Bug 26336

Summary: sleuthkit new security issue CVE-2020-10232
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: sleuthkit-4.6.6-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-03-12 22:14:41 CET 
Debian-LTS has issued an advisory on March 11:
https://www.debian.org/lts/security/2020/dla-2137

Mageia 7 is also affected.
David Walser 2020-03-12 22:15:28 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Debian and upstream

Comment 1 David GEIGER 2020-03-14 16:35:26 CET 
done for both Cauldron and mga7!
Comment 2 David Walser 2020-03-14 16:39:48 CET 
Advisory:
========================

Updated sleuthkit packages fix security vulnerability:

In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack buffer
overflow vulnerability in the YAFFS file timestamp parsing logic in
yaffsfs_istat() in fs/yaffs.c (CVE-2020-10232).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10232
https://www.debian.org/lts/security/2020/dla-2137
========================

Updated packages in core/updates_testing:
========================
sleuthkit-4.6.6-1.1.mga7
libtsk13-4.6.6-1.1.mga7
libtsk-devel-4.6.6-1.1.mga7

from sleuthkit-4.6.6-1.1.mga7.src.rpm

CC: (none) => geiger.david68210
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 7
Status comment: Patch available from Debian and upstream => (none)
Source RPM: sleuthkit-4.8.0-2.mga8.src.rpm => sleuthkit-4.6.6-1.mga7.src.rpm

Comment 3 Herman Viaene 2020-03-15 11:31:44 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Googling and reading man pages broughtme to:
insert USB mem stick, finfd device id in dolphin, and then
# fsstat /dev/sdb1 | more
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: MSWIN4.1
Volume ID: 0x2313eff9
Volume Label (Boot Sector): KINGSTON   
Volume Label (Root Directory):
File System Type Label: FAT32   
Next Free Sector (FS Info): 292480
Free Sector Count (FS Info): 7531648

Sectors before file system: 8064

File System Layout (in sectors)
Total Range: 0 - 7823487
* Reserved: 0 - 47
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 8
* FAT 0: 48 - 1959
* FAT 1: 1960 - 3871
* Data Area: 3872 - 7823487
** Cluster Area: 3872 - 7823487
*** Root Directory: 3872 - 3903

METADATA INFORMATION
--------------------------------------------
Range: 2 - 125113862
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 16384
Total Cluster Range: 2 - 244364

FAT CONTENTS (in sectors)
--------------------------------------------
3872-3903 (32) -> EOF
3904-3935 (32) -> EOF
3936-4095 (160) -> EOF
and a long list .....
Looks OK, and then thought of checking older updates and found bug 23501 where Len did the same, so I feel comforted I made a godd choice for testing.
OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2020-03-15 15:18:12 CET 
You beat me to it Herman.  Found no obvious PoC for the overflow issue.

CC: (none) => tarazed25

Comment 5 Thomas Andrews 2020-03-17 14:58:37 CET 
Then we have a consensus. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-18 15:56:17 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-03-18 16:28:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0143.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED