Bug 19479

Summary: openslp new security issue CVE-2016-7567
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, mageia, mhrambo3501, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/704249/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: openslp-2.0.0-5.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-09-28 13:59:51 CEST 
A CVE has been assigned for an issue fixed upstream in openslp:
http://openwall.com/lists/oss-security/2016/09/28/1

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated openslp packages fix security vulnerability:

A memory corruption bug was present in openslp due to lack of bounds checking
in SLPFoldWhiteSpace() (CVE-2016-7567).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7567
http://openwall.com/lists/oss-security/2016/09/27/4
========================

Updated packages in core/updates_testing:
========================
openslp-2.0.0-5.2.mga5
libslp1-2.0.0-5.2.mga5
libslp-devel-2.0.0-5.2.mga5

from openslp-2.0.0-5.2.mga5.src.rpm
Lewis Smith 2016-10-10 21:02:33 CEST

CC: (none) => davidwhodgins, lewyssmith

Comment 1 Lewis Smith 2016-10-10 21:06:40 CEST 
Dave (W Hodgins)
As with a previous bug https://bugs.mageia.org/show_bug.cgi?id=18600#c2, you seem our sole competent person on openslp, and seemed to be able to test it relatively easily. Are you able to try this update?
As before, I added you to the CC list in hope. TIA
Nicolas Lécureuil 2016-10-12 11:21:23 CEST

CC: (none) => mageia
Whiteboard: (none) => advisory

Comment 2 Mike Rambo 2016-10-19 13:32:55 CEST 
Using the process at https://bugs.mageia.org/show_bug.cgi?id=18600#c2 on mga5 x86_64 and cauldron x86_64 machines.

[mrambo@rambobox ~]$ sudo urpmi openslp
[mrambo@rambobox ~]$ rpm -qa | grep openslp
openslp-2.0.0-5.1.mga5
[mrambo@rambobox ~]$ sudo systemctl start slpd
[mrambo@rambobox ~]$ slptool findsrvs service:service-agent
service:service-agent://192.168.3.23,65535
service:service-agent://192.168.3.83,65535
[mrambo@rambobox ~]$ sudo systemctl stop slpd

Enabled updates-testing repo.

[mrambo@rambobox ~]$ sudo urpmi openslp
[mrambo@rambobox ~]$ rpm -qa | grep openslp
openslp-2.0.0-5.2.mga5
[mrambo@rambobox ~]$ slptool findsrvs service:service-agent
service:service-agent://192.168.3.23,65535
service:service-agent://192.168.3.83,65535

Results are the same with the update installed and were similar from the other end on the cauldron machine. This only validates mga5 x86_64 as I don't have a 32 bit installation available at present but x86_64 looks good to me.

CC: (none) => mrambo
Whiteboard: advisory => advisory MGA5-64-OK

Comment 3 David Walser 2016-10-19 13:42:18 CEST 
Mike, you have to be careful with testing updates like this with multiple subpackages and especially libraries.  It looks like you only updated openslp, but not lib64slp1.

Rather than using urpmi (which will mess up orphan tracking if you manually urpmi the libs), if you edit /etc/urpmi/urpmi.cfg and mark updates_testing as an update medium, you can use MageiaUpdate to install updated packages from updates_testing, so you can be sure you've selected the right ones without messing up orphan tracking.
Comment 4 Mike Rambo 2016-10-19 14:32:55 CEST 
Re-ran the test using the process at https://bugs.mageia.org/show_bug.cgi?id=18600#c2 on mga5 x86_64 and cauldron x86_64 machines.

[mrambo@rambobox ~]$ sudo urpmi openslp
[mrambo@rambobox ~]$ rpm -qa | grep slp
openslp-2.0.0-5.1.mga5
lib64slp1-2.0.0-5.1.mga5
[mrambo@rambobox ~]$ sudo systemctl start slpd
[mrambo@rambobox ~]$ slptool findsrvs service:service-agent
service:service-agent://192.168.3.23,65535
service:service-agent://192.168.3.83,65535
[mrambo@rambobox ~]$ sudo systemctl stop slpd

Enabled updates-testing repo and specifically installed both parts since there are only two.

[mrambo@rambobox ~]$ sudo urpmi openslp lib64slp1
[mrambo@rambobox ~]$ rpm -qa | grep openslp
openslp-2.0.0-5.2.mga5
lib64slp1-2.0.0-5.2.mga5
[mrambo@rambobox ~]$ slptool findsrvs service:service-agent
service:service-agent://192.168.3.23,65535
service:service-agent://192.168.3.83,65535

Found that the results were the same. The package and the library both look good on mga5 x86_64. Sorry for the mistake.
Comment 5 Dave Hodgins 2016-10-21 00:14:18 CEST 
Repeated tests from https://bugs.mageia.org/show_bug.cgi?id=18600#c2
with same good results. Validating the update.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-10-21 00:35:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0348.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-10-21 18:17:19 CEST

URL: (none) => http://lwn.net/Vulnerabilities/704249/