| Summary: | mgetty new security issues CVE-2018-1674[1-5] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, cjw, geiger.david68210, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | mgetty-1.1.37-3.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2018-09-12 20:56:28 CEST
Mageia 5 and Mageia 6 are also affected.

Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing a committer.

CC: (none) => cjw, marja11

openSUSE has issued an advisory on September 28:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00176.html

It fixes this, and 4 more, issues.

Summary: mgetty new security issue CVE-2018-16741 => mgetty new security issues CVE-2018-1674[1-5]

Done for Cauldron and mga6!

CC: (none) => geiger.david68210

Advisory:
========================

Updated mgetty packages fix security vulnerability:

The function do_activate() did not properly sanitize shell metacharacters to prevent command injection (CVE-2018-16741).

A stack-based buffer overflow could have been triggered via a command-line parameter (CVE-2018-16742).

The command-line parameter username was passed unsanitized to strcpy(), which could have caused a stack-based buffer overflow (CVE-2018-16743).

The mail_to parameter was not sanitized, leading to command injection if untrusted input reached it (CVE-2018-16744).

The mail_to parameter was not sanitized, leading to a buffer overflow if long untrusted input reached it (CVE-2018-16745).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16745
https://lists.opensuse.org/opensuse-updates/2018-09/msg00176.html
========================

Updated packages in core/updates_testing:
========================

mgetty-1.1.37-1.1.mga6
mgetty-sendfax-1.1.37-1.1.mga6
mgetty-voice-1.1.37-1.1.mga6
mgetty-viewfax-1.1.37-1.1.mga6
mgetty-contrib-1.1.37-1.1.mga6

from mgetty-1.1.37-1.1.mga6.src.rpm

Version: Cauldron => 6

In the absence of a fax machine there is probably little that can be done with this package. Installed the files and they updated cleanly. Found configuration files in /etc:

$ ls mgetty+sendfax
dialin.config  faxrunq.config  login.config  sendfax.config
faxheader  faxspool.rules.sample  mgetty.config  voice.conf

Giving this an OK.

CC: (none) => tarazed25

I agree with Len. This has been waiting long enough. Validating, on the strength of a clean install and update. Advisory in Comment 5.

Keywords: (none) => validated_update

Thomas Backlund
2018-10-19 18:39:55 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0402.html

Resolution: (none) => FIXED
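The advisory above names two input-handling flaws: a command-line username copied with strcpy() into a fixed buffer, and a mail_to value that reaches a shell unsanitized. The C block below is an added example, not mgetty's code or the Mageia patch, showing the two checks that close those classes: a length-bounded copy and an allowlist that rejects shell metacharacters before the value is placed on a command line. The buffer sizes, function names and allowed character set are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define USERNAME_MAX 32   /* hypothetical buffer sizes, not taken from mgetty */
#define MAILTO_MAX   64

/* Length of s, stopping at max so a missing NUL is never read past. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Bounded replacement for strcpy() of a command-line argument into a fixed
 * stack buffer (CVE-2018-16743 class). Returns 0, or -1 if src and its NUL do not fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = bounded_len(src, dstsz);
    if (n == dstsz) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Allowlist for a mail_to value destined for a command line: only plain
 * local-part@domain characters pass, so shell metacharacters such as ; | & ` $ ( )
 * never reach the shell (CVE-2018-16744 class); the length bound guards the
 * caller's buffer (CVE-2018-16745 class). Returns 1 if safe, 0 otherwise. */
int mail_to_is_safe(const char *addr)
{
    size_t n = bounded_len(addr, MAILTO_MAX);
    if (n == 0 || n == MAILTO_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && strchr("@.-_+", c) == NULL)
            return 0;
    }
    return 1;
}

int main(void)
{
    char user[USERNAME_MAX];
    /* Constructed inputs: a short username, a clean address, a tainted one. */
    printf("user copy: %d\n", copy_bounded(user, sizeof user, "faxuser"));
    printf("clean mail_to: %d\n", mail_to_is_safe("ops@example.com"));
    printf("tainted mail_to: %d\n", mail_to_is_safe("ops@example.com;x"));
    return 0;
}
```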