Bug 16584 - audit new security issue CVE-2015-5186
Summary: audit new security issue CVE-2015-5186
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/655000/
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-13 23:17 CEST by David Walser
Modified: 2015-08-30 16:29 CEST

See Also:
Source RPM: audit-2.4.3-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-08-13 23:17:06 CEST
A minor security issue in the audit package has been fixed and assigned a CVE:
http://openwall.com/lists/oss-security/2015/08/13/9

It will be fixed in the next version (2.4.4) and the upstream commit that fixes it is linked in the message above.

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-13 23:17:15 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Shlomi Fish 2015-08-14 14:49:02 CEST
(In reply to David Walser from comment #0)
> A minor security issue in the audit package has been fixed and assigned a
> CVE:
> http://openwall.com/lists/oss-security/2015/08/13/9
> 
> It will be fixed in the next version (2.4.4) and the upstream commit that
> fixes it is linked in the message above.
> 
> Reproducible: 
> 
> Steps to Reproduce:

Hi,

Can I just provide an upgraded package for the stable distros (to 2.4.4, which has already been released)? This will ease maintenance into the future.

Regards,

-- Shlomi Fish
Comment 2 David Walser 2015-08-14 15:25:59 CEST
(In reply to Shlomi Fish from comment #1)
> Can I just provide an upgraded package for the stable distros (to 2.4.4,
> which has already been released)? This will ease maintenance into the future.

For Mageia 5, you certainly can, as it's just a bugfix release over what we already have there, plus we need to update it for Mageia 5 anyway since tmb is getting ready to update the kernel.

For Mageia 4, it'd be preferable to patch if it's not too difficult to backport.
Comment 3 Shlomi Fish 2015-08-14 15:29:03 CEST
(In reply to David Walser from comment #2)
> (In reply to Shlomi Fish from comment #1)
> > Can I just provide an upgraded package for the stable distros (to 2.4.4,
> > which has already been released)? This will ease maintenance into the future.
> 
> For Mageia 5, you certainly can, as it's just a bugfix release over what we
> already have there, plus we need to update it for Mageia 5 anyway since tmb
> is getting ready to update the kernel.
> 
> For Mageia 4, it'd be preferable to patch if it's not too difficult to
> backport.

I see - I will try doing that.
Comment 4 David Walser 2015-08-15 20:27:57 CEST
Thanks Shlomi!  I guess this is ready for QA.

Advisory:
========================

Updated audit packages fix security vulnerability:

When auditing the filesystem, the names of files are logged. These filenames
can contain escape sequences; when viewed using the ausearch program's "-i"
option, for example, this can result in the escape sequences being processed
unsafely by the terminal program being used to view the data (CVE-2015-5186).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5186
http://openwall.com/lists/oss-security/2015/08/13/9
========================

Updated packages in core/updates_testing:
========================
audit-2.3.2-2.5.mga4
libaudit1-2.3.2-2.5.mga4
libaudit-devel-2.3.2-2.5.mga4
libauparse0-2.3.2-2.5.mga4
libauparse-devel-2.3.2-2.5.mga4
python-audit-2.3.2-2.5.mga4
audispd-plugins-2.3.2-2.5.mga4
audit-2.4.4-1.mga5
libaudit1-2.4.4-1.mga5
libaudit-devel-2.4.4-1.mga5
libauparse0-2.4.4-1.mga5
libauparse-devel-2.4.4-1.mga5
python-audit-2.4.4-1.mga5
audispd-plugins-2.4.4-1.mga5

from SRPMS:
audit-2.3.2-2.5.mga4.src.rpm
audit-2.4.4-1.mga5.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
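
The advisory in comment 4 describes file names with escape sequences reaching the terminal through ausearch's "-i" option. As an added illustration (not part of this bug report and not the upstream audit patch), the C function below shows one way a log viewer can neutralise such names before printing them. The function name escape_for_tty and the sample file name are hypothetical, and passing only printable ASCII through is a policy chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the upstream audit fix; escape_for_tty is a
 * hypothetical name. Copies a file name into out, passing only printable
 * ASCII through. Every other byte (C0 controls such as ESC, DEL, and bytes
 * >= 0x80, which covers 8-bit C1 controls) becomes a 3-digit octal escape
 * like \033; a backslash is doubled so the result stays unambiguous.
 * Returns the number of bytes rewritten, or -1 if out is too small. */
int escape_for_tty(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    int rewritten = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c < 0x20 || c >= 0x7f) {
            if (outsz - o < 5)              /* "\ooo" plus NUL */
                return -1;
            snprintf(out + o, 5, "\\%03o", (unsigned)c);
            o += 4;
            rewritten++;
        } else if (c == '\\') {
            if (outsz - o < 3)              /* "\\" plus NUL */
                return -1;
            out[o++] = '\\';
            out[o++] = '\\';
            rewritten++;
        } else {
            if (outsz - o < 2)              /* one char plus NUL */
                return -1;
            out[o++] = (char)c;
        }
    }
    if (outsz == 0)
        return -1;
    out[o] = '\0';
    return rewritten;
}

int main(void)
{
    /* Constructed sample: a name carrying an SGR colour sequence. */
    const unsigned char name[] = "a\033[31mb";
    char safe[64];

    if (escape_for_tty(name, sizeof(name) - 1, safe, sizeof(safe)) >= 0)
        printf("name=%s\n", safe);          /* ESC is shown, not executed */
    return 0;
}
```

Non-ASCII (UTF-8) names are rendered as octal escapes under this policy; a viewer that must show them readably would need to validate the encoding instead of passing bytes through.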

Comment 5 David Walser 2015-08-19 20:22:15 CEST
Fedora has issued an advisory for this on August 14:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164243.html

URL: (none) => http://lwn.net/Vulnerabilities/655000/

Comment 6 Herman Viaene 2015-08-25 16:37:08 CEST
MGA5-64 on HP Probook 6555b KDE.
No installation issues.
auditd service is running.
I tried to test it by adding the line:
-w /home/tester5/test -k TEST
to both audit.rules files (in /etc/audit and /etc/audit/rules.d, not knowing which of the two applies), but I get no logging when creating/editing a file in the target map.

CC: (none) => herman.viaene

Comment 7 William Kenney 2015-08-25 20:03:39 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
audit libaudit1

default install of audit & libaudit1

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.3.2-2.4.mga4.i586 is already installed

auditd is running in MCC -> Systems -> Manage systems services

Packages installed cleanly.

(In reply to Herman Viaene from comment #6)
> I tried to test it by adding the line:
> -w /home/tester5/test -k TEST
> to both audit.rules files (in /etc/audit and /etc/audit/rules.d, not knowing
> which of the  two applies), but I get no logging when creating/editing a
> file in the target map.

Share more info here. Do I have to create something here:
-w /home/tester5/test -k TEST

> to both audit.rules files (in /etc/audit and /etc/audit/rules.d
I could not find either of these files in the test system

> which of the two applies), but I get no logging when creating/editing a
> file in the target map.

How do you demonstrate that it is logging, and what is a "target map"?

CC: (none) => wilcal.int

Comment 8 David Walser 2015-08-25 20:21:13 CEST
(In reply to Herman Viaene from comment #6)
> MGA5-64 on HP Probook 6555b KDE.
> No installation issues.
> auditd service is running.
> I tried to test it by adding the line:
> -w /home/tester5/test -k TEST
> to both audit.rules files (in /etc/audit and /etc/audit/rules.d, not knowing
> which of the  two applies), but I get no logging when creating/editing a
> file in the target map.

Did you try either running "auditctl -R /etc/audit/audit.rules" or "systemctl restart auditd.service" after adding that line?
Comment 9 William Kenney 2015-08-25 20:30:55 CEST
(In reply to David Walser from comment #8)

> Did you try either running "auditctl -R /etc/audit/audit.rules" or
> "systemctl restart auditd.service" after adding that line?

Did the restart in MCC. Will fire up the test computer again later today.
Just trying to find something simple to prove this is installed and working.
Thanks David.
Comment 10 Herman Viaene 2015-08-26 15:18:19 CEST
To answer all questions above:
No, I did not run "systemctl restart auditd.service", well I tried it but this does not work. Instead I rebooted the PC completely.
I found info to test on http://www.golinuxhub.com/2013/05/using-audit-in-linux-to-track-system.html
Running "auditctl -R /etc/audit/audit.rules" now gives at the end:
Error sending add rule data request (Invalid argument)
There was an error in line 14 of /etc/audit/audit.rules
That is the line I added. I checked the man page, but I don't see the problem.
Comment 11 David Walser 2015-08-27 21:30:01 CEST
(In reply to Herman Viaene from comment #10)
> To answer all questions above:
> No, I did not run "systemctl restart auditd.service", well I tried it but
> this does not work. Instead I rebooted the PC completely.
> I found info to test on
> http://www.golinuxhub.com/2013/05/using-audit-in-linux-to-track-system.html
> Running "auditctl -R /etc/audit/audit.rules" now gives at the end:
> Error sending add rule data request (Invalid argument)
> There was an error in line 14 of /etc/audit/audit.rules
> That is the line I added. I checked the man page, but I don't see the
> problem.

It looks like the "permission" part is missing.  Try:
-w /home/tester5/test -p w -k TEST

or:
-w /home/tester5/test -p a -k TEST
Comment 12 William Kenney 2015-08-29 18:52:58 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
audit libaudit1 libauparse0 python-audit

default install of audit libaudit1 libauparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.4.mga4.i586 is already installed

packages install without error

install audit libaudit1 libauparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.3.2-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.3.2-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.5.mga4.i586 is already installed

packages update without error

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK

Comment 13 William Kenney 2015-08-29 19:09:47 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
audit lib64audit1 lib64auparse0 python-audit

default install of audit lib64audit1 lib64auparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.3.2-2.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.3.2-2.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.4.mga4.x86_64 is already installed

packages install without error

install audit lib64audit1 lib64auparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.3.2-2.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.3.2-2.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.5.mga4.x86_64 is already installed

packages update without error
William Kenney 2015-08-29 19:10:09 CEST

Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK

Comment 14 William Kenney 2015-08-29 19:23:19 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
audit libaudit1 libauparse0 python-audit

default install of audit libaudit1 libauparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.4.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.4.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.4.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.1-1.mga5.i586 is already installed

packages install without error

install audit libaudit1 libauparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.4.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.4.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.4.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.4-1.mga5.i586 is already installed

packages update without error

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK

Comment 15 William Kenney 2015-08-29 19:37:47 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
audit lib64audit1 lib64auparse0 python-audit

default install of audit lib64audit1 lib64auparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.4.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.4.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.4.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.1-1.mga5.x86_64 is already installed

packages install without error

install audit lib64audit1 lib64auparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.4.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.4.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.4.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.4-1.mga5.x86_64 is already installed

packages update without error
William Kenney 2015-08-29 19:38:13 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Comment 16 William Kenney 2015-08-29 19:39:11 CEST
This update updates cleanly and works fine.
Testing complete for MGA4 & MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Rémi Verschelde 2015-08-30 13:03:28 CEST
Advisory uploaded.

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory

Comment 18 Mageia Robot 2015-08-30 16:29:02 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0333.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

