Bug 15543 - librsync new security issue CVE-2014-8242
Summary: librsync new security issue CVE-2014-8242
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/637406/
Whiteboard: has_procedure advisory mga4-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-20 19:03 CET by David Walser
Modified: 2015-04-15 11:02 CEST (History)

See Also:
Source RPM: librsync-0.9.7-12.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-03-20 19:03:42 CET
Fedora has issued an advisory on March 9:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152366.html

They fixed it by updating to librsync 1.0.0.

This is an incompatible change, and furthermore it appears to change the SONAME, so they had to rebuild rdiff-backup and duplicity:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152368.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152365.html

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-20 19:03:50 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Philippe Makowski 2015-03-22 18:08:43 CET
rdiff-1.0.0-1.mga4.i586
librsync-debuginfo-1.0.0-1.mga4.x86_64
librsync1-1.0.0-1.mga4.i586
librsync-devel-1.0.0-1.mga4.i586
librsync-debuginfo-1.0.0-1.mga4.i586
lib64rsync1-1.0.0-1.mga4.x86_64
lib64rsync-devel-1.0.0-1.mga4.x86_64
rdiff-1.0.0-1.mga4.x86_64

from librsync-1.0.0-1.mga4.src

duplicity-debuginfo-0.6.22-5.1.mga4.x86_64
duplicity-0.6.22-5.1.mga4.i586
duplicity-0.6.22-5.1.mga4.x86_64
duplicity-debuginfo-0.6.22-5.1.mga4.i586

from duplicity-0.6.22-5.1.mga4.src

rdiff-backup-1.3.3-8.1.mga4.i586
rdiff-backup-debuginfo-1.3.3-8.1.mga4.i586
rdiff-backup-1.3.3-8.1.mga4.x86_64
rdiff-backup-debuginfo-1.3.3-8.1.mga4.x86_64

from rdiff-backup-1.3.3-8.1.mga4.src


Freeze push asked in Cauldron
Comment 2 David Walser 2015-03-23 23:44:50 CET
Updated packages uploaded for Mageia 4 and Cauldron.  Thanks Philippe!

Package list in Comment 1.

Advisory:
========================

Updated librsync packages fix security vulnerability:

librsync before 1.0.0 used a truncated MD4 "strong" checksum to match
blocks. However, MD4 is not cryptographically strong. It's possible that an
attacker who can control the contents of one part of a file could use it to
control other regions of the file, if it's transferred using librsync/rdiff
(CVE-2014-8242).

The change to fix this is not backward compatible with older versions of
librsync. Backward compatibility can be obtained using the new `rdiff sig
--hash=md4` option or through specifying the "signature magic" in the API,
but this should not be used when either the old or new file contains
untrusted data.

Also, any applications that use the librsync library will need to be
recompiled against the updated library.  The duplicity and rdiff-backup
packages have been rebuilt for this reason.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8242
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152366.html

CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

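The advisory in Comment 2 mentions the "signature magic" and the `rdiff sig --hash=md4` compatibility option. The following script is an added example for this report, not code from librsync, Mageia, duplicity or rdiff-backup: it reads the header of an rdiff/librsync signature stream, tells MD4 signatures from BLAKE2 ones by their magic, reports what an audit after CVE-2014-8242 cares about (MD4 strong sums, truncated strong sums), and can regenerate and verify the per-block entries for a basis file. The stream layout, the two magic values and the rolling weak-sum algorithm are my reading of the librsync sources and are stated as assumptions in the block; the sample basis and the legacy MD4 header are constructed for the example.

```python
"""Inspect librsync signature streams after CVE-2014-8242.

Added example for this bug report; not code from librsync, Mageia, duplicity
or rdiff-backup.  Assumed signature layout (all integers big-endian):

    magic(4) | block_len(4) | strong_len(4) | N x [ weak_sum(4) | strong_sum(strong_len) ]

Assumed magic values: RS_MD4_SIG_MAGIC = 0x72730136 (librsync < 1.0.0 default),
RS_BLAKE2_SIG_MAGIC = 0x72730137 (librsync 1.0.0 default).  The weak sum is a
reimplementation of librsync's rollsum (RS_CHAR_OFFSET = 31).
"""
import hashlib
import struct

RS_MD4_SIG_MAGIC = 0x72730136
RS_BLAKE2_SIG_MAGIC = 0x72730137
RS_CHAR_OFFSET = 31
RS_MAX_STRONG_SUM_LENGTH = 32
HEADER = struct.Struct(">III")

# Constructed sample basis: 5120 bytes, i.e. two full 2048-byte blocks and one
# short block.  Not data from the bug report.
SAMPLE_BASIS = bytes(range(256)) * 20

# Constructed legacy header: MD4 magic, 2048-byte blocks, 8-byte strong sums,
# followed by one all-zero (weak, strong) entry.
LEGACY_MD4_SIG = HEADER.pack(RS_MD4_SIG_MAGIC, 2048, 8) + bytes(4 + 8)


def rollsum(block):
    """librsync's Adler-32-style weak checksum of one block (reimplementation)."""
    s1 = s2 = 0
    for c in block:
        s1 += c + RS_CHAR_OFFSET
        s2 += s1
    return ((s2 & 0xFFFF) << 16) | (s1 & 0xFFFF)


def strong_sum(block, magic, strong_len):
    """Strong checksum of one block, truncated to strong_len as librsync does."""
    if magic == RS_BLAKE2_SIG_MAGIC:
        digest = hashlib.blake2b(block, digest_size=RS_MAX_STRONG_SUM_LENGTH).digest()
    elif magic == RS_MD4_SIG_MAGIC:
        # hashlib only offers MD4 when OpenSSL's legacy provider is available.
        digest = hashlib.new("md4", block).digest()
    else:
        raise ValueError("unknown signature magic 0x%08x" % magic)
    return digest[:strong_len]


def build_signature(basis, block_len=2048, strong_len=RS_MAX_STRONG_SUM_LENGTH,
                    magic=RS_BLAKE2_SIG_MAGIC):
    """Produce a signature stream for `basis` (the shape `rdiff signature` writes)."""
    parts = [HEADER.pack(magic, block_len, strong_len)]
    for off in range(0, len(basis), block_len):
        blk = basis[off:off + block_len]
        parts.append(struct.pack(">I", rollsum(blk)) + strong_sum(blk, magic, strong_len))
    return b"".join(parts)


def parse_signature(sig):
    """Split a signature stream into its header fields and (weak, strong) entries."""
    if len(sig) < HEADER.size:
        raise ValueError("truncated signature header")
    magic, block_len, strong_len = HEADER.unpack_from(sig)
    algo = {RS_MD4_SIG_MAGIC: "md4", RS_BLAKE2_SIG_MAGIC: "blake2b"}.get(magic)
    if algo is None:
        raise ValueError("not a librsync signature (magic 0x%08x)" % magic)
    if block_len == 0 or not 0 < strong_len <= RS_MAX_STRONG_SUM_LENGTH:
        raise ValueError("implausible header values")
    entry = 4 + strong_len
    body = sig[HEADER.size:]
    if len(body) % entry:
        raise ValueError("signature body is not a whole number of entries")
    blocks = [(struct.unpack_from(">I", body, i)[0], body[i + 4:i + entry])
              for i in range(0, len(body), entry)]
    return {"algorithm": algo, "magic": magic, "block_len": block_len,
            "strong_len": strong_len, "blocks": blocks}


def audit(sig):
    """Findings that matter after CVE-2014-8242: MD4 and truncated strong sums."""
    info = parse_signature(sig)
    findings = []
    if info["algorithm"] == "md4":
        findings.append("MD4 strong sums (CVE-2014-8242): regenerate with librsync >= 1.0.0; "
                        "do not use rdiff sig --hash=md4 on untrusted data")
    if info["strong_len"] < RS_MAX_STRONG_SUM_LENGTH:
        findings.append("strong sum truncated to %d bytes" % info["strong_len"])
    return findings


def verify_blocks(sig, basis):
    """True if every signature entry matches the corresponding block of `basis`."""
    info = parse_signature(sig)
    blk_len, magic, slen = info["block_len"], info["magic"], info["strong_len"]
    expected = [basis[o:o + blk_len] for o in range(0, len(basis), blk_len)]
    if len(expected) != len(info["blocks"]):
        return False
    return all(weak == rollsum(b) and strong == strong_sum(b, magic, slen)
               for (weak, strong), b in zip(info["blocks"], expected))


if __name__ == "__main__":
    sig = build_signature(SAMPLE_BASIS)
    print(parse_signature(sig)["algorithm"], audit(sig), verify_blocks(sig, SAMPLE_BASIS))
    print(audit(LEGACY_MD4_SIG))
```

To check a real signature, read the file produced by `rdiff signature BASIS SIG` into bytes and pass it to `audit()`; an MD4 finding means the signature was made by the old library or with the compatibility option and should be regenerated before the file is exchanged with anything untrusted.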
Comment 4 David Walser 2015-04-07 12:18:56 CEST
Ahh, good catch, but it should *not* obsolete librsync1.
Comment 5 Oden Eriksson 2015-04-07 12:28:16 CEST
It was to remove the faulty lib[64]rsync1-1.0.0-1 package. Less work for mga I think.
Comment 6 David Walser 2015-04-07 12:29:34 CEST
The sysadmins have a script that automatically cleans out orphaned packages like old libs.
Comment 7 claire robinson 2015-04-07 18:02:41 CEST
Is this one needing more work?
Comment 8 David Walser 2015-04-07 18:51:35 CEST
(In reply to claire robinson from comment #7)
> Is this one needing more work?

Yep.  The work is done actually, just waiting for a freeze push in Cauldron.  Then I'll push an updated librsync-1.0.0-2.2.mga4 to updates_testing.

feedback'ing this one for now.

Whiteboard: (none) => feedback

Comment 9 David Walser 2015-04-09 17:00:03 CEST
librsync rebuilt with Oden's fix.

librsync2-1.0.0-2.2.mga4
librsync-devel-1.0.0-2.2.mga4
rdiff-1.0.0-2.2.mga4

from librsync-1.0.0-2.2.mga4.src.rpm

Whiteboard: feedback => (none)

Comment 10 claire robinson 2015-04-14 12:31:05 CEST
So current package list appears to be:

  librsync2-1.0.0-2.2.mga4
  librsync-devel-1.0.0-2.2.mga4
  rdiff-1.0.0-2.2.mga4

from librsync-1.0.0-2.2.mga4.src.rpm


  duplicity-0.6.22-5.1.mga4

from duplicity-0.6.22-5.1.mga4.src.rpm


  rdiff-backup-1.3.3-8.1.mga4

from rdiff-backup-1.3.3-8.1.mga4.src.rpm
Comment 11 claire robinson 2015-04-14 13:20:23 CEST
Testing complete mga4 64

Using duplicity..

$ ls test
TFPA-2014-002-less-oob.gif  TFPA-2014-002-less-oob-no-lesspipe.bin

$ duplicity ~/test scp://192.168.100.5/test
Import of duplicity.backends.dpbxbackend Failed: No module named dropbox
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
GnuPG passphrase: 
Retype passphrase to confirm: 
No signatures found, switching to full backup.
--------------[ Backup Statistics ]--------------
StartTime 1429008439.62 (Tue Apr 14 11:47:19 2015)
EndTime 1429008439.63 (Tue Apr 14 11:47:19 2015)
ElapsedTime 0.01 (0.01 seconds)
SourceFiles 3
SourceFileSize 4608 (4.50 KB)
NewFiles 3
NewFileSize 4608 (4.50 KB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 3
RawDeltaSize 512 (512 bytes)
TotalDestinationSizeChange 287 (287 bytes)
Errors 0
-------------------------------------------------


Verify the backup..

$ duplicity verify scp://192.168.100.5/test ~/test
Import of duplicity.backends.dpbxbackend Failed: No module named dropbox
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Tue Apr 14 11:47:15 2015
GnuPG passphrase: 
Verify complete: 3 files compared, 0 differences found.


Accidentally delete the local files and replace them from the backup..

$ rm -rf test
$ ls test
ls: cannot access test: No such file or directory

Oops.. restoring from the backup..

$  duplicity restore scp://192.168.100.5/test ~/test
Import of duplicity.backends.dpbxbackend Failed: No module named dropbox
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Tue Apr 14 11:47:15 2015
GnuPG passphrase: 

$ ls test
TFPA-2014-002-less-oob.gif  TFPA-2014-002-less-oob-no-lesspipe.bin

Phew!


Using rdiff-backup...

rdiff-backup requires rdiff-backup to be installed on the remote machine, so just testing it works with two local directories.

$ ls test
TFPA-2014-002-less-oob.gif  TFPA-2014-002-less-oob-no-lesspipe.bin
$ ls test2
ls: cannot access test2: No such file or directory

Backing up test into test2..

$ ls test
TFPA-2014-002-less-oob.gif  TFPA-2014-002-less-oob-no-lesspipe.bin
$ ls test2
rdiff-backup-data/  TFPA-2014-002-less-oob.gif  TFPA-2014-002-less-oob-no-lesspipe.bin

Accidentally delete test and restore it from the backup..

$ rm -rf ~/test
$ ls test
ls: cannot access test: No such file or directory

Oops!

$ rdiff-backup --restore-as-of now ~/test2 ~/test
$ ls test
TFPA-2014-002-less-oob.gif  TFPA-2014-002-less-oob-no-lesspipe.bin

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 12 claire robinson 2015-04-14 17:23:20 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2015-04-15 11:02:18 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0146.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

