| Summary: | rpmdevtools new security issue CVE-2012-3500 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | dmorganec, oe, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/515830/ | | |
| Whiteboard: | MGA1TOO has_procedure MGA1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK | | |
| Source RPM: | rpmdevtools-8.2-1.mga2.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser 2012-09-12 21:55:34 CEST

David Walser 2012-09-12 21:55:45 CEST
CC: (none) => dmorganec

Manuel Hiebel 2012-09-25 23:04:56 CEST
CC: (none) => thierry.vignaud

David Walser 2012-10-10 00:47:47 CEST
CC: (none) => oe

Updated packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated rpmdevtools package fixes security vulnerability:

A TOCTOU race condition was found in the way 'annotate-output' (used to execute a program annotating the output linewise with time and stream) tool of rpmdevtools before 8.3 performed management of its temporary files used for standard output and standard error output. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability in an unauthorized way to alter files belonging to the user running the 'annotate-output' tool (CVE-2012-3500).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3500
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086138.html
========================

Updated packages in core/updates_testing:
========================
rpmdevtools-8.3-1.mga1
rpmdevtools-8.3-1.mga2

from SRPMS:
rpmdevtools-8.3-1.mga1.src.rpm
rpmdevtools-8.3-1.mga2.src.rpm

Version: Cauldron => 2

For Mageia 1, the version jump changes more than just the annotate-output fix, but given that this tool is just targeted at packagers and not required by a lot of packages (and apparently not required at all as a build dependency), ok with pushing version 8.3 to Mageia 1.

I tested some of the commands among those provided by the package, including annotate-output.

Comprehensive list of commands:
/usr/bin/annotate-output
/usr/bin/checkbashisms
/usr/bin/licensecheck
/usr/bin/manpage-alert
/usr/bin/rpmargs
/usr/bin/rpmdev-bumpspec
/usr/bin/rpmdev-checksig
/usr/bin/rpmdev-cksum
/usr/bin/rpmdev-diff
/usr/bin/rpmdev-extract
/usr/bin/rpmdev-md5
/usr/bin/rpmdev-newinit
/usr/bin/rpmdev-newspec
/usr/bin/rpmdev-packager
/usr/bin/rpmdev-rmdevelrpms
/usr/bin/rpmdev-setuptree
/usr/bin/rpmdev-sha1
/usr/bin/rpmdev-sha224
/usr/bin/rpmdev-sha256
/usr/bin/rpmdev-sha384
/usr/bin/rpmdev-sha512
/usr/bin/rpmdev-sort
/usr/bin/rpmdev-sum
/usr/bin/rpmdev-vercmp
/usr/bin/rpmdev-wipetree
/usr/bin/rpmelfsym
/usr/bin/rpmfile
/usr/bin/rpminfo
/usr/bin/rpmls
/usr/bin/rpmpeek
/usr/bin/rpmsodiff
/usr/bin/rpmsoname
/usr/bin/spectool

Samuel Verschelde 2012-10-18 22:48:26 CEST
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK

Samuel Verschelde 2012-10-18 22:49:51 CEST
Whiteboard: MGA1TOO MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK

rpmdiff shows these bin's changed

S.5........ /usr/bin/annotate-output
S.5........ /usr/bin/checkbashisms
S.5........ /usr/bin/licensecheck
..5........ /usr/bin/manpage-alert
S.5........ /usr/bin/rpmdev-bumpspec
S.5........ /usr/bin/rpmdev-newspec
S.5........ /usr/bin/rpmdev-setuptree

Testing with some of these. The CVE applies to annotate-output.

Before
------
$ annotate-output cat /etc/release
10:44:56 I: Started cat /etc/release
10:44:56 O: Mageia release 2 (Official) for i586
10:44:56 I: Finished with exitcode 0

After
-----
$ annotate-output cat /etc/release
10:46:56 I: Started cat /etc/release
10:46:56 O: Mageia release 2 (Official) for i586
10:46:56 I: Finished with exitcode 0

Testing some others..

$ checkbashisms -f ~/depcheck
shows a lot of possible bashisms..(no comment :P)

$ manpage-alert .
No manual entry for ./21323.c
No manual entry for ./examplesh
No manual entry for ./gpl-3.0.txt
No manual entry for ./index.html
etc.

Downloaded the plain text gpl from http://www.gnu.org/licenses/gpl.html

$ licensecheck gpl-3.0.txt
gpl-3.0.txt: UNKNOWN

Maybe some problem there, otherwise OK.

Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK mga2-32-OK

testing complete mga2 64

Whiteboard: MGA1TOO has_procedure MGA1-32-OK mga2-32-OK => MGA1TOO has_procedure MGA1-32-OK mga2-32-OK mga2-64-OK

testing complete mga1 64

Validating

Advisory and srpms in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0316

Status: NEW => RESOLVED |
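
The advisory in this report describes a TOCTOU race in how annotate-output managed the temporary files for standard output and standard error. The following is an added example, not the rpmdevtools code or its 8.3 patch: it shows a general hardening for that class of bug, with the FIFOs placed inside a private `mktemp -d` directory and checked before use. The function names and the `annotate.XXXXXX` template are assumptions.

```bash
#!/bin/bash
# Added example, not rpmdevtools code. Function names are hypothetical.
#
# Racy pattern (for contrast, do not use): reserve a name, delete it, then
# create something at the same path in a shared, world-writable directory:
#     f=$(mktemp /tmp/annotate.XXXXXX); rm -f "$f"; mkfifo "$f"
# The path is checked at one moment and used at a later one (TOCTOU).

# Hardened: mktemp -d creates a fresh directory atomically, mode 0700, so no
# other unprivileged user can place entries under it.
safe_fifos() {
    fifo_dir=$(mktemp -d "${TMPDIR:-/tmp}/annotate.XXXXXX") || return 1
    mkfifo -m 600 "$fifo_dir/out" "$fifo_dir/err" || { rm -rf "$fifo_dir"; return 1; }
    printf '%s\n' "$fifo_dir"
}

# Defence in depth: accept a path only if it is a FIFO, not a symlink, and
# owned by the effective user.
is_own_fifo() {
    [ ! -L "$1" ] && [ -p "$1" ] && [ -O "$1" ]
}

# Annotate-style wrapper: prefix stdout lines with "O: " and stderr lines
# with "E: " (both written to stdout), and return the command's exit status.
annotate() {
    work=$(safe_fifos) || return 1
    if ! is_own_fifo "$work/out" || ! is_own_fifo "$work/err"; then
        rm -rf "$work"; return 1
    fi
    sed 's/^/O: /' < "$work/out" &
    sed 's/^/E: /' < "$work/err" &
    "$@" > "$work/out" 2> "$work/err"
    rc=$?
    wait
    rm -rf "$work"
    return "$rc"
}

# Constructed demo command.
annotate sh -c 'echo to-stdout; echo to-stderr >&2'
```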