| Summary: | c-icap new security issues CVE-2013-7401 and CVE-2013-7402 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | luis.daniel.lucio, olchal, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/612810/ | ||
| Whiteboard: | MGA4-64-OK MGA4-32-OK advisory | ||
| Source RPM: | c-icap-0.2.5-4.2.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-09-23 18:38:00 CEST
According to the Gentoo bug, it actually wasn't yet fixed upstream in 0.2.6, they had backported an additional patch:
https://bugs.gentoo.org/show_bug.cgi?id=455324

So Mageia 4 would also be affected.

Version: 3 => 4

The patch Gentoo added only fixes CVE-2013-7401:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-proxy/c-icap/files/c-icap-0.2.6-fix-icap-parsing.patch?revision=1.1&view=markup

CVE-2013-7402 is only fixed in 0.3.x, in these commits:
http://sourceforge.net/p/c-icap/code/1018/
http://sourceforge.net/p/c-icap/code/1021/

see this bug report for CVE-2013-7402:
http://sourceforge.net/p/c-icap/bugs/59/

I guess it could be updated to 0.3.x in Mageia 3 and Mageia 4 (and c-icap-modules-extra would need to be as well I would imagine).

If so, even Cauldron should be updated to the newest 0.3.4, as it contains a crasher fix:
http://sourceforge.net/p/c-icap/news/

Here's an osvdb advisory for CVE-2013-7401 and more info including a PoC:
http://www.osvdb.org/show/osvdb/89304
http://osvdb.org/ref/89/c-icap.txt

Debian has issued an advisory for this on December 13:
https://www.debian.org/security/2014/dsa-3101

Now I see that the two upstream commits that I linked in Comment 2 apply cleanly to 0.2.6 and fix both CVEs. I guess I should have figured that out earlier...

Patched package uploaded for Mageia 4.

Removing Mageia 3 from the whiteboard due to EOL.

This package has been removed from Cauldron due to lack of response from the maintainer.

Advisory:

========================

Updated c-icap packages fix security vulnerabilities:

Several vulnerabilities were found in c-icap, which could allow a remote attacker to cause c-icap to crash, or have other, unspecified impacts (CVE-2013-7401, CVE-2013-7402).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7402
http://www.gentoo.org/security/en/glsa/glsa-201409-07.xml
https://www.debian.org/security/2014/dsa-3101

========================

Updated packages in core/updates_testing:

========================

libc-icap0-0.2.6-2.2.mga4
libc-icap-devel-0.2.6-2.2.mga4
c-icap-server-0.2.6-2.2.mga4
c-icap-client-0.2.6-2.2.mga4
c-icap-modules-0.2.6-2.2.mga4

from c-icap-0.2.6-2.2.mga4.src.rpm

CC: (none) => luis.daniel.lucio

Testing on Mageia 4x64 real hardware.

From current packages :
---------------------
- c-icap-client-0.2.6-2.mga4.x86_64
- c-icap-modules-0.2.6-2.mga4.x86_64
- c-icap-modules-extra-0.2.5-2.mga4.x86_64
- c-icap-server-0.2.6-2.mga4.x86_64
- lib64c-icap0-0.2.6-2.mga4.x86_64

Following instructions found here :
http://sourceforge.net/p/c-icap/wiki/c-icapInstall/

    # systemctl start icapd
    # systemctl status icapd
    icapd.service - ICAP Server
    Loaded: loaded (/usr/lib/systemd/system/icapd.service; enabled)
    Active: active (running)

    $ c-icap-client
    ICAP server:localhost, ip:127.0.0.1, port:1344
    OPTIONS:
    Allow 204: Yes
    Preview: 1024
    Keep alive: Yes
    ICAP HEADERS:
    ICAP/1.0 200 OK:
    Methods:RESPMOD, REQMOD
    Service:C-ICAP/0.2.6 server - Echo demo service
    ISTag:CI0001-XXXXXXXXX
    Transfer-Preview:*
    Options-TTL:3600
    Date:Sun, 14 Dec 2014 21:23:12 GMT
    Preview:1024
    Allow:204
    X-Include:X-Authenticated-User, X-Authenticated-Groups
    Encapsulated:null-body=0

    $ c-icap-client -req http://www.mageia.org/fr/
    ICAP server:localhost, ip:127.0.0.1, port:1344
    No modification needed (Allow 204 response)

    $ c-icap-client -i localhost -s "info?view=text" -req "a_url"
    ICAP server:localhost, ip:127.0.0.1, port:1344

which shows server statistics changing each time I access the server through the client.

Stopped and disabled icecapd.service.

Updated to testing packages :
---------------------------
- c-icap-client-0.2.6-2.2.mga4.x86_64
- c-icap-modules-0.2.6-2.2.mga4.x86_64
- c-icap-server-0.2.6-2.2.mga4.x86_64
- lib64c-icap0-0.2.6-2.2.mga4.x86_64

Followed same procedure.
c-icap-server functional, c-icap-client can access the server.
All OK.

CC: (none) => olchal

Testing on Mageia4x32, using same procedure as in comment 4.

From current packages :
---------------------
- c-icap-client-0.2.6-2.mga4.i586
- c-icap-modules-0.2.6-2.mga4.i586
- c-icap-modules-extra-0.2.5-2.mga4.i586
- c-icap-server-0.2.6-2.mga4.i586
- libc-icap0-0.2.6-2.mga4.i586

To updated testing packages :
---------------------------
- c-icap-client-0.2.6-2.2.mga4.i586
- c-icap-modules-0.2.6-2.2.mga4.i586
- c-icap-server-0.2.6-2.2.mga4.i586
- libc-icap0-0.2.6-2.2.mga4.i586

Which gave same satisfactory results. Giving the OK.

Whiteboard:
MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Validating, advisory uploaded.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0530.html

Status: NEW => RESOLVED |