Bug 29576

Summary: watchdog new security issue rhbz#2013934
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: watchdog-5.15-3.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-10-22 00:06:41 CEST 
Fedora has issued an advisory today (October 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J5W2UNUV6UGNCHVRZWELPPPBJ444STNM/

Mageia 8 is also affected.
David Walser 2021-10-22 00:06:56 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-10-23 20:56:50 CEST 
No evident maintainer in sight, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-10-25 09:46:01 CEST 
Hi,

I cannot find the code that causes the issue in version 5.15.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2021-10-25 20:14:27 CEST 
There is a realloc call in src/mount.c, but I don't know if it has the same issue.
Comment 4 Nicolas Lécureuil 2021-11-25 23:04:33 CET 
can we update to 5.16 in mga8/9 ?

CC: (none) => mageia

Comment 5 David Walser 2021-11-26 01:29:07 CET 
It looks like 5.16 also fixed a buffer overflow, so it sounds like a good idea.
Comment 6 Nicolas Lécureuil 2021-12-14 00:35:22 CET 
updated in cauldron and mga8:

src:
    - watchdog-5.16-1.mga8

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Status comment: Patch available from Fedora => (none)
Whiteboard: MGA8TOO => (none)

Comment 7 Herman Viaene 2021-12-14 15:27:53 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No wiki, no previous updates, so went googling and found https://linuxhint.com/linux-kernel-watchdog-explained/
So went on and dived in the deep
#  systemctl  start watchdog
#  systemctl -l status watchdog
● watchdog.service - watchdog daemon
     Loaded: loaded (/usr/lib/systemd/system/watchdog.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2021-12-14 15:23:31 CET; 4s ago
    Process: 8872 ExecStart=/usr/sbin/watchdog (code=exited, status=0/SUCCESS)
   Main PID: 8874 (watchdog)
      Tasks: 1 (limit: 9396)
     Memory: 588.0K
        CPU: 4ms
     CGroup: /system.slice/watchdog.service
             └─8874 /usr/sbin/watchdog

dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  file: no file to check
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  pidfile: no server process to check
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  interface: no interface to check
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  temperature: no sensors to check
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  no test binary files
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  no repair binary files
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  error retry time-out = 60 seconds
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  repair attempts = 1
dec 14 15:23:31 mach5.hviaene.thuis watchdog[8874]:  alive=[none] heartbeat=[none] to=root no_act=no force=no
dec 14 15:23:31 mach5.hviaene.thuis systemd[1]: Started watchdog daemon.

My laptop keeps running normally, that's good!!!!
OK'ing unless someone has a better idea.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2021-12-14 16:13:17 CET 
The website you cited does give an easy-sounding test procedure:

Testing the Watchdog

If you want to test if the hardware watchdog is working, you can do the following from your administrator command prompt:
cat >> /dev/watchdog

And press “enter” twice and wait. The prompt will not come back. After awhile depending on your kernel’s setting, the system should perform the hard reboot.

Care to try that? If you'd rather not risk it for some reason, I can try it on one of my test installs.

CC: (none) => andrewsfarm

Comment 9 Herman Viaene 2021-12-14 16:35:09 CET 
That"s the most scary test I ever did. This indeed provokes a reboot, and the system boots OK (writing on it now). Watchdog was inactive, so I hurried to get rid of it.
Comment 10 Thomas Andrews 2021-12-14 16:59:25 CET 
That's why I said I'd be willing to try it on a test install - something I'd be willing to lose if things went awry. I always keep one or two of those available. 

The article does say "Personal computer users don’t need watchdog as they can reset the system manually," so I too would have removed it promptly after doing the test.

Thanks for taking the risk. Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-12-19 16:07:35 CET

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-12-19 17:14:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0569.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED