Bug 372983 (CVE-2010-4254)

Summary: <dev-lang/mono-2.10.2-r1: multiple vulnerabilities (CVE-2010-4254,CVE-2011-{0989,0990,0991,0992})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: dotnet
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-25 12:57:07 UTC
CVE-2011-0992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0992):
  Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x
  before 3.99.3 is used, allows remote attackers to cause a denial of service
  (plugin crash) or obtain sensitive information via vectors related to member
  data in a resurrected MonoThread instance.

CVE-2011-0991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0991):
  Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x
  before 3.99.3 is used, allows remote attackers to cause a denial of service
  or possibly have unspecified other impact via vectors related to finalizing
  and then resurrecting a DynamicMethod instance.

CVE-2011-0990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0990):
  Race condition in the FastCopy optimization in the Array.Copy method in
  metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before
  3.99.3 is used, allows remote attackers to trigger a buffer overflow and
  modify internal data structures, and cause a denial of service (plugin
  crash) or corrupt the internal state of the security manager, via a crafted
  media file in which a thread makes a change after a type check but before a
  copy action.

CVE-2011-0989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0989):
  The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, when
  Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, does not properly
  restrict data types, which allows remote attackers to modify internal
  read-only data structures, and cause a denial of service (plugin crash) or
  corrupt the internal state of the security manager, via a crafted media
  file, as demonstrated by modifying a C# struct.

CVE-2010-4254 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4254):
  Mono, when Moonlight before 2.3.0.1 or 2.99.x before 2.99.0.10 is used, does
  not properly validate arguments to generic methods, which allows remote
  attackers to bypass generic constraints, and possibly execute arbitrary
  code, via a crafted method call.
Comment 1 Pacho Ramos gentoo-dev 2011-06-25 14:53:25 UTC
www-plugins/moonlight is hardmasked
Comment 2 Pacho Ramos gentoo-dev 2011-06-25 14:54:46 UTC
Is mono-2.10.2 affected also?
Comment 4 Pacho Ramos gentoo-dev 2011-07-04 11:27:32 UTC
Yes, the last one is the one needed:

+*mono-2.10.2-r1 (04 Jul 2011)
+
+  04 Jul 2011; Pacho Ramos <pacho@gentoo.org> -files/mono-2.2-libdir126.patch,
+  -files/mono-2.2-ppc-threading.patch, -files/mono-2.2-uselibdir.patch,
+  -files/mono-2.6.4-require-glib.patch, -mono-2.6.7.ebuild,
+  -files/mono-2.8.1-radegast-crash.patch, -mono-2.8.2-r1.ebuild,
+  -files/mono-2.8-libdir.patch, -mono-2.10.1-r1.ebuild,
+  -files/mono-2.10.1-libdir.patch, +mono-2.10.2-r1.ebuild,
+  +files/mono-2.10.2-threads-access.patch:
+  Fix security problem, bug #372983 by Tim Sammut. Remove old.
+
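Review bot: the ChangeLog entry records only "Fix security problem, bug #372983 by Tim Sammut" and names a single patch, files/mono-2.10.2-threads-access.patch, while the bug summary covers five CVEs (CVE-2010-4254 and CVE-2011-0989 through CVE-2011-0992). Listing the CVE identifiers in the entry, and stating whether the remaining issues are already fixed in the upstream 2.10.2 release or by that patch, would let users and the GLSA coordinator verify the fix scope from the ChangeLog alone.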

Feel free to add arches when you prefer; it looks to work OK for me.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-07-04 16:13:02 UTC
Arches, please test and mark stable:
=dev-lang/mono-2.10.2-r1
Target keywords : "amd64 ppc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2011-07-04 19:37:13 UTC
amd64 ok
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-07-05 15:29:34 UTC
x86 stable. Thanks
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2011-07-06 10:21:57 UTC
amd64 all ok
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-07-06 17:47:37 UTC
amd64 done. Thanks Agostino and Ian
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-14 08:29:30 UTC
ppc stable, last arch done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 04:23:50 UTC
Thanks, everyone. GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:49 UTC
This issue was resolved and addressed in GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml by GLSA coordinator Tobias Heinlein (keytoaster).