Bug 11305 - nas new security issues CVE-2013-425[6-8]
Summary: nas new security issues CVE-2013-425[6-8]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/568669/
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-09-27 20:10 CEST by David Walser
Modified: 2013-10-10 00:52 CEST (History)
4 users (show)

See Also:
Source RPM: nas-1.9.3-2.mga3.src.rpmq
CVE:
Status comment:


Attachments

Description David Walser 2013-09-27 20:10:19 CEST
Fedora has issued an advisory on September 18:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/117049.html

Reproducible: 

Steps to Reproduce:
David Walser 2013-09-27 20:10:28 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Oden Eriksson 2013-09-30 14:44:01 CEST
Fixed packages has been submitted for all.

NOTE: CVE-2013-4258 was already fixed with the nas-1.9.2-fix-str-fmt.patch patch in mga2 -> cauldron.

CC: (none) => oe

Comment 2 David Walser 2013-10-01 00:22:34 CEST
Thanks Oden!

Advisory:
========================

Updated nas packages fix security vulnerabilities:

Buffer overflow when parsing display number and various other buffer overflows
(CVE-2013-4256).

Heap overflow when using AUDIOHOST environment variable (CVE-2013-4257).

Race when opening a TCP device (nas#289).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4257
http://sourceforge.net/p/nas/code/289/
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/117049.html
========================

Updated packages in core/updates_testing:
========================
nas-1.9.2-6.1.mga2
libnas2-1.9.2-6.1.mga2
libnas-devel-1.9.2-6.1.mga2
libnas-static-devel-1.9.2-6.1.mga2
nas-1.9.3-2.1.mga3
libnas2-1.9.3-2.1.mga3
libnas-devel-1.9.3-2.1.mga3
libnas-static-devel-1.9.3-2.1.mga3

from SRPMS:
nas-1.9.2-6.1.mga2.src.rpm
nas-1.9.3-2.1.mga3.src.rpm

Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 3 claire robinson 2013-10-07 09:39:53 CEST
Some basic info for testing: http://radscan.com/nas/nas-README.txt
Comment 4 Oden Eriksson 2013-10-07 09:46:40 CEST
Additionally, someone should sync the systemd scripts with fedora to get rid of the sysv scripts.
Comment 5 claire robinson 2013-10-07 09:59:31 CEST
Testing mga3 64

Before
------

I don't think this is working.

# service nasd start
Starting nasd (via systemctl):      [  OK  ]

# auinfo
auinfo:  unable to connect to audio server

# auinfo -audio localhost
auinfo:  unable to connect to audio server

# nasd -aa
Network Audio System Release 1.9.3
Network Audio System Release 1.9.3
Init: Output open(/dev/dsp) failed: No such file or directory

Fatal server error:
could not create audio connection block info
Comment 6 claire robinson 2013-10-07 10:07:39 CEST
Oops, I skipped a step and maybe shouldn't run it as root anyway :\

# service nasd start
Starting nasd (via systemctl):         [  OK  ]

$ export AUDIOSERVER="`hostname`:0"

It still fails though.

Checked the hostname was correct..

$ echo $AUDIOSERVER

$ auinfo
auinfo:  unable to connect to audio server

$ auinfo -audio "`hostname`:0"
auinfo:  unable to connect to audio server

# service nasd stop
Stopping nasd (via systemctl):       [  OK  ]

$ nasd -aa
Network Audio System Release 1.9.3
Network Audio System Release 1.9.3
Error binding unix socket: /var/run/nasd/audio0
: Address already in use

Fatal server error:
Cannot establish unix listening socket
Comment 7 claire robinson 2013-10-07 10:18:36 CEST
A bit further..

$ export AUDIOSERVER="`hostname`:1"

$ nasd -d 3
Network Audio System Release 1.9.3
Network Audio System Release 1.9.3
AuInitPhysicalDevices();
Init: will close device when finished with stream.
Init: will keep mixer device open.
Init: Leaving the mixer device options alone at startup.
Init: openDevice OUT /dev/dsp mode 1
Init: Output open(/dev/dsp) failed: No such file or directory

Fatal server error:
could not create audio connection block info
Comment 8 claire robinson 2013-10-07 11:09:11 CEST
After installing ossp and rebooting there is now a /dev/dsp 

Possibly missing a require or better default configuration. I'll create a new bug for it as this is appears possibly remotely exploitable, although no PoC's

When started with -pn option it now starts.

$ auinfo -audio "`hostname`:0"

Shows stuff.


After
-----
Started the same way with -pn.

$ auinfo -audio "`hostname`:0"

Shows stuff.

$ audemo -audio "`hostname`:0"

Scans $HOME for files and eventually opens an X window with some sounds to play. When selected they do play Ok.

Testing complete mga3 64

Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok

Comment 9 claire robinson 2013-10-07 11:40:54 CEST
Bug 11399 created for missing /dev/dsp
Comment 10 claire robinson 2013-10-07 12:11:55 CEST
Testing complete mga3 32

Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok mga3-32-ok

Comment 11 claire robinson 2013-10-07 14:57:46 CEST
Can't get guest sound to work in Virtualbox to test mga2 :\
Comment 12 Dave Hodgins 2013-10-07 17:30:57 CEST
For sound in Mageia 2 under virtualbox, see
https://bugs.mageia.org/show_bug.cgi?id=5509#c12

CC: (none) => davidwhodgins

Comment 13 claire robinson 2013-10-07 17:35:56 CEST
Ahh great, thanks Dave, that did the trick.
Comment 14 claire robinson 2013-10-07 17:44:57 CEST
Testing complete mga2 32

Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok

Comment 15 claire robinson 2013-10-07 18:24:20 CEST
Having issues with this mga2 64, I can't seem to get beyond this..

$ nasd -d 3 -pn
Network Audio System Release 1.9.2
Network Audio System Release 1.9.2
Binding TCP socket: Address already in use
Cannot establish tcp listening socket
Error binding unix socket: /var/run/nasd/audio0
: No such file or directory
Cannot establish unix listening socket

Fatal server error:
Cannot establish any listening sockets

ossp installed and system rebooted so /dev/dsp exists. 
Mga2 32 was ok, both these mga2 are in vbox.

Sometimes nasd causes the terminal to close, no errors reported in syslog.

I've run out of time today.
Comment 16 claire robinson 2013-10-09 13:17:23 CEST
Testing mga2 64 again in vbox

Seems /dev/dsp was missing again, created when starting osspd service.

nasd -d 3 -pn still closes the terminal but opening it again and checking with ps aux | grep nasd shows it is still running.

Tested with audemo/auplay and found it played a wav file ok. I suspect issues with OSS.

Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok

Comment 17 claire robinson 2013-10-09 13:23:04 CEST
Validating. Advisory 11305.adv uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 Thomas Backlund 2013-10-10 00:52:08 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0298.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.