Debian and Ubuntu have issued advisories on September 16:
https://www.debian.org/security/2014/dsa-3025
http://www.ubuntu.com/usn/usn-2348-1/

I'm not sure which issues apply to our version (likely just CVE-2014-0487 and CVE-2014-0488), but Mageia 3 and Mageia 4 would also be affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Debian has issued an advisory on September 23: https://www.debian.org/security/2014/dsa-3031 This fixes regressions in the previous update and fixes another CVE.
Summary: apt new security issues CVE-2014-048[7-9] and CVE-2014-0490 => apt new security issues CVE-2014-048[7-9], CVE-2014-0490, and CVE-2014-6273
LWN reference for CVE-2014-6273: http://lwn.net/Vulnerabilities/613008/
The first CVEs are for the Debian repository system; they don't apply directly to the apt packages in Mageia. CVE-2014-6273 is a buffer overflow in HTTP downloading code, fixed in updated packages that can be tested:

MGA3
Source RPM:
  apt-0.5.15lorg3.94-9.1.mga3.src.rpm
Binary RPMS:
  apt-0.5.15lorg3.94-9.1.mga3.i586.rpm
  libapt-pkg4-0.5.15lorg3.94-9.1.mga3.i586.rpm
  libapt-pkg4-devel-0.5.15lorg3.94-9.1.mga3.i586.rpm
  apt-common-0.5.15lorg3.94-9.1.mga3.i586.rpm
  apt-0.5.15lorg3.94-9.1.mga3.x86_64.rpm
  lib64apt-pkg4-0.5.15lorg3.94-9.1.mga3.x86_64.rpm
  lib64apt-pkg4-devel-0.5.15lorg3.94-9.1.mga3.x86_64.rpm
  apt-common-0.5.15lorg3.94-9.1.mga3.x86_64.rpm

MGA4
Source RPM:
  apt-0.5.15lorg3.94-11.1.mga4.src.rpm
Binary RPMS:
  apt-0.5.15lorg3.94-11.1.mga4.i586.rpm
  libapt-pkg4-0.5.15lorg3.94-11.1.mga4.i586.rpm
  libapt-pkg-devel-0.5.15lorg3.94-11.1.mga4.i586.rpm
  apt-common-0.5.15lorg3.94-11.1.mga4.i586.rpm
  apt-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
  lib64apt-pkg4-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
  lib64apt-pkg-devel-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
  apt-common-0.5.15lorg3.94-11.1.mga4.x86_64.rpm

Proposed advisory:

Updated apt packages fix a security issue:

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the "http" apt method binary, or potentially to arbitrary code execution.

Also fixed is parsing of Mageia package index "synthesis" files with lines longer than 64k characters. This is necessary for upgrading to the "cauldron" development distro that will become Mageia 5. Note however that upgrading from Mageia 3 to Mageia 5 will not be supported.
Assignee: cjw => qa-bugs
Thanks Christiaan! Just reformatting and adding references.

Advisory:
========================

Updated apt packages fix security vulnerability:

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the "http" apt method binary, or potentially to arbitrary code execution (CVE-2014-6273).

Also fixed is parsing of Mageia package index "synthesis" files with lines longer than 64k characters. This is necessary for upgrading to the "cauldron" development distro that will become Mageia 5. Note however that upgrading from Mageia 3 to Mageia 5 will not be supported.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6273
https://www.debian.org/security/2014/dsa-3031
Arbitrary code execution shouldn't be possible because of the compiler options we use, so the CVE is really just a denial of service.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: critical => major
That's worth clarifying in the advisory. I'll use Ubuntu's text for the CVE instead of Debian's.

Advisory:
========================

Updated apt packages fix security vulnerability:

It was discovered that APT incorrectly handled certain http URLs. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to cause APT to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service (CVE-2014-6273).

Also fixed is parsing of Mageia package index "synthesis" files with lines longer than 64k characters. This is necessary for upgrading to the "cauldron" development distro that will become Mageia 5. Note however that upgrading from Mageia 3 to Mageia 5 will not be supported.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6273
http://www.ubuntu.com/usn/usn-2353-1/
CVE: (none) => CVE-2014-6273
Possible test procedure (as root):

1. Install apt

2. edit /etc/apt/sources.list to have a HTTP source (medium), different for each distro & platform, for example:
   MGA3 i586:
   urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/3/i586/media/core/release media_info/synthesis.hdlist /
   MGA3 x86_64:
   urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/3/x86_64/media/core/release media_info/synthesis.hdlist /
   MGA4 i586:
   urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/4/i586/media/core/release media_info/synthesis.hdlist /
   MGA4 x86_64:
   urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/4/x86_64/media/core/release media_info/synthesis.hdlist /

3. update apt's package index:
   apt-get update

4. install a new package, e.g. neverball:
   apt-get install neverball
   apt-get should offer to install any dependencies if necessary, then show one or more downloads and package installs.

5. check that the requested package is installed:
   rpm -q neverball

I tested the upgrade to cauldron from mga3 (after manually updating the timezone package) in an i586 VM. To test this from mga4 one would change the "4" in /etc/apt/sources.list by "cauldron", run apt-get update and apt-get dist-upgrade. Not part of the test procedure.
CC: (none) => cjw
Version: 4 => Cauldron
Clarification of test procedure: In 2. /etc/apt/sources.list remove or comment out existing source lines so the new source is the only one active.
Version: Cauldron => 4
Whiteboard: MGA3TOO => MGA3TOO has_procedure
[root@vega ~]# ecupdt
Enabling Core Updates Testing
[root@vega ~]# urpmi apt
Unknown option: x
To satisfy dependencies, the following packages are going to be installed:
  Package          Version       Release        Arch
(medium "Core Release (distrib1)")
  lib64jsoncpp0    0.6.0         0.rc2.2.mga4   x86_64

Testing on mga4.1 x86_64

[root@vega ~]# ecupdt
Enabling Core Updates Testing
[root@vega ~]# urpmi apt
Unknown option: x
To satisfy dependencies, the following packages are going to be installed:
  Package          Version       Release        Arch
(medium "Core Release (distrib1)")
  lib64jsoncpp0    0.6.0         0.rc2.2.mga4   x86_64
(medium "Core Updates Testing (distrib5)")
  apt              0.5.15lorg3>  11.1.mga4      x86_64
  apt-common       0.5.15lorg3>  11.1.mga4      x86_64
  lib64apt-pkg4    0.5.15lorg3>  11.1.mga4      x86_64
2.5MB of additional disk space will be used.
780KB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n)

    $MIRRORLIST: media/core/release/lib64jsoncpp0-0.6.0-0.rc2.2.mga4.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/apt-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/lib64apt-pkg4-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/apt-common-0.5.15lorg3.94-11.1.mga4.x86_64.rpm
installing apt-common-0.5.15lorg3.94-11.1.mga4.x86_64.rpm lib64apt-pkg4-0.5.15lorg3.94-11.1.mga4.x86_64.rpm lib64jsoncpp0-0.6.0-0.rc2.2.mga4.x86_64.rpm apt-0.5.15lorg3.94-11.1.mga4.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...           #############################################
  1/4: lib64jsoncpp0   #############################################
  2/4: lib64apt-pkg4   #############################################
  3/4: apt-common      #############################################
  4/4: apt             #############################################

[root@vega apt]# apt-get update
Get:1 ftp://ftp.nluug.nl media_info/synthesis.hdlist pkglist [3016kB]
Fetched 3016kB in 1s (1534kB/s)
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.
[root@vega apt]# apt-get install neverball
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.
[root@vega apt]# apt-get install bonnie++
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.
[root@vega apt]# cat /etc/apt/sources.list
.....
urpm ftp://ftp.nluug.nl/pub/os/Linux/distr/mageia/distrib/cauldron/x86_64/media/core/release media_info/synthesis.hdlist /
[root@vega apt]# apt-cache search nvidia settings
E: The package cache file is corrupted
CC: (none) => tarazed25
Ignore the duplication in comment 9. Cut and paste error.
Tried a different mirror:
urpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release media_info/synthesis.hdlist /

[root@vega apt]# apt-get update
Get:1 ftp://distrib-coffee.ipsl.jussieu.fr media_info/synthesis.hdlist pkglist [3014kB]
Fetched 3014kB in 12s (250kB/s)
Reading Package Lists... Error!
E: Dynamic MMap ran out of room
E: Error occured while processing glibc (NewVersion1)
E: Problem with MergeList /var/lib/rpm/Packages
E: The package lists or status file could not be parsed or opened.
[root@vega apt]# apt-cache search neverball
E: The package cache file is corrupted
Sorry Len, this can be fixed in the config file. I forgot to check this issue while I knew it would likely be a problem on mga3 and mga4 as well. New packages are building with an updated default config.

You can fix without installing new packages by adding a line to /etc/apt/apt.conf:

APT::Cache-Limit 95000000;

This change will be needed if you install new packages and /etc/apt/apt.conf is not updated.
Version: 4 => Cauldron
Updated packages with working default configuration:

MGA3
Source RPM:
  apt-0.5.15lorg3.94-9.2.mga3.src.rpm
Binary RPMS:
  apt-0.5.15lorg3.94-9.2.mga3.i586.rpm
  libapt-pkg4-0.5.15lorg3.94-9.2.mga3.i586.rpm
  libapt-pkg4-devel-0.5.15lorg3.94-9.2.mga3.i586.rpm
  apt-common-0.5.15lorg3.94-9.2.mga3.i586.rpm
  apt-0.5.15lorg3.94-9.2.mga3.x86_64.rpm
  lib64apt-pkg4-0.5.15lorg3.94-9.2.mga3.x86_64.rpm
  lib64apt-pkg4-devel-0.5.15lorg3.94-9.2.mga3.x86_64.rpm
  apt-common-0.5.15lorg3.94-9.2.mga3.x86_64.rpm

MGA4
Source RPM:
  apt-0.5.15lorg3.94-11.2.mga4.src.rpm
Binary RPMS:
  apt-0.5.15lorg3.94-11.2.mga4.i586.rpm
  libapt-pkg4-0.5.15lorg3.94-11.2.mga4.i586.rpm
  libapt-pkg-devel-0.5.15lorg3.94-11.2.mga4.i586.rpm
  apt-common-0.5.15lorg3.94-11.2.mga4.i586.rpm
  apt-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
  lib64apt-pkg4-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
  lib64apt-pkg-devel-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
  apt-common-0.5.15lorg3.94-11.2.mga4.x86_64.rpm
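A check of the update state discussed in this thread, as an added example that is not part of the original comments or of the Mageia packaging: it classifies the string printed by rpm -q apt against the first fixed releases named above (9.1.mga3, 11.1.mga4) and looks for the APT::Cache-Limit line in apt.conf. The function names and the demo input are constructed for illustration.

```shell
# Thresholds from this thread: 9.1.mga3 / 11.1.mga4 are the first builds with
# the CVE-2014-6273 fix; 95000000 is the APT::Cache-Limit given for apt.conf.

# apt_update_state NVRA -> prints patched | unpatched | unknown
# NVRA is what "rpm -q apt" prints, e.g. apt-0.5.15lorg3.94-9.1.mga3.x86_64
apt_update_state() {
    rel=${1##*-}; rel=${rel%.*}      # "9.1.mga3" (arch suffix dropped)
    dist=${rel##*.}                  # "mga3"
    num=${rel%.*}                    # "9.1", or "9" for the pre-update build
    case $dist in
        mga3) base=9 ;;
        mga4) base=11 ;;
        *) echo unknown; return 0 ;;
    esac
    major=${num%%.*}
    case $num in
        *.*) minor=${num#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    case "$major:$minor" in
        :*|*:|*[!0-9:]*) echo unknown; return 0 ;;   # empty or non-numeric
    esac
    # Assumption: a higher base release is a later rebuild that keeps the fix.
    if [ "$major" -gt "$base" ] || { [ "$major" -eq "$base" ] && [ "$minor" -ge 1 ]; }; then
        echo patched
    else
        echo unpatched
    fi
}

# cache_limit_ok FILE -> exit 0 if FILE sets APT::Cache-Limit >= 95000000.
# Only the flat "APT::Cache-Limit N;" form is parsed (value may be quoted);
# lines commented out with // do not match. Assumption: the last setting wins.
cache_limit_ok() {
    limit=$(sed -n 's|^[[:space:]]*APT::Cache-Limit[[:space:]]\{1,\}"\{0,1\}\([0-9]\{1,\}\)"\{0,1\}[[:space:]]*;.*|\1|p' "$1" | tail -n 1)
    [ -n "$limit" ] && [ "$limit" -ge 95000000 ]
}

# audit_apt NVRA CONF -> "<state> cache-limit=<ok|low-or-missing>"
audit_apt() {
    if cache_limit_ok "$2"; then cl=ok; else cl=low-or-missing; fi
    echo "$(apt_update_state "$1") cache-limit=$cl"
}

# Constructed demo input; on a real system pass "$(rpm -q apt)" and /etc/apt/apt.conf.
demo_conf=$(mktemp)
printf '%s\n' '// APT::Cache-Limit 1000;' 'APT::Cache-Limit 95000000;' > "$demo_conf"
audit_apt apt-0.5.15lorg3.94-11.1.mga4.x86_64 "$demo_conf"
audit_apt apt-0.5.15lorg3.94-9.mga3.x86_64 /dev/null
rm -f "$demo_conf"
```

The apt.conf check is reported separately from the package state because, as noted in the thread, a kept /etc/apt/apt.conf may still lack the line after the newer packages are installed.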
Reply to comment 12. Thanks Christiaan - I figured that there could be a cache limit in apt.conf. Trying it now.
[root@vega apt]# apt-get update
Get:1 ftp://distrib-coffee.ipsl.jussieu.fr media_info/synthesis.hdlist pkglist [3010kB]
Fetched 3010kB in 5s (522kB/s)
Reading Package Lists... Done
Building Dependency Tree... Done
[root@vega apt]# apt-get install neverball
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  lib64physfs2 (2.0.3-4.mga5)
  lib64sdl2.0_0 (2.0.3-4.mga5)
  lib64sdl2_ttf2.0_0 (2.0.12-3.mga5)
The following NEW packages will be installed:
  lib64physfs2 (2.0.3-4.mga5)
  lib64sdl2.0_0 (2.0.3-4.mga5)
  lib64sdl2_ttf2.0_0 (2.0.12-3.mga5)
  neverball (1.6.0-4.mga5)
0 upgraded, 4 newly installed, 0 removed and 2498 not upgraded.
Need to get 42.9MB of archives.
After unpacking 149MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 ftp://distrib-coffee.ipsl.jussieu.fr / lib64physfs2 2.0.3-4.mga5 [47.8kB]
Get:2 ftp://distrib-coffee.ipsl.jussieu.fr / lib64sdl2.0_0 2.0.3-4.mga5 [341kB]
Get:3 ftp://distrib-coffee.ipsl.jussieu.fr / lib64sdl2_ttf2.0_0 2.0.12-3.mga5 [22.2kB]
Get:4 ftp://distrib-coffee.ipsl.jussieu.fr / neverball 1:1.6.0-4.mga5 [42.5MB]
Fetched 42.9MB in 43s (975kB/s)
Committing changes...
Preparing                              ############################## [100%]
Updating / installing
lib64sdl2.0_0-2.0.3-4.mga5.x86_64      ############################## [100%]
lib64sdl2_ttf2.0_0-2.0.12-3.mga5.x86_6 ############################## [100%]
lib64physfs2-2.0.3-4.mga5.x86_64       ############################## [100%]
neverball-1.6.0-4.mga5.x86_64          ############################## [100%]
Done.
[root@vega apt]# urpmq neverball
neverball|neverball|neverball
[root@vega apt]# apt-cache search bonnie
bonnie++ - A program for benchmarking hard drives and filesystems

So, all looks OK. Marking it on whiteboard.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Tested on Mageia3-64 real hardware following procedure found in comment 7.

With core packages:
- apt-0.5.15lorg3.94-9.mga3.x86_64
- apt-common-0.5.15lorg3.94-9.mga3.x86_64
- lib64apt-pkg4-0.5.15lorg3.94-9.mga3.x86_64
- lib64jsoncpp0-0.5.0-11.mga3.x86_64

MGA3 x86_64:
urpm http://ftp.nluug.nl/os/Linux/distr/mageia/distrib/3/x86_64/media/core/release media_info/synthesis.hdlist /

updated package list (apt-get update)
installed package with dependencies (apt-get install bacula-common)
Checked everything was installed
removed packages (apt-get remove)

With update-testing packages:
- apt-0.5.15lorg3.94-9.2.mga3.x86_64
- apt-common-0.5.15lorg3.94-9.2.mga3.x86_64
- lib64apt-pkg4-0.5.15lorg3.94-9.2.mga3.x86_64

updated apt, installed and removed packages, all fine.
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK
Testing on Mageia4-32 real hardware. Same procedure as in comment 16, just changed the source to match Mageia4-32. Worked well, no problems encountered.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK MGA4-32-OK
Advisory uploaded. Validating.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0442.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED