| Summary: | sleuthkit new security issue CVE-2012-5619 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | pmdenielou, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/533735/ | | |
| Whiteboard: | MGA2-64-OK, MGA2-32-OK | | |
| Source RPM: | sleuthkit-3.2.3-2.mga2.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2013-01-23 21:51:10 CET
David Walser
2013-01-23 21:51:25 CET
CC: (none) => pierre-malo.denielou

David Walser
2013-01-23 21:51:32 CET
Assignee: bugsquad => pierre-malo.denielou

I will provide an update to 4.0.1 for Mageia 2 then.

Status: NEW => ASSIGNED

I have uploaded an updated package for Mageia 2, just like Fedora did.

To test this, please have a look at the first link.

Suggested advisory:
========================

Updated sleuthkit packages fix security vulnerabilities:

A security flaw was found in the way the Sleuth Kit (TSK), a collection of UNIX-based command line tools allowing to investigate a computer, performed management of '.' (dotfile) file system entry. An attacker could use this flaw to evade detection by forensic analysis (hide certain files not to be scanned) by renaming the file in question to be '.' file system entry.

The original report speaks about this attack vector to be present when scanning FAT (File Allocation Table) file system. It is possible though, the flaw to be present on other file systems, which do not reserve usage of '.' entry for special purpose, too.

References:
http://www.openwall.com/lists/oss-security/2012/12/01/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5619
https://bugzilla.redhat.com/show_bug.cgi?id=883330
========================

Updated packages in core/updates_testing:
========================
sleuthkit-4.0.1-1.mga2
lib(64)tsk3_9-4.0.1-1.mga2
lib64tsk3-devel-4.0.1-1.mga2

Source RPM:
sleuthkit-4.0.1-1.mga2

Assignee: pierre-malo.denielou => qa-bugs

Tested on x86_64 using the PoC from Claire:

before update:

```
[root@MGA2_64 marc]# fls -V
The Sleuth Kit ver 3.2.3
[root@MGA2_64 marc]# fls -a empty.img
v/v 1612675: $MBR
v/v 1612676: $FAT1
v/v 1612677: $FAT2
d/d 1612678: $OrphanFiles
[root@MGA2_64 marc]# fls -a file.img
r/r 3: FILE.TXT
v/v 1612675: $MBR
v/v 1612676: $FAT1
v/v 1612677: $FAT2
d/d 1612678: $OrphanFiles
[root@MGA2_64 marc]# fls -a dot.img
r/d 2: .
v/v 1612675: $MBR
v/v 1612676: $FAT1
v/v 1612677: $FAT2
d/d 1612678: $OrphanFiles
```

after update:

```
[root@MGA2_64 marc]# fls -V
The Sleuth Kit ver 4.0.1
[root@MGA2_64 marc]# fls -a empty.img
v/v 1612675: $MBR
v/v 1612676: $FAT1
v/v 1612677: $FAT2
d/d 1612678: $OrphanFiles
[root@MGA2_64 marc]# fls -a file.img
r/r 3: FILE.TXT
v/v 1612675: $MBR
v/v 1612676: $FAT1
v/v 1612677: $FAT2
d/d 1612678: $OrphanFiles
[root@MGA2_64 marc]# fls -a dot.img
r/d 2: .
v/v 1612675: $MBR
v/v 1612676: $FAT1
v/v 1612677: $FAT2
d/d 1612678: $OrphanFiles
```

I do not see any differences and cannot interpret the result ;) Is that good, or not?

CC: (none) => marc.lattemann

Same results for i586. If this is fine, then package can be validated...

Strange, looks to me like you got the good/desired output from both.

Since after major version jump the new version is not vulnerable I will validate this package:

Please see Comment 2 for advisory and SRPMS.

Can sysadmin push package to update?

Thanks.

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0031

Status: ASSIGNED => RESOLVED
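
The advisory above concerns a file stored under the name '.' on a FAT volume. As an added example (not part of this bug report and not The Sleuth Kit's code), the Python below audits a raw FAT directory region independently of any listing tool and reports '.' and '..' short-name entries that break FAT conventions. It assumes the standard 32-byte short directory entry layout and the FAT convention that the root directory holds no '.'/'..' entries while a subdirectory holds them in its first two slots with the directory attribute set; `make_entry`, `audit_directory` and the sample bytes are constructed for this example.

```python
import struct

ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F               # long-file-name fragment marker
DOT = b".".ljust(11)          # 8.3 name field of a '.' entry (space padded)
DOTDOT = b"..".ljust(11)

def make_entry(name11, attr, cluster=0, size=0):
    """Build one 32-byte FAT short directory entry (constructed sample data)."""
    e = bytearray(32)
    e[0:11] = name11
    e[11] = attr
    struct.pack_into("<H", e, 26, cluster)   # first cluster, low word
    struct.pack_into("<I", e, 28, size)      # file size in bytes
    return bytes(e)

def audit_directory(raw, is_root):
    """Return (slot, reason) findings for '.'/'..' entries that break FAT conventions."""
    findings = []
    for slot in range(len(raw) // 32):
        entry = raw[slot * 32:(slot + 1) * 32]
        if entry[0] == 0x00:                 # end-of-directory marker
            break
        attr, name = entry[11], entry[0:11]
        if (attr & 0x3F) == ATTR_LFN or name not in (DOT, DOTDOT):
            continue                         # LFN fragment or ordinary name
        label = name.decode("ascii").strip()
        expected_slot = 0 if name == DOT else 1
        if is_root:
            findings.append((slot, f"'{label}' entry in root directory"))
        elif slot != expected_slot:
            findings.append((slot, f"'{label}' entry outside slot {expected_slot}"))
        if not attr & ATTR_DIRECTORY:
            size = struct.unpack_from("<I", entry, 28)[0]
            findings.append((slot, f"'{label}' lacks directory attribute, size={size}"))
    return findings

if __name__ == "__main__":
    # Constructed root directory: one regular file (archive bit) stored as '.'
    root = make_entry(DOT, 0x20, cluster=3, size=11) + bytes(32)
    for finding in audit_directory(root, is_root=True):
        print(finding)
```
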