Bug 6424

Summary: libgssglue missing fix for security issue CVE-2011-2709
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, guillomovitch, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/449435/
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK, mga2-64-OK
Source RPM: libgssglue-0.3-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-06-11 21:31:37 CEST 
SuSE issued an advisory for this on June 24 last year:
http://lwn.net/Alerts/449415/

The issue was fixed upstream in version 0.4.  Fedora has provided an update to this version for Fedora 16 to fix this issue (May 18):
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html

Mageia 1 may be affected as well.
David Walser 2012-06-11 21:31:47 CEST

CC: (none) => guillomovitch

Comment 1 Guillaume Rousse 2012-06-12 21:45:33 CEST 
I just submitted libgssglue-0.4-1.mga2 and libgssglue-0.1-8.1.mga1 in updates_testing.

Suggested advisory:
This update fixes insecure getenv() usage in libgssglue, which could be  used under some circumstances by local attackers do gain root privileges.

Assignee: bugsquad => qa-bugs

Comment 3 Dave Hodgins 2012-06-14 05:37:32 CEST 
Testing complete on Mageia 1 i586 for the srpm
libgssglue-0.1-8.1.mga1.src.rpm

For testing, I used a Mageia 1 client under virtual box accessing
an nfs share on the host Mageia 1 system.

I'll test Mageia 2 i586 shortly.

CC: (none) => davidwhodgins
Whiteboard: (none) => mga1-32-OK

Comment 4 Dave Hodgins 2012-06-14 06:37:55 CEST 
Testing complete on Mageia 2 i586 for the srpm
libgssglue-0.4-1.mga2.src.rpm

Testing using an nfs share on the Mageia 2 host, accessed by the Mageia 1
vb guest, and and nfs share on the vb guest accessed by the host.

Whiteboard: mga1-32-OK => mga1-32-OK, mga2-32-OK

Comment 5 Guillaume Rousse 2012-06-14 09:13:18 CEST 
You may forget testing here, as libgssglue is only used with Kerberos support, and this is really painful to setup.
Comment 6 Dave Hodgins 2012-06-15 04:02:33 CEST 
Should the packages be removed from updates testing, and this bug closed as wont fix
then?
Comment 7 David Walser 2012-06-15 05:04:37 CEST 
Whoa, I don't think that's what he meant.  I think he was just saying testing normal NFS functionality won't test the library, so unless you want to go through all the pain of setting Kerberos, just make sure the package installs.

I've never used NFS with Kerberos before, but I wasn't aware it was that difficult.  I'll probably get to find out pretty soon at work actually.
Comment 8 Dave Hodgins 2012-06-15 09:08:29 CEST 
Ok. We still need 64 bit testing on both releases.
Comment 9 Samuel Verschelde 2012-07-08 16:08:07 CEST 
libgssglue installs cleanly on MGA1 64 bits.

Testing only install per comment #5

CC: (none) => stormi
Whiteboard: mga1-32-OK, mga2-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK

Comment 10 Samuel Verschelde 2012-07-10 13:47:12 CEST 
Testing install on MGA2 64 bits: went fine. Validating per comment #5.


Update validated for MGA1 and MGA2. See comment #2 for packages and advisory.

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK, mga2-64-OK

Comment 11 Thomas Backlund 2012-07-10 15:07:09 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0159

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED