Bug 13459 - libcap-ng new security issue CVE-2014-3215
Summary: libcap-ng new security issue CVE-2014-3215
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/600797/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-30 18:12 CEST by David Walser
Modified: 2014-06-06 08:28 CEST
CC: 2 users

See Also:
Source RPM: libcap-ng-0.7.3-3.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-05-30 18:12:25 CEST
OpenSuSE has issued an advisory today (May 30):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00084.html

The issue is fixed upstream in 0.7.4 (which is in Cauldron).

Patched packages uploaded for Mageia 3 and Mageia 4.

Note that this is marked as critical for us based on RedHat's bug, rather than low as OpenSuSE did, because unlike OpenSuSE, our /sbin/seunshare binary in policycoreutils is SUID root. Here's RedHat's bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3215

Advisory:
========================

Updated libcap-ng packages fix security vulnerability:

capng_lock() in libcap-ng before 0.7.4 sets securebits in an attempt to
prevent regaining capabilities using setuid-root programs. This allows a user
to run setuid programs, such as seunshare from policycoreutils, as uid 0 but
without capabilities, which is potentially dangerous (CVE-2014-3215).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
http://lists.opensuse.org/opensuse-updates/2014-05/msg00084.html
========================

Updated packages in core/updates_testing:
========================
libcap-ng0-0.7.3-2.1.mga3
libcap-ng-devel-0.7.3-2.1.mga3
python-libcap-ng-0.7.3-2.1.mga3
libcap-ng-utils-0.7.3-2.1.mga3
libcap-ng0-0.7.3-3.1.mga4
libcap-ng-devel-0.7.3-3.1.mga4
python-libcap-ng-0.7.3-3.1.mga4
libcap-ng-utils-0.7.3-3.1.mga4

from SRPMS:
libcap-ng-0.7.3-2.1.mga3.src.rpm
libcap-ng-0.7.3-3.1.mga4.src.rpm

David Walser 2014-05-30 18:12:31 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-05-30 18:13:55 CEST
There was a tl;dr thread about this recently on oss-security:
http://openwall.com/lists/oss-security/2014/04/29/7
David Walser 2014-05-30 19:36:47 CEST

URL: (none) => http://lwn.net/Vulnerabilities/600797/

Comment 2 claire robinson 2014-06-02 20:00:02 CEST
Testing with the PoC from the openwall link in comment 1

Saved as sesploit.c and compiled with
gcc -o sesploit sesploit.c

$ ./sesploit 
Dropped privs; real uid is 500 and effective uid is 500
Phew, safe.

$ /usr/sbin/seunshare -t . `realpath ./sesploit`
Dropped privs; real uid is 500 and effective uid is 500
Phew, safe.

Not showing vulnerable with this exploit, but we can use it anyway with strace to show seunshare (from package policycoreutils-sandbox) using the updated libcap-ng.

$ strace -o strace.out /usr/sbin/seunshare -t . `realpath ./sesploit`

$ grep cap strace.out 
open("/lib64/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) = 3

Testing complete mga4 64

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 3 claire robinson 2014-06-03 10:50:17 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 4 claire robinson 2014-06-03 10:57:39 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 5 claire robinson 2014-06-03 11:10:04 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-06-03 11:15:13 CEST
Validating. Advisory uploaded. 

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-06-06 08:28:43 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0251.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
