22869 – beep new security issue CVE-2018-0492

Bug 22869 - beep new security issue CVE-2018-0492

Summary: beep new security issue CVE-2018-0492

Status:	RESOLVED OLD

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Shlomi Fish
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-03 23:43 CEST by David Walser
Modified:	2019-11-06 13:23 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	beep-1.3-7.mga6.src.rpm
CVE:
Status comment:	Fix incomplete and there are other issues, only affects SUID binaries which ours isn't

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-04-03 23:43:20 CEST

Debian has issued an advisory on April 2:
https://www.debian.org/security/2018/dsa-4163

We don't configure beep as setuid, so this is a very minor issue for us.

Mageia 5 and Mageia 6 are also affected (sort of, anyway).

Comment 1 Marja Van Waes 2018-04-04 10:43:42 CEST

Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-04-04 11:24:44 CEST

(In reply to David Walser from comment #0)
> Debian has issued an advisory on April 2:
> https://www.debian.org/security/2018/dsa-4163
> 
> We don't configure beep as setuid, so this is a very minor issue for us.
> 
> Mageia 5 and Mageia 6 are also affected (sort of, anyway).

Hi David!

According to https://www.mageia.org/en/support/ Mageia 5 was already end-of-lifed. Why do you still mention it?

Comment 3 Shlomi Fish 2018-04-04 11:51:37 CEST

Hi all! My link-fu is failing me - where can i find the patch fixing this - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667 ?

Comment 4 Marja Van Waes 2018-04-04 12:15:11 CEST

(In reply to Shlomi Fish from comment #3)
> Hi all! My link-fu is failing me - where can i find the patch fixing this -
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667 ?

I can't find the plain patch, but saw a file containing CVE-2018-0492.patch

https://release.debian.org/proposed-updates/stable_diffs/beep_1.3-4+deb9u1.debdiff



Btw, we're trying to keep Mageia 5 alive wrt security updates until the Mga5->6 upgrade path works.

Comment 5 David Walser 2018-04-04 13:47:36 CEST

I mention Mageia 5 for documentation purposes since it's not totally dead yet.  We're only fixing important packages so don't worry about it for this one.

Comment 6 David Walser 2018-04-04 14:50:29 CEST

beep-1.3-6.1.mga5
beep-1.3-7.1.mga6
beep-1.3-8.mga7

have been uploaded by Shlomi to fix this.

Version: Cauldron => 6

Comment 7 David Walser 2018-04-08 01:23:56 CEST

I am confused about this, based on these comments:
http://openwall.com/lists/oss-security/2018/04/06/1
http://openwall.com/lists/oss-security/2018/04/06/2

Is this vulnerability real?  Is the patch Shlomi got from Debian bad or good?

Comment 8 David Walser 2018-04-08 18:44:08 CEST

The vulnerability is real (but again, only when the binary is SUID root, which ours isn't by default), but the fix is incomplete and there are other issues:
http://openwall.com/lists/oss-security/2018/04/08/1

A good argument was made in the message above for dropping the package.

Comment 9 Shlomi Fish 2018-04-13 19:12:57 CEST

(In reply to David Walser from comment #8)
> The vulnerability is real (but again, only when the binary is SUID root,
> which ours isn't by default), but the fix is incomplete and there are other
> issues:
> http://openwall.com/lists/oss-security/2018/04/08/1
> 
> A good argument was made in the message above for dropping the package.

Can I add it to task-obsoletes then?

Comment 10 David Walser 2018-04-14 02:07:01 CEST

(In reply to Shlomi Fish from comment #9)
> Can I add it to task-obsoletes then?

I doubt anyone uses it anymore, so yes that should be fine.

David Walser 2018-05-04 08:32:39 CEST

Status comment: (none) => Fix incomplete and there are other issues, only affects SUID binaries which ours isn't

Comment 11 Mike Rambo 2019-11-06 13:23:45 CET

Mageia 6 is EOL.

Resolution: (none) => OLD
Status: NEW => RESOLVED
CC: (none) => mrambo

Note You need to log in before you can comment on or make changes to this bug.