Bug 23380

Summary: libcgroup new security issue CVE-2018-14348
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, arusekk, davidwhodgins, herman.viaene, lists.jjorge, marja11, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: libcgroup-0.41-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-08-02 17:39:22 CEST 
SUSE has issued an advisory on July 30:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004358.html
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004359.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-02 17:39:33 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-02 18:34:22 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Comment 2 David Walser 2018-08-08 15:00:38 CEST 
openSUSE has issued an advisory for this on August 7:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00044.html
Comment 3 David Walser 2018-08-08 20:19:56 CEST 
Fedora has issued an advisory for this today (August 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3VH333EONOEEGKOLHHFXCJYHCYMHJ4KK/
Comment 4 Arusekk K 2018-08-31 15:26:12 CEST 
The latest build fixes this issue with the following patch taken from Fedora (August 30):
https://svnweb.mageia.org/packages/cauldron/libcgroup/current/SOURCES/libcgroup-0.41-fedora-CVE-2018-14348.patch?revision=1255790&view=markup

CC: (none) => arusekk

José Jorge 2018-09-08 12:22:21 CEST

CC: (none) => lists.jjorge
Assignee: lists.jjorge => qa-bugs
Version: Cauldron => 6

Comment 5 José Jorge 2018-09-08 12:23:00 CEST 
I have submitted Arusekk work to Mageia 6 Updates Testing.

Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)

Comment 6 David Walser 2018-09-08 12:53:39 CEST 
Advisory:
========================

Updated libcgroup packages fix security vulnerability:

The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates log
files (/var/log/cgred) with world readable and writable permissions (0o666) due
to a reset of the file mode creation mask (umask(0)) in the
daemon/cgrulesengd.c:cgre_start_daemon() function (CVE-2018-14348).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14348
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3VH333EONOEEGKOLHHFXCJYHCYMHJ4KK/
========================

Updated packages in core/updates_testing:
========================
cgroup-0.41-1.1.mga6
pam_cgroup-0.41-1.1.mga6
libcgroup1-0.41-1.1.mga6
libcgroup-devel-0.41-1.1.mga6

from libcgroup-0.41-1.1.mga6.src.rpm
Comment 7 Herman Viaene 2018-09-14 15:20:47 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
MCC tells me  "The tools to manipulate, control, administrate and monitor control groups and the associated controllers."
Tried display commands
$ lscgroup 
net_cls:/
cpu,cpuacct:/
devices:/
devices:/user.slice
devices:/init.scope
devices:/system.slice
devices:/system.slice/var-lib-nfs-rpc_pipefs.mount
devices:/system.slice/sys-kernel-debug.mount
devices:/system.slice/tmp.mount
devices:/system.slice/alsa-state.service
and a load more
$ lssubsys 
cpuset
cpu,cpuacct
blkio
devices
freezer
net_cls

Looks sensible without studying all about it.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 8 Len Lawrence 2018-09-19 12:12:47 CEST 
Mageia 6, x86_64

Started the cgred service successfully then tried some of the  commands from the man pages hoping to trigger logging for cgred (working entirely in the dark here) with a view to checking permissions on the log files before updating (CVE-2018-14348).  Like Herman - no wish to undertake a course of study.

# modprobe cls_cgroup
# mkdir /sys/fs/cgroup/net_cls
mkdir: cannot create directory ‘/sys/fs/cgroup/net_cls’: File exists
# mount -t cgroup -onet_cls net_cls /sys/fs/cgroup/net_cls
mount: net_cls is already mounted or /sys/fs/cgroup/net_cls busy
# mkdir /sys/fs/cgroup/net_cls/foobar
mkdir: cannot create directory ‘/sys/fs/cgroup/net_cls/foobar’: File exists
# echo 0x10002 > /sys/fs/cgroup/net_cls/foobar/net_cls.classid

No cgred directory appears under /var/log so cannot check permissions.

Updated the four packages.

lscgroup and lssubsys returned the same sort of information which Herman saw, comment #7.

CC: (none) => tarazed25
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 9 Thomas Andrews 2018-09-19 14:06:34 CEST 
Looks OK to me, as far as I can tell. Validating. Suggested advisory in Comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 16:47:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2018-09-21 18:27:36 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0380.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED