| Summary: | augeas new security issue CVE-2017-7555 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, mageia, sysadmin-bugs, tarazed25, wilcal.int |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK advisory | | |
| Source RPM: | augeas-1.8.0-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2017-08-17 12:02:56 CEST
David Walser
2017-08-17 12:03:11 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO
Nicolas Lécureuil
2017-08-18 00:09:33 CEST
Version:
Cauldron =>
6

pushed in updates_testing
src.rpm:
augeas-1.8.0-1.1.mga6

pushed in mga5 too
src.rpm:
augeas-1.2.0-3.1.mga5

Assignee:
bruno =>
qa-bugs

Advisory:
========================

Updated augeas packages fix security vulnerability:

A vulnerability was discovered in augeas affecting the handling of escaped
strings. An attacker could send crafted strings that would cause the
application using augeas to copy past the end of a buffer, leading to a crash
or possible code execution (CVE-2017-7555).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7555
http://openwall.com/lists/oss-security/2017/08/17/3
========================

Updated packages in core/updates_testing:
========================
augeas-1.2.0-3.1.mga5
libaugeas-devel-1.2.0-3.1.mga5
libaugeas0-1.2.0-3.1.mga5
libfa1-1.2.0-3.1.mga5
augeas-lenses-1.2.0-3.1.mga5
augeas-1.8.0-1.1.mga6
libaugeas-devel-1.8.0-1.1.mga6
libaugeas0-1.8.0-1.1.mga6
libfa1-1.8.0-1.1.mga6
augeas-lenses-1.8.0-1.1.mga6

from SRPMS:
augeas-1.2.0-3.1.mga5.src.rpm
augeas-1.8.0-1.1.mga6.src.rpm

MGA5-32 on Asus A6000VM Xfce

No installation issues.
Available commands augtool and augparse
At CLI:
$ augtool
augtool> help
Admin commands:
help - print help
load - (re)load files under /files
and more...
augtool> print /files/etc
displays whole tree of /etc
same with
augtool> print /files/lib
$ augparse --version
augparse 1.2.0 <http://augeas.net/>
Copyright (C) 2007-2011 David Lutterkort
License LGPLv2+: GNU LGPL version 2.1 or later <http://www.gnu.org/licenses/lgpl-2.1.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David Lutterkort

OK for me.

CC:
(none) =>
herman.viaene
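The advisory above names the bug class only in general terms: an escape-sequence decoder that copies past the end of a buffer on crafted input. As an added illustration, not augeas's own code (which this page does not show) and with hypothetical function names `unescape_vulnerable` and `unescape_checked`, here is a minimal length-counted unescaper in both forms. The first trusts that every backslash is followed by another byte, so a buffer ending in a lone backslash makes it read one byte past the end and copy whatever it found; the second guards every lookahead by the remaining length and rejects malformed input instead of copying it.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the bug class in the advisory (not augeas's code):
 * decoding backslash escapes from a byte buffer of known length.  The input
 * is deliberately NOT NUL-terminated, as parser buffers often are not, so a
 * read of src[len] is a genuine out-of-bounds access. */

/* Translate the byte after a backslash; returns -1 for an unknown escape. */
static int unescape_char(unsigned char c)
{
    switch (c) {
    case 'n':  return '\n';
    case 't':  return '\t';
    case '\\': return '\\';
    case '"':  return '"';
    default:   return -1;
    }
}

/* VULNERABLE: assumes a backslash is always followed by another byte.
 * With src = "ab\" and len = 3 the loop reads src[3], one past the end,
 * and copies that byte into dst.  Kept only for contrast with the checked
 * version below; do not use it on untrusted input. */
char *unescape_vulnerable(const char *src, size_t len)
{
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '\\') {
            int c = unescape_char((unsigned char)src[i + 1]); /* no bounds check */
            dst[o++] = (c < 0) ? src[i + 1] : (char)c;
            i++;                               /* may step to len + 1 */
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return dst;
}

/* HARDENED: every lookahead is guarded by the remaining length, and a lone
 * trailing backslash or an unknown escape is rejected (NULL) instead of
 * copied, so the caller can refuse the data rather than crash.  The output
 * never grows beyond the input, so dst (len + 1 bytes) cannot overflow. */
char *unescape_checked(const char *src, size_t len)
{
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    size_t o = 0;
    size_t i = 0;
    while (i < len) {
        if (src[i] != '\\') {
            dst[o++] = src[i++];
            continue;
        }
        if (i + 1 >= len) {                    /* backslash is the last byte */
            free(dst);
            return NULL;
        }
        int c = unescape_char((unsigned char)src[i + 1]);
        if (c < 0) {                           /* unknown escape: reject */
            free(dst);
            return NULL;
        }
        dst[o++] = (char)c;
        i += 2;
    }
    dst[o] = '\0';
    return dst;
}
```

Running the vulnerable variant on a trailing-backslash input under AddressSanitizer reports the over-read immediately; the checked variant returns NULL for the same input, which is the behaviour a caller parsing untrusted configuration text should see.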
Lewis Smith
2017-08-20 10:16:58 CEST
CC:
(none) =>
lewyssmith

Following in Herman's footsteps, hoping to test this on mga6::x86_64.
I set up a sandbox as instructed and edited the /etc/hosts file under root:
$ export AUGEAS_ROOT=/tmp/augeas-sandbox
$ mkdir $AUGEAS_ROOT
$ sudo cp -pr /etc $AUGEAS_ROOT
$ sudo chown -R $(id -nu):$(id -ng) $AUGEAS_ROOT
$ augtool -b
augtool> print /file/etc/resolv.conf
augtool> set /files/etc/hosts/01/ipaddr 208.67.222.222
augtool> set /files/etc/hosts/01/canonical resolver1.opendns.com
augtool> set /files/etc/hosts/01/alias[1] dns1
augtool> save
Saved 1 file(s)
augtool> ls /files/etc/hosts/01
ipaddr = 208.67.222.222
canonical = resolver1.opendns.com
alias = dns1
augtool>
Then:
$ cd ${AUGEAS_ROOT} && diff -u ./etc/hosts ./etc/hosts.augsave
--- ./etc/hosts 2017-08-20 20:54:46.383550252 +0100
+++ ./etc/hosts.augsave 2017-08-20 20:25:44.625550460 +0100
@@ -19,4 +19,3 @@
192.168.1.10 rastaban
192.168.1.1 Arcturus
208.67.222.222 resolver1.opendns.com dns1
-208.67.222.222 resolver1.opendns.com dns1
So far so good I think.
The file /tmp/augeas-sandbox/etc/hosts.augsave contains the added information.
Replacing the target configuration file with this is done with the store command if I understand the documentation but that requires a specific "lens" to map the information in the sandbox file to the actual file.
However, I could not find a way to do this, following the manual to the letter.
Changed to user root
$ augtool
augtool> load
augtool> store Host_Conf /files/etc/hosts/01 /etc/hosts
error: No match for path expression
Source node /files/etc/hosts/01 does not exist
augtool> store Host_Conf /tmp/augeas-sandbox/etc/hosts/01 /etc/hosts
error: No match for path expression
Source node /tmp/augeas-sandbox/etc/hosts/01 does not exist
augtool> print /files/etc/hosts
/files/etc/hosts
/files/etc/hosts/#comment = "generated by drakhosts"
/files/etc/hosts/1
/files/etc/hosts/1/ipaddr = "127.0.0.1"
/files/etc/hosts/1/canonical = "localhost"
/files/etc/hosts/2
.........................
/files/etc/hosts/21
/files/etc/hosts/21/ipaddr = "208.67.222.222"
/files/etc/hosts/21/canonical = "resolver1.opendns.com"
/files/etc/hosts/21/alias = "dns1"
augtool> store Host_Conf /files/etc/hosts /etc/hosts
error: No match for path expression
Source node /files/etc/hosts has a NULL value
augtool> ls /files/etc
postfix/ = (none)
.........................
nsswitch.conf/ = (none)
hosts/ = (none)
X11/ = (none)
.........................
augtool> store Host_Conf /files/etc/hosts/21 /etc/hosts
error: No match for path expression
Source node /files/etc/hosts/21 has a NULL value
augtool> quit
$
Having to give up on this one - been at it for hours. Almost no progress.

CC:
(none) =>
tarazed25

It occurs to me that even if there is a good reason to use augtool for editing there is no point at all in using augtool for replacing the target file. Just make your own backup copy and
$ sudo cp $AUGEAS_ROOT/etc/hosts.augsave /etc/hosts
Anyway, I am done with it.

In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test: augeas augeas-lenses lib64augeas0 & lib64fa1

default install of augeas augeas-lenses lib64augeas0 lib64fa1

[root@localhost wilcal]# urpmi augeas
Package augeas-1.2.0-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi augeas-lenses
Package augeas-lenses-1.2.0-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64augeas0
Package lib64augeas0-1.2.0-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64fa1
Package lib64fa1-1.2.0-3.mga5.x86_64 is already installed

All packages installed without issue.

install augeas augeas-lenses lib64augeas0 & lib64fa1 from updates_testing

[root@localhost wilcal]# urpmi augeas
Package augeas-1.2.0-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi augeas-lenses
Package augeas-lenses-1.2.0-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64augeas0
Package lib64augeas0-1.2.0-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64fa1
Package lib64fa1-1.2.0-3.1.mga5.x86_64 is already installed

All packages installed without issue.

CC:
(none) =>
wilcal.int
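The augtool session on /etc/hosts above navigates the tree that the augeas Hosts lens builds: entries numbered 1, 2, ... in file order, each with ipaddr, canonical and alias children, plus #comment nodes for comment lines, which is why a label such as 01 matches nothing in a freshly loaded tree until set creates it. As an added example, not part of the bug report or of augeas itself, the following Python models that mapping from a constructed hosts file so the node paths used with set, ls and print can be checked offline. The function names parse_hosts and hosts_paths are assumptions, and the alias[1], alias[2] numbering for repeated labels follows the general augeas path convention rather than a case shown on the page.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input, modelled on the hosts file in the session above.
SAMPLE_HOSTS = """\
# generated by drakhosts
127.0.0.1 localhost
192.168.1.10 rastaban
208.67.222.222 resolver1.opendns.com dns1 dns-a
"""

# A node is (label, value, children); entry nodes such as "1" carry no value.
Node = Tuple[str, Optional[str], List["Node"]]


def parse_hosts(text: str) -> List[Node]:
    """Parse hosts(5) text into Hosts-lens-style nodes, in file order.

    Comment lines become '#comment' nodes holding the text after '#';
    each address line becomes a numbered entry (starting at 1) whose
    children are ipaddr, canonical and one alias node per extra name.
    """
    nodes: List[Node] = []
    entry = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            nodes.append(("#comment", line[1:].strip(), []))
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        entry += 1
        children: List[Node] = [("ipaddr", fields[0], []),
                                ("canonical", fields[1], [])]
        children += [("alias", name, []) for name in fields[2:]]
        nodes.append((str(entry), None, children))
    return nodes


def _numbered(nodes: List[Node]) -> List[Tuple[str, Node]]:
    """Suffix labels that occur more than once with [k], as augeas paths do."""
    counts = Counter(node[0] for node in nodes)
    seen: Counter = Counter()
    out: List[Tuple[str, Node]] = []
    for node in nodes:
        label = node[0]
        if counts[label] > 1:
            seen[label] += 1
            label = f"{label}[{seen[label]}]"
        out.append((label, node))
    return out


def hosts_paths(text: str, prefix: str = "/files/etc/hosts") -> Dict[str, Optional[str]]:
    """Flatten the parsed tree into path -> value, e.g.
    '/files/etc/hosts/1/ipaddr' -> '127.0.0.1'.  Entry nodes map to None."""
    paths: Dict[str, Optional[str]] = {}

    def walk(path: str, nodes: List[Node]) -> None:
        for label, (_, value, children) in _numbered(nodes):
            full = f"{path}/{label}"
            paths[full] = value
            walk(full, children)

    walk(prefix, parse_hosts(text))
    return paths


if __name__ == "__main__":
    for path, value in hosts_paths(SAMPLE_HOSTS).items():
        print(path if value is None else f'{path} = "{value}"')
```

The printed form mirrors augtool's print output in the session above; comparing it against the real tree (augtool print /files/etc/hosts inside an AUGEAS_ROOT sandbox) is a quick way to confirm a path before issuing set or store against the live file.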
William Kenney
2017-08-24 20:34:49 CEST
Whiteboard:
MGA5TOO MGA5-32-OK advisory =>
MGA5TOO MGA5-32-OK MGA5-64-OK advisory

In VirtualBox, M6, MATE, 32-bit

Package(s) under test: augeas augeas-lenses libaugeas0 & libfa1

default install of augeas augeas-lenses libaugeas0 libfa1

[root@localhost wilcal]# urpmi augeas
Package augeas-1.8.0-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi augeas-lenses
Package augeas-lenses-1.8.0-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libaugeas0
Package libaugeas0-1.8.0-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libfa1
Package libfa1-1.8.0-1.mga6.i586 is already installed

All packages installed without issue.

install augeas augeas-lenses libaugeas0 & libfa1 from updates_testing

[root@localhost wilcal]# urpmi augeas
Package augeas-1.8.0-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi augeas-lenses
Package augeas-lenses-1.8.0-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libaugeas0
Package libaugeas0-1.8.0-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libfa1
Package libfa1-1.8.0-1.1.mga6.i586 is already installed

All packages installed without issue.
William Kenney
2017-08-24 22:34:33 CEST
Whiteboard:
MGA5TOO MGA5-32-OK MGA5-64-OK advisory =>
MGA5TOO MGA5-32-OK MGA5-64-OK MGA5-32-OK advisory
William Kenney
2017-08-24 22:35:24 CEST
Whiteboard:
MGA5TOO MGA5-32-OK MGA5-64-OK MGA5-32-OK advisory =>
MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK advisory

In VirtualBox, M6, MATE, 64-bit

Package(s) under test: augeas augeas-lenses lib64augeas0 & lib64fa1

default install of augeas augeas-lenses lib64augeas0 lib64fa1

[root@localhost wilcal]# urpmi augeas
Package augeas-1.8.0-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi augeas-lenses
Package augeas-lenses-1.8.0-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64augeas0
Package lib64augeas0-1.8.0-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64fa1
Package lib64fa1-1.8.0-1.mga6.x86_64 is already installed

All packages installed without issue.

install augeas augeas-lenses lib64augeas0 & lib64fa1 from updates_testing

[root@localhost wilcal]# urpmi augeas
Package augeas-1.8.0-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi augeas-lenses
Package augeas-lenses-1.8.0-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64augeas0
Package lib64augeas0-1.8.0-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64fa1
Package lib64fa1-1.8.0-1.1.mga6.x86_64 is already installed

All packages installed without issue.
William Kenney
2017-08-24 22:47:59 CEST
Whiteboard:
MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK advisory =>
MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK advisory

This update works fine.
Testing complete for MGA5 & MGA6, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0306.html

Status:
NEW =>
RESOLVED