Bug 13441 - sos new security issue CVE-2014-0246 and CVE-2014-3925
Summary: sos new security issue CVE-2014-0246 and CVE-2014-3925
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603751/
Whiteboard: advisory MGA4-32-OK mga4-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-27 20:20 CEST by David Walser
Modified: 2015-03-06 19:09 CET

See Also:
Source RPM: sos-3.0-3.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2014-05-27 20:20:17 CEST
A security issue in sos was made public today (May 27):
http://openwall.com/lists/oss-security/2014/05/27/1

The RedHat bug says that it's similar to CVE-2012-2664 (Bug 6525) which we deemed INVALID for us as it depended on Anaconda, but I don't know if that's the case for this one.

I don't see a fix available for this one yet.

In Cauldron, this could also be updated to 3.1.

David Walser 2014-05-27 20:20:46 CEST

CC: (none) => doktor5000, remco
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-05-29 14:10:21 CEST
A CVE has been requested for yet another sos issue:
http://openwall.com/lists/oss-security/2014/05/29/6
Comment 2 David Walser 2014-05-30 19:35:03 CEST
(In reply to David Walser from comment #1)
> A CVE has been requested for yet another sos issue:
> http://openwall.com/lists/oss-security/2014/05/29/6

CVE-2014-3925 was allocated:
http://openwall.com/lists/oss-security/2014/05/30/3

The scope of the CVE was limited to RHEL5, because of it not providing a warning to the user about sensitive information.  I'm not sure if our version of sos includes this warning or not.  If so, this new CVE can be considered invalid.

Summary: sos new security issue CVE-2014-0246 => sos new security issue CVE-2014-0246 and CVE-2014-3925

Comment 3 David Walser 2014-06-27 14:08:12 CEST
Fedora has issued an advisory for CVE-2014-0246 on June 18:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134751.html
David Walser 2014-06-27 18:29:52 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603751/

Comment 4 Bruno Cornec 2014-07-05 00:48:01 CEST
(In reply to David Walser from comment #0)
> A security issue in sos was made public today (May 27):
> http://openwall.com/lists/oss-security/2014/05/27/1

From the Red Hat bug available at 
https://bugzilla.redhat.com/show_bug.cgi?id=1101393 this is not considered a security issue, which makes sense as sos is collecting lots of files, some of which may contain sensitive info anyway that you may want to purge before sending.

Status: NEW => ASSIGNED

Comment 5 Bruno Cornec 2014-07-05 01:16:25 CEST
It seems 3.1 (which I uploaded to cauldron) doesn't provide the fix either. We'll have to wait for 3.2 to have automatic removal of passwd. However, I agree with the comments in Fedora/RH that it's not really per se a security issue more than what the original file already contains.

Let me know if you want me to also retrofit 3.1 to mga4.
Comment 6 David Walser 2014-07-05 21:28:13 CEST
There appears to be some disagreement on whether it's a security bug.  This one at least does affect us, unlike CVE-2012-2664.

It's true that 3.1 doesn't fix the issue, but in Fedora's update to 3.1 for Fedora 20, they added some additional patches which do fix the issue:
http://pkgs.fedoraproject.org/cgit/sos.git/commit/?h=f20&id=0b3105c4a35ad49f673bd68d875acdf956d7409a

It sounds to me like we should update this, but it's a low enough severity issue that it's not urgent at all.  I'll leave it up to you as to when you want to do an update.
Comment 7 David Walser 2014-07-08 15:26:03 CEST
Should there be some branding patch like CentOS has if we're going to have this packaged, since it's for RedHat support?  See here:
https://git.centos.org/log/rpms!sos.git/refs!heads!c7
Comment 8 David Walser 2014-07-08 15:29:02 CEST
(In reply to David Walser from comment #7)
> Should there be some branding patch like CentOS has if we're going to have
> this packaged, since it's for RedHat support?  See here:
> https://git.centos.org/log/rpms!sos.git/refs!heads!c7

Perhaps that would be true of yum as well:
https://git.centos.org/log/rpms!yum.git/refs!heads!c7
Comment 9 Sander Lepik 2014-10-04 15:48:42 CEST
Ping..

CC: (none) => mageia

David Walser 2014-11-27 17:22:09 CET

Blocks: (none) => 14674

Comment 10 Oden Eriksson 2014-11-28 11:55:13 CET
It seems all the patches in sos-3.1-1.fc19.src.rpm were merged in sos-3.2-0.1.a.fc21.src.rpm which is a "new upstream pre-release sos-3.2-alpha1".

CC: (none) => oe

Comment 11 David Walser 2015-02-18 23:57:20 CET
Indeed, so this doesn't need a million patches, you could update to the alpha as Oden said:
http://pkgs.fedoraproject.org/cgit/sos.git/commit/?id=88f20830bded7435977c283fcc93ef7aa4d029bd

Also, please don't forget about the branding patch mentioned in Comment 7.
Comment 12 Bruno Cornec 2015-02-23 02:10:04 CET
Version 3.2 is now pushed into cauldron. What do you want me to do for 3 & 4? I can backport it for these versions.

The link you gave in comment https://bugs.mageia.org/show_bug.cgi?id=13441#c11 has no relationship with the initial bug report which was grub passwd.

The branding is not a question as it was already done since quite a long time.
Comment 13 David Walser 2015-02-23 02:41:56 CET
(In reply to Bruno Cornec from comment #12)
> version 3.2 is now pushed into cauldron.

Not yet it isn't, and I don't see a freeze push request for it.

> What do you want me to do for 3 & 4
> ? I can backport it for these versions.

Doing the same thing as is done in Cauldron is probably the only thing that makes sense.  Mageia 3 is EOL now, so I've removed that from the whiteboard.

> The link you gave in comment
> https://bugs.mageia.org/show_bug.cgi?id=13441#c11 has no relationship with
> the initial bug report which was grub passwd.

It is completely related to the initial bug report.  The link in Comment 11 was to Fedora's update to the 3.2 alpha, in which the CVEs from the original bug report are fixed.

> The branding is not a question as it was already done since quite a long
> time.

It is a question, and it hasn't been fixed in our package.

Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO

Comment 14 David Walser 2015-02-23 02:46:40 CET
(In reply to David Walser from comment #13)
> (In reply to Bruno Cornec from comment #12)
> > version 3.2 is now pushed into cauldron.
> 
> Not yet it isn't, and I don't see a freeze push request for it.

Ahh, I see it now, you posted it as a reply to another thread.  You should post it as a new thread, otherwise it might be missed.

As to whether to update this for Mageia 4, being as minor an issue as it is, it probably isn't strictly necessary (but it shouldn't hurt anything to do it).  I'll leave that up to you.
Comment 15 David Walser 2015-02-23 14:45:13 CET
Fixed in Cauldron in sos-3.2-1.mga5.  Thanks Bruno.

Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)

Comment 16 Bruno Cornec 2015-02-27 00:02:05 CET
Pushed into update_testing for MGA4 as well.
Advisory updated.

Assignee: bruno => qa-bugs

Comment 17 Bruno Cornec 2015-02-27 00:06:44 CET
(In reply to David Walser from comment #13)
> (In reply to Bruno Cornec from comment #12)
> > The link you gave in comment
> > https://bugs.mageia.org/show_bug.cgi?id=13441#c11 has no relationship with
> > the initial bug report which was grub passwd.
> 
> It is completely related to the initial bug report.  The link in Comment 11
> was to Fedora's update to the 3.2 alpha, in which the CVEs from the original
> bug report are fixed.

Humm I don't find any reference to CVE in it, nor any code fixing the grub password problem initially reported.


> > The branding is not a question as it was already done since quite a long
> > time.
> 
> It is a question, and it hasn't been fixed in our package.

Please could you show me why my patches for rebranding are not what you want here ?
------------------------------------------------------------------------
r672164 | bcornec | 2014-09-04 23:04:07 +0200 (jeu. 04 sept. 2014) | 2 lignes
Chemins modifiés :
   A /cauldron/sos/current/SOURCES/sos-mageia-branding.patch
   M /cauldron/sos/current/SPECS/sos.spec

- sos is now more Mageia branded, based on a CentOS patch - Cf: https://bugs.mageia.org/show_bug.cgi?id=13441
------------------------------------------------------------------------

FYI I remade them for this 3.2 version and checked they were used correctly.

CC: (none) => bruno

Comment 18 David Walser 2015-02-27 00:12:39 CET
Thanks Bruno!

(In reply to Bruno Cornec from comment #17)
> Humm I don't find any reference to CVE in it, nor any code fixing the grub
> password problem initially reported.

The Fedora commits don't list the CVEs, that's true.  The CVEs may not have been allocated yet when Fedora committed the fixes.  They fixed the issues in their 3.1 update, because they included 60 additional patches.  They removed those patches when updating to the 3.2 alpha, because they're included upstream.

> Please could you show me why my patches for rebranding are not what you want
> here ?
> ------------------------------------------------------------------------
> r672164 | bcornec | 2014-09-04 23:04:07 +0200 (jeu. 04 sept. 2014) | 2 lignes
> Chemins modifiés :
>    A /cauldron/sos/current/SOURCES/sos-mageia-branding.patch
>    M /cauldron/sos/current/SPECS/sos.spec
> 
> - sos is now more Mageia branded, based on a CentOS patch - Cf:
> https://bugs.mageia.org/show_bug.cgi?id=13441
> ------------------------------------------------------------------------
> 
> FYI I remade them for this 3.2 version and checked they were used correctly.

Cool.  svnweb didn't show a branding patch until February 23rd, which is after I posted that comment.  Looks like all is well now.  Thanks again.
Comment 19 David Walser 2015-02-27 00:16:23 CET
This is the advisory that Bruno added to SVN (I added the Fedora reference from Comment 3):
type: bugfix
subject: Updated sos package fixes CVE-2014-0246 and CVE-2014-3925
src:
  4:
   core:
     - sos-3.2-1.mga4
description: |
  Update to upstream 3.2 in order to fix some minor security issues
  on password inclusion in log files reported as CVE-2014-0246 and CVE-2014-3925
references:
 - https://bugs.mageia.org/show_bug.cgi?id=13441
 - https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134751.html

Whiteboard: (none) => advisory

Comment 20 olivier charles 2015-03-01 22:24:01 CET
Testing on Mageia4x64 real hardware

From current package :
--------------------
sos-2.2-3.mga3.noarch

# sosreport -l

sosreport (version 2.1)

Les plugins suivants sont activés :

 acpid           acpid related information
 apache          Apache related information
 auditd          Auditd related information
 bootloader      Bootloader information
 crontab         Crontab information
 devicemapper    device-mapper related information (dm, lvm, multipath)
 dovecot         dovecot server related information
 (...)

# sosreport -v

sosreport (version 2.1)

This utility will collect some detailed  information about the
hardware and setup of your Red Hat Enterprise Linux system.
The information is collected and an archive is  packaged under
/tmp, which you can send to a support representative.
Red Hat Enterprise Linux will use this information for diagnostic purposes ONLY
and it will be considered confidential information.

This process may take a while to complete.
No changes will be made to your system.

Appuyez sur Entrée pour continuer ou CTRL-C pour quitter.

Veuillez saisir votre premier prénom (si vous en avez plusieurs) et votre nom [localhost] :olivier localhost
Veuillez saisir le numéro de cas pour lequel vous générez ce rapport :1000

Lancement des extensions. Veuillez patienter...

  Completed [42/42] ...      
Création d'une archive compressée...

Votre rapport sos a été généré et enregistré dans :
  /tmp/sosreport-olivierlocalhost.1000-20150301221056-57fb.tar.xz

Le md5sum est :df442c2a1a3b5f1c43c8cc7a14a057fb

Veuillez envoyer ce fichier à votre représentant de support.

Could find sosreport file in tmp.

To updated testing package :
--------------------------
sos-3.2-1.mga4.noarch

# sosreport -l
Traceback (most recent call last):
  File "/usr/sbin/sosreport", line 20, in <module>
    from sos.sosreport import main
  File "/usr/lib/python2.7/site-packages/sos/sosreport.py", line 30, in <module>
    from sos.plugins import import_plugin
  File "/usr/lib/python2.7/site-packages/sos/plugins/__init__.py", line 21, in <module>
    from sos.utilities import (sos_get_command_output, import_module, grep,
  File "/usr/lib/python2.7/site-packages/sos/utilities.py", line 31, in <module>
    import six
ImportError: No module named six

# sosreport

produces the same error.


Updated testing package does not work for me.

CC: (none) => olchal

Comment 21 David Walser 2015-03-01 22:45:00 CET
Install python-six.  It should be added as a Requires.  We can't add it to the update candidate unless we can get it added in Cauldron first, otherwise it'll cause upgrade problems.
Comment 22 olivier charles 2015-03-01 22:59:24 CET
Thanks David

Following comment 21, installed :
- python-six-1.4.1-3.mga4.noarch

# sosreport -l
All OK

# sosreport -v
All OK (even more verbose, and now puts the report in /var/tmp)

As I did not give grub a password, I cannot tell if the sos logs don't give it away anymore.

All I can say is updated testing sos-3.2-1.mga4.noarch runs well as long as python-six is installed.
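
A check for the case comment 22 could not verify, written as an added example that is not part of this bug thread or of sos: it scans a sosreport archive's bootloader configuration files for GRUB password directives whose value is still present. The file names checked, the constructed sample archives, and the convention that a scrubbed value appears as a run of asterisks are assumptions.

```python
import io
import re
import tarfile

# Assumption: bootloader configs appear in the archive under these file names.
BOOTLOADER_FILES = {"grub.conf", "menu.lst", "grub.cfg"}
# GRUB legacy "password [--md5] <value>" and GRUB2 "password_pbkdf2 <user> <hash>".
GRUB_PASSWORD = re.compile(r"^\s*(password(?:_pbkdf2)?)\s+(?:--\S+\s+)*(\S.*?)\s*$")

def is_masked(value):
    """Assumption: a scrubbed secret is replaced by a run of asterisks."""
    return set(value.split()[-1]) == {"*"}

def find_unmasked_grub_passwords(archive):
    """Return (member, line_no, directive) for every unmasked password line."""
    findings = []
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or base not in BOOTLOADER_FILES:
                continue  # skips e.g. PAM files, whose lines also start with "password"
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for no, line in enumerate(text.splitlines(), 1):
                m = GRUB_PASSWORD.match(line)
                if m and not is_masked(m.group(2)):
                    findings.append((member.name, no, m.group(1)))
    return findings

def build_sample(files):
    """Build an in-memory tar standing in for a sosreport (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def sample_unscrubbed():
    return build_sample({
        "sosreport-constructed/boot/grub/grub.conf":
            "default=0\npassword --md5 $1$CONSTRUCTED$notarealhash\ntitle Linux\n",
        "sosreport-constructed/etc/pam.d/system-auth": "password required pam_unix.so\n",
    })

def sample_scrubbed():
    return build_sample({
        "sosreport-constructed/boot/grub/grub.conf": "default=0\npassword --md5 ********\n",
        "sosreport-constructed/boot/grub2/grub.cfg": "password_pbkdf2 root ********\n",
    })

if __name__ == "__main__":
    print(find_unmasked_grub_passwords(sample_unscrubbed()))
    print(find_unmasked_grub_passwords(sample_scrubbed()))
```

To check a real report, open the generated archive in binary mode and pass the file object to `find_unmasked_grub_passwords`.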
Comment 23 claire robinson 2015-03-05 15:44:32 CET
Adding feedback marker for the missing require.

Whiteboard: advisory => advisory feedback

Comment 24 David Walser 2015-03-05 17:48:56 CET
Freeze push requested, added in Mageia 4 SVN.  I'll push it to the build system once it's pushed in Cauldron.
Comment 25 David Walser 2015-03-05 22:08:39 CET
Fixed Requires pushed in Mageia 4 and Cauldron.

sos-3.2-1.1.mga4 is the Mageia 4 update now.

Whiteboard: advisory feedback => advisory

Comment 26 olivier charles 2015-03-05 23:33:06 CET
Testing on Mageia 4x32 real hardware, using same procedure as in comment 20

From current package :
-------------------
sos-2.2-3.mga3.noarch

# sosreport -l
and
# sosreport -v
gave expected results.

To latest updated testing package :
---------------------------------
sos-3.2-1.1.mga4.noarch

which brought along : python-six-1.4.1-3.mga4.noarch

# sosreport -l
# sosreport -v
OK (report written in /var/tmp)

OK on Mageia 4x32

Whiteboard: advisory => advisory MGA4-32-OK

Comment 27 claire robinson 2015-03-06 17:26:12 CET
Testing complete mga4 64

Whiteboard: advisory MGA4-32-OK => advisory MGA4-32-OK mga4-64-ok

Comment 28 claire robinson 2015-03-06 17:39:42 CET
Advisory updated with new srpm from comment 25

Validating. Please push to 4 updates.

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 29 Mageia Robot 2015-03-06 19:09:32 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0023.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

