| Summary: | CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang-ssh | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | papoteur <yvesbrungard> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | erlang-24.3.4.7 | CVE: | CVE-2023-48795 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 32641 | ||
| Attachments: | Log of the test of erlang packages | ||
|
Description

papoteur 2023-12-31 07:40:17 CET

Marja Van Waes 2023-12-31 17:37:43 CET

Blocks: (none) => 32641

Thanks papoteur for raising this individual bug. The original report mentions 'Erlang ssh 5.1.1'; I do not know how this relates to the erlang SRPM version. ns80 put up erlang-24.3.4.7, but it seems that papoteur (thanks) has just re-built it. Was that for this security issue? Assigning this bug back to Yves for starters; normally ns80 does erlang, so re-assign to him if appropriate.

Whiteboard: (none) => MGA9TOO

Marja Van Waes 2024-01-02 12:01:50 CET

CC: (none) => marja11

papoteur 2024-01-02 12:40:41 CET

Assignee: yvesbrungard => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang-ssh. (CVE-2023-48795)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
https://bugs.mageia.org/show_bug.cgi?id=32641
https://www.openwall.com/lists/oss-security/2023/12/18/3
https://www.openwall.com/lists/oss-security/2023/12/19/5
https://www.openwall.com/lists/oss-security/2023/12/20/3
========================

Updated packages in core/updates_testing:
========================
erlang-24.3.4.15-1.mga9
erlang-asn1-24.3.4.15-1.mga9
erlang-common_test-24.3.4.15-1.mga9
erlang-compiler-24.3.4.15-1.mga9
erlang-crypto-24.3.4.15-1.mga9
erlang-debugger-24.3.4.15-1.mga9
erlang-dialyzer-24.3.4.15-1.mga9
erlang-diameter-24.3.4.15-1.mga9
erlang-doc-24.3.4.15-1.mga9
erlang-edoc-24.3.4.15-1.mga9
erlang-eldap-24.3.4.15-1.mga9
erlang-erl_docgen-24.3.4.15-1.mga9
erlang-erl_interface-24.3.4.15-1.mga9
erlang-erts-24.3.4.15-1.mga9
erlang-et-24.3.4.15-1.mga9
erlang-eunit-24.3.4.15-1.mga9
erlang-examples-24.3.4.15-1.mga9
erlang-ftp-24.3.4.15-1.mga9
erlang-inets-24.3.4.15-1.mga9
erlang-jinterface-24.3.4.15-1.mga9
erlang-kernel-24.3.4.15-1.mga9
erlang-megaco-24.3.4.15-1.mga9
erlang-mnesia-24.3.4.15-1.mga9
erlang-observer-24.3.4.15-1.mga9
erlang-odbc-24.3.4.15-1.mga9
erlang-os_mon-24.3.4.15-1.mga9
erlang-parsetools-24.3.4.15-1.mga9
erlang-public_key-24.3.4.15-1.mga9
erlang-reltool-24.3.4.15-1.mga9
erlang-runtime_tools-24.3.4.15-1.mga9
erlang-sasl-24.3.4.15-1.mga9
erlang-snmp-24.3.4.15-1.mga9
erlang-ssh-24.3.4.15-1.mga9
erlang-ssl-24.3.4.15-1.mga9
erlang-stdlib-24.3.4.15-1.mga9
erlang-syntax_tools-24.3.4.15-1.mga9
erlang-tftp-24.3.4.15-1.mga9
erlang-tools-24.3.4.15-1.mga9
erlang-wx-24.3.4.15-1.mga9
erlang-xmerl-24.3.4.15-1.mga9

from SRPM:
erlang-24.3.4.15-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)

Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory

Created attachment 14269 [details]
Log of the test of erlang packages

Test done in real hardware Mageia 9 x86_64 lxqt
Install current versions of the packages
Update to testing packages
No issues in the update as you can see in the log

Tested in a VirtualBox MGA9-64 Plasma guest. I installed erlang, which pulled in most if not all of the others, then updated using qarepo. There were no installation issues.

Even more out of my depth than before, if that's possible, I used the same basic test as in bug 31190: Referenced https://www.tutorialspoint.com/erlang/erlang_basic_syntax.htm for a basic example.

Created a file named helloworld.erl:

```erlang
% hello world program
-module(helloworld).
-import(io,[fwrite/1]).
-export([start/0]).

start() ->
   fwrite("Hello, world!\n").
```

Compiled it and ran it:

```
[tom@localhost ~]$ erlc helloworld.erl 2>&1
[tom@localhost ~]$ erl -noshell -s helloworld start -s init stop
Hello, world!
```

This is the same result as in Bug 31190, and the expected result according to the above link. That basic function test was enough for an OK in the previous bug, so I'm calling it OK for this one, too. Validating.

Thomas Andrews 2024-01-18 23:29:38 CET

Whiteboard: (none) => MGA9-64-OK
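The QA comments above verify that the update installs and that erlang still runs; what they do not record is a check that every erlang-* package on the host is actually at the fixed version-release from the advisory (24.3.4.15-1.mga9). The following script is an added example for that check, not part of the bug report or of Mageia's QA tooling. It assumes an RPM-based host with `rpm` in PATH, orders versions with GNU `sort -V`, and exists mainly to show the trap in doing this by hand: a plain string comparison ranks the vulnerable 24.3.4.7 above 24.3.4.15.

```shell
#!/bin/sh
# Added example (not from the bug report): report which installed erlang-*
# packages are still below the fixed version-release from the advisory.
# Assumptions: RPM-based host; GNU sort (for -V). The version-release strings
# below are copied from the advisory in comment 2.

FIXED_VR="24.3.4.15-1.mga9"

# at_least INSTALLED FIXED
# Returns 0 when INSTALLED is the same as or newer than FIXED.
# sort -V compares digit runs numerically, so 24.3.4.7 sorts before
# 24.3.4.15; a string comparison ("7" > "1") would get this backwards.
at_least() {
    installed="$1"
    fixed="$2"
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    # If the lowest of the two is the fixed one, the installed one is >= it.
    [ "$lowest" = "$fixed" ]
}

# Walk the installed erlang-* packages and flag anything below FIXED_VR.
# Skips quietly when rpm is not available (e.g. when run on a non-RPM host).
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available, skipping"; return 0; }
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'erlang*' | while read -r name vr; do
        if at_least "$vr" "$FIXED_VR"; then
            echo "OK       $name $vr"
        else
            echo "OUTDATED $name $vr (fixed in $FIXED_VR)"
        fi
    done
}

check_installed
```

The comparison deliberately uses `sort -V` rather than a custom implementation of rpm's own version ordering; for the values in this advisory the two agree, but for packages with epochs or unusual release tags `rpmdev-vercmp` is the authoritative tool.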
Nicolas Salguero 2024-01-19 16:12:02 CET

Blocks: (none) => 32748

Nicolas Salguero 2024-01-19 16:16:44 CET

Blocks: 32748 => (none)

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0015.html

Status: ASSIGNED => RESOLVED