Bug 21942

Summary: rpm new security issues CVE-2017-7500 and CVE-2017-7501
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: rpm-4.13.0.1-3.1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-10-26 18:35:41 CEST 
RPM 4.13.0.2 has been released today (October 26), fixing two security issues:
http://rpm.org/wiki/Releases/4.13.0.2

Thierry has already uploaded an updated package for Mageia 6.

Advisory:
========================

Updated rpm packages fix security vulnerabilities:
 	
It was found that rpm did not properly handle RPM installations when a
destination path was a symbolic link to a directory, possibly changing
ownership and permissions of an arbitrary directory, and RPM files being
placed in an arbitrary destination. An attacker, with write access to a
directory in which a subdirectory will be installed, could redirect that
directory to an arbitrary location and gain root privilege (CVE-2017-7500).

It was found that rpm uses temporary files with predictable names when
installing an RPM. An attacker with ability to write in a directory where
files will be installed could create symbolic links to an arbitrary location
and modify content, and possibly permissions to arbitrary files, which could
be used for denial of service or possibly privilege escalation
(CVE-2017-7501).

The rpm package has been updated to version 4.13.0.2, fixing these issues and
other bugs.  See the release announcement for details.

References:
http://rpm.org/wiki/Releases/4.13.0.2
https://bugzilla.redhat.com/show_bug.cgi?id=1450369
https://bugzilla.redhat.com/show_bug.cgi?id=1452133
========================

Updated packages in core/updates_testing:
========================
rpm-4.13.0.2-3.1.mga6
librpm7-4.13.0.2-3.1.mga6
librpmbuild7-4.13.0.2-3.1.mga6
librpm-devel-4.13.0.2-3.1.mga6
librpmsign7-4.13.0.2-3.1.mga6
rpm-build-4.13.0.2-3.1.mga6
rpm-sign-4.13.0.2-3.1.mga6
python2-rpm-4.13.0.2-3.1.mga6
python3-rpm-4.13.0.2-3.1.mga6
rpm-apidocs-4.13.0.2-3.1.mga6

from rpm-4.13.0.2-3.1.mga6.src.rpm
Comment 1 Len Lawrence 2017-10-28 16:06:30 CEST 
Mageia 6 :: x86_64

Installed any missing packages before the update then ran the update.
No problems.  Shall leave this for a few hours or a day to see that it works via urpmi.
Tried a local installation, which I expected would fail, and it did.
$ sudo rpm -i glmark2*.rpm
error: Failed dependencies:
	libGLESv2.so.2 is needed by glmark2-2012.12-2.fc20.i686
	libjpeg.so.62 is needed by glmark2-2012.12-2.fc20.i686
	libjpeg.so.62(LIBJPEG_6.2) is needed by glmark2-2012.12-2.fc20.i686
	libpng12.so.0 is needed by glmark2-2012.12-2.fc20.i686
	libpng12.so.0(PNG12_0) is needed by glmark2-2012.12-2.fc20.i686

Interrogated local packages.
$ rpm -qilp w_scan-0-0.20120605.5.mga5.x86_64.rpm
Name        : w_scan
Version     : 0
Release     : 0.20120605.5.mga5
Architecture: x86_64
Install Date: (not installed)
Group       : Video/Television
Size        : 291215
License     : GPLv2+
Signature   : RSA/SHA1, Sat 18 Oct 2014 02:05:52 BST, Key ID b742fa8b80420f66
Source RPM  : w_scan-0-0.20120605.5.mga5.src.rpm
Build Date  : Sat 18 Oct 2014 01:47:19 BST
Build Host  : valstar.mageia.org
Relocations : (not relocatable)
Packager    : umeabot <umeabot>
Vendor      : Mageia.Org
URL         : http://edafe.org/vdr/w_scan/
Summary     : Channel scan tool for DVB-T and DVB-C
Description :
w_scan is an application that greatly simplifies the task of scanning
for DVB-T, DVB-C and ATSC channel information. Winfried Köhler’s
w_scan is special because it does not require any region-specific
initial transponder data for operation. It will create configuration
files for VDR, Kaffeine and Xine.
/usr/bin/w_scan
/usr/share/doc/w_scan
/usr/share/doc/w_scan/README
/usr/share/man/man1/w_scan.1.xz
$ rpm -qpl tkimg-1.4-2.1.mga4.x86_64.rpm
/usr/lib64/libjpegtcl8.2.so
/usr/lib64/libpngtcl1.4.3.so
/usr/lib64/libtifftcl3.9.4.so
/usr/lib64/libzlibtcl1.2.5.so
/usr/lib64/tcl8.5/Img1.4
/usr/lib64/tcl8.5/Img1.4/libjpegtcl8.2.so
/usr/lib64/tcl8.5/Img1.4/libpngtcl1.4.3.so
..........
/usr/share/man/mann/img-window.n.xz
/usr/share/man/mann/img-xbm.n.xz
/usr/share/man/mann/img-xpm.n.xz
/usr/share/man/mann/img.n.xz

