Fedora has issued an advisory on November 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/

Mageia 5 is also affected.

The issue was fixed upstream in 1.6.3. The RedHat bug contains a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1506523#c7
Whiteboard: (none) => MGA5TOO
Assigning to the registered apr maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Updated RPM pushed to core/updates_testing for MGA5 and MGA6.

apr-1.5.1-3.1.mga5
apr-1.5.2-2.1.mga6
CC: (none) => smelror
Advisory:
========================

Updated apr packages fix security vulnerability:

An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak (CVE-2017-12613).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/
========================

Updated packages in core/updates_testing:
========================
libapr1_0-1.5.1-3.1.mga5
libapr-devel-1.5.1-3.1.mga5
libapr1_0-1.5.2-2.1.mga6
libapr-devel-1.5.2-2.1.mga6

from SRPMS:
apr-1.5.1-3.1.mga5.src.rpm
apr-1.5.2-2.1.mga6.src.rpm
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Mageia 6 on x86_64

apr seems to be used by apache, anjuta and some SVN applications and tools which all have learning curves. The simplest application to test is hydra. Installed that and tried it out against a local machine. Updated the apr libraries and tried it again.

$ strace hydra -l lcl -p Rapunzel ftp://192.168.1.3 2> trace
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-15 17:30:08
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ftp on port 21
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-15 17:30:11

[lcl@belexeuli qa]$ cat trace | grep apr
open("/lib64/libapr-1.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libaprutil-1.so.0", O_RDONLY|O_CLOEXEC) = 3

Tried this with a valid password and it succeeded. Also restarted apache to make sure httpd still functions.

This looks OK. No regressions.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Mageia 5 on X86_64

Installed hydra then updated the apr libraries. Tried accessing another machine on the network with valid user and a mixture of false and one real password.

$ hydra -l lcl -p shibboleth ftp://192.168.1.156
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-16 10:44:21
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ftp on port 21
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-16 10:44:23

$ hydra -l lcl -P psswdz ftp://192.168.1.156
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-16 10:46:04
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.156 login: lcl password: <whatever>
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-16 10:46:06

OK for 64 bits.
Mageia 5 on i586 in virtualbox

Ran the password cracking trials using hydra as reported in previous comments.

$ strace hydra -l lcl -p Rapunzel ftp://192.168.1.156 2> trace
$ cat trace | grep apr
open("/lib/libapr-1.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib/libaprutil-1.so.0", O_RDONLY|O_CLOEXEC) = 3

$ hydra -l lcl -P psswdz ftp://192.168.1.156
......
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.156 login: lcl password: <..........>
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-16 11:25:22

OK for 32 bits.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK
Mageia 6 on i586 in virtualbox

Installed hydra and ran the updates on libapr1_0 and libapr-devel. Mounted a pseudo ftp attack across the LAN as before. That worked as expected.

Good for 32 bits.
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK MGA6-32-OK
Validating this on the basis of the four OKs.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Adding one URL to the references.

Advisory:
========================

Updated apr packages fix security vulnerability:

An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak (CVE-2017-12613).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613
http://www.apache.org/dist/apr/Announcement1.x.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/
Keywords: (none) => advisory
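The bug class the advisory names, a lookup table indexed by an unvalidated field of a broken-down time, is illustrated by the following self-contained C example. It is an illustration added here, not the APR source and not the upstream fix; the struct exp_time type, the days_before_month table, the DATE_OK / DATE_EBADDATE codes and the day_of_year_* functions are all assumptions of this example and do not exist in APR. The unchecked variant shows the pattern the advisory warns about; the checked variant rejects out-of-range fields with a status code before they ever reach the table.

```c
#include <stdio.h>

/* Status codes for this illustration only; APR's real equivalents are
 * APR_SUCCESS and APR_EBADDATE, but these constants are our own. */
#define DATE_OK       0
#define DATE_EBADDATE 1

/* Constructed broken-down time carrying only the fields this example
 * needs. It mirrors the shape of a tm-style struct; it is not apr_time_exp_t. */
struct exp_time {
    int tm_year;  /* years since 1900 */
    int tm_mon;   /* 0 = January ... 11 = December */
    int tm_mday;  /* 1..31 */
};

/* Days elapsed before the first day of each month in a common year. */
static const int days_before_month[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

static int is_leap_year(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || (year % 400 == 0);
}

/* Unvalidated pattern: the caller's tm_mon is used directly as an array
 * index. Any value outside 0..11 reads past the table, which is undefined
 * behaviour and the class of defect the advisory describes. Kept only for
 * contrast with the checked version below. */
int day_of_year_unchecked(const struct exp_time *xt)
{
    return days_before_month[xt->tm_mon] + xt->tm_mday - 1
         + (xt->tm_mon > 1 && is_leap_year(xt->tm_year + 1900));
}

/* Validated version: every field is range-checked before it is used as an
 * index, and a bad date is reported through the return code instead of an
 * out-of-bounds read. */
int day_of_year_checked(const struct exp_time *xt, int *out)
{
    int leap, days_in_month;

    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
        return DATE_EBADDATE;

    leap = is_leap_year(xt->tm_year + 1900);
    if (xt->tm_mon == 11)
        days_in_month = 31;
    else
        days_in_month = days_before_month[xt->tm_mon + 1]
                      - days_before_month[xt->tm_mon];
    if (xt->tm_mon == 1 && leap)
        days_in_month = 29;

    if (xt->tm_mday < 1 || xt->tm_mday > days_in_month)
        return DATE_EBADDATE;

    *out = days_before_month[xt->tm_mon] + xt->tm_mday - 1
         + (xt->tm_mon > 1 && leap);
    return DATE_OK;
}

/* Convenience wrapper: zero-based day of year, or -1 when the input is
 * rejected. Handy for tests and callers that want a single value. */
int day_of_year_or_error(int tm_year, int tm_mon, int tm_mday)
{
    struct exp_time xt;
    int doy;

    xt.tm_year = tm_year;
    xt.tm_mon = tm_mon;
    xt.tm_mday = tm_mday;
    if (day_of_year_checked(&xt, &doy) != DATE_OK)
        return -1;
    return doy;
}

int main(void)
{
    /* 2017-11-16, the date of the test reports above, and an impossible month. */
    printf("2017-11-16 -> day %d\n", day_of_year_or_error(117, 10, 16));
    printf("tm_mon=12   -> %d (rejected)\n", day_of_year_or_error(117, 12, 1));
    return 0;
}
```

The point of the checked version is that validation happens at the boundary where the untrusted struct arrives, so the table lookup can never see an index it was not written for; the caller gets DATE_EBADDATE and can log or reject the request instead of crashing or leaking adjacent memory.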
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0417.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED