| Summary: | iniparser new security issue rhbz#1545824 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, arusekk, brtians1, geiger.david68210, lewyssmith, lists.jjorge, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK MGA6-32-OK | | |
| Source RPM: | iniparser-3.1-7.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | The example program I found | | |
|
Description
David Walser
2018-09-11 23:28:29 CEST
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable. Note that, after council's decision last night, this cannot be fixed in Mga5.

Assignee: bugsquad => pkg-bugs

My padawan arek is working on it.

Status: NEW => ASSIGNED

For an update in a release distro you should use "%define subrel" and not bump the rel.

(In reply to David GEIGER from comment #3)
> for an update in a release distro you should use "%define subrel" and not
> bump the rel.

Not in the case cauldron has a higher version of the software, as for here.

Advisory:
========================

Updated iniparser packages fix security vulnerability:

A flaw was found in iniparser versions prior to 4.1. A stack buffer underflow in the function iniparser_load() in the iniparser.c file can be triggered by parsing a file that contains a zero byte. This vulnerability may allow an attacker to cause a Denial of Service (DoS).

References:
https://github.com/ndevilla/iniparser/issues/68
https://bugzilla.redhat.com/show_bug.cgi?id=1545824
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JM5SZJJT2YKW6NSUEDTA7J4RSLYWP37D/
========================

Updated packages in core/updates_testing:
========================
iniparser-3.1-8.mga6
libiniparser0-3.1-8.mga6
libiniparser-devel-3.1-8.mga6

from iniparser-3.1-8.mga6.src.rpm

CC: (none) => arusekk

(In reply to José Jorge from comment #4)
> (In reply to David GEIGER from comment #3)
> > for an update in a release distro you should use "%define subrel" and not
> > bump the rel.
>
> Not in the case cauldron has a higher version of the software, as for here.

Incorrect. You should use a subrel and not bump the rel, even in that case.

This never got assigned to QA. Advisory and package list in Comment 5.

Assignee: lists.jjorge => qa-bugs

$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 2 packages are going to be installed:
- lib64iniparser-devel-3.1-8.mga6.x86_64
- lib64iniparser0-3.1-8.mga6.x86_64

-----------------------------

- I installed gcc
- found an example program that calls iniparser (see attached).

Compile and link via this command:
$ gcc iniexample.c -lm /usr/lib64/libiniparser.so.0 -o iniexamp

Execute the program by:
$ ./iniexamp

By default the program produces a file called example.ini. You can cat the file by:
$ cat example.ini

I also tried it against an empty file:
$ touch empty.ini
$ ./iniexamp empty.ini

It processes the empty file.

I tried echoing null to the file (need some input here on echoing null):
$ echo $'\0' > empty.ini

Ran the program again - no issues.

The library works.

Whiteboard: (none) => MGA6_64_OK

Created attachment 10447 [details]
The example program I found

I found the example at: https://github.com/ndevilla/iniparser/blob/master/example/iniexample.c
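Added example, not the page's or upstream iniparser's code: the advisory above names only the symptom (a stack buffer underflow in iniparser_load() on a file containing a zero byte), so the mechanism shown here is an assumption, namely a trailing-whitespace trimmer that computes strlen(line) - 1 and therefore indexes line[-1] when fgets() hands it a line whose first byte is NUL. The hardened trimmer below cannot step in front of its buffer, and the constructed reproducer writes a zero-byte file like the one QA fed the library and parses it with that trimmer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define LINESZ 1024   /* fixed-size stack line buffer, as in a fgets() loop */

/* Strip trailing whitespace in place and return the remaining length.
 * Assumed mechanism of the advisory's underflow: a trimmer written as
 *     len = strlen(line) - 1; while (isspace(line[len])) line[len--] = 0;
 * indexes line[-1] when the buffer starts with a zero byte (strlen == 0),
 * reading before the stack buffer. An unsigned index checked before every
 * access cannot step in front of the buffer. */
size_t trim_trailing(char *line)
{
    size_t len = strlen(line);         /* 0 for an empty or NUL-leading line */
    while (len > 0 && isspace((unsigned char)line[len - 1]))
        line[--len] = '\0';
    return len;
}

/* Trim a copy, for callers holding a const string (and for tests). */
size_t trimmed_len(const char *s)
{
    char buf[LINESZ];
    snprintf(buf, sizeof buf, "%s", s);
    return trim_trailing(buf);
}

/* Constructed reproducer: write the kind of input QA fed the library (a file
 * containing a zero byte) and read it back line by line as an ini loader
 * does. fgets() copies an embedded NUL but stops only at '\n', so that line
 * looks empty to strlen(). Returns the non-blank line count, -1 on I/O error. */
int repro_zero_byte_file(const char *path)
{
    char line[LINESZ];
    int count = 0;
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return -1;
    fputs("[pizza]\nham = yes\n", fp);
    fputc('\0', fp);                   /* the zero byte the advisory describes */
    fputc('\n', fp);
    fclose(fp);
    if ((fp = fopen(path, "r")) == NULL)
        return -1;
    while (fgets(line, sizeof line, fp) != NULL)
        if (trim_trailing(line) > 0)   /* safe on the NUL-leading line */
            count++;
    fclose(fp);
    return count;
}
```

The zero-byte line is counted as blank rather than dereferenced at index -1, which is the behaviour a fixed loader must show on the QA input above.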
Brian Rockwell
2018-11-03 16:16:16 CET

Whiteboard: MGA6_64_OK => MGA6-64-OK

The following 2 packages are going to be installed:
- libiniparser-devel-3.1-8.mga6.i586
- libiniparser0-3.1-8.mga6.i586

37KB of additional disk space will be used.
26KB of packages will be retrieved.
Is it ok to continue?

------------

Compiled:
$ gcc iniexample.c -lm /usr/lib/libiniparser.so.0 -o iniexamp

Executed:
[brian@localhost ~]$ ./iniexamp
[pizza]=UNDEF
[pizza:ham]=[yes]
[pizza:mushrooms]=[TRUE]
[pizza:capres]=[0]
[pizza:cheese]=[Non]
[wine]=UNDEF
[wine:grape]=[Cabernet Sauvignon]
[wine:year]=[1989]
[wine:country]=[Spain]
[wine:alcohol]=[12.5]
Pizza:
Ham: [1]
Mushrooms: [1]
Capres: [0]
Cheese: [0]
Wine:
Grape: [Cabernet Sauvignon]
Year: [1989]
Country: [Spain]
Alcohol: [12.5]

Working in 32-bit.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

I prefer sausage and pepperoni on my pizza, but we'll let that one go. Validating. Advisory in Comment 5.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0440.html

Status: ASSIGNED => RESOLVED