Bug 5271

Summary: systemtap missing security update for CVE-2010-417[01] and CVE-2011-250[23]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, dmorganec, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: systemtap-1.3-1.1.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-04-07 18:23:54 CEST
Advisories for these were issued by Debian and RedHat on November 17 and July 25, respectively:
http://www.debian.org/security/2011/dsa-2348
https://rhn.redhat.com/errata/RHSA-2011-1088.html

Cauldron is not vulnerable.
David Walser 2012-04-07 19:23:56 CEST

CC: (none) => dmorganec

Comment 1 David Walser 2012-04-14 03:18:14 CEST
Patched package uploaded.

Note to QA: Testing procedure can be found in Bug 3945.

Advisory:
========================

Updated systemtap package fixes security vulnerabilities:

It was discovered that staprun did not properly sanitize the environment
before executing the modprobe command to load an additional kernel module.
A local, unprivileged user could use this flaw to escalate their
privileges (CVE-2010-4170).

It was discovered that staprun did not check if the module to be
unloaded was previously loaded by SystemTap. A local, unprivileged user
could use this flaw to unload an arbitrary kernel module that was not
in use (CVE-2010-4171).

It was found that SystemTap did not perform proper module path sanity
checking if a user specified a custom path to the uprobes module, used
when performing user-space probing ("staprun -u"). A local user who is a
member of the stapusr group could use this flaw to bypass intended
module-loading restrictions, allowing them to escalate their privileges by
loading an arbitrary, unsigned module (CVE-2011-2502).

A race condition flaw was found in the way the staprun utility performed
module loading. A local user who is a member of the stapusr group could
use this flaw to modify a signed module while it is being loaded,
allowing them to escalate their privileges (CVE-2011-2503).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4171
https://rhn.redhat.com/errata/RHSA-2010-0894.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2503
https://rhn.redhat.com/errata/RHSA-2011-1088.html
========================

Updated packages in core/updates_testing:
========================
systemtap-1.3-1.2.mga1

from systemtap-1.3-1.2.mga1.src.rpm

Assignee: bugsquad => qa-bugs
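The four flaws in the advisory are one family: a setuid helper trusting its caller's environment, the module names and paths it is handed, and a file it re-opens between checking and loading. The C below is an added example of that hardening pattern, not code from SystemTap, from the Mageia package or from this bug. The trusted module directory, the "stap_" name prefix (taken from the module names in the build output in this bug), the fixed PATH and the helper names are assumptions for illustration.

```c
/* Added example (not SystemTap's own code): checks a setuid helper such as
 * staprun needs before it runs modprobe or loads a module. The trusted
 * directory, the "stap_" prefix and the fixed PATH are assumptions. */
#define _GNU_SOURCE
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* CVE-2010-4170 class: do not inherit the caller's environment into modprobe.
 * A fixed environment beats filtering the inherited one: a variable nobody
 * thought of (MODPROBE_OPTIONS, LD_PRELOAD, ...) cannot slip past code that
 * never looks at environ at all. */
static char *const clean_envp[] = {
    "PATH=/sbin:/usr/sbin:/bin:/usr/bin",   /* assumed fixed search path */
    NULL
};

/* A module name handed to modprobe or rmmod must be a bare identifier
 * ([A-Za-z0-9_-], not starting with '-'), so it can be parsed neither as an
 * option ("-C /tmp/evil.conf") nor as a path. */
int module_name_ok(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 64)
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return 0;
    return name[0] != '-';
}

/* CVE-2010-4171 class: only unload what this tool loaded. Assumed policy:
 * the name carries the "stap_" prefix and the module is actually present
 * under sys_module_root (normally /sys/module). */
int module_is_ours(const char *name, const char *sys_module_root)
{
    char path[512];
    struct stat st;
    if (!module_name_ok(name) || strncmp(name, "stap_", 5) != 0)
        return 0;
    snprintf(path, sizeof path, "%s/%s", sys_module_root, name);
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* CVE-2011-2502 class: a caller-supplied module path is accepted only if it
 * is absolute, has no "." / ".." / empty components and stays inside the
 * trusted directory. A bare string-prefix test is not enough:
 * "/lib/modules-evil/x.ko" must not pass for trusted_dir "/lib/modules". */
int module_path_ok(const char *path, const char *trusted_dir)
{
    size_t n = strlen(trusted_dir);
    if (path == NULL || path[0] != '/' || n == 0)
        return 0;
    if (strncmp(path, trusted_dir, n) != 0 || path[n] != '/')
        return 0;
    for (const char *p = path + n + 1; *p; ) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 0 || (len == 1 && seg[0] == '.') ||
            (len == 2 && seg[0] == '.' && seg[1] == '.'))
            return 0;
        if (*p == '/')
            p++;
    }
    return path[strlen(path) - 1] != '/';
}

/* CVE-2011-2503 class: open the module once, check the open file (not the
 * path) and hand that same descriptor to every later step: digest or
 * signature verification and the load itself (finit_module(2) on kernels
 * that have it, or reading the image through the fd). Re-opening the path
 * between the check and the load is the race. Symlinks in the final
 * component are refused (O_NOFOLLOW) so the trusted directory cannot be
 * escaped that way. Returns the fd, or -1 unless the file is a root-owned
 * regular file that only root can write. */
int open_module_for_load(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    struct stat st;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != 0 ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Run "modprobe -- <name>" with the fixed environment; "--" stops modprobe
 * from treating the name as an option. Returns modprobe's exit status, or
 * -1 on a rejected name or a fork/wait failure. */
int run_modprobe(const char *name)
{
    pid_t pid;
    int status;
    if (!module_name_ok(name))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/sbin/modprobe", "--", (char *)name, NULL };
        execve(argv[0], argv, clean_envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The useful check for QA on a patched package is the same split: the environment reaching modprobe must be fixed rather than inherited, module names must be validated before they reach argv, custom paths must be confined by component and not by string prefix, and the descriptor that was verified must be the one that is loaded.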

Comment 2 Dave Hodgins 2012-04-14 06:12:54 CEST
Testing complete on i586 for the srpm
systemtap-1.3-1.2.mga1.src.rpm

# stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
Pass 1: parsed user script and 72 library script(s) using 16876virt/12388res/1672shr kb, in 320usr/50sys/1950real ms.
Pass 2: analyzed script: 1 probe(s), 22 function(s), 3 embed(s), 1 global(s) using 156820virt/62104res/4692shr kb, in 2610usr/440sys/12845real ms.
Pass 3: translated to C into "/root/tmp/stapR42YyX/stap_a6471a7902f00a8f7a75265e0c2717fb_10699.c" using 151704virt/60528res/5752shr kb, in 1120usr/70sys/1589real ms.
Pass 4: compiled C into "stap_a6471a7902f00a8f7a75265e0c2717fb_10699.ko" in 15160usr/1850sys/49326real ms.
Pass 5: starting run.
read performed
Pass 5: run completed in 70usr/280sys/747real ms.

CC: (none) => davidwhodgins

Comment 3 claire robinson 2012-04-14 12:23:53 CEST
x86_64

Before
------
# stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
Pass 1: parsed user script and 75 library script(s) using 60024virt/24584res/1828shr kb, in 160usr/30sys/382real ms.
Pass 2: analyzed script: 1 probe(s), 22 function(s), 3 embed(s), 1 global(s) using 254584virt/109652res/6848shr kb, in 1230usr/220sys/4792real ms.
Pass 3: translated to C into "/tmp/staptOax9e/stap_c04ec5f9c56158b2899f50e45fda86a0_10776.c" using 244968virt/106360res/6380shr kb, in 380usr/30sys/442real ms.
Pass 4: compiled C into "stap_c04ec5f9c56158b2899f50e45fda86a0_10776.ko" in 4850usr/870sys/10515real ms.
Pass 5: starting run.
read performed
Pass 5: run completed in 10usr/40sys/372real ms.

After
-----
# stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
Pass 1: parsed user script and 75 library script(s) using 60024virt/24584res/1828shr kb, in 160usr/20sys/174real ms.
Pass 2: analyzed script: 1 probe(s), 22 function(s), 3 embed(s), 1 global(s) using 254584virt/109660res/6848shr kb, in 1200usr/120sys/1330real ms.
Pass 3: translated to C into "/tmp/stapDN3fJn/stap_0079df1254fc07f9cb47ab33ce97ce11_10776.c" using 244968virt/106384res/6396shr kb, in 380usr/30sys/403real ms.
Pass 4: compiled C into "stap_0079df1254fc07f9cb47ab33ce97ce11_10776.ko" in 4820usr/770sys/5768real ms.
Pass 5: starting run.
read performed
Pass 5: run completed in 10usr/40sys/320real ms.


kernel-desktop-debug-latest still points to 2.6.38.8-4; I'll create a bug for that.

Validating, see comment 1 for SRPM & Advisory

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
claire robinson 2012-04-14 12:24:22 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 4 Thomas Backlund 2012-04-18 09:49:49 CEST
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED