang>/Java/snippets/Finally.po
+source_file = pot/Java/snippets/Finally.pot
+source_lang = en
+type = PO
[defensive-coding-guide.File_System]
file_filter = <lang>/Tasks/File_System.po
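Review bot: The added `[defensive-coding-guide.Language]` section points at `<lang>/Java/Language.po`, while the file already carries a resource for `pot/Python/Language.pot` (visible in the preceding hunk header). If that existing section uses the same slug, the file ends up with two sections of the same name and one mapping shadows the other. The same risk applies to any other basename shared between chapters. Suggest chapter-qualified slugs for the chapter-level files, in the way the snippet resources already carry a prefix (`SecurityManager-Privileged`, `Language-ReadArray`).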
@@ -154,12 +254,24 @@ source_file = pot/Tasks/Cryptography.pot
source_lang = en
type = PO
+[defensive-coding-guide.Serialization-XML-Qt-NoEntityHandler]
+file_filter = <lang>/Tasks/snippets/Serialization-XML-Qt-NoEntityHandler.po
+source_file = pot/Tasks/snippets/Serialization-XML-Qt-NoEntityHandler.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.Serialization-XML-OpenJDK_Parse-XMLSchema_SAX]
file_filter = <lang>/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po
source_file = pot/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.pot
source_lang = en
type = PO
+[defensive-coding-guide.Serialization-XML-Qt-NoEntityReader]
+file_filter = <lang>/Tasks/snippets/Serialization-XML-Qt-NoEntityReader.po
+source_file = pot/Tasks/snippets/Serialization-XML-Qt-NoEntityReader.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.Serialization-XML-Expat-EntityDeclHandler]
file_filter = <lang>/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po
source_file = pot/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.pot
@@ -196,6 +308,12 @@ source_file = pot/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po
source_lang = en
type = PO
+[defensive-coding-guide.Serialization-XML-Qt-QDomDocument]
+file_filter = <lang>/Tasks/snippets/Serialization-XML-Qt-QDomDocument.po
+source_file = pot/Tasks/snippets/Serialization-XML-Qt-QDomDocument.pot
+source_lang = en
+type = PO
+
[defensive-coding-guide.Serialization-XML-OpenJDK_Parse-XMLSchema_DOM]
file_filter = <lang>/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po
source_file = pot/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.pot
10 years, 1 month
[Secure Coding] master: Updated POT files (93f8929)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 93f892956142d929f3fd9a70ac35e04b7e6232f4
Author: Eric Christensen <sparks(a)fedoraproject.org>
Date: Mon Aug 12 23:12:14 2013 -0400
Updated POT files
>---------------------------------------------------------------
Diff suppressed because of size. To see it, use:
git diff --patch-with-stat --no-color --find-copies-harder --ignore-space-at-eol ^93f892956142d929f3fd9a70ac35e04b7e6232f4~1 93f892956142d929f3fd9a70ac35e04b7e6232f4
10 years, 1 month
[Secure Coding] master: Deserialization: Warn about Java's java.beans.XMLDecoder (973d0c6)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 973d0c68891d6943374c06f10bdccf82c12be549
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Thu Aug 8 15:13:11 2013 +0200
Deserialization: Warn about Java's java.beans.XMLDecoder
>---------------------------------------------------------------
defensive-coding/en-US/Tasks/Serialization.xml | 31 ++++++++++++++++++++----
1 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/defensive-coding/en-US/Tasks/Serialization.xml b/defensive-coding/en-US/Tasks/Serialization.xml
index 3d4abb1..792ea94 100644
--- a/defensive-coding/en-US/Tasks/Serialization.xml
+++ b/defensive-coding/en-US/Tasks/Serialization.xml
@@ -70,7 +70,9 @@
Perl's <package>Storable</package> package
</para></listitem>
<listitem><para>
- Java serialization (<type>java.io.ObjectInputStream</type>)
+ Java serialization (<type>java.io.ObjectInputStream</type>),
+ even if encoded in other formats (as with
+ <type>java.beans.XMLDecoder</type>)
</para></listitem>
<listitem><para>
PHP serialization (<function>unserialize</function>)
@@ -87,10 +89,13 @@
even when the data members have been manipulated.
</para>
<para>
- JSON decoders do not suffer from this problem. But you must not
- use the <function>eval</function> function to parse JSON objects
- in Javascript; even with the regular expression filter from RFC
- 4627, there are still information leaks remaining.
+ In general, JSON decoders do not suffer from this problem. But
+ you must not use the <function>eval</function> function to parse
+ JSON objects in Javascript; even with the regular expression
+ filter from RFC 4627, there are still information leaks
+ remaining. JSON-based formats can still turn out risky if they
+ serve as an encoding form for any if the serialization
+ frameworks listed above.
</para>
</section>
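Review bot: Typo in the last added sentence: "any if the serialization frameworks" should read "any of the serialization frameworks". While this paragraph is being touched, "Javascript" could be spelled "JavaScript", and "turn out risky" reads better as "turn out to be risky".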
@@ -420,6 +425,22 @@
xmlns:xi="http://www.w3.org/2001/XInclude" />
</example>
</section>
+ <section id="sect-Defensive_Coding-Tasks-Serialization-XML-OpenJDK_Parse-Other">
+ <title>Other XML parsers in OpenJDK</title>
+ <para>
+ OpenJDK contains additional XML parsing and processing
+ facilities. Some of them are insecure.
+ </para>
+ <para>
+ The class <type>java.beans.XMLDecoder</type> acts as a
+ bridge between the Java object serialization format and XML.
+ It is close to impossible to securely deserialize Java
+ objects in this format from untrusted inputs, so its use is
+ not recommended, as with the Java object serialization
+ format itself. See <xref
+ linkend="sect-Defensive_Coding-Tasks-Serialization-Library"/>.
+ </para>
+ </section>
</section>
</section>
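Review bot: The second paragraph of the new section calls `java.beans.XMLDecoder` "a bridge between the Java object serialization format and XML", which does not tell the reader why it is unsafe and suggests it decodes an `ObjectInputStream` stream. `XMLDecoder` reads the JavaBeans long-term persistence format, in which the XML document itself names the classes to instantiate and the methods to call. Stating that would justify "close to impossible to securely deserialize". The first paragraph's "Some of them are insecure" should also name which facilities are meant, or be dropped.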
10 years, 1 month
[Secure Coding] master: Descriptors: Note explicitly that replacing select is the recommended approach (1207f12)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 1207f12b39206cd3b5f2f1181c5fdcda2b265d3c
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Wed Aug 7 13:40:34 2013 +0200
Descriptors: Note explicitly that replacing select is the recommended approach
>---------------------------------------------------------------
defensive-coding/en-US/Tasks/Descriptors.xml | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/defensive-coding/en-US/Tasks/Descriptors.xml b/defensive-coding/en-US/Tasks/Descriptors.xml
index bdf1fb2..7b92ab9 100644
--- a/defensive-coding/en-US/Tasks/Descriptors.xml
+++ b/defensive-coding/en-US/Tasks/Descriptors.xml
@@ -217,7 +217,8 @@
be changed. <!-- ??? refer to event-driven programming -->
Calls to <function>select</function> can be replaced with
calls to <function>poll</function> or another event handling
- mechanism.
+ mechanism. Replacing the <function>select</function> function
+ is the recommended approach.
</para>
<para>
Alternatively, the library with high descriptor usage can
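Review bot: The added sentence "Replacing the `select` function is the recommended approach" states the recommendation but not why it is preferred over the alternative that the next paragraph introduces ("Alternatively, the library with high descriptor usage can ..."). A half-sentence of rationale would let readers judge when the alternative is acceptable. The `<!-- ??? refer to event-driven programming -->` placeholder in the same paragraph is still unresolved and could be addressed in the same change.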
10 years, 1 month