Bug 14153 - c-icap new security issues CVE-2013-7401 and CVE-2013-7402
Summary: c-icap new security issues CVE-2013-7401 and CVE-2013-7402
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/612810/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-23 18:38 CEST by David Walser
Modified: 2014-12-19 16:07 CET (History)
4 users (show)

See Also:
Source RPM: c-icap-0.2.5-4.2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-09-23 18:38:00 CEST
Gentoo has issued an advisory on September 19:
http://www.gentoo.org/security/en/glsa/glsa-201409-07.xml

According to Gentoo it was fixed upstream in 0.2.6, so only Mageia 3 is affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-09-23 18:39:33 CEST
According to the Gentoo bug, it actually wasn't yet fixed upstream in 0.2.6, they had backported an additional patch:
https://bugs.gentoo.org/show_bug.cgi?id=455324

So Mageia 4 would also be affected.

Version: 3 => 4
Whiteboard: (none) => MGA3TOO

Comment 2 David Walser 2014-10-03 23:38:54 CEST
The patch Gentoo added only fixes CVE-2013-7401:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-proxy/c-icap/files/c-icap-0.2.6-fix-icap-parsing.patch?revision=1.1&view=markup

CVE-2013-7402 is only fixed in 0.3.x, in these commits:
http://sourceforge.net/p/c-icap/code/1018/
http://sourceforge.net/p/c-icap/code/1021/

see this bug report for CVE-2013-7402:
http://sourceforge.net/p/c-icap/bugs/59/

I guess it could be updated to 0.3.x in Mageia 3 and Mageia 4 (and c-icap-modules-extra would need to be as well I would imagine).  If so, even Cauldron should be updated to the newest 0.3.4, as it contains a crasher fix:
http://sourceforge.net/p/c-icap/news/

Here's an osvdb advisory for CVE-2013-7401 and more info including a PoC:
http://www.osvdb.org/show/osvdb/89304
http://osvdb.org/ref/89/c-icap.txt
Comment 3 David Walser 2014-12-13 22:12:24 CET
Debian has issued an advisory for this on December 13:
https://www.debian.org/security/2014/dsa-3101

Now I see that the two upstream commits that I linked in Comment 2 apply cleanly to 0.2.6 and fix both CVEs.  I guess I should have figured that out earlier...

Patched package uploaded for Mageia 4.

Removing Mageia 3 from the whiteboard due to EOL.

This package has been removed from Cauldron due to lack of response from the maintainer.

Advisory:
========================

Updated c-icap packages fix security vulnerabilities:

Several vulnerabilities were found in c-icap, which could allow a remote
attacker to cause c-icap to crash, or have other, unspecified impacts
(CVE-2013-7401, CVE-2013-7402).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7402
http://www.gentoo.org/security/en/glsa/glsa-201409-07.xml
https://www.debian.org/security/2014/dsa-3101
========================

Updated packages in core/updates_testing:
========================
libc-icap0-0.2.6-2.2.mga4
libc-icap-devel-0.2.6-2.2.mga4
c-icap-server-0.2.6-2.2.mga4
c-icap-client-0.2.6-2.2.mga4
c-icap-modules-0.2.6-2.2.mga4

from c-icap-0.2.6-2.2.mga4.src.rpm

CC: (none) => luis.daniel.lucio
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 4 olivier charles 2014-12-14 23:01:42 CET
Testing on Mageia 4x64 real hardware.

From current packages :
---------------------

- c-icap-client-0.2.6-2.mga4.x86_64
- c-icap-modules-0.2.6-2.mga4.x86_64
- c-icap-modules-extra-0.2.5-2.mga4.x86_64
- c-icap-server-0.2.6-2.mga4.x86_64
- lib64c-icap0-0.2.6-2.mga4.x86_64

Following instructions found here :
http://sourceforge.net/p/c-icap/wiki/c-icapInstall/

# systemctl start icapd
# systemctl status  icapd
icapd.service - ICAP Server
   Loaded: loaded (/usr/lib/systemd/system/icapd.service; enabled)
   Active: active (running)

$ c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344

OPTIONS:
	Allow 204: Yes
	Preview: 1024
	Keep alive: Yes

ICAP HEADERS:
	ICAP/1.0 200 OK:
	Methods:RESPMOD, REQMOD
	Service:C-ICAP/0.2.6 server - Echo demo service
	ISTag:CI0001-XXXXXXXXX
	Transfer-Preview:*
	Options-TTL:3600
	Date:Sun, 14 Dec 2014 21:23:12 GMT
	Preview:1024
	Allow:204
	X-Include:X-Authenticated-User, X-Authenticated-Groups
	Encapsulated:null-body=0

$ c-icap-client  -req http://www.mageia.org/fr/
ICAP server:localhost, ip:127.0.0.1, port:1344

No modification needed (Allow 204 response)

$ c-icap-client -i localhost -s "info?view=text" -req "a_url"
ICAP server:localhost, ip:127.0.0.1, port:1344

which shows server statistics changing each time I access the server through the client.

Stopped and disabled icecapd.service.

Updated to testing packages :
---------------------------

- c-icap-client-0.2.6-2.2.mga4.x86_64
- c-icap-modules-0.2.6-2.2.mga4.x86_64
- c-icap-server-0.2.6-2.2.mga4.x86_64
- lib64c-icap0-0.2.6-2.2.mga4.x86_64

Followed same procedure.

c-icap-server functionnal, c-icap-client can access the server.

All OK.

CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK

Comment 5 olivier charles 2014-12-16 15:14:41 CET
Testing on Mageia4x32, using same procedure as in comment 4.

From current packages :
---------------------
- c-icap-client-0.2.6-2.mga4.i586
- c-icap-modules-0.2.6-2.mga4.i586
- c-icap-modules-extra-0.2.5-2.mga4.i586
- c-icap-server-0.2.6-2.mga4.i586
- libc-icap0-0.2.6-2.mga4.i586

To updated testing packages :
---------------------------
- c-icap-client-0.2.6-2.2.mga4.i586
- c-icap-modules-0.2.6-2.2.mga4.i586
- c-icap-server-0.2.6-2.2.mga4.i586
- libc-icap0-0.2.6-2.2.mga4.i586

Which gave same satisfactory results.

Giving the OK.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 6 Rémi Verschelde 2014-12-16 20:51:53 CET
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 7 Mageia Robot 2014-12-19 16:07:10 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0530.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.