Bug 14718 - openvas-manager new security issue CVE-2014-9220
Summary: openvas-manager new security issue CVE-2014-9220
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/628617/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-03 16:55 CET by David Walser
Modified: 2015-01-06 21:54 CET

See Also:
Source RPM: openvas-manager-4.0.2-2.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-12-03 16:55:55 CET
A CVE has been assigned for an issue fixed upstream in openvas-manager:
http://openwall.com/lists/oss-security/2014/12/03/1

The issue is fixed upstream in 4.0.6 and 5.0.7:
http://www.openvas.org/OVSA20141128.html

Guillaume has requested a freeze push for Cauldron.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-25 00:03:03 CET
Updated packages uploaded for Mageia 4.

Advisory:
========================

Updated openvas-manager packages fix security vulnerability:

It has been identified that OpenVAS Manager before 4.0.6 is vulnerable to SQL
injections due to an improper handling of the timezone parameter in the
modify_schedule OMP command. It has been identified that this vulnerability
may allow read-access via SQL for authorized user accounts which have
permission to modify schedule objects (CVE-2014-9220).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9220
http://www.openvas.org/OVSA20141128.html
http://openwall.com/lists/oss-security/2014/12/03/1
========================

Updated package in core/updates_testing:
========================
openvas-libraries-6.0.3-1.mga4
libopenvas6-6.0.3-1.mga4
libopenvas-devel-6.0.3-1.mga4
openvas-manager-4.0.6-1.mga4

from SRPMS:
openvas-libraries-6.0.3-1.mga4.src.rpm
openvas-manager-4.0.6-1.mga4.src.rpm

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
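
The class of flaw named in the advisory in comment 1 (a request parameter pasted into SQL text), shown beside a hardened form, as an added example that is not part of this bug report and is not OpenVAS Manager code. The `schedules` table, the function names and the `TZ_NAME` pattern are assumptions made for illustration; the upstream fix may differ.

```python
import re
import sqlite3

# Assumed syntactic allowlist for tz database names such as "UTC" or "Europe/Paris".
TZ_NAME = re.compile(r"[A-Za-z0-9_+-]{1,32}(/[A-Za-z0-9_+-]{1,32}){0,2}")

def make_db():
    """Constructed in-memory table; hypothetical schema, not OpenVAS Manager's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE schedules (id INTEGER PRIMARY KEY, name TEXT, timezone TEXT)")
    db.execute("INSERT INTO schedules VALUES (1, 'nightly', 'UTC')")
    return db

def modify_schedule_unsafe(db, schedule_id, timezone):
    """Vulnerable pattern: the parameter becomes part of the statement text."""
    db.execute(f"UPDATE schedules SET timezone = '{timezone}' WHERE id = {int(schedule_id)}")

def modify_schedule_safe(db, schedule_id, timezone):
    """Hardened pattern: validate the value, then pass it as a bound parameter."""
    if not TZ_NAME.fullmatch(timezone):
        raise ValueError("invalid timezone name")
    db.execute("UPDATE schedules SET timezone = ? WHERE id = ?", (timezone, schedule_id))

def row(db):
    return db.execute("SELECT name, timezone FROM schedules WHERE id = 1").fetchone()

def demo():
    results = {}
    # Constructed input: the quote ends the string literal and adds a second assignment.
    crafted = "UTC', name = 'changed"
    db = make_db()
    modify_schedule_unsafe(db, 1, crafted)
    results["unsafe"] = row(db)  # the name column was rewritten as well
    db = make_db()
    try:
        modify_schedule_safe(db, 1, crafted)
        results["safe_crafted"] = "accepted"
    except ValueError:
        results["safe_crafted"] = "rejected"
    modify_schedule_safe(db, 1, "Europe/Paris")
    results["safe"] = row(db)  # only the timezone column changed
    return results

if __name__ == "__main__":
    print(demo())
```
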

Comment 2 Herman Viaene 2014-12-29 11:16:53 CET
MGA4-64 on HP Probook 6555b KDE.
Installing these packages went OK. I was looking for a way to do a minimal test, but it seems this is not a complete installation of openvas. E.g. openvassd is missing. Is that OK for now?

CC: (none) => herman.viaene

Comment 3 William Kenney 2014-12-30 17:55:33 CET
(In reply to Herman Viaene from comment #2)

> MGA4-64 on HP Probook 6555b KDE.
> Installing these packages went OK. I was looking for a way to do a minimal
> test, but it seems this is not a complete installation of openvas. E.g.
> openvassd is missing. Is that OK for now?

Looking at what I can find of this package(s) the openvas.org project
looks more to me like a career than a test. Unless Claire thinks otherwise
this may be one of those cases where we ensure that the package(s) install,
then updates from the package(s) in the update_testing repo install cleanly
rather than perform any kind of specific test.

I do not see an openvassd package anywhere in the repo.

CC: (none) => wilcal.int

Comment 4 David Walser 2014-12-30 18:26:42 CET
(In reply to William Kenney from comment #3)
> I do not see an openvassd package anywhere in the repo.

It's part of the openvas-scanner package (urpmf is your friend).
Comment 5 William Kenney 2014-12-30 18:45:48 CET
(In reply to David Walser from comment #4)

> It's part of the openvas-scanner package (urpmf is your friend).

Is there any kind of a simple command to make it do anything?
Just to make sure it works?

[root@localhost wilcal]# openvas-scanner
bash: openvas-scanner: command not found

openvas-scanner.service is there but not running and I can't
get it to run and do something.
Comment 6 claire robinson 2014-12-30 19:16:31 CET
Don't worry too much about it. It's unmaintained and it appears the install section of the spec doesn't create the conf correctly which prevents it from starting. There is no delay before restarting when it fails so it loops and is then retarded by systemd for restarting too quickly.

Even replacing the @@ variables in the conf, it still complains.

As long as this updates cleanly we can OK it.
Comment 7 William Kenney 2014-12-30 19:35:13 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
openvas-manager libopenvas6

default install of openvas-manager openvas-scanner & libopenvas6

[root@localhost wilcal]# urpmi openvas-manager
Package openvas-manager-4.0.2-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openvas-scanner
Package openvas-scanner-3.4.0-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libopenvas6
Package libopenvas6-6.0.0-2.mga4.i586 is already installed

openvas-manager openvas-scanner & libopenvas6 install without error.

install openvas-manager & libopenvas6 from updates_testing

[root@localhost wilcal]# urpmi openvas-manager
Package openvas-manager-4.0.6-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libopenvas6
Package libopenvas6-6.0.3-1.mga4.i586 is already installed

openvas-manager & libopenvas6 install without error.
No update to openvas-scanner

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
Comment 8 William Kenney 2014-12-30 19:36:53 CET
This is good to go.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2015-01-03 18:57:53 CET
Bug 14938 created for openvas-server
claire robinson 2015-01-03 18:58:21 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=14938

Comment 10 claire robinson 2015-01-03 18:59:23 CET
Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 11 Mageia Robot 2015-01-05 17:31:01 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0001.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-06 21:54:28 CET

URL: (none) => http://lwn.net/Vulnerabilities/628617/