That all looks OK.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2017-10-28 16:09:52 CEST 
Further to comment 1:

$ sudo urpmi celestia
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  celestia                       1.6.1        18.mga6       x86_64  
  lib64gtkglext-1.0_0            1.2.0        21.mga6       x86_64  
  lib64pangox1.0_0               0.0.2        6.mga6        x86_64  
66MB of additional disk space will be used.
32MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) 
    $MIRRORLIST: media/core/release/lib64gtkglext-1.0_0-1.2.0-21.mga6.x86_64.rpm
    $MIRRORLIST: media/core/release/lib64pangox1.0_0-0.0.2-6.mga6.x86_64.rpm   
    $MIRRORLIST: media/core/release/celestia-1.6.1-18.mga6.x86_64.rpm          
installing celestia-1.6.1-18.mga6.x86_64.rpm lib64pangox1.0_0-0.0.2-6.mga6.x86_64.rpm lib64gtkglext-1.0_0-1.2.0-21.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/3: lib64pangox1.0_0      #############################################
      2/3: lib64gtkglext-1.0_0   #############################################
      3/3: celestia              #############################################

Good enough.
Len Lawrence 2017-10-28 16:10:14 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 3 Len Lawrence 2017-10-29 11:28:56 CET 
Mageia 6 for i586 in virtualbox

Installed all of the packages listed in the Description.
Downloaded a celestia RPM from a mirror using wget.
$ sudo rpm -i cherrytree-0.37.5-1.mga6.noarch.rpm
error: Failed dependencies:
	python-gtksourceview is needed by cherrytree-0.37.5-1.mga6.noarch
$ sudo urpmi python-gtksourceview
$ sudo rpm -i cherrytree-0.37.5-1.mga6.noarch.rpm
$ rpm -qilp cherrytree-0.37.5-1.mga6.noarch.rpm 
Name        : cherrytree
Version     : 0.37.5
Release     : 1.mga6
Architecture: noarch
Install Date: (not installed)
Group       : Office/Utilities
Size        : 3635891
License     : GPLv3+
...........................................

$ rpm -qlp cherrytree-0.37.5-1.mga6.noarch.rpm 
/usr/bin/cherrytree
/usr/share/appdata/cherrytree.appdata.xml
/usr/share/applications/cherrytree.desktop
/usr/share/cherrytree
/usr/share/cherrytree/glade
/usr/share/cherrytree/glade/add.png
...............................

$ sudo rpm -e cherrytree
$ sudo rpm -e python-gtksourceview

$ sudo urpmi cherrytree
Use of uninitialized value in null operation at /usr/lib/perl5/vendor_perl/5.22.2/i386-linux-thread-multi/URPM/Resolve.pm line 1847.
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  cherrytree                     0.37.5       1.mga6        noarch  
  python-gtksourceview           2.10.1       13.mga6       i586    
3MB of additional disk space will be used.
908KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) 
.......................
      1/2: python-gtksourceview  #############################################
      2/2: cherrytree            #############################################

$ urpmq -f cherrytree
cherrytree-0.37.5-1.mga6.noarch
$ urpmf -i /usr/bin/cherrytree
    $MIRRORLIST: media/core/release/media_info/20170714-192023-files.xml.lzma
cherrytree:/usr/bin/cherrytree
..........................

                                                 
    $MIRRORLIST: media/core/updates/media_info/20171027-065238-files.xml.lzma

This is OK for 32 bits.
Len Lawrence 2017-10-29 11:29:53 CET

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Lewis Smith 2017-10-29 20:18:00 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-10-30 20:24:15 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0394.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED