Bug 13413 - mono new security issue CVE-2012-3543
Summary: mono new security issue CVE-2012-3543
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/599440/
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK a...
Keywords: validated_update
Depends on:
Blocks:

Reported: 2014-05-19 21:23 CEST by David Walser
Modified: 2014-05-29 09:26 CEST
CC List: 4 users

See Also:
Source RPM: mono-2.10.9-4.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2014-05-19 21:23:36 CEST
Gentoo has issued an advisory on May 18:
http://www.gentoo.org/security/en/glsa/glsa-201405-16.xml

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated mono packages fix security vulnerability:

Mono 2.10.9 does not properly randomize hash functions for form posts to
protect against hash collision attacks. A remote attacker could send
specially crafted parameters, possibly resulting in a Denial of Service
condition (CVE-2012-3543).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3543
http://www.gentoo.org/security/en/glsa/glsa-201405-16.xml
========================

Updated packages in core/updates_testing:
========================
mono-2.10.9-4.1.mga3
mono-doc-2.10.9-4.1.mga3
libmono0-2.10.9-4.1.mga3
libmono2.0_1-2.10.9-4.1.mga3
mono-data-sqlite-2.10.9-4.1.mga3
libmono-devel-2.10.9-4.1.mga3
mono-winfxcore-2.10.9-4.1.mga3
mono-web-2.10.9-4.1.mga3
mono-data-oracle-2.10.9-4.1.mga3
mono-data-2.10.9-4.1.mga3
mono-extras-2.10.9-4.1.mga3
mono-ibm-data-db2-2.10.9-4.1.mga3
mono-winforms-2.10.9-4.1.mga3
mono-locale-extras-2.10.9-4.1.mga3
mono-data-postgresql-2.10.9-4.1.mga3
mono-nunit-2.10.9-4.1.mga3
monodoc-core-2.10.9-4.1.mga3
mono-wcf-2.10.9-4.1.mga3

from mono-2.10.9-4.1.mga3.src.rpm

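The advisory above describes a hash-flooding denial of service: when the hash that indexes posted form fields is fixed and publicly known, a client can choose field names that all land in the same bucket, so every lookup degrades to a linear scan. The following Python example is added here to illustrate that mechanism and its two standard mitigations (a hash keyed with a per-process random secret, and a cap on the number of form fields); it is not Mono's code and does not reproduce Mono's hash function. `NUM_BUCKETS`, `PROCESS_SECRET`, `MAX_FORM_FIELDS`, the toy `weak_hash` and the colliding field names are all constructed for the illustration.

```python
"""Why unkeyed hashing of form fields is a DoS risk, and two mitigations.

Added illustration written for this bug report; it is not Mono's code and
does not reproduce Mono's hash function. A toy form-field table is bucketed
first with a fixed, publicly known hash and then with a hash keyed by a
per-process random secret, and a field-count cap is applied while parsing.
"""
import hashlib
import os
import urllib.parse
from collections import Counter
from itertools import permutations

NUM_BUCKETS = 64
# Chosen once per process and never sent to clients (hypothetical setting).
PROCESS_SECRET = os.urandom(16)
# Defence in depth: refuse bodies with more fields than any real form needs
# (hypothetical limit; a real cap is deployment-specific).
MAX_FORM_FIELDS = 1000


def weak_hash(name: str) -> int:
    """Deterministic toy hash (byte sum). Any hash with no secret input has
    the same weakness in principle: a client who knows it can pick names
    that share a bucket."""
    return sum(name.encode()) % NUM_BUCKETS


def keyed_hash(name: str, secret: bytes = PROCESS_SECRET) -> int:
    """Keyed hash: bucket placement depends on a secret the client never
    sees, so colliding names cannot be chosen ahead of time."""
    digest = hashlib.blake2b(name.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % NUM_BUCKETS


def longest_chain(field_names, hash_fn) -> int:
    """Size of the fullest bucket: a lookup there scans this many entries,
    which is exactly the quantity a flooding client tries to inflate."""
    return max(Counter(hash_fn(n) for n in field_names).values())


def colliding_names():
    """Constructed input: every permutation of the same letters has the same
    byte sum, so all 720 names fall into one bucket under weak_hash."""
    return ["".join(p) for p in permutations("abcdef")]


def parse_form(body: str, max_fields: int = MAX_FORM_FIELDS) -> dict:
    """Parse an application/x-www-form-urlencoded body, rejecting it before
    any hashing work if it carries more fields than max_fields."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_fields:
        raise ValueError(f"form has {len(pairs)} fields, limit is {max_fields}")
    fields = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        fields[urllib.parse.unquote_plus(name)] = urllib.parse.unquote_plus(value)
    return fields


if __name__ == "__main__":
    names = colliding_names()
    print("fields:", len(names))
    print("longest chain, unkeyed hash:", longest_chain(names, weak_hash))
    print("longest chain, keyed hash:  ", longest_chain(names, keyed_hash))
    body = "&".join(f"{n}=x" for n in names)
    try:
        parse_form(body, max_fields=100)
    except ValueError as err:
        print("rejected:", err)
```

With the unkeyed hash all 720 constructed names share one bucket; with the keyed hash they spread over the 64 buckets regardless of how the names were chosen, because the client cannot know the secret. The field-count cap is independent of the hash and stops the body before any table work is done, which is why both measures are usually deployed together.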
Comment 1 Carolyn Rowse 2014-05-27 08:04:05 CEST
Is there a PoC, or should I just test apps that use mono?

Carolyn

CC: (none) => cmrisolde

Comment 2 David Walser 2014-05-27 14:57:05 CEST
I'm not aware of a PoC.
Comment 3 claire robinson 2014-05-27 18:14:16 CEST
Test with something from the list from:

$ urpmq --whatrequires mono

Banshee media player is a good one
claire robinson 2014-05-27 18:14:26 CEST

Whiteboard: (none) => has_procedure

Comment 4 William Kenney 2014-05-27 21:40:41 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
mono banshee ( mono installs with banshee install )

default install of mono & banshee

[root@localhost wilcal]# urpmi mono
Package mono-2.10.9-4.mga3.i586 is already installed
[root@localhost wilcal]# urpmi banshee
Package banshee-2.6.0-3.mga3.i586 is already installed

I can play an mp3 file with banshee.

install mono from updates_testing

[root@localhost wilcal]# urpmi mono
Package mono-2.10.9-4.1.mga3.i586 is already installed

I can play an mp3 file with banshee.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 5 William Kenney 2014-05-27 21:41:05 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
mono banshee ( mono installs with banshee install )

default install of mono & banshee

[root@localhost wilcal]# urpmi mono
Package mono-2.10.9-4.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi banshee
Package banshee-2.6.0-3.mga3.x86_64 is already installed

I can play an mp3 file with banshee.

install mono from updates_testing

[root@localhost wilcal]# urpmi mono
Package mono-2.10.9-4.1.mga3.x86_64 is already installed

I can play an mp3 file with banshee.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-05-27 21:41:19 CEST
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Is this enough to Validate this update?
Comment 7 David Walser 2014-05-27 21:47:37 CEST
(In reply to William Kenney from comment #6)
> For me this update works fine.
> Testing complete for mga3 32-bit & 64-bit
> Is this enough to Validate this update?

I believe so.
Comment 8 William Kenney 2014-05-27 22:03:30 CEST
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2014-05-29 09:26:47 CEST
Advisory uploaded.

Update pushed:
http://advisories.mageia.org/MGASA-2014-0244.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory

