Bug 13459

Summary: libcap-ng new security issue CVE-2014-3215
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/600797/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: libcap-ng-0.7.3-3.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-05-30 18:12:25 CEST
OpenSuSE has issued an advisory today (May 30):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00084.html

The issue is fixed upstream in 0.7.4 (which is in Cauldron).

Patched packages uploaded for Mageia 3 and Mageia 4.

Note that this is marked as critical for us based on RedHat's bug, rather than low as OpenSuSE did, because unlike OpenSuSE, our /sbin/seunshare binary in policycoreutils is SUID root.  Here's RedHat's bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3215

Advisory:
========================

Updated libcap-ng packages fix security vulnerability:

capng_lock() in libcap-ng before 0.7.4 sets securebits in an attempt to
prevent regaining capabilities using setuid-root programs. This allows a user
to run setuid programs, such as seunshare from policycoreutils, as uid 0 but
without capabilities, which is potentially dangerous (CVE-2014-3215).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
http://lists.opensuse.org/opensuse-updates/2014-05/msg00084.html
========================

Updated packages in core/updates_testing:
========================
libcap-ng0-0.7.3-2.1.mga3
libcap-ng-devel-0.7.3-2.1.mga3
python-libcap-ng-0.7.3-2.1.mga3
libcap-ng-utils-0.7.3-2.1.mga3
libcap-ng0-0.7.3-3.1.mga4
libcap-ng-devel-0.7.3-3.1.mga4
python-libcap-ng-0.7.3-3.1.mga4
libcap-ng-utils-0.7.3-3.1.mga4

from SRPMS:
libcap-ng-0.7.3-2.1.mga3.src.rpm
libcap-ng-0.7.3-3.1.mga4.src.rpm

David Walser 2014-05-30 18:12:31 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-05-30 18:13:55 CEST
There was a tl;dr thread about this recently on oss-security:
http://openwall.com/lists/oss-security/2014/04/29/7
David Walser 2014-05-30 19:36:47 CEST

URL: (none) => http://lwn.net/Vulnerabilities/600797/

Comment 2 claire robinson 2014-06-02 20:00:02 CEST
Testing with the PoC from the openwall link in comment 1

Saved as sesploit.c and compiled with
gcc -o sesploit sesploit.c

$ ./sesploit 
Dropped privs; real uid is 500 and effective uid is 500
Phew, safe.

$ /usr/sbin/seunshare -t . `realpath ./sesploit`
Dropped privs; real uid is 500 and effective uid is 500
Phew, safe.

Not showing vulnerable with this exploit but we can use it anyway with strace to show seunshare (from package policycoreutils-sandbox) using the updated libcap-ng

$ strace -o strace.out /usr/sbin/seunshare -t . `realpath ./sesploit`

$ grep cap strace.out 
open("/lib64/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) = 3

Testing complete mga4 64

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
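The PoC used in comment 2 reports only the real and effective uids. The condition the advisory actually describes is narrower than "euid 0": it is euid 0 combined with an empty effective capability set, which is what a setuid-root exec produces once SECURE_NOROOT has been set by capng_lock(). The program below is an added check written for this page; it is not code from the bug, from the openwall PoC, or from libcap-ng. It reads the securebits with prctl(PR_GET_SECUREBITS) and CapEff from /proc/self/status and reports both. The helper names (parse_cap_eff, securebit_set, uid0_without_caps, read_self_cap_eff) are this example's own, and the securebit numbers are those of linux/securebits.h, restated so the file builds without the kernel headers installed. Linux only.

```c
/* Added example for this page; not code from the Mageia bug, the openwall
 * PoC, or libcap-ng. Reports whether the current process is in the state the
 * advisory describes: effective uid 0 with an empty capability set, with the
 * securebits that capng_lock() sets shown alongside. Linux only. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Bit numbers from linux/securebits.h, restated so this builds without the
 * kernel headers installed. */
#ifndef SECURE_NOROOT
#define SECURE_NOROOT                 0
#define SECURE_NOROOT_LOCKED          1
#define SECURE_NO_SETUID_FIXUP        2
#define SECURE_NO_SETUID_FIXUP_LOCKED 3
#endif

/* Extract the hex CapEff mask from /proc/<pid>/status text.
 * Returns 0 and stores the mask in *caps, or -1 if the field is missing. */
int parse_cap_eff(const char *status_text, uint64_t *caps)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    *caps = (uint64_t)v;
    return 0;
}

/* Test one securebit (by bit number) in a PR_GET_SECUREBITS value. */
int securebit_set(int securebits, int bit)
{
    return (securebits >> bit) & 1;
}

/* The dangerous combination from the advisory: root's uid, none of root's
 * capabilities. A setuid-root exec under SECURE_NOROOT produces exactly this.
 * Returns 1 when the process is in that state, 0 otherwise. */
int uid0_without_caps(uid_t euid, uint64_t cap_eff)
{
    return euid == 0 && cap_eff == 0;
}

/* Read CapEff for the calling process. Returns -1 on failure. */
int read_self_cap_eff(uint64_t *caps)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_eff(buf, caps);
}

int main(void)
{
    uint64_t caps = 0;
    int sb = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    if (sb < 0) {
        perror("prctl(PR_GET_SECUREBITS)");
        return 1;
    }
    if (read_self_cap_eff(&caps) < 0) {
        fputs("cannot read CapEff from /proc/self/status\n", stderr);
        return 1;
    }
    printf("real uid %u, effective uid %u, CapEff 0x%016llx\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned long long)caps);
    printf("securebits 0x%x: NOROOT=%d (locked=%d) NO_SETUID_FIXUP=%d (locked=%d)\n",
           sb,
           securebit_set(sb, SECURE_NOROOT),
           securebit_set(sb, SECURE_NOROOT_LOCKED),
           securebit_set(sb, SECURE_NO_SETUID_FIXUP),
           securebit_set(sb, SECURE_NO_SETUID_FIXUP_LOCKED));
    if (uid0_without_caps(geteuid(), caps))
        puts("WARNING: effective uid 0 with an empty capability set");
    else
        puts("Not in the uid-0-without-capabilities state");
    return 0;
}
```

Run it once directly and once as the target of a setuid-root wrapper, as comment 2 does with `seunshare -t .`; the securebits line shows whether the wrapper left SECURE_NOROOT (and its locked bit) set in the child, which is the inheritance the advisory is about. A process that is then exec'd as a setuid-root binary under those bits is the one that prints the warning line: uid 0 in every uid check, yet with no capability to back it.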

Comment 3 claire robinson 2014-06-03 10:50:17 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 4 claire robinson 2014-06-03 10:57:39 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 5 claire robinson 2014-06-03 11:10:04 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-06-03 11:15:13 CEST
Validating. Advisory uploaded. 

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-06-06 08:28:43 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0251.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED