Bug 26654

Summary: sleuthkit new security issues CVE-2019-14532 and CVE-2020-10233
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, mageia, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: sleuthkit-4.6.6-1.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-05-21 00:20:48 CEST 
Fedora has issued an advisory on May 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5EY53OYU7UZLAJWNIVVNR3EX2RNCCFTB/

The issues are fixed upstream in 4.9.0.
David Walser 2020-05-21 00:39:31 CEST

Status comment: (none) => Fixed upstream in 4.9.0

Comment 1 David GEIGER 2020-05-21 07:32:48 CEST 
Done for mga7!
Comment 2 David Walser 2020-05-21 14:29:05 CEST 
Advisory:
========================

Updated sleuthkit packages fix security vulnerabilities:

An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off-by-one
overwrite due to an underflow on tools/hashtools/hfind.cpp while using a bogus
hash table (CVE-2019-14532).

In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap-based
buffer over-read in ntfs_dinode_lookup in fs/ntfs.c (CVE-2020-10233).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10233
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5EY53OYU7UZLAJWNIVVNR3EX2RNCCFTB/
========================

Updated packages in core/updates_testing:
========================
sleuthkit-4.9.0-1.mga7
libtsk19-4.9.0-1.mga7
libtsk-devel-4.9.0-1.mga7

from sleuthkit-4.9.0-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 4.9.0 => (none)

Comment 3 Herman Viaene 2020-05-22 14:52:13 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 2633 for testing:
# fsstat /dev/sdb1 | more
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: MSWIN4.1
Volume ID: 0x54e7a176
Volume Label (Boot Sector): NO NAME    
Volume Label (Root Directory):
File System Type Label: FAT32   
Next Free Sector (FS Info): 4067584
Free Sector Count (FS Info): 8692416

Sectors before file system: 63

File System Layout (in sectors)
Total Range: 0 - 15663040
* Reserved: 0 - 33
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 34 - 15300
* FAT 1: 15301 - 30567
* Data Area: 30568 - 15663040
** Cluster Area: 30568 - 15663039
*** Root Directory: 30568 - 30575
** Non-clustered: 15663040 - 15663040

METADATA INFORMATION
--------------------------------------------
Range: 2 - 250119574
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 1954060

FAT CONTENTS (in sectors)
--------------------------------------------
30568-30575 (8) -> EOF
30576-30583 (8) -> EOF
30584-30591 (8) -> EOF
and a lot more .....
Seems OK to me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-26 03:10:36 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-05-27 11:20:36 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 5 Mageia Robot 2020-05-27 11:54:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED