| Summary: | libbsd new security issue CVE-2019-20367 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libbsd-0.9.1-3.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2020-01-24 18:15:45 CET
Done for mga7 with an upstream patch!

Advisory:
========================

Updated libbsd packages fix security vulnerability:

It was discovered that libbsd incorrectly handled certain strings, due to an out-of-bounds read during a comparison for a symbol name from the string table (strtab) in nlist.c. An attacker could possibly use this issue to access sensitive information (CVE-2019-20367).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20367
https://usn.ubuntu.com/4243-1/
========================

Updated packages in core/updates_testing:
========================
libbsd0-0.9.1-3.1.mga7
libbsd-devel-0.9.1-3.1.mga7

from libbsd-0.9.1-3.1.mga7.src.rpm

CC: (none) => geiger.david68210

$ urpmq --whatrequires lib64bsd0 | sort -u

Mageia7, x86_64

A list of the extra C utility functions provided by libbsd can be seen at https://packages.debian.org/sid/libbsd-dev

A short list of applications using it includes
bumblebee
ettercap - https://www.ettercap-project.org/
fwts - firmware test suite - https://github.com/ColinIanKing/fwts/blob/master/README
links
metastore - https://www.quora.com/What-is-Hive-Metastore
opendkim - http://www.opendkim.org/opendkim-README
x11-server-xorg
x11-server-xwayland
xdm

Installed the packages and fwts. Ran a quick test with strace to check that fwts actually uses libbsd.

$ strace -o trace fwts acpiinfo
$ grep bsd trace
openat(AT_FDCWD, "/lib64/libbsd.so.0", O_RDONLY|O_CLOEXEC) = 3

Updated the packages. Used fwts to test the library.

$ fwts --show-tests
ACPI tests:
acpi_ac                  AC adapter device test
acpi_als                 Ambient light sensor device test
.....
It is an extensive list.

$ sudo fwts boot
Running 1 tests, results appended to results.log
Test: BOOT Table test.
Test skipped.

$ sudo fwts acpiinfo
Running 1 tests, results appended to results.log
Test: General ACPI information test.
Determine Kernel ACPI version.                            1 info only
Determine machine's ACPI version.                        1 info only
Determine AML compiler.                                  1 info only

$ tail results.log
Low failures: NONE
Other failures: NONE

Test           |Pass |Fail |Abort|Warn |Skip |Info |
---------------+-----+-----+-----+-----+-----+-----+
acpiinfo       |     |     |     |     |     |    3|
---------------+-----+-----+-----+-----+-----+-----+
Total:         |    0|    0|    0|    0|    0|    3|
---------------+-----+-----+-----+-----+-----+-----+

$ sudo fwts cmosdump
Running 1 tests, results appended to results.log
Test: Dump CMOS Memory.
Dump CMOS Memory.                                        1 info only

$ tail -30 results.log
Drive 1: Type 16-47
Installed H/W: (CMOS 0x14): 0xff
Maths Coprocessor: 0x1 (Installed)
Keyboard: 0x1 (Installed)
Display Adaptor: 0x1 (Installed)
Primary Display: 0x3 (Monochrome)
Floppy Drives: 0x03 (4 drives)
Base Mem: (CMOS 0x16): 0x027f (639K)
Extended Mem: (CMOS 0x18): 0xffff (65535K) [untrustworthy]
Hard Disk Extended Types (CMOS 0x19, 0x1a):
Hard Disk 0: 0xff
Hard Disk 1: 0xff
CMOS Checksum: (CMOS 0x2e): 0x261b
Extended Mem: (CMOS 0x30): 0xffff
Century Date: (CMOS 0x32): 20
POST Information Flag (CMOS 0x33):
POST cache test: 0x1 Failed
BIOS size: 0x1 128KB

This should be enough to pass the update.

CC: (none) => tarazed25

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
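The out-of-bounds read described in the advisory in the Description is the classic unchecked string-table lookup: a symbol's st_name is an offset into strtab, and comparing the name with strcmp() silently trusts that a NUL terminator exists inside the table. The C program below is an added illustration of that pattern next to the bounds check that prevents it; it is not libbsd's nlist.c and not the upstream patch, and the struct, buffer layout, symbol offsets and function names are constructed for the demo. To keep the over-read deterministic, the "string table" is a prefix of a larger array, so the unchecked compare spills into adjacent bytes of the same array rather than into unmapped memory; in a real parser those bytes would be whatever sits after the table on the heap, which is the kind of disclosure the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical symbol record: only the name offset matters for this demo. */
struct sym {
    uint32_t st_name;   /* offset of the symbol name inside the string table */
};

/*
 * Constructed input. The first STRTAB_SIZE bytes play the role of the
 * string table; the bytes after it stand in for whatever follows the table
 * in memory. The table deliberately lacks a NUL after "sec", as a malformed
 * object file could, and one symbol points past the table entirely.
 */
#define STRTAB_SIZE 9
static const char blob[64] =
    "\0main\0sec"      /* offsets 0..8: the string table proper */
    "ret\0leaked";     /* offsets 9..: adjacent bytes outside the table */

static const struct sym SYMS[] = {
    { 1 },   /* "main": properly terminated inside the table */
    { 6 },   /* "sec":  its terminator lies outside the table */
    { 13 },  /* offset beyond the end of the table */
};
#define NSYMS (sizeof SYMS / sizeof SYMS[0])

/* Return 1 if strtab[off..] holds a NUL-terminated string entirely inside the table. */
static int name_in_bounds(const char *strtab, size_t strtabsz, uint32_t off)
{
    if (off >= strtabsz)
        return 0;
    return memchr(strtab + off, '\0', strtabsz - off) != NULL;
}

/*
 * Vulnerable pattern: st_name is trusted and strcmp() keeps reading until it
 * finds a NUL, wherever that happens to be. Returns the symbol index or -1.
 */
static int lookup_unchecked(const char *strtab, const struct sym *syms,
                            size_t nsyms, const char *want)
{
    for (size_t i = 0; i < nsyms; i++)
        if (strcmp(strtab + syms[i].st_name, want) == 0)
            return (int)i;
    return -1;
}

/* Hardened pattern: reject any name not fully inside the table before comparing. */
static int lookup_checked(const char *strtab, size_t strtabsz,
                          const struct sym *syms, size_t nsyms, const char *want)
{
    for (size_t i = 0; i < nsyms; i++) {
        uint32_t off = syms[i].st_name;
        if (!name_in_bounds(strtab, strtabsz, off))
            continue;       /* malformed entry: skip it, never read past the table */
        if (strcmp(strtab + off, want) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    const char *probes[] = { "main", "secret", "leaked" };
    for (size_t i = 0; i < 3; i++)
        printf("%-7s unchecked=%2d checked=%2d\n", probes[i],
               lookup_unchecked(blob, SYMS, NSYMS, probes[i]),
               lookup_checked(blob, STRTAB_SIZE, SYMS, NSYMS, probes[i]));
    return 0;
}
```

The unchecked lookup "finds" the names secret and leaked even though neither exists in the 9-byte table, because the comparison ran on bytes past its end; the checked lookup only ever matches main. The check has two parts, and both are needed: the offset must be below the table size, and a NUL must be found within the remaining bytes, otherwise an offset just inside the table still lets strcmp() walk off the end.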
Lewis Smith
2020-01-27 20:34:17 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0061.html

Resolution: (none) => FIXED