Bug 22037 - shadowsocks-libev new security issue CVE-2017-15924
Summary: shadowsocks-libev new security issue CVE-2017-15924
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-15 23:26 CET by David Walser
Modified: 2017-12-02 00:14 CET (History)
4 users (show)

See Also:
Source RPM: shadowsocks-libev-2.4.3-5.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-11-15 23:26:41 CET 
Debian has issued an advisory on October 29:
https://www.debian.org/security/2017/dsa-4009

openSUSE has issued an advisory for this today (November 15):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00045.html

Somehow I missed this before (I probably thought we didn't have this package).

Mageia 6 is also affected.
David Walser 2017-11-15 23:26:47 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Chris Denice 2017-11-16 11:21:25 CET 
Thanks guys for the assignment :)

I am ok to have a look, but the official maintainer is ovitters!

I am pushing an update on Cauldron, because the current version is old and not building anymore.

But for mga6, it would be better if Olav could have a look, I don't want to break too much stuff!

Let me know,
Cheers.

CC: (none) => olav

Comment 2 Chris Denice 2017-11-21 21:08:40 CET 
It seems that this is an orphan package on mga6:

urpmq --whatrequires shadowsocks-libev
shadowsocks-libev

urpmq --whatrequires  lib64shadowsocks1
lib64shadowsocks-devel
lib64shadowsocks1

Easiest way would be for me to push for mga6 the same version as the one I have pushed on Cauldron 3.0.1 + CVE patch, anyone seeing a problem?

Cheers.
Comment 3 Olav Vitters 2017-11-21 22:45:21 CET 
This is purely some leaf software to avoid restrictions on crappy networks. E.g. avoiding China firewall and so on. There's an app on Android that goes with it/

Please push same version!
Comment 4 Chris Denice 2017-11-24 22:01:11 CET 
Ok done, this is in update testing for mga6. An advisory follows. I have no idea how to test this package, so at least make sure that it installs correctly without any scriplet failing and without conflict with existing packages!





Advisory:
========================

Updated shadowsocks-libev packages to fix security vulnerability (CVE-2017-15924). An improper parsing could allow command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic.

References
==================
https://www.debian.org/security/2017/dsa-4009
https://lists.opensuse.org/opensuse-updates/2017-11/msg00045.html
https://security-tracker.debian.org/tracker/CVE-2017-15924

Updated packages in core/updates_testing:
========================
lib64shadowsocks2-3.1.0-1.mga6
lib64shadowsocks-devel-3.1.0-1.mga6
shadowsocks-libev-3.1.0-1.mga6

from SRPMS:
shadowsocks-libev-3.1.0-1.mga6

Assignee: eatdirt => qa-bugs
CC: (none) => eatdirt

David Walser 2017-11-24 22:07:46 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 Dave Hodgins 2017-11-30 19:14:13 CET 
Confirmed update installs cleanly on both arches. Advisory committed to svn.
Validating the update.

CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2017-12-02 00:14:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0436.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.