Bug 26609

Summary: libntlm new security issue CVE-2019-17455
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libntlm-1.5-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-05-11 22:38:43 CEST 
Debian-LTS has issued an advisory on May 10:
https://www.debian.org/lts/security/2020/dla-2207

The issue is fixed upstream in 1.6.
Comment 1 Nicolas Lécureuil 2020-05-17 15:38:50 CEST 
Pushed in updates testing.

Advisory:
========================

A new version of libntlm.
It fixes CVE-2019-17455

Updated packages in core/updates_testing:
========================
lib64ntlm0-1.6-1.mga7
lib64ntlm-devel-1.6-1.mga7


from: libntlm-1.6-1.mga7

Status: NEW => ASSIGNED
Assignee: geiger.david68210 => qa-bugs
CC: (none) => mageia

Comment 2 David Walser 2020-05-17 19:28:58 CEST 
Advisory:
========================

Updated libntlm packages fix security vulnerability:

It was discovered that libntlm through 1.5 relies on a fixed buffer size for
tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and
write operations, as demonstrated by a stack-based buffer over-read in
buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request
(CVE-2019-17455).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17455
https://www.debian.org/lts/security/2020/dla-2207
Comment 3 Herman Viaene 2020-05-19 14:32:19 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
lib64ntlm0 announces itself in MCC as "A library for authenticating with Microsoft NTLM challenge-response, derived from Samba sources."
but when I
# urpmq --whatrequires lib64ntlm0
gkrellm
lib64gsasl7
lib64ntlm0

and gkrellm says "GKrellM charts SMP CPU, load, Disk, and all active net interfaces automatically. "
So, I'll give it a try when accessing my Samba shares from my desktop PC.
To be continued......

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2020-05-19 14:48:03 CEST 
Installed gkrellm, run it, then use MCC trying to mount the SMB-shares in MCC. I can define the mout points, but the actual mounting fails. That's not my first worry now - the smb-shares work OK from a Win10.
Checking the trace, found instance of
openat(AT_FDCWD, "/lib64/libntlm.so.0", O_RDONLY|O_CLOEXEC) = 3
but according MCC, this package provides /usr/lib64/libntlm.so.0 which is not the same???? Or is it?????
Comment 5 David Walser 2020-05-19 14:49:18 CEST 
/lib64 is a symlink to /usr/lib64 since Mageia 2.
Comment 6 Herman Viaene 2020-05-19 15:52:16 CEST 
Of course !!! Stupid me.
OK then for me.

Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2020-05-20 13:55:14 CEST 
Validating. Better advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-05-24 15:40:24 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2020-05-24 20:06:29 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0219.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED