| Summary: | python-rtslib new security issue CVE-2020-14019 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=27041 | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | python-rtslib-2.1.fb69-4.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-08-05 02:19:46 CEST

Fedora has issued an advisory for this on July 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH/

The issue is fixed upstream in 2.1.73.

David Walser
2020-08-05 02:19:57 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.1.73

---

Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

---

Advisory:
========================

Updated python-rtslib packages fix security vulnerability:

Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used and thus permissions are not preserved upon editing. An adversary with prior access to /etc/target/saveconfig.json could access a later version, resulting in a loss of integrity depending on their permission settings (CVE-2020-14019).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14019
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH/
========================

Updated packages in core/updates_testing:
========================
python-rtslib-2.1.73-1.mga7
python-rtslib-doc-2.1.73-1.mga7
python3-rtslib-2.1.73-1.mga7

from python-rtslib-2.1.73-1.mga7.src.rpm

Assignee: lists.jjorge => qa-bugs

---

MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates, so try....
```
# urpmq --whatrequires-recursive python-rtslib
python-rtslib
python-rtslib-doc
targetcli
```

Installed targetcli and then:

```
# strace -o pthrtslib.txt targetcli
```

In targetcli I tried:

```
/> help
GENERALITIES
============
This is a shell in which you can create, delete and configure
configuration objects.
```

and a lot more

```
/> pwd
/
/> ls
o- / ......................................................................................................................... [...]
  o- backstores .............................................................................................................. [...]
  | o- block .................................................................................................. [Storage Objects: 0]
  | o- fileio ................................................................................................. [Storage Objects: 0]
  | o- pscsi .................................................................................................. [Storage Objects: 0]
  | o- ramdisk ................................................................................................ [Storage Objects: 0]
  o- iscsi ............................................................................................................ [Targets: 0]
  o- loopback ......................................................................................................... [Targets: 0]
  o- vhost ............................................................................................................ [Targets: 0]
  o- xen-pvscsi ....................................................................................................... [Targets: 0]
/> status
Status for /:
/> version
targetcli version 2.1.fb49
/> sessions
(no open sessions)
/> exit
Global pref auto_save_on_exit=true
Configuration saved to /etc/target/saveconfig.json
```

Then checked the trace and found a.o.

```
stat("/usr/lib/python2.7/site-packages/targetcli/rtslib_fb", 0x7ffc4bc33aa0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fb.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fbmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fb.py", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python2.7/site-packages/targetcli/rtslib_fb.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
```

So, it looks like it did something useful.

CC: (none) => herman.viaene

---

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2020-08-18 19:43:53 CEST

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0336.html

Resolution: (none) => FIXED
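The root cause named in the advisory above (shutil.copyfile copies only the file contents, while shutil.copy also copies the mode bits), reproduced as an added example that is not part of this bug report or of rtslib-fb. It writes a constructed stand-in for saveconfig.json under a temporary directory; the ".bak" destination name and the umask of 022 are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the contents of saveconfig.json (not real data).
SAMPLE_CONFIG = '{"storage_objects": [], "targets": []}\n'


def _copy_and_compare(copy_fn):
    """Create a private (0600) source file, copy it to a NEW path with
    copy_fn, and return (source_mode, destination_mode)."""
    old_umask = os.umask(0o022)  # fixed umask so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "saveconfig.json")
            dst = os.path.join(d, "saveconfig.json.bak")  # hypothetical name
            with open(src, "w") as f:
                f.write(SAMPLE_CONFIG)
            os.chmod(src, 0o600)
            copy_fn(src, dst)
            return (stat.S_IMODE(os.stat(src).st_mode),
                    stat.S_IMODE(os.stat(dst).st_mode))
    finally:
        os.umask(old_umask)


def demo_copyfile():
    """Vulnerable pattern: shutil.copyfile() copies bytes only, so a new
    destination gets 0666 & ~umask (0644 here) and becomes world-readable."""
    return _copy_and_compare(shutil.copyfile)


def demo_copy():
    """Fixed pattern: shutil.copy() is copyfile() plus copymode(), so the
    source's 0600 bits carry over to the destination."""
    return _copy_and_compare(shutil.copy)


def is_private(mode):
    """Defender's check for a config file: True when no group/other bits are set."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    for name, demo in (("shutil.copyfile", demo_copyfile), ("shutil.copy", demo_copy)):
        src_mode, dst_mode = demo()
        verdict = "OK" if is_private(dst_mode) else "LEAKS to group/other"
        print(f"{name:16s} src={src_mode:04o} dst={dst_mode:04o}  {verdict}")
```

The same is_private() check can be pointed at the real /etc/target/saveconfig.json (and any backups next to it) after updating, to confirm the file is no longer readable by group or other.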