| Summary: | cpio new security issue CVE-2014-9112 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/626452/ | ||
| Whiteboard: | has_procedure MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | cpio-2.11-6.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-12-09 18:58:54 CET
I am lined up to test this on MGA4 x64 - when I can see the update in Updates Testing.

CC: (none) => lewyssmith

Testing MGA4 x64

Useful links: http://www.openwall.com/lists/oss-security/2014/11/26/20 -> http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio, the latter being the sample cpio archive [download it]. The cpio man page is minimal, and if you want to avoid wrestling with 'info', http://www.gnu.org/software/cpio/manual/cpio.html is a much nicer explanation of it all.

In the same directory as the downloaded archive file:-

Before the update (the last 2 commands are equivalent):-

```
$ cpio -t -F lesspipe-cpio-bad-write.cpio
hello
cpio: premature end of file
$ cpio -idv < lesspipe-cpio-bad-write.cpio
Segmentation fault
$ cpio -idv -F lesspipe-cpio-bad-write.cpio
Segmentation fault
```

Updated from Updates Testing to cpio-2.11-6.1.mga4:-

```
$ cpio -t -F lesspipe-cpio-bad-write.cpio
hello
cpio: premature end of file
$ cpio -idv < lesspipe-cpio-bad-write.cpio
cpio: premature end of file
$ cpio -idv -F lesspipe-cpio-bad-write.cpio
cpio: premature end of file
```

I take it this is 'OK'.

Whiteboard: (none) => MGA4-64-OK

Yep, nice job Lewis.

Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK

On Mageia 4 i586 I still get the segfault... I tested Fedora's update candidate on Fedora 20 and I actually didn't get the segfault before installing the update, but I do after (also testing i686). I've reported this in their QA thing and their Bugzilla. Hopefully they'll see it.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK feedback

Cool, RedHat's packager reported it upstream and they committed additional fixes. I have confirmed that it doesn't crash with the PoC with a local build. Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cpio package fixes security vulnerability:

Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive (CVE-2014-9112).

Additionally, a null pointer dereference in the copyin_link function which could cause a denial of service has also been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9112
https://bugzilla.redhat.com/show_bug.cgi?id=1167571
========================

Updated packages in core/updates_testing:
========================
cpio-2.11-6.2.mga4

from cpio-2.11-6.2.mga4.src.rpm

Whiteboard: has_procedure MGA4-64-OK feedback => has_procedure
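As an added illustration (not code from this bug or from GNU cpio), the reader below shows the defensive pattern the advisory describes: every stored length field is validated against the buffer before it is used, and a bogus field produces the "stored filename length is out of range" or "premature end of file" diagnostic rather than an out-of-bounds write. It assumes the SVR4 "newc" cpio layout (the format of the PoC archive is not stated in the bug), a 4096-byte name cap, and constructed sample archives.

```python
# Added example, not from the bug report or GNU cpio. Assumes the SVR4 "newc"
# layout, a 4096-byte name cap, and constructed sample archives.
NEWC_MAGIC = b"070701"
HDR_LEN = 110     # 6-byte magic + 13 fields of 8 ASCII hex digits
MAX_NAME = 4096   # assumed sane upper bound for c_namesize

def _pad4(n):
    return (n + 3) & ~3

def build_newc(entries):
    """Build a minimal newc archive from (name, data) pairs (constructed sample)."""
    out = bytearray()
    for name, data in list(entries) + [(b"TRAILER!!!", b"")]:
        # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
        fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        head = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name + b"\0"
        out += head + b"\0" * (_pad4(len(head)) - len(head))   # header+name padded to 4
        out += data + b"\0" * (_pad4(len(data)) - len(data))   # data padded to 4
    return bytes(out)

def list_newc(buf):
    """Return member names, validating each stored length before it is used."""
    names, pos = [], 0
    while True:
        hdr = buf[pos:pos + HDR_LEN]
        if len(hdr) < HDR_LEN:
            raise ValueError("premature end of file")
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad magic at offset %d" % pos)
        filesize = int(hdr[54:62], 16)
        namesize = int(hdr[94:102], 16)  # counts the trailing NUL
        # Reject a hostile namesize here rather than feeding it to an allocation/copy.
        if namesize == 0 or namesize > MAX_NAME:
            raise ValueError("stored filename length is out of range")
        name_end = pos + HDR_LEN + namesize
        data_start = _pad4(name_end)
        if name_end > len(buf) or data_start + filesize > len(buf):
            raise ValueError("premature end of file")
        name = buf[pos + HDR_LEN:name_end - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return names
        names.append(name)
        pos = _pad4(data_start + filesize)

def check_archive(buf):  # ('ok', names) for a sound archive, ('error', message) otherwise
    try:
        return ("ok", list_newc(buf))
    except ValueError as err:
        return ("error", str(err))
```

Overwriting the first header's c_namesize with ffffffff, as the test below does, is the kind of field the unpatched cpio trusted; the checked reader refuses it before any copy happens.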
Tested successfully with the mga4 update on i586:

```
$ cpio -idv < lesspipe-cpio-bad-write.cpio
cpio: hello: stored filename length is out of range
hello
cpio: warning: skipped 6 bytes of junk
1 block
```

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Tested cpio-2.11-6.2.mga4 on mga4 x86_64
Test procedure by Lewis cf comment 2
Downloaded specimen archive

```
[lcl@altair ~/downloads]$ cpio -t -F lesspipe-cpio-bad-write.cpio
hello
cpio: premature end of file
[lcl@altair ~/downloads]$ cpio -idv < lesspipe-cpio-bad-write.cpio
cpio: premature end of file
[lcl@altair ~/downloads]$ cpio -idv -F lesspipe-cpio-bad-write.cpio
cpio: premature end of file
```

CC: (none) => tarazed25

Len Lawrence
2014-12-12 01:43:55 CET

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

mga4 on virtualbox i586
Testing the update confirms David's result in comment 7. The other form of the command also agrees:

```
[lcl@localhost ~]$ cpio -idv -F lesspipe-cpio-bad-write.cpio
cpio: hello: stored filename length is out of range
hello
cpio: warning: skipped 6 bytes of junk
1 block
```

Any explanation for the difference from x86_64?

(In reply to Len Lawrence from comment #9)
> Any explanation for the difference from x86_64?

Yes, upstream knows that the output messages are different on different architectures. The important thing is that it doesn't segfault anymore.

Advisory uploaded, validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0528.html

Status: NEW => RESOLVED

David Walser
2014-12-15 21:15:24 CET

URL: (none) => http://lwn.net/Vulnerabilities/626452/