| Summary: | abrt new security issues (CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3147, CVE-2015-3150, CVE-2015-3151, CVE-2015-3159) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Shlomi Fish <shlomif> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | mageia |
| Version: | 4 | | |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/647748/ | | |
| Whiteboard: | | | |
| Source RPM: | abrt-2.2.2-6.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-04-15 18:23:31 CEST
David Walser
2015-04-15 18:23:39 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

This has been assigned CVE-2015-3315:
http://openwall.com/lists/oss-security/2015/04/16/12

Summary: abrt new security issues => abrt new security issues (CVE-2015-3315)

More details on abrt issues (including links to RedHat bugs):
http://openwall.com/lists/oss-security/2015/04/17/5

Additional CVEs have been assigned:
CVE-2015-3142 CVE-2015-1869 CVE-2015-1870 CVE-2015-3147

Summary: abrt new security issues (CVE-2015-3315) => abrt new security issues (CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3147)

Sander Lepik
2015-04-18 21:54:17 CEST
CC: (none) => mageia

More links and info about the abrt issues:
http://openwall.com/lists/oss-security/2015/04/23/26

CVE-2015-3150 and CVE-2015-3151 have been assigned to two of the issues.

Summary: abrt new security issues (CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3147) => abrt new security issues (CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3147, CVE-2015-3150, CVE-2015-3151)

An additional issue, CVE-2015-3159, was identified:
http://openwall.com/lists/oss-security/2015/05/05/10

Proposed fixes for all of the issues are now available.

Summary: abrt new security issues (CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3147, CVE-2015-3150, CVE-2015-3151) => abrt new security issues (CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3147, CVE-2015-3150, CVE-2015-3151, CVE-2015-3159)

OK, an update on my progress. The patches in the pull request do not apply cleanly against the version of abrt in our repository (And they seem to be against a non-released GitHub branch). Backporting them seems like a huge chore. I don't know what to do.

Yeah I thought that might be an issue. Probably at least we'll have to wait for Fedora to issue some updates and see what they do. We might end up just having to update it to a newer version(s).

Any progress? It's on its 4th warning now..

(In reply to Sander Lepik from comment #8)
> Any progress? It's on its 4th warning now..

Are there any new releases with the fixes? It would be hard to progress without them.

Looking at Red Hat's bug report it doesn't seem that many changes to apply them manually.

A more important question. Are we even using this package or do we need it?

(In reply to Sander Lepik from comment #10)
> A more important question. Are we even using this package or do we need it?

Unless there's time to drop it from Mageia 5 still (I don't think there is), that's not really a more important question. If anyone is running this service they're vulnerable to trivial local privilege escalation, so we need to fix it.

(In reply to Shlomi Fish from comment #9)
> (In reply to Sander Lepik from comment #8)
> > Any progress? It's on its 4th warning now..
>
> Are there any new releases with the fixes? It would be hard to progress
> without them.

There aren't yet, and I agree. These issues are serious, but vetted fixes are not yet available AFAIK.

RedHat has issued an advisory for this on June 9:
https://rhn.redhat.com/errata/RHSA-2015-1083.html

URL: (none) => http://lwn.net/Vulnerabilities/647748/

Dropped from Cauldron before the Mageia 5 release.

Version: Cauldron => 4

Fedora has issued an advisory for this for Fedora 21, their oldest supported version:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/161247.html

RedHat has issued an advisory for this today (July 7):
https://rhn.redhat.com/errata/RHSA-2015-1210.html

As that's a slightly older 2.0 release of abrt than we have in Mageia 4, maybe the patches they used there would work for us.

With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 5. Closing this as OLD.

Status: ASSIGNED => RESOLVED