Bug 11459 - polarssl new security issue CVE-2013-5915
: polarssl new security issue CVE-2013-5915
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/570337/
: has_procedure advisory mga3-64-ok mga...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-10-14 19:05 CEST by David Walser
Modified: 2013-11-30 22:43 CET (History)
3 users (show)

See Also:
Source RPM: polarssl-1.2.8-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-10-14 19:05:05 CEST
Fedora has issued an advisory on October 4:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html

The issue is fixed upstream in 1.2.9:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-10-15 08:52:06 CEST
polarssl-1.3.0-1.mga4 has been submitted.
Comment 2 Oden Eriksson 2013-10-15 08:58:50 CEST
polarssl-1.2.9-1.mga3 has been submitted.

NOTE. polarssl-1.3.0 bumps the major (2 -> 4), which would require at least pdns to be rebuilt for mga3, if one would upgrade to polarssl-1.3.0 that is.
Comment 3 Oden Eriksson 2013-11-22 09:32:20 CET
polarssl-1.3.1-1.mga3 has been submitted.

The upstream patches broke the api anyway, preventing pdns to build.

https://github.com/polarssl/polarssl/commit/43f9799ce61c6392a014d0a2ea136b4b3a9ee194
https://github.com/polarssl/polarssl/commit/6b06502c4b19ce40a88faca3528b9f3f0c87a755

This has been fixed in git by pdns upstream. Backporting pdns-3.3.1-1.1.mga4.src.rpm will fix this problem.

To my knowledge only pdns uses polarssl.
Comment 4 Oden Eriksson 2013-11-22 10:17:48 CET
pdns-3.3.1-0.1.mga3 has also been submitted.
Comment 5 David Walser 2013-11-22 13:37:21 CET
Thanks Oden!

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL
RSA implementation and discovered a bias in the implementation of the Montgomery
multiplication that we used. For which they then show that it can be used to
mount an attack on the RSA key. Although their test attack is done on a local
system, there seems to be enough indication that this can properly be performed
from a remote system as well (CVE-2013-5915).

Also, the pdns package has been updated to work with the updated polarssl.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5915
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.1-1.mga3
libpolarssl5-1.3.1-1.mga3
libpolarssl-devel-1.3.1-1.mga3
pdns-3.3.1-0.1.mga3
pdns-backend-pipe-3.3.1-0.1.mga3
pdns-backend-mysql-3.3.1-0.1.mga3
pdns-backend-pgsql-3.3.1-0.1.mga3
pdns-backend-ldap-3.3.1-0.1.mga3
pdns-backend-sqlite-3.3.1-0.1.mga3
pdns-backend-geo-3.3.1-0.1.mga3

from SRPMS:
polarssl-1.3.1-1.mga3.src.rpm
pdns-3.3.1-0.1.mga3.src.rpm
Comment 6 David Walser 2013-11-23 02:16:03 CET
Looks like the ragel package that Oden built is required by this pdns update, so adding that to the packages list.

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL
RSA implementation and discovered a bias in the implementation of the Montgomery
multiplication that we used. For which they then show that it can be used to
mount an attack on the RSA key. Although their test attack is done on a local
system, there seems to be enough indication that this can properly be performed
from a remote system as well (CVE-2013-5915).

Also, the pdns package has been updated to work with the updated polarssl.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5915
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.1-1.mga3
libpolarssl5-1.3.1-1.mga3
libpolarssl-devel-1.3.1-1.mga3
pdns-3.3.1-0.1.mga3
pdns-backend-pipe-3.3.1-0.1.mga3
pdns-backend-mysql-3.3.1-0.1.mga3
pdns-backend-pgsql-3.3.1-0.1.mga3
pdns-backend-ldap-3.3.1-0.1.mga3
pdns-backend-sqlite-3.3.1-0.1.mga3
pdns-backend-geo-3.3.1-0.1.mga3
ragel-6.8-1.mga3

from SRPMS:
polarssl-1.3.1-1.mga3.src.rpm
pdns-3.3.1-0.1.mga3.src.rpm
ragel-6.8-1.mga3.src.rpm
Comment 7 claire robinson 2013-11-27 17:05:47 CET
Testing complete mga3 32

Testing with polarssl-selftest that all tests pass. The last few took some time to complete but all passed.

Configured /etc/powerdns/pdns.conf to listen on port 2000 so it wouldn't conflict with anything else and started the service, sent it a 'dig'

# dig www.example.com A @127.0.0.1 -p 2000

; <<>> DiG 9.9.3-P2 <<>> www.example.com A @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13964
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;www.example.com.               IN      A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#2000(127.0.0.1)
;; WHEN: Wed Nov 27 15:59:22 GMT 2013
;; MSG SIZE  rcvd: 44
Comment 8 claire robinson 2013-11-27 17:13:16 CET
One noteworthy issue, adding feedback for now, when installing pdns..

Failed to issue method call: Unit powerdns.service failed to load: No such file or directory. See system logs and 'systemctl status powerdns.service' for details.
warning: %post(pdns-3.3.1-0.1.mga3.x86_64) scriptlet failed, exit status 6
ERROR: 'script' failed for pdns-3.3.1-0.1.mga3.x86_64: 


It seems to be looking for powerdns.service when IINM it should look for pdns.service


# ls /lib/systemd/system/ | grep dns
dnsmasq.service
pdns.service
Comment 9 David Walser 2013-11-27 17:17:38 CET
Indeed, and I imagine it's the same in Cauldron.

%post
%_tmpfilescreate %{name}
%_post_service powerdns

%preun
%_preun_service powerdns

Should be:

%post
%_tmpfilescreate %{name}
%_post_service %{name}

%preun
%_preun_service %{name}
Comment 10 Oden Eriksson 2013-11-27 17:46:58 CET
fixed with pdns-3.3.1-1.mga3 & pdns-3.3.1-2.mga4.
Comment 11 David Walser 2013-11-27 18:02:20 CET
Thanks Oden.
Comment 12 claire robinson 2013-11-28 14:07:54 CET
Testing complete mga3 32
Comment 13 claire robinson 2013-11-28 14:08:26 CET
mga3 64 above :\
Comment 14 Oden Eriksson 2013-11-28 15:58:07 CET
(In reply to claire robinson from comment #13)
> mga3 64 above :\

Huh?
Comment 15 claire robinson 2013-11-29 12:30:02 CET
Testing complete mga3 32 (really 32 this time)

Validating


Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 16 Thomas Backlund 2013-11-30 22:43:41 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0353.html

Note You need to log in before you can comment on or make changes to this bug.