Bug 20168 - libnl3 new security issues CVE-2017-0386 and CVE-2017-0553
Summary: libnl3 new security issues CVE-2017-0386 and CVE-2017-0553
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/712300/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-24 02:43 CET by David Walser
Modified: 2017-06-08 23:40 CEST (History)
4 users (show)

See Also:
Source RPM: libnl3-3.2.25-3.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-01-24 02:43:23 CET
Fedora has issued an advisory on January 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR5R2FSPYCLDAHTXQC2LKY74N5YW2PQQ/

However, both upstream and RedHat have concluded that this is not a security issue in libnl3 itself.

Patched package uploaded for Cauldron.  Patch checked into Mageia 5 SVN.

If we have any reason to update this package in the future, the fix will be included.
Comment 1 Marja van Waes 2017-01-24 13:04:54 CET
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on January 22:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/JR5R2FSPYCLDAHTXQC2LKY74N5YW2PQQ/
> 
> However, both upstream and RedHat have concluded that this is not a security
> issue in libnl3 itself.
> 
> Patched package uploaded for Cauldron.  Patch checked into Mageia 5 SVN.
> 
> If we have any reason to update this package in the future, the fix will be
> included.

Assigning to the registered libnl3 maintainer, even if no action is needed now.
Comment 2 David Walser 2017-04-23 00:42:48 CEST
Fedora has issued an advisory today (April 22) for a similar issue:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KIHASXRQO2YTQPKVP4VGIB2XHPANG6YX/

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libnl3 packages fix security vulnerabilities:

An elevation of privilege vulnerability in the libnl library could enable a
local malicious application to execute arbitrary code within the context of a
privileged process (CVE-2017-0386).

An integer overflow vulnerability was found in nlmsg_reserve() triggered by
crafted @len argument resulting into reserving too few bytes (CVE-2017-0553).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR5R2FSPYCLDAHTXQC2LKY74N5YW2PQQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KIHASXRQO2YTQPKVP4VGIB2XHPANG6YX/
========================

Updated packages in core/updates_testing:
========================
libnl3_200-3.2.25-3.1.mga5
libnl-cli3_200-3.2.25-3.1.mga5
libnl-route3_200-3.2.25-3.1.mga5
libnl-genl3_200-3.2.25-3.1.mga5
libnl-nf3_200-3.2.25-3.1.mga5
libnl-idiag3_200-3.2.25-3.1.mga5
libnl3-devel-3.2.25-3.1.mga5
libnl3-config-3.2.25-3.1.mga5
libnl3-tools-3.2.25-3.1.mga5

from libnl3-3.2.25-3.1.mga5.src.rpm
Comment 3 Len Lawrence 2017-05-19 10:46:28 CEST
These libraries provide a netlink protocol API between applications and the kernel.  As far as PoCs are concerned there is no useful information for QA in the bug links so the best we can do is look at applications dependent on libnl.  There is a tools package which populates /sbin with nl-* files and documentation for these is accessed via the --help option.

Some applications which use the libraries are:
aircrack-ng          : complete suite of tools to assess WiFi network security
crda                 : udev helper for regulatory compliance
hostapd              : turn your network card into a wifi access point
iw                   ; configuration utility for wireless devices
keepalived           : routing software
kismet               : packet sniffer, etc.
knemo                : network monitor
networkmanager
ntrack               : track network online status changes
powertop             : tool to diagnose issues with power consumption and management
python-ethtool       : display or change ethernet settings
sssd                 : security services daemon
wireshark
wpa_supplicant       : wireless access management
Comment 4 Len Lawrence 2017-05-19 21:55:48 CEST
x86_64 on real hardware.

Updated the packages and used wireshark for functionality test.

Added user to wireshark group.
Ran wireshark under strace; chose IPv4 capture filter for ethernet interface and set it running without any packet limit.  Not familiar with network language but recognized addresses on the LAN, references to router and dropbox.  Clicked on a packet to examine it in a separate window - the information looked as if it made sense.Stopped it manually.  Goto packet highlighted the entry and allowed examination in popup window.  Saved the frame as a pcap file.  Closed wireshark and restarted it to load the capture file.  Looked at it frame by frame.  All good.

Checked the strace file:
$ cat wire.trace | grep libnl
open("/usr/lib64/libnl-route-3.so.200", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libnl-genl-3.so.200", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libnl-3.so.200", O_RDONLY|O_CLOEXEC) = 3
stat("/etc/libnl/classid", {st_mode=S_IFREG|0644, st_size=1130, ...}) = 0
open("/etc/libnl/classid", O_RDONLY)    = 3

That confirms that the updated libraries are in use.

Ran iw to see how it looked and noted that it has an option for netlink debugging.

Giving this an OK.  Not going to try vbox (i586).
Comment 5 Dave Hodgins 2017-06-07 05:22:32 CEST
Similar testing on i586 under vb. Validating the update.
Comment 6 Mageia Robot 2017-06-08 23:40:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0158.html

Note You need to log in before you can comment on or make changes to this bug.