Bug 15931

Summary: pcs new security issue CVE-2015-1848
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Anne Nicolas <ennael1>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, mageia
Version: 4   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/644258/
Whiteboard:
Source RPM: pcs-0.9.26-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2015-05-14 01:31:40 CEST
RedHat has issued advisories on May 12:
https://rhn.redhat.com/errata/RHSA-2015-0990.html
https://rhn.redhat.com/errata/RHSA-2015-0980.html

A patch is attached to the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1208294

Comment 1 David GEIGER 2015-05-14 11:54:03 CEST
@David

I think that our pcs-0.9.26 package is not affected because it does not contain the pcsd stuff and also it does not contain the pcsd.rb file that needs to be patched for the security fix.
It is a very very old version that we have in our mga4 repo.

--------------------------------------------------
RedHat patch:

--- pcs-0.9.137/pcsd/pcsd.rb.secure_fix     2015-03-30 13:48:50.209887370-0500
+++ pcs-0.9.137/pcsd/pcsd.rb   2015-03-30 13:50:47.321660377 -0500
@@ -31,7 +31,9 @@ end
 
 use Rack::Session::Cookie,
   :expire_after => 60 * 60,
-  :secret => secret
+  :secret => secret,
+  :secure => true, # only send over HTTPS
+  :httponly => true # don't provide to javascript
 
 #use Rack::SSL
 
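Review bot: `:secure => true` in the cookie options depends on every request arriving over HTTPS, yet the context line `#use Rack::SSL` directly below stays commented out, so nothing in this file visibly enforces that. Either confirm that pcsd only listens on TLS and say so in a comment next to `:secure`, or enable the Rack::SSL middleware; otherwise a client reaching the service over plain HTTP will never send the session cookie back and login will appear to fail without explanation.
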
@@ -45,8 +47,6 @@ also_reload 'pcs.rb'
 also_reload 'auth.rb'
 also_reload 'wizard.rb'
 
-enable :sessions
-
 before do
   if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth'
     protected!
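
Review bot: the removal of `enable :sessions` has no comment explaining it, and it is the part of the fix most likely to be undone by accident. Sinatra's built-in sessions install their own cookie session middleware with default options, so re-adding that line would bring back a session cookie without the `:secure` and `:httponly` flags set in the `use Rack::Session::Cookie` block above; a one-line comment at that block saying it replaces `enable :sessions` would prevent that.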

CC: (none) => geiger.david68210

Comment 2 David Walser 2015-05-14 16:55:51 CEST
Thanks, indeed the Mageia 4 version didn't have pcsd.  Only the Cauldron version (which was dropped) did.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 3 Nicolas Lécureuil 2015-05-14 17:31:44 CEST
mga4 version was old.

btw pcs is dropped from cauldron?  if yes it should be removed from svn then.

CC: (none) => mageia
Resolution: INVALID => FIXED

Comment 4 David Walser 2015-05-14 17:49:02 CEST
Not really fixed since we didn't do anything, it was invalid for our version.  If it's reimported into Cauldron later it'll need to actually be fixed.

There are several packages in SVN that need to be moved to obsolete.  I was going to wait until after mga5 was branched just in case the maintainers wanted to bring them back again.  There was someone on the dev mailing list that had been running a script to list them, hopefully he will again to help find all the ones that need to be moved.

Resolution: FIXED => INVALID