Bug 12616 - tntnet new security issue CVE-2013-7299
: tntnet new security issue CVE-2013-7299
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/584268/
: MGA3TOO has_procedure mga3-32-ok mga3...
: Security, validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-05 19:31 CET by David Walser
Modified: 2014-02-16 14:45 CET (History)
5 users (show)

See Also:
Source RPM: tntnet-2.2-2.mga4.src.rpm
CVE: CVE-2013-7299


Attachments

Description David Walser 2014-02-05 19:31:11 CET
Fedora has issued an advisory on January 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127746.html

The issue is fixed upstream in 2.2.1.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Anssi Hannula 2014-02-09 20:01:22 CET
Advisory:
============
A flaw in Tntnet allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests.

This update fixes the vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7299
============

Updated packages in mga3+mga4 core/updates_testing and cauldron core/release.

Source packages:
tntnet-2.1-2.1.mga3
tntnet-2.2-2.1.mga4

Binary packages:
tntnet-2.1-2.1.mga3
tntnet-demos-2.1-2.1.mga3
lib64tntnet10-2.1-2.1.mga3
lib64tntnet-devel-2.1-2.1.mga3
tntnet-2.2-2.1.mga4
tntnet-demos-2.2-2.1.mga4
lib64tntnet11-2.2-2.1.mga4
lib64tntnet-devel-2.2-2.1.mga4
Comment 2 David Walser 2014-02-09 21:25:40 CET
Thanks Anssi!

Just making some formatting changes.

Advisory:
========================

Updated tntnet packages fix security vulnerability:

A flaw in Tntnet before 2.2.1 allows remote attackers to obtain sensitive
information via a header that ends in \n instead of \r\n, which prevents a
null terminator from being added and causes Tntnet to include headers from
other requests (CVE-2013-7299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7299
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127746.html
========================

Updated packages in core/updates_testing:
========================
tntnet-2.1-2.1.mga3
tntnet-demos-2.1-2.1.mga3
libtntnet10-2.1-2.1.mga3
libtntnet-devel-2.1-2.1.mga3
tntnet-2.2-2.1.mga4
tntnet-demos-2.2-2.1.mga4
libtntnet11-2.2-2.1.mga4
libtntnet-devel-2.2-2.1.mga4

from SRPMS:
tntnet-2.1-2.1.mga3.src.rpm
tntnet-2.2-2.1.mga4.src.rpm
Comment 3 claire robinson 2014-02-11 08:00:44 CET
Procedure: Follow "How to create your first web application" from
http://www.tntnet.org/quick-start-guide.html

----------------------
To create a web application it is necessary to create some initial project files. This is achieved by executing tntnet-config:

tntnet-config --project=myfirstproject

This creates:

    a directory "myfirstproject"
    a source file "myfirstproject.ecpp" containing your application
    a configurationfile "tntnet.xml"
    a Makefile

To build and execute your first enter the following commands:

cd myfirstproject
make
tntnet

Now you can start your web browser and navigate to http://localhost:8000/myfirstproject.

You can see the result of your first running tntnet application, which prints the name of the application.
----------------------
Comment 4 claire robinson 2014-02-11 08:09:27 CET
Testing mga3 64

The lib devel is providing /usr/bin/tntnet-config which seems wrong, can you confirm this is correct Anssi please?

$ urpmf tntnet-config
lib64tntnet-devel:/usr/bin/multiarch-x86_64-linux/tntnet-config
lib64tntnet-devel:/usr/bin/tntnet-config
lib64tntnet-devel:/usr/share/man/man1/tntnet-config.1.xz
Comment 5 Anssi Hannula 2014-02-11 12:34:31 CET
It is debatable, but I think it is OK.

IIRC Tntnet web applications are C++ software compiled against Tntnet, so you need the -devel package to build them.

Debian and Fedora also have tntnet-config in -devel.
Comment 6 claire robinson 2014-02-11 19:38:09 CET
Testing complete mga3 32 & 64
Comment 7 Samuel Verschelde 2014-02-12 11:11:08 CET
Advisory uploaded.
Comment 8 claire robinson 2014-02-12 18:20:22 CET
tntnet requires libcxxtools (bug 12691) so both can be tested together.
Comment 9 Manuel Hiebel 2014-02-13 23:20:55 CET
(In reply to claire robinson from comment #4)
> Testing mga3 64
> 
> The lib devel is providing /usr/bin/tntnet-config which seems wrong, can you
> confirm this is correct Anssi please?
> 
> $ urpmf tntnet-config
> lib64tntnet-devel:/usr/bin/multiarch-x86_64-linux/tntnet-config
> lib64tntnet-devel:/usr/bin/tntnet-config
> lib64tntnet-devel:/usr/share/man/man1/tntnet-config.1.xz

And a require/suggest for gcc-c++

g++ -I/usr/include -fPIC -O2   -c -o myfirstproject.o myfirstproject.cpp
make: g++: commande introuvable
Comment 10 Carolyn Rowse 2014-02-15 20:09:48 CET
Tested Mga3 32-bit, worked as expected before and after update.

So that seems to complete testing for this one.

Update validated.

See comment 2 for advisory and SRPM.

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.
Comment 11 Samuel Verschelde 2014-02-15 22:43:45 CET
(In reply to Carolyn Rowse from comment #10)
> See comment 2 for advisory and SRPM.
> 

Actually the advisory was already uploaded to SVN.
Comment 12 Thomas Backlund 2014-02-16 14:45:54 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0072.html

Note You need to log in before you can comment on or make changes to this bug.