| Summary: | apr-util new security issue CVE-2017-12618 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | herman.viaene, marja11, richard, shlomif, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | | |
| Source RPM: | apr-util-1.5.4-7.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2017-11-17 17:58:51 CET

David Walser
2017-11-17 17:58:56 CET

Whiteboard: (none) => MGA5TOO

Assigning to the registered apr-util maintainer.

CC: (none) => marja11

Hi.
Updated RPMs uploaded to updates_testing for MGA5 and MGA6.
apr-util-1.5.4-5.mga5
apr-util-1.5.4-8.mga6
Cheers,
Stig

CC: (none) => smelror

Thanks Stig-Ørjan and Shlomi. Please remember to use subrels for stable updates.

Advisory:
========================

Updated apr-util packages fix security vulnerability:

Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate
the integrity of SDBM database files used by apr_sdbm*() functions, resulting
in a possible out of bound read access. A local user with write access to the
database can make a program or process using these functions crash, and cause
a denial of service (CVE-2017-12618).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12618
http://www.apache.org/dist/apr/Announcement1.x.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3Z2STTD6D27UYP6XERSJGSCPYXEZ7KN6/
========================

Updated packages in core/updates_testing:
========================
libapr-util1_0-1.5.4-5.mga5
apr-util-dbd-ldap-1.5.4-5.mga5
apr-util-dbd-pgsql-1.5.4-5.mga5
apr-util-dbd-mysql-1.5.4-5.mga5
apr-util-dbd-sqlite3-1.5.4-5.mga5
apr-util-dbd-freetds-1.5.4-5.mga5
apr-util-dbd-odbc-1.5.4-5.mga5
apr-util-dbm-db-1.5.4-5.mga5
apr-util-openssl-1.5.4-5.mga5
apr-util-nss-1.5.4-5.mga5
libapr-util-devel-1.5.4-5.mga5
libapr-util1_0-1.5.4-8.mga6
apr-util-dbd-ldap-1.5.4-8.mga6
apr-util-dbd-pgsql-1.5.4-8.mga6
apr-util-dbd-mysql-1.5.4-8.mga6
apr-util-dbd-sqlite3-1.5.4-8.mga6
apr-util-dbd-freetds-1.5.4-8.mga6
apr-util-dbd-odbc-1.5.4-8.mga6
apr-util-dbm-db-1.5.4-8.mga6
apr-util-openssl-1.5.4-8.mga6
apr-util-nss-1.5.4-8.mga6
libapr-util-devel-1.5.4-8.mga6

from SRPMS:
apr-util-1.5.4-5.mga5.src.rpm
apr-util-1.5.4-8.mga6.src.rpm

Assignee: shlomif => qa-bugs

MGA5-64 on Lenovo B50 KDE
No installation issues.
Found apache-mod-session to be dependent on apr-util-openssl.
So as root at CLI:
# systemctl stop httpd
# strace -o /home/tester5/Documenten/aprutil.txt httpd
# systemctl stop httpd
The trace file shows:
open("/lib64/libaprutil-1.so.0", O_RDONLY|O_CLOEXEC) = 3
So seems OK.

CC: (none) => herman.viaene

Testing M6/64
Before the update, I only had lib64apr-util1_0-1.5.4-7.mga6 installed, so clearly need just that for normal Apache usage. I added all the apr-util- packages largely for 'clean update' testing.
After updating without issues all 10 pkgs to version 1.5.4-8.mga6, then stopping httpd, tried:
# strace httpd 2>&1 | grep apr
open("/lib64/libaprutil-1.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libapr-1.so.0", O_RDONLY|O_CLOEXEC) = 3
which shows the library is used; but returned to the command prompt immediately. So re-started httpd, and am using it now.
This is a very passive OK, but for want of better... Validating, doing the advisory.

Keywords: (none) => advisory, validated_update

Hi,
After a fresh installation of MGA5 with apache, the "htdigest" command (included in apache rpm) doesn't work due to the lack of the libapr-1.so.0 library.
After forcing the installation of libapr (urpmi libapr) all seems ok.

CC: (none) => richard

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0427.html

Status: NEW => RESOLVED

Ok for this update, but this doesn't solve the RPM dependency problem on MGA5 (all is ok on MGA6):
urpmi apache
1 - lib64unimrcp-deps-1.1.2-6.mga5.x86_64
2 - lib64apr-util1_0-1.5.4-5.mga5.x86_64
If you choose 1 (by default), "htdigest" can't be used.

rexy, please file a bug on unimrcp-deps, which should *not* be including this library. In the fix we will probably also have to add something to prefer.vendor.list (in meta-task) to make sure apr-util gets selected first.

Lewis Smith
2017-11-28 09:09:16 CET

CC: lewyssmith => (none)

Thx for your answer. I just filed it there: https://bugs.mageia.org/show_bug.cgi?id=18831
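The testers above confirmed with strace that httpd loads libaprutil; the complementary check is that the installed packages themselves are the patched builds. This is an added QA helper, not part of the bug report or of Mageia's tooling: it parses package NEVRs and compares them against the fixed builds the advisory names (1.5.4-5.mga5 and 1.5.4-8.mga6). The rpm -qa glob patterns and the name-version-release.disttag[.arch] layout it assumes are assumptions about an RPM-based Mageia host.

```shell
# Added QA helper (not from the bug report): tells whether an installed apr-util
# package is at or above the build carrying the CVE-2017-12618 fix for its branch.
# Fixed version-release per Mageia branch, as listed in the advisory.
fixed_release() {
    case "$1" in
        mga5) echo "1.5.4-5" ;;
        mga6) echo "1.5.4-8" ;;
        *) return 1 ;;   # branch not covered by this advisory
    esac
}

# Split "lib64apr-util1_0-1.5.4-7.mga6[.x86_64]" into $ver=1.5.4 $rel=7 $dist=mga6.
parse_nvr() {
    rel_dist=${1##*-}                      # "7.mga6.x86_64"
    ver=${1%-*}; ver=${ver##*-}            # "1.5.4"
    rel=${rel_dist%%.*}                    # "7"
    dist=${rel_dist#*.}; dist=${dist%%.*}  # "mga6" (arch suffix dropped)
}

# Compare two dotted numeric strings field by field; prints -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
    done
    echo 0
}

# Exit 0 when the package is at or above the fixed build, 1 when it predates it, 2 for an unknown branch.
is_fixed() {
    parse_nvr "$1"
    want=$(fixed_release "$dist") || return 2
    c=$(vercmp "$ver" "${want%-*}")
    [ "$c" -eq 0 ] || return $(( c < 0 ))
    [ "$(vercmp "$rel" "${want#*-}")" -ge 0 ]
}

# On an RPM host, walk the installed apr-util packages (rpm -qa takes glob
# patterns) and flag any that still predates the fixed build.
audit_installed() {
    rpm -qa 'lib*apr-util*' 'apr-util*' | while read -r pkg; do
        if is_fixed "$pkg"; then echo "OK  $pkg"; else echo "OLD $pkg"; fi
    done
}
```

Source the file on the host and run audit_installed; any line marked OLD is a package still at a pre-advisory release.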