| Summary: | libmaxminddb new security issue CVE-2020-28241 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | guillomovitch, herman.viaene, ouaurelien, sysadmin-bugs, tarazed25, zombie_ryushu |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libmaxminddb-1.3.2-3.mga7.src.rpm | CVE: | CVE-2020-28241 |
| Status comment: | |||
|
Description
David Walser
2020-11-14 23:10:37 CET
David Walser
2020-11-14 23:10:43 CET
Whiteboard:
(none) =>
MGA7TOO Ubuntu has issued an advisory for this on November 12: https://ubuntu.com/security/notices/USN-4631-1 Severity:
normal =>
major This looks good for Guillaume. Assignee:
bugsquad =>
guillomovitch I just submitted libmaxminddb-1.3.2-3.1 to updates/testing, with a backported patch that should fix the issue. Advisory: ======================== Updated libmaxminddb packages fix security vulnerability: libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c (CVE-2020-28241). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28241 https://ubuntu.com/security/notices/USN-4631-1 ======================== Updated packages in core/updates_testing: ======================== libmaxminddb0-1.3.2-3.1.mga7 libmaxminddb-devel-1.3.2-3.1.mga7 from libmaxminddb-1.3.2-3.1.mga7.src.rpm CC:
(none) =>
guillomovitch MGA7-64 MATE on Peaq C1011
No installation issues
No previous updates, so hunting
# urpmq --whatrequires lib64maxminddb0
lib64maxminddb-devel
lib64maxminddb0
ntopng
syslog-ng
wireshark-tools
Installed wireshark and wireshark-tools
Traced a run of wireshark capturing and found
stat("/root/.config/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
stat("/usr/share/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
But in Wireshark I don't find any mention of handling maxmind files.
This confirms me there is something, then checking the wireshark-tools commands:
using capture file from wireshark
$ mmdbresolve -f dora2.pcapng
[init]
db.0.path: dora2.pcapng
db.0.status: ERROR The MaxMind DB file contains invalid metadata
mmdbresolve.status: false
# End init
That could be expected
$ strace -o maxmind.txt capinfos dora.pcapng
File name: dora.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: nanoseconds (9)
etc ....
but the trace file shows nothing like maxmind.
Googled on maxmind, but that's all a separate carreer.
Leavinf to someone else, unless there is agreement on clean install.CC:
(none) =>
herman.viaene
Zombie Ryushu
2020-12-08 00:53:08 CET
CC:
(none) =>
zombie_ryushu Adding this to back up Herman's test.
# strace -o ntopng.trace ntopng -i enp3s0
$ grep maxmind ntopng.trace
process_vm_readv(19289, [{iov_base=" /usr/lib64/libmaxmindd"..., iov_len=4096}], 1, [{iov_base=0x1ff0000, iov_len=4096}], 1, 0) = 4096
process_vm_readv(19289, [{iov_base=" /usr/lib64/libmaxmindd"..., iov_len=4096}], 1, [{iov_base=0x1ff0000, iov_len=4096}], 1, 0) = 4096
Updated the two packages.
$ ntopng -i enp3s0 > monitor.eth0
$ cat monitor.eth0
18/Dec/2020 16:19:05 [Ntop.cpp:1902] Setting local networks to 127.0.0.0/8
18/Dec/2020 16:19:05 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:19:05 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:19:05 [NetworkDiscovery.cpp:44] ERROR: Unable to create pcap socket on enp3s0 [1/Operation not permitted]
18/Dec/2020 16:19:05 [main.cpp:239] ERROR: An exception occurred during enp3s0 interface creation[1]: Operation not permitted
18/Dec/2020 16:
# ntopng -i enp3s0 > monitor.eth0
^C
# chown lcl:lcl monitor.eth0
$ cat monitor.eth0
18/Dec/2020 16:23:13 [Ntop.cpp:1902] Setting local networks to 127.0.0.0/8
18/Dec/2020 16:23:13 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:23:13 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:23:13 [PcapInterface.cpp:93] Reading packets from interface enp3s0...
18/Dec/2020 16:23:13 [Ntop.cpp:1996] Registered interface enp3s0 [id: 1]
18/Dec/2020 16:23:13 [main.cpp:308] PID stored in file /var/run/ntopng/ntopng.pid
18/Dec/2020 16:23:13 [Utils.cpp:592] User changed to ntopng
18/Dec/2020 16:23:13 [HTTPserver.cpp:1198] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
18/Dec/2020 16:23:13 [HTTPserver.cpp:1201] HTTP server listening on 3000
[...]
18/Dec/2020 16:24:25 [HTTPserver.cpp:1224] HTTP server terminated
18/Dec/2020 16:24:25 [NetworkInterface.cpp:590] Flushing host contacts for interface enp3s0
18/Dec/2020 16:24:25 [NetworkInterface.cpp:2606] Cleanup interface enp3s0
18/Dec/2020 16:24:25 [AddressResolution.cpp:61] Address resolution stats [1 resolved][0 failures]
Giving this the go-ahead.Whiteboard:
(none) =>
MGA7-64-OK Thanks,validating Advisory pushed to SVN. Keywords:
(none) =>
advisory, validated_update
Aurelien Oudelet
2020-12-22 11:42:48 CET
Source RPM:
libmaxminddb-1.4.2-2.mga8.src.rpm =>
libmaxminddb-1.3.2-3.mga7.src.rpm Fedora has issued an advisory for this today (December 26): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WUK4UCOB5FJVK36E22IRLEYGKMUWGBG/ An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0471.html Status:
NEW =>
RESOLVED |