Bug 15194

Summary: hivex new security issue CVE-2014-9273
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/631506/
Whiteboard: has_procedure advisory mga4-64-ok mga4-32-ok
Source RPM: hivex-1.3.8-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-03 18:17:24 CET 
OpenSuSE has issued an advisory on February 2:
http://lists.opensuse.org/opensuse-updates/2015-02/msg00005.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated hivex packages fix security vulnerability:

lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary
code and gain privileges via a small hive files, which triggers an
out-of-bounds read or write (CVE-2014-9273).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9273
http://lists.opensuse.org/opensuse-updates/2015-02/msg00005.html
========================

Updated packages in core/updates_testing:
========================
hivex-1.3.8-2.1.mga4
hivex-devel-1.3.8-2.1.mga4
ocaml-hivex-1.3.8-2.1.mga4
ocaml-hivex-devel-1.3.8-2.1.mga4
perl-hivex-1.3.8-2.1.mga4
ruby-hivex-1.3.8-2.1.mga4

from hivex-1.3.8-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2015-02-11 13:04:37 CET 
Testing complete mga4 64

Found a PoC here: https://bugzilla.redhat.com/show_bug.cgi?id=1158992#c0

$ echo -n 'reg' > small
$ valgrind hivexsh -w small
==24244== Memcheck, a memory error detector
==24244== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24244== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==24244== Command: hivexsh -w small
==24244== 
==24244== Invalid read of size 1
==24244==    at 0x4E31EF9: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==24244==    by 0x4034C8: ??? (in /usr/bin/hivexsh)
==24244==    by 0x401B27: ??? (in /usr/bin/hivexsh)
==24244==    by 0x52AAC84: (below main) (in /usr/lib64/libc-2.18.so)
==24244==  Address 0x5ca8ac3 is 0 bytes after a block of size 3 alloc'd
==24244==    at 0x4C266ED: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24244==    by 0x4E31E94: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==24244==    by 0x4034C8: ??? (in /usr/bin/hivexsh)
==24244==    by 0x401B27: ??? (in /usr/bin/hivexsh)
==24244==    by 0x52AAC84: (below main) (in /usr/lib64/libc-2.18.so)
==24244== 
hivexsh: failed to open hive file: small: Invalid argument
...etc


After
-----
$ valgrind hivexsh -w small
==25627== Memcheck, a memory error detector
==25627== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25627== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==25627== Command: hivexsh -w small
==25627== 
hivexsh: failed to open hive file: small: Invalid argument
...etc

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 2 claire robinson 2015-02-11 13:09:39 CET 
Mis-copy/paste. First one actually finishes with..
hivexsh: failed to open hive file: small: Operation not supported
Comment 3 claire robinson 2015-02-11 13:12:52 CET 
Advisory uploaded.

Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok

Comment 4 David Walser 2015-02-11 13:47:44 CET 
Same results as Claire got in Comment 1 on Mageia 4 i586.

Validating now.  Please push to core/updates.  Thanks.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-02-11 21:48:41 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0060.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED