Bug 20865 - menu-cache new security issue CVE-2017-8933
Summary: menu-cache new security issue CVE-2017-8933
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory mga5-32-ok MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-16 00:11 CEST by David Walser
Modified: 2017-06-04 01:36 CEST (History)
5 users (show)

See Also:
Source RPM: menu-cache-1.0.0-5.mga5.src.rpm
CVE: CVE-2017-8933
Status comment:


Attachments

Description David Walser 2017-05-16 00:11:48 CEST
A security issue fixed upstream in menu-cache has been announced:
http://openwall.com/lists/oss-security/2017/05/15/3

Mageia 5 is probably also affected.
David Walser 2017-05-16 00:13:59 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Salguero 2017-05-16 09:31:13 CEST
Regarding Cauldron, menu-cache-1.0.2-3.mga6 and pcmanfm-1.2.5-2.mga6 already contain the fix.
Comment 2 Nicolas Salguero 2017-05-16 09:36:44 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability). (CVE-2017-8933)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8933
http://openwall.com/lists/oss-security/2017/05/15/3
========================

Updated packages in core/updates_testing:
========================
menu-cache-1.0.0-5.1.mga5
lib(64)menu-cache3-1.0.0-5.1.mga5
lib(64)menu-cache-devel-1.0.0-5.1.mga5
pcmanfm-1.2.3-2.3.mga5

from SRPMS:
menu-cache-1.0.0-5.1.mga5.src.rpm
pcmanfm-1.2.3-2.3.mga5.src.rpm

Whiteboard: MGA5TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Source RPM: menu-cache-1.0.2-3.mga6.src.rpm => menu-cache-1.0.0-5.mga5.src.rpm, pcmanfm-1.2.3-2.2.mga5.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 5
CVE: (none) => CVE-2017-8933

Comment 3 Nicolas Salguero 2017-05-16 10:33:16 CEST
Oops, I did not saw bug 20864 so I added pcmanfm-1.2.3-2.2.mga5.src.rpm to this one.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability). (CVE-2017-8933)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8933
http://openwall.com/lists/oss-security/2017/05/15/3
========================

Updated packages in core/updates_testing:
========================
menu-cache-1.0.0-5.1.mga5
lib(64)menu-cache3-1.0.0-5.1.mga5
lib(64)menu-cache-devel-1.0.0-5.1.mga5

from SRPMS:
menu-cache-1.0.0-5.1.mga5.src.rpm

CC: (none) => nicolas.salguero

Nicolas Salguero 2017-05-16 10:33:42 CEST

Source RPM: menu-cache-1.0.0-5.mga5.src.rpm, pcmanfm-1.2.3-2.2.mga5.src.rpm => menu-cache-1.0.0-5.mga5.src.rpm

Dave Hodgins 2017-05-21 02:59:24 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 Brian Rockwell 2017-06-01 18:33:51 CEST
$ uname -a
Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 18:41:19 UTC 2017 i686 i686 i686 GNU/Linux


The following 3 packages are going to be installed:

- libmenu-cache-devel-1.0.0-5.1.mga5.i586
- libmenu-cache3-1.0.0-5.1.mga5.i586
- menu-cache-1.0.0-5.1.mga5.i586

6.1KB of additional disk space will be used.

68KB of packages will be retrieved.

Is it ok to continue?

---

running LXDE

---

Installed menu-cache and rebooted.  going through menu and applications things are working as expected.

CC: (none) => brtians1
Whiteboard: advisory => advisory mga5-32-ok

Comment 5 Lewis Smith 2017-06-02 21:39:03 CEST
Testing M5_64, LXDE
Updated menu-cache to:
 lib64menu-cache3-1.0.0-5.1.mga5
 menu-cache-1.0.0-5.1.mga5
Re-booted after the update, and tried every first & last menu & sub-menu ('more') item. All OK. Could see no way to use strace to see whether these two libraries are called during menu manipulations, so OKing the update.
Validating; advisory in place.

Whiteboard: advisory mga5-32-ok => advisory mga5-32-ok MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-04 01:36:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0155.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.