Bug 10889 - 389-ds-base new security issues CVE-2013-2219 and CVE-2013-4283
: 389-ds-base new security issues CVE-2013-2219 and CVE-2013-4283
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: Thomas Spuhler
: Sec team
: http://lwn.net/Vulnerabilities/561621/
:
:
: 10138
:
  Show dependency treegraph
 
Reported: 2013-07-31 19:33 CEST by David Walser
Modified: 2013-08-30 19:27 CEST (History)
2 users (show)

See Also:
Source RPM: 389-ds-base-1.3.0.5-2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-31 19:33:07 CEST
RedHat has issued an advisory on July 30:
https://rhn.redhat.com/errata/RHSA-2013-1119.html

It's not clear which versions are affected, but we have it packaged in Mageia 3 and Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 Thomas Spuhler 2013-07-31 20:31:37 CEST
According to the announcement, version 1.2 are affected
https://rhn.redhat.com/errata/RHSA-2013-1119.html
We have versions 1.3 on mga3 and cauldron has been updated last night
Comment 2 David Walser 2013-07-31 20:34:18 CEST
Version 1.2 is what they issued an update for, because that's what they have in RHEL6.  It doesn't mean 1.3 isn't affected (it probably is).  Your best bet is to check the patch they added to the package against the code in 1.3.
Comment 3 David Walser 2013-08-02 16:47:47 CEST
The patch in RedHat's SRPM on RHEL6 that fixes this is:
0047-CVE-2013-2219-ACLs-inoperative-in-some-search-scenar.patch

It is already fixed in the version we have in Cauldron, but not in Mageia 3.

The patch applies cleanly and I have checked it into Mageia 3 SVN.

Please submit it to the build system if it looks good to you.
Comment 4 Thomas Spuhler 2013-08-02 19:28:36 CEST
The patch has been applied in mga3 and is in updates_testing.
I have done some testing by installing the package on a local box and did setup a maildomain, add users to it and sent e-mails back and forth. Also the roundcubemail shows the addresses in the addressbook and as far as I can see everything in Roundcubemail as well as in Thunderbird works.
Teh updated packages are:

389-ds-base-1.3.0.5-2.2.mga3.src.rpm
389-ds-base-1.3.0.5-2.2.mga3.xxx.rpm
389-ds-base-debuginfo-1.3.0.5-2.2.mga3.xxx.rpm
389-ds-base-devel-1.3.0.5-2.2.mga3.xxxx.rpm
389-ds-base-libs-1.3.0.5-2.2.mga3.xxx.rpm

The package in cauldron will be fixed by updating it to version >= 1.3.1.5
(1.3.1.5 currently doesn't build)
Comment 5 David Walser 2013-08-02 21:28:33 CEST
Thanks Thomas.  BTW, if you can give more details on the testing setup, it'd help.

Advisory:
========================

Updated 389-ds-base packages fix security vulnerability:

It was discovered that the 389 Directory Server did not honor defined
attribute access controls when evaluating search filter expressions. A
remote attacker (with permission to query the Directory Server) could use
this flaw to determine the values of restricted attributes via a series of
search queries with filter conditions that used restricted attributes
(CVE-2013-2219).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2219
https://rhn.redhat.com/errata/RHSA-2013-1119.html
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.0.5-2.2.mga3
389-ds-base-libs-1.3.0.5-2.2.mga3
389-ds-base-devel-1.3.0.5-2.2.mga3

from 389-ds-base-1.3.0.5-2.2.mga3.src.rpm
Comment 6 claire robinson 2013-08-03 11:04:13 CEST
We now have 2 bugs assigned to QA for 389-ds-base. Only one bug should be assigned to QA for each update. As the last one wasn't pushed yet this build, whatever it includes is now the current one.

Does this include the bugfix from bug 10138 ? 
Were the issues in that bug addressed before building this on top of it?
Which bug do you want to close?

Whichever bug is left should include a full advisory of the changes.
Comment 7 David Walser 2013-08-03 16:52:12 CEST
Whoops, sorry, didn't see the other bug.  I'll make this one depend on the other one.
Comment 8 Thomas Spuhler 2013-08-28 23:58:36 CEST
Oooops, seems this has never been assigned to QA.
Comment 9 David Walser 2013-08-29 00:28:27 CEST
Actually it was, but this bug is for the same update as the one in Bug 10138, so we are using that bug to QA this update.  Both bugs will be closed once the update is released.
Comment 10 Thomas Spuhler 2013-08-29 00:32:52 CEST
I understand. No problem. But it looked like it was stuck.
Comment 11 David Walser 2013-08-29 21:10:21 CEST
RedHat has issued an advisory on August 28:
https://rhn.redhat.com/errata/RHSA-2013-1182.html

This fixed a new security issue, CVE-2013-4283.

from http://lwn.net/Vulnerabilities/565273/
Comment 12 Thomas Spuhler 2013-08-30 03:57:24 CEST
This security issue has been fixed by upgrading the package to version 1.3.0.8.
Also the creation of the systemd dir has been made conditional to avoid the error message when this directory already exists when upgrading from a previous version.


Updated packages in core/updates_testing:
========================

389-ds-base-1.3.0.8-1.mga3.src.rpm
389-ds-base-1.3.0.8-1.mga3.x86_64.rpm
389-ds-base-libs-1.3.0.8-1.mga3.x86_64.rpm
389-ds-base-devel-1.3.0.8-1.mga3.x86_64.rpm
389-ds-base-debuginfo-1.3.0.8-1.mga3.x86_64.rpm

I tested the upgrade and an inital installation

Re-assigning the bug to qa-bugs@ml.mageia.org

Hopefully, we can get this out before the next CVE will be announced
:)
Comment 13 David Walser 2013-08-30 03:59:01 CEST
Bug 10138 is the one QA is using for this update.
Comment 14 David Walser 2013-08-30 19:27:51 CEST
Fixed in Bug 10138:
http://advisories.mageia.org/MGASA-2013-0263.html

Note You need to log in before you can comment on or make changes to this bug.