| Summary: | nmap new security issue CVE-2017-18594 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | CheeseEBoi, andrewsfarm, herman.viaene, mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | nmap-7.70-2.1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2019-11-26 23:31:17 CET

David Walser
2020-01-14 17:43:08 CET
Status comment: (none) => Fixed upstream in 7.80

CC'ing Eliot who is starting to look at this.

Proposed diff is here: https://paste.debian.net/1146833/

It looks good. I'd like to see the subrel line moved to immediately above the mkrel line, since the previous committer unfortunately didn't put it there.

I'm looking at the openSUSE commit associated with this update:
https://build.opensuse.org/request/show/732262
reached from here:
https://build.opensuse.org/package/show/openSUSE:Leap:15.1:Update/nmap

It looks like we had a totally different patch (patches actually) for CVE-2018-15173. Perhaps we should add these patches from openSUSE:
nmap-7.70-CVE-2018-15173_pcre_limits.patch
nmap-7.70-fix_infinite_loop.patch

CC: (none) => CheeseEBoi

Here is a better diff with all of the necessary patches applied: https://paste.debian.net/1146909/
It has all of the patches and formatting suggestions David mentioned.

Thanks Elliot! Committed and submitted to the build system.

Status comment: Fixed upstream in 7.80 => (none)

Now that a patched package has been submitted to core/updates_testing, there are a few patches to test:

cve-2017-18594.patch: Create an SSH connection that is guaranteed to fail. There should be no "double free" nor a segfault.

cve-2018-15173.patch: Run "nmap -sV" while experiencing a crafted TCP-based denial of service attack. This should not result in a segfault.

infinite-loop.patch: Have a server force a protocol and not return TLS ALPN extension. This should no longer cause an infinite loop.

References:
2017-18594
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00075.html
2018-15173
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00073.html
https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00067.html
https://code610.blogspot.com/2018/07/crashing-nmap-760.html
https://code610.blogspot.com/2018/07/crashing-nmap-770.html
infinite-loop
https://github.com/nmap/nmap/commit/3b8b6516a7697d8b6d4cd87e253daa369fcdbf2a

Updated packages in core/updates_testing:
nmap-7.70-2.2.mga7.src.rpm
nmap-7.70-2.2.mga7.x86_64.rpm
nmap-debuginfo-7.70-2.2.mga7.x86_64.rpm
nmap-debugsource-7.70-2.2.mga7.x86_64.rpm
nmap-frontend-7.70-2.2.mga7.x86_64.rpm

Thanks again Elliot. For the advisory, it will usually describe the issues rather than the fix. I'll use yours as a starting point. The CVE-2018-15173 issue was supposed to be fixed in a previous Mageia bug, though I'm not sure why we and openSUSE patched completely different things for it. I'll leave it out for now. For CVE-2017-18594, I'll take the description from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1148742

For the package list, you don't need to include the debuginfo or debugsource.
Advisory:
========================

Updated nmap packages fix security vulnerability:

nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse (CVE-2017-18594).

Also, when a server forced a protocol and did not return TLS ALPN extension, this caused an infinite loop.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18594
https://github.com/nmap/nmap/commit/3b8b6516a7697d8b6d4cd87e253daa369fcdbf2a
https://lists.opensuse.org/opensuse-updates/2019-09/msg00156.html
========================

Updated packages in core/updates_testing:
========================
nmap-7.70-2.2.mga7
nmap-frontend-7.70-2.2.mga7

from nmap-7.70-2.2.mga7.src.rpm

Assignee: guillomovitch => qa-bugs

Installed and tested without issues.

Various tests of the nmap CLI and GUI on a LAN and a VPN. No issues noticed.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.6.8-desktop-1.mga7 #1 SMP Thu Apr 30 06:12:53 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep nmap
nmap-frontend-7.70-2.2.mga7
nmap-7.70-2.2.mga7

CC: (none) => mageia

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25262 for testing.
Run nmapfe (runs zenmap) as root, scanning this laptop as localhost and from it scanning also my desktop. Reporting services and ports as I would expect.
Running xnmap does the same call to zenmap.
OK for me.

CC: (none) => herman.viaene

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update

Thomas Backlund
2020-05-24 17:49:29 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0216.html

Resolution: (none) => FIXED