Bug 14112 - apt new security issues CVE-2014-048[7-9], CVE-2014-0490, and CVE-2014-6273
Summary: apt new security issues CVE-2014-048[7-9], CVE-2014-0490, and CVE-2014-6273
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/612236/
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-17 18:22 CEST by David Walser
Modified: 2014-11-12 10:57 CET (History)

See Also:
Source RPM: apt-0.5.15lorg3.94-13.mga5.src.rpm
CVE: CVE-2014-6273
Status comment:


Attachments

Description David Walser 2014-09-17 18:22:03 CEST
Debian and Ubuntu have issued advisories on September 16:
https://www.debian.org/security/2014/dsa-3025
http://www.ubuntu.com/usn/usn-2348-1/

I'm not sure which issues apply to our version (likely just CVE-2014-0487 and CVE-2014-0488), but Mageia 3 and Mageia 4 would also be affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-17 18:22:09 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-09-24 17:04:50 CEST
Debian has issued an advisory on September 23:
https://www.debian.org/security/2014/dsa-3031

This fixes regressions in the previous update and fixes another CVE.

Summary: apt new security issues CVE-2014-048[7-9] and CVE-2014-0490 => apt new security issues CVE-2014-048[7-9], CVE-2014-0490, and CVE-2014-6273

Comment 2 David Walser 2014-09-24 19:07:02 CEST
LWN reference for CVE-2014-6273:
http://lwn.net/Vulnerabilities/613008/
Comment 3 Christiaan Welvaart 2014-10-25 18:34:27 CEST
The first CVEs are for the Debian repository system; they don't apply directly to the apt packages in Mageia. CVE-2014-6273 is a buffer overflow in HTTP downloading code, fixed in updated packages that can be tested:


MGA3
Source RPM:
apt-0.5.15lorg3.94-9.1.mga3.src.rpm

Binary RPMS:
apt-0.5.15lorg3.94-9.1.mga3.i586.rpm
libapt-pkg4-0.5.15lorg3.94-9.1.mga3.i586.rpm
libapt-pkg4-devel-0.5.15lorg3.94-9.1.mga3.i586.rpm
apt-common-0.5.15lorg3.94-9.1.mga3.i586.rpm
apt-0.5.15lorg3.94-9.1.mga3.x86_64.rpm
lib64apt-pkg4-0.5.15lorg3.94-9.1.mga3.x86_64.rpm
lib64apt-pkg4-devel-0.5.15lorg3.94-9.1.mga3.x86_64.rpm
apt-common-0.5.15lorg3.94-9.1.mga3.x86_64.rpm


MGA4
Source RPM:
apt-0.5.15lorg3.94-11.1.mga4.src.rpm

Binary RPMS:
apt-0.5.15lorg3.94-11.1.mga4.i586.rpm
libapt-pkg4-0.5.15lorg3.94-11.1.mga4.i586.rpm
libapt-pkg-devel-0.5.15lorg3.94-11.1.mga4.i586.rpm
apt-common-0.5.15lorg3.94-11.1.mga4.i586.rpm
apt-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
lib64apt-pkg4-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
lib64apt-pkg-devel-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
apt-common-0.5.15lorg3.94-11.1.mga4.x86_64.rpm



Proposed advisory:


Updated apt packages fix a security issue:

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the "http" apt method binary, or potentially to arbitrary code execution.

Also fixed is parsing of Mageia package index "synthesis" files with lines longer than 64k characters. This is necessary for upgrading to the "cauldron" development distro that will become Mageia 5. Note however that upgrading from Mageia 3 to Mageia 5 will not be supported.

Assignee: cjw => qa-bugs

Comment 4 David Walser 2014-10-25 18:41:07 CEST
Thanks Christiaan!

Just reformatting and adding references.

Advisory:
========================

Updated apt packages fix security vulnerability:

The Google Security Team discovered a buffer overflow vulnerability in the
HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP
request to an apt repository can trigger the buffer overflow, leading to a
crash of the "http" apt method binary, or potentially to arbitrary code
execution (CVE-2014-6273).

Also fixed is parsing of Mageia package index "synthesis" files with lines
longer than 64k characters. This is necessary for upgrading to the "cauldron"
development distro that will become Mageia 5. Note however that upgrading from
Mageia 3 to Mageia 5 will not be supported.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6273
https://www.debian.org/security/2014/dsa-3031
Comment 5 David Walser 2014-10-25 18:44:54 CEST
Arbitrary code execution shouldn't be possible because of the compiler options we use, so the CVE is really just a denial of service.

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: critical => major

Comment 6 David Walser 2014-10-25 18:46:30 CEST
That's worth clarifying in the advisory.  I'll use Ubuntu's text for the CVE instead of Debian's.

Advisory:
========================

Updated apt packages fix security vulnerability:

It was discovered that APT incorrectly handled certain http URLs. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to cause APT to crash, resulting in a denial of service,
or possibly execute arbitrary code. The default compiler options for
affected releases should reduce the vulnerability to a denial of service (CVE-2014-6273).

Also fixed is parsing of Mageia package index "synthesis" files with lines
longer than 64k characters. This is necessary for upgrading to the "cauldron"
development distro that will become Mageia 5. Note however that upgrading from
Mageia 3 to Mageia 5 will not be supported.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6273
http://www.ubuntu.com/usn/usn-2353-1/
David Walser 2014-10-25 18:46:42 CEST

CVE: (none) => CVE-2014-6273

Comment 7 Christiaan Welvaart 2014-10-25 18:50:48 CEST
Possible test procedure (as root):

1. Install apt

2. edit /etc/apt/sources.list to have a HTTP source (medium), different for each distro & platform, for example:
MGA3 i586:   urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/3/i586/media/core/release media_info/synthesis.hdlist /
MGA3 x86_64: urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/3/x86_64/media/core/release media_info/synthesis.hdlist /
MGA4 i586:   urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/4/i586/media/core/release media_info/synthesis.hdlist /
MGA4 x86_64: urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/4/x86_64/media/core/release media_info/synthesis.hdlist /

3. update apt's package index:
   apt-get update

4. install a new package, e.g. neverball:
   apt-get install neverball

apt-get should offer to install any dependencies if necessary, then show one or more downloads and package installs. 

5. check that the requested package is installed:
   rpm -q neverball



I tested the upgrade to cauldron from mga3 (after manually updating the timezone package) in an i586 VM. To test this from mga4 one would replace the "4" in /etc/apt/sources.list with "cauldron", run `apt-get update` and `apt-get dist-upgrade`. Not part of the test procedure.

CC: (none) => cjw
Version: 4 => Cauldron

Comment 8 Christiaan Welvaart 2014-10-25 18:53:23 CEST
Clarification of test procedure:

In 2. /etc/apt/sources.list remove or comment out existing source lines so the new source is the only one active.
David Walser 2014-10-25 18:53:32 CEST

Version: Cauldron => 4

Rémi Verschelde 2014-10-25 19:02:00 CEST

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 9 Len Lawrence 2014-10-25 23:41:03 CEST
[root@vega ~]# ecupdt
Enabling Core Updates Testing

[root@vega ~]# urpmi apt
Unknown option: x
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  lib64jsoncpp0                  0.6.0        0.rc2.2.mga4  x86_64  
Testing on mga4.1 x86_64

[root@vega ~]# ecupdt
Enabling Core Updates Testing

[root@vega ~]# urpmi apt
Unknown option: x
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  lib64jsoncpp0                  0.6.0        0.rc2.2.mga4  x86_64  

(medium "Core Updates Testing (distrib5)")
  apt                            0.5.15lorg3> 11.1.mga4     x86_64  
  apt-common                     0.5.15lorg3> 11.1.mga4     x86_64  
  lib64apt-pkg4                  0.5.15lorg3> 11.1.mga4     x86_64  
2.5MB of additional disk space will be used.
780KB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) 


    $MIRRORLIST: media/core/release/lib64jsoncpp0-0.6.0-0.rc2.2.mga4.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/apt-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/lib64apt-pkg4-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/apt-common-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
installing apt-common-0.5.15lorg3.94-11.1.mga4.x86_64.rpm lib64apt-pkg4-0.5.15lorg3.94-11.1.mga4.x86_64.rpm lib64jsoncpp0-0.6.0-0.rc2.2.mga4.x86_64.rpm apt-0.5.15lorg3.94-11.1.mga4.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/4: lib64jsoncpp0         #############################################
      2/4: lib64apt-pkg4         #############################################
      3/4: apt-common            #############################################
      4/4: apt                   #############################################

[root@vega apt]# apt-get update
Get:1 ftp://ftp.nluug.nl media_info/synthesis.hdlist pkglist [3016kB]
Fetched 3016kB in 1s (1534kB/s)    
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.
[root@vega apt]# apt-get install neverball
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.
[root@vega apt]# apt-get install bonnie++
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.

[root@vega apt]# cat /etc/apt/sources.list
.....
urpm ftp://ftp.nluug.nl/pub/os/Linux/distr/mageia/distrib/cauldron/x86_64/media/core/release media_info/synthesis.hdlist /

[root@vega apt]# apt-cache search nvidia settings
E: The package cache file is corrupted

CC: (none) => tarazed25

Comment 10 Len Lawrence 2014-10-25 23:42:45 CEST
Ignore the duplication in comment 9.  Cut and paste error.
Comment 11 Len Lawrence 2014-10-26 00:13:59 CEST
Tried a different mirror:

urpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release media_info/synthesis.hdlist /

[root@vega apt]# apt-get update
Get:1 ftp://distrib-coffee.ipsl.jussieu.fr media_info/synthesis.hdlist pkglist [3014kB]
Fetched 3014kB in 12s (250kB/s)                                                
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.

[root@vega apt]# apt-cache search neverball
E: The package cache file is corrupted
Comment 12 Christiaan Welvaart 2014-10-26 00:44:04 CEST
Sorry Len, this can be fixed in the config file. I forgot to check this issue, although I knew it would likely be a problem on mga3 and mga4 as well. New packages are building with an updated default config.

You can fix without installing new packages by adding a line to /etc/apt/apt.conf:
APT::Cache-Limit 95000000;

This change will be needed if you install new packages and /etc/apt/apt.conf is not updated.

Version: 4 => Cauldron
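The test procedure from comment 7 (with the single-source rule from comment 8) and the APT::Cache-Limit workaround from comment 12, combined into one QA helper script. This is an added example, not a script from the bug or from the Mageia project; the mirror URL pattern, the package name neverball and the apt.conf line are the ones quoted above, while the function names and the `.qa-backup` suffix are my own.

```shell
#!/bin/sh
# QA helper reproducing the apt test procedure from comment 7 and the
# APT::Cache-Limit workaround from comment 12. Added example, not from the
# Mageia project; function names and the backup suffix are my own.
set -eu

# Mirror base used in the comment 7 source lines.
MIRROR_BASE="http://ftp.nluug.nl/os/Linux/distr/mageia/distrib"

# Step 2: build the sources.list line for a release ("3"/"4") and arch.
apt_source_line() {
    printf 'urpm %s/%s/%s/media/core/release media_info/synthesis.hdlist /\n' \
        "$MIRROR_BASE" "$1" "$2"
}

# Comment 8: make that line the only active source; keep a backup copy.
write_sources_list() {
    file=$1; line=$2
    if [ -f "$file" ]; then cp "$file" "$file.qa-backup"; fi
    printf '# bug 14112 QA source; original in %s.qa-backup\n%s\n' "$file" "$line" > "$file"
}

# Comment 12: add the cache limit once, so a cauldron-sized synthesis
# file no longer triggers "Dynamic MMap ran out of room".
ensure_cache_limit() {
    conf=$1
    if [ -f "$conf" ] && grep -q '^APT::Cache-Limit' "$conf"; then
        return 0
    fi
    printf 'APT::Cache-Limit 95000000;\n' >> "$conf"
}

# Steps 3-5 (run as root): refresh the index, install, verify with rpm.
run_qa_procedure() {
    release=$1; arch=$2; pkg=${3:-neverball}
    write_sources_list /etc/apt/sources.list "$(apt_source_line "$release" "$arch")"
    ensure_cache_limit /etc/apt/apt.conf
    apt-get update
    apt-get install "$pkg"
    rpm -q "$pkg"
}

# Example: sh apt_qa.sh --run 4 x86_64 neverball
if [ "${1:-}" = "--run" ]; then
    run_qa_procedure "$2" "$3" "${4:-neverball}"
fi
```

The helper functions take file paths as arguments, so the sources.list and apt.conf handling can be exercised on scratch files before touching /etc/apt on a test machine.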

David Walser 2014-10-26 00:52:51 CEST

Version: Cauldron => 4

Comment 13 Christiaan Welvaart 2014-10-26 01:53:52 CEST
Updated packages with working default configuration:

MGA3
Source RPM:
apt-0.5.15lorg3.94-9.2.mga3.src.rpm

Binary RPMS:
apt-0.5.15lorg3.94-9.2.mga3.i586.rpm
libapt-pkg4-0.5.15lorg3.94-9.2.mga3.i586.rpm
libapt-pkg4-devel-0.5.15lorg3.94-9.2.mga3.i586.rpm
apt-common-0.5.15lorg3.94-9.2.mga3.i586.rpm
apt-0.5.15lorg3.94-9.2.mga3.x86_64.rpm
lib64apt-pkg4-0.5.15lorg3.94-9.2.mga3.x86_64.rpm
lib64apt-pkg4-devel-0.5.15lorg3.94-9.2.mga3.x86_64.rpm
apt-common-0.5.15lorg3.94-9.2.mga3.x86_64.rpm


MGA4
Source RPM:
apt-0.5.15lorg3.94-11.2.mga4.src.rpm

Binary RPMS:
apt-0.5.15lorg3.94-11.2.mga4.i586.rpm
libapt-pkg4-0.5.15lorg3.94-11.2.mga4.i586.rpm
libapt-pkg-devel-0.5.15lorg3.94-11.2.mga4.i586.rpm
apt-common-0.5.15lorg3.94-11.2.mga4.i586.rpm
apt-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
lib64apt-pkg4-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
lib64apt-pkg-devel-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
apt-common-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
Comment 14 Len Lawrence 2014-10-26 08:10:53 CET
Reply to comment 12.
Thanks Christiaan - I figured that there could be a cache limit in apt.conf.
Trying it now.
Comment 15 Len Lawrence 2014-10-26 08:19:40 CET
[root@vega apt]# apt-get update
Get:1 ftp://distrib-coffee.ipsl.jussieu.fr media_info/synthesis.hdlist pkglist [3010kB]
Fetched 3010kB in 5s (522kB/s)    
Reading Package Lists... Done
Building Dependency Tree... Done

[root@vega apt]# apt-get install neverball
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
   lib64physfs2 (2.0.3-4.mga5)
   lib64sdl2.0_0 (2.0.3-4.mga5)
   lib64sdl2_ttf2.0_0 (2.0.12-3.mga5)
The following NEW packages will be installed:
   lib64physfs2 (2.0.3-4.mga5)
   lib64sdl2.0_0 (2.0.3-4.mga5)
   lib64sdl2_ttf2.0_0 (2.0.12-3.mga5)
   neverball (1.6.0-4.mga5)
0 upgraded, 4 newly installed, 0 removed and 2498 not upgraded.
Need to get 42.9MB of archives.
After unpacking 149MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 ftp://distrib-coffee.ipsl.jussieu.fr / lib64physfs2 2.0.3-4.mga5 [47.8kB]
Get:2 ftp://distrib-coffee.ipsl.jussieu.fr / lib64sdl2.0_0 2.0.3-4.mga5 [341kB]
Get:3 ftp://distrib-coffee.ipsl.jussieu.fr / lib64sdl2_ttf2.0_0 2.0.12-3.mga5 [22.2kB]
Get:4 ftp://distrib-coffee.ipsl.jussieu.fr / neverball 1:1.6.0-4.mga5 [42.5MB]
Fetched 42.9MB in 43s (975kB/s)                                                
Committing changes...
Preparing                                ############################## [100%]
Updating / installing
  lib64sdl2.0_0-2.0.3-4.mga5.x86_64      ############################## [100%]
  lib64sdl2_ttf2.0_0-2.0.12-3.mga5.x86_6 ############################## [100%]
  lib64physfs2-2.0.3-4.mga5.x86_64       ############################## [100%]
  neverball-1.6.0-4.mga5.x86_64          ############################## [100%]
Done.
[root@vega apt]# urpmq neverball
neverball|neverball|neverball

[root@vega apt]# apt-cache search bonnie
bonnie++ - A program for benchmarking hard drives and filesystems

So, all looks OK.  Marking it on whiteboard.
Len Lawrence 2014-10-26 08:21:10 CET

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 16 olivier charles 2014-11-01 22:12:10 CET
Tested on Mageia3-64 real hardware following the procedure found in comment 7.

With core packages:

- apt-0.5.15lorg3.94-9.mga3.x86_64
- apt-common-0.5.15lorg3.94-9.mga3.x86_64
- lib64apt-pkg4-0.5.15lorg3.94-9.mga3.x86_64
- lib64jsoncpp0-0.5.0-11.mga3.x86_64

MGA3 x86_64: urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/3/x86_64/media/core/release media_info/synthesis.hdlist /

updated package list (apt-get update)
installed package with dependencies (apt-get install bacula-common)
Checked everything was installed
removed packages (apt-get remove)


With update-testing packages:

- apt-0.5.15lorg3.94-9.2.mga3.x86_64
- apt-common-0.5.15lorg3.94-9.2.mga3.x86_64
- lib64apt-pkg4-0.5.15lorg3.94-9.2.mga3.x86_64

updated apt, installed and removed packages, all fine.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK

Comment 17 olivier charles 2014-11-01 22:32:30 CET
Testing on Mageia4-32 real hardware.

Same procedure as in comment 16, just changed the source to match Mageia4-32.

Worked well, no problems encountered.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK MGA4-32-OK

Comment 18 Rémi Verschelde 2014-11-03 17:31:41 CET
Advisory uploaded. Validating.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 19 Mageia Robot 2014-11-12 10:57:30 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0442.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

