| Summary: | units new security issue rhbz#1598913 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | herman.viaene, jani.valimaa, lewyssmith, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | units-2.16-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser
2018-08-16 20:00:53 CEST

Assigning to the registered maintainer.

Assignee: bugsquad => jani.valimaa

Issue fixed upstream in 2.18, uploaded by Jani in Cauldron.

Version: Cauldron => 6

Advisory:
========================

Updated units package fixes security vulnerability:

A flaw was found in units. units_cur doesn't sanitize downloaded data. This allows a maliciously intended server to execute arbitrary code remotely on the client (rhbz#1598913).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NGM5T2F2STAUWF76LMEA7NCLE3STBAQI/
========================

Updated packages in core/updates_testing:
========================
units-2.18-1.mga6

from units-2.18-1.mga6.src.rpm

CC: (none) => jani.valimaa

I got a bogus e-mail from the build system:

The upload of the following packages failed:
- units-2.18-1.mga6.i586.rpm
- units-debuginfo-2.18-1.mga6.i586.rpm
- units-2.18-1.mga6.x86_64.rpm
- units-debuginfo-2.18-1.mga6.x86_64.rpm

Upload log available in http://pkgsubmit.mageia.org/uploads/rejected//6/core/updates_testing/20190101213908.luigiwalser.duvel.2390.youri

CC: (none) => sysadmin-bugs

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues:
At CLI:
```
$ units
Currency exchange rates from FloatRates (USD base) on 2018-10-20
3070 units, 109 prefixes, 109 nonlinear units
You have: 1000€
You want: USD
	* 1146.8274
	/ 0.0008719708
You have: 1000€
You want: AUD
	* 1609.6068
	/ 0.00062126973
You have: 90deg
You want: rad
conformability error
	1.5707963 radian
	0.01 m^2 / s^2
```
Seems OK, but
```
$ units_cur
Traceback (most recent call last):
  File "/usr/bin/units_cur", line 57, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 60, in <module>
    from .packages.urllib3.exceptions import DependencyWarning
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 29, in <module>
    import urllib3
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 8, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 4, in <module>
    from .request import make_headers
  File "/usr/lib/python2.7/site-packages/urllib3/util/request.py", line 5, in <module>
    from ..exceptions import UnrewindableBodyError
ImportError: cannot import name UnrewindableBodyError
```
Checked older version 2.14 on another PC. The units_cur command also fails there with another traceback, so the update can go for me.

Whiteboard: (none) => MGA6-32-OK

Testing M6/64
Just 'units_cur' because of Herman's finds, and the fact that the bug refers specifically to that. From the man page:

"To update the exchange rates, run 'units_cur', which rewrites the file containing the currency rates, typically '/var/lib/units/currency.units' or '/usr/local/com/units/currency.units' on a Unix-like system".
BEFORE update: units-2.14-1.mga6

```
$ units_cur
Traceback (most recent call last):
  File "/usr/bin/units_cur", line 40, in <module>
    currencies = ET.parse(urllib.urlopen('http://rss.timegenie.com/forex.xml')).findall('data')
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1182, in parse
    tree.parse(source, parser)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 657, in parse
    self._root = parser.close()
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1671, in close
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1523, in _raiseerror
    raise err
xml.etree.ElementTree.ParseError: no element found: line 1, column 0
```
AFTER update: units-2.18-1.mga6

```
# units_cur
#
```

Note the need to be root, or you get:

```
Unable to write to output file:
[Errno 13] Permission denied: '/var/lib/units/currency.units'
```

This is definitely an improvement, so seconding Herman's OK.
Validating & advisoried.

CC: (none) => lewyssmith

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0007.html

Status: NEW => RESOLVED
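The advisory in the description says that units_cur wrote data downloaded from the rate server into the currency file without sanitizing it, so a server could put whatever it liked into a file that units later reads. The block below is an added illustration of the defensive pattern such a fix implies; it is not code from the units project, from units_cur, or from this bug report. Every field coming from the server is treated as untrusted, only values matching a strict allowlist are accepted, each rejection is recorded with a reason, and the result is written atomically. The JSON feed shape, the output line layout (`CODE  rate US$`), the function names and all sample values are assumptions made for this example; the real feed and file formats used by units_cur are not assumed here. It is written for Python 3, unlike the Python 2.7 tracebacks in the comments above.

```python
"""Sanitize currency data from an untrusted rate server before writing a units file.

Added illustration for the units_cur issue (rhbz#1598913); not code from the
units project. The feed layout (a JSON object of code -> rate) and the output
line layout ("CODE  rate US$") are assumptions made for the example.
"""
import json
import math
import os
import re
import tempfile

# Allowlists: an ISO-4217-style three-letter code and a plain positive decimal.
# They are applied with re.fullmatch rather than re.match plus '$', because
# '$' also matches just before a trailing newline and would let "GBP\n" pass.
CODE_RE = re.compile(r"[A-Z]{3}")
RATE_RE = re.compile(r"[0-9]+(?:\.[0-9]+)?")

# Constructed sample response. The last four entries are deliberately malformed
# to exercise every rejection branch.
SAMPLE_FEED = json.dumps({
    "EUR": "1.1468274",
    "AUD": "0.71245",
    "GBP\nextra line": "1.29",   # a newline would smuggle a second line into the file
    "JPY": "1e-2",               # not a plain decimal
    "XXX": "-5",                 # negative rate (fails the decimal pattern)
    "CHF": "0",                  # well-formed but not positive
})


def parse_feed(raw):
    """Decode the server response into a dict of candidate code -> rate string.

    Only the structure is checked here; content validation happens in
    sanitize_rates so that every rejection is recorded with a reason.
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("feed is not a JSON object")
    return {str(code): str(rate) for code, rate in data.items()}


def sanitize_rates(candidates):
    """Split candidates into accepted {code: rate} and rejected [(code, rate, reason)].

    The accepted rate is kept as the validated string, so the file receives
    exactly the digits that passed the pattern and nothing reformatted.
    """
    accepted, rejected = {}, []
    for code, rate in candidates.items():
        if not CODE_RE.fullmatch(code):
            rejected.append((code, rate, "code is not three uppercase letters"))
            continue
        if not RATE_RE.fullmatch(rate):
            rejected.append((code, rate, "rate is not a plain decimal"))
            continue
        value = float(rate)
        if not (math.isfinite(value) and value > 0):
            rejected.append((code, rate, "rate is not positive"))
            continue
        accepted[code] = rate
    return accepted, rejected


def render_units_file(accepted, source_note="constructed example feed"):
    """Build the file body from accepted entries only.

    Every data line has the assumed form 'CODE  rate US$'. The header note is a
    local constant, not something taken from the feed, so it needs no filtering.
    """
    lines = ["# Currency exchange rates from %s" % source_note]
    for code in sorted(accepted):
        lines.append("%s  %s US$" % (code, accepted[code]))
    return "\n".join(lines) + "\n"


def write_atomically(path, text):
    """Write text next to path and rename it into place, so a failed or partial
    run never leaves a truncated currency file behind. Returns bytes written."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".currency.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return len(text.encode())


if __name__ == "__main__":
    ok, bad = sanitize_rates(parse_feed(SAMPLE_FEED))
    for code, rate, reason in bad:
        print("rejected %r=%r: %s" % (code, rate, reason))
    print(render_units_file(ok), end="")
```

Running the block prints the four rejected sample entries with their reasons and then the two-line file body that would be written. The point worth keeping from this pattern is that the server never gets to choose what characters reach the file: the writer emits only values that already passed a whole-string allowlist, and a temporary-file-plus-rename write means a download that fails halfway leaves the previous currency file untouched.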