Bug 23370 - yum-utils new security issue CVE-2018-10897
Summary: yum-utils new security issue CVE-2018-10897
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2018-07-30 16:29 CEST by David Walser
Modified: 2018-10-15 23:21 CEST
CC List: 5 users

See Also:
Source RPM: yum-utils-1.1.31-5.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-07-30 16:29:59 CEST
RedHat has issued an advisory today (July 30):
https://access.redhat.com/errata/RHSA-2018:2285

The RedHat bug has links to the commits that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1600221

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-30 16:30:24 CEST

Whiteboard: (none) => MGA6TOO
CC: (none) => ngompa13

Comment 1 Bruno Cornec 2018-07-30 17:46:39 CEST
Mageia Cauldron updated with the proposed patch into rev 1.1.31-6
rebuild in progress.

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2018-07-30 17:52:25 CEST
Update also submitted for mga6 (1.1.31-5.1)
Comment 3 David Walser 2018-07-30 19:08:33 CEST
Advisory:
========================

Updated yum-utils packages fix security vulnerability:

A directory traversal issue was found in reposync, a part of yum-utils, where
reposync fails to sanitize paths in remote repository configuration files. If an
attacker controls a repository, they may be able to copy files outside of the
destination directory on the targeted system via path traversal. If reposync is
running with heightened privileges on a targeted system, this flaw could
potentially result in system compromise via the overwriting of critical system
files (CVE-2018-10897).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10897
https://access.redhat.com/errata/RHSA-2018:2285
========================

Updated packages in core/updates_testing:
========================
yum-utils-1.1.31-5.1.mga6
yum-updateonboot-1.1.31-5.1.mga6
yum-plugin-changelog-1.1.31-5.1.mga6
yum-plugin-fastestmirror-1.1.31-5.1.mga6
yum-plugin-protectbase-1.1.31-5.1.mga6
yum-plugin-versionlock-1.1.31-5.1.mga6
yum-plugin-tsflags-1.1.31-5.1.mga6
yum-plugin-priorities-1.1.31-5.1.mga6
yum-plugin-refresh-updatesd-1.1.31-5.1.mga6
yum-plugin-merge-conf-1.1.31-5.1.mga6
yum-plugin-upgrade-helper-1.1.31-5.1.mga6
yum-plugin-aliases-1.1.31-5.1.mga6
yum-plugin-list-data-1.1.31-5.1.mga6
yum-plugin-filter-data-1.1.31-5.1.mga6
yum-plugin-tmprepo-1.1.31-5.1.mga6
yum-plugin-verify-1.1.31-5.1.mga6
yum-plugin-keys-1.1.31-5.1.mga6
yum-plugin-remove-with-leaves-1.1.31-5.1.mga6
yum-plugin-post-transaction-actions-1.1.31-5.1.mga6
yum-NetworkManager-dispatcher-1.1.31-5.1.mga6
yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6
yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6
yum-plugin-show-leaves-1.1.31-5.1.mga6
yum-plugin-local-1.1.31-5.1.mga6
yum-plugin-fs-snapshot-1.1.31-5.1.mga6
yum-plugin-ps-1.1.31-5.1.mga6
yum-plugin-puppetverify-1.1.31-5.1.mga6
yum-plugin-copr-1.1.31-5.1.mga6
yum-plugin-ovl-1.1.31-5.1.mga6

from yum-utils-1.1.31-5.1.mga6.src.rpm

CC: (none) => bruno
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: bruno => qa-bugs
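
As an added defensive illustration of the check the advisory above describes (this is not code from yum-utils, from the upstream fix, or from anyone on this bug): a small Python helper that resolves a package location taken from remote repository metadata against the local destination directory and refuses anything that would land outside it. It rejects absolute paths and any `..` segment outright, then confirms with `os.path.realpath()` that the joined target is still under the real destination, which also catches escapes through symlinks in an already-existing part of the path. The destination directory, the sample location strings and the names `safe_destination` / `classify_paths` are all constructed for this example.

```python
import os
import posixpath


class UnsafePathError(ValueError):
    """Raised when a repository-supplied path would escape the destination."""


def safe_destination(dest_dir, remote_relpath):
    """Resolve remote_relpath (a location string taken from repository
    metadata, so attacker-influenced if the repository is hostile) against
    dest_dir and return the absolute local path, or raise UnsafePathError
    if the result would land outside dest_dir.

    Checks, in order:
      1. reject empty and absolute paths outright;
      2. reject any '..' segment in the raw path, before normalising, so a
         traversal attempt is refused even when it would happen to stay
         inside dest_dir (normpath would silently fold it away);
      3. after joining, confirm with realpath() (which follows symlinks in
         the existing part of the path) that the target is under dest_dir.
    """
    if not remote_relpath:
        raise UnsafePathError("empty path")
    # Metadata locations are URL-style, so use posixpath regardless of platform.
    if posixpath.isabs(remote_relpath) or remote_relpath.startswith("\\"):
        raise UnsafePathError("absolute path not allowed: %r" % remote_relpath)
    if ".." in remote_relpath.split("/"):
        raise UnsafePathError("parent-directory segment not allowed: %r" % remote_relpath)
    normalised = posixpath.normpath(remote_relpath)
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *normalised.split("/")))
    # commonpath avoids the prefix-collision trap ('/srv/repo' vs '/srv/repo2')
    # that a plain startswith() check would fall into.
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError("path escapes destination: %r" % remote_relpath)
    return target


def classify_paths(dest_dir, remote_paths):
    """Return {location: 'ok' | 'rejected'} for a batch of metadata locations."""
    verdicts = {}
    for location in remote_paths:
        try:
            safe_destination(dest_dir, location)
            verdicts[location] = "ok"
        except UnsafePathError:
            verdicts[location] = "rejected"
    return verdicts


# Constructed sample of location strings as they might appear in a
# repository's primary metadata; the destination directory is constructed too.
SAMPLE_DEST = "/srv/mirror/mageia"
SAMPLE_LOCATIONS = [
    "Packages/y/yum-utils-1.1.31-5.1.mga6.noarch.rpm",
    "./Packages/y/yum-utils-1.1.31-5.1.mga6.noarch.rpm",
    "Packages/../Packages/y/yum-utils-1.1.31-5.1.mga6.noarch.rpm",  # stays inside, but uses '..'
    "../../../../etc/yum.conf",
    "/etc/yum.conf",
]

if __name__ == "__main__":
    for location, verdict in classify_paths(SAMPLE_DEST, SAMPLE_LOCATIONS).items():
        print("%-9s %s" % (verdict, location))
```

Refusing every `..` segment, even one that would resolve inside the destination, is a deliberate choice: legitimate repository metadata has no reason to contain one, and a blanket rule is easier to audit than reasoning about which traversals are harmless.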

Comment 4 Herman Viaene 2018-08-01 16:32:09 CEST
MGA6-32 MATE on IBM Thinkpad R50e
Installation draws in a lot of other stuff and that results in error:
2 installation-transactions failed

Er is een fout opgetreden tijdens de installatie:

file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch

createrepo is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch

yum >= 3.2.22 is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch

yum >= 3.0 is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch

yum-updatesd is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch

yum >= 3.0 is needed by yum-plugin-protectbase-1.1.31-5.1.mga6.noarch

yum >= 3.2.22 is needed by yum-plugin-fs-snapshot-1.1.31-5.1.mga6.noarch

yum >= 3.2.17 is needed by yum-NetworkManager-dispatcher-1.1.31-5.1.mga6.noarch

yum >= 3.0.5 is needed by yum-plugin-list-data-1.1.31-5.1.mga6.noarch

yum >= 3.2.27 is needed by yum-plugin-ps-1.1.31-5.1.mga6.noarch

yum >= 3.2.19 is needed by yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6.noarch

yum >= 3.2.19 is needed by yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6.noarch

yum >= 3.2.23 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

yum-utils-translations = 1.1.31-5.1.mga6 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

Does this mean the updates cannot run on an installation which did not have yum before??
How would this affect a user who would try to install yum when those packages would be included in the normal repos???

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-08-01 17:18:28 CEST
@Herman, re comment 4:
Don't know how to answer your specific queries but I tried this installation on x86_64.

I took the precaution of installing yum first then the packages named in the update list.  There was a single conflict - lost the reference - but the rest succeeded.

Enabled updates testing and ran MageiaUpdate.  All the packages installed cleanly.
That is as far as I have got.  Busy just now.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2018-08-01 17:26:55 CEST
re comment 5:
I take your point about yum not being pulled in by yum-utils.  Looks like it is a missing dependency.  Feedback?
Len Lawrence 2018-08-03 08:33:25 CEST

Keywords: (none) => feedback

Comment 7 Bruno Cornec 2018-08-14 09:39:05 CEST
Yes I'll fix that ASAP
Comment 8 Len Lawrence 2018-09-26 20:02:14 CEST
Mageia 6.1 new installation, x86_64

Before updating, I created a manifest from the listed packages and installed against that to create a 1.1.31.5 yum system.  This pulled in yum automatically, so if we follow the correct procedure for QA testing, updating from a preinstalled system, then there is no problem.

Since there is no explicit procedure posted for reproducing CVE-2018-10897, I shall skip straight to updating.

Wrong about that.  There is still a problem, as Herman reported.
    http://ftp.klid.dk/ftp/mageia/distrib/6/x86_64/media/core/updates_testing/yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm
installing lib64gamin1_0-0.1.10-17.mga6.x86_64.rpm python-gamin-0.1.10-17.mga6.x86_64.rpm yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm yum-updatesd-0.9-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
Installation failed:	file /usr/sbin/yum-updatesd from install of yum-updatesd-0.9-1.mga6.noarch conflicts with file from package yum-3.4.3-19.mga6.noarch
 
Looks like this is basically dnf.

$ yum check
$ yum check-update
Mageia 6 - x86_64                               2.0 MB/s |  33 MB     00:16    
Mageia 6 - x86_64 - Updates                     4.7 MB/s |  33 MB     00:07    
Last metadata expiration check: 0:00:09 ago on Wed 26 Sep 2018 18:50:58 BST.
$ yum deplist vlc
Last metadata expiration check: 0:02:47 ago on Wed 26 Sep 2018 18:53:55 BST.
package: vlc-3.0.0-0.git.19.mga6.x86_64
  dependency: /bin/sh
   provider: bash-4.3-48.3.mga6.x86_64
  dependency: fonts-ttf-vera
   provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
  dependency: libc.so.6(GLIBC_2.14)(64bit)
   provider: glibc-6:2.22-29.mga6.x86_64
[...]
   provider: lib64vlc5-3.0.2-0.1.mga6.x86_64
  dependency: vlc-plugin-common
   provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64

package: vlc-3.0.2-0.1.mga6.x86_64
  dependency: /bin/sh
   provider: bash-4.3-48.3.mga6.x86_64
  dependency: fonts-ttf-vera
   provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
[...]
  dependency: vlc-plugin-common
   provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64
$ sudo yum reinstall celestia
Last metadata expiration check: 0:08:20 ago on Wed 26 Sep 2018 18:50:58 BST.
Dependencies resolved.
================================================================================
 Package         Arch          Version               Repository            Size
================================================================================
Reinstalling:
 celestia        x86_64        1.6.1-18.mga6         mageia-x86_64         33 M
Transaction Summary
================================================================================
Total download size: 33 M
Is this ok [y/N]: y
Downloading Packages:
celestia-1.6.1-18.mga6.x86_64.rpm               2.1 MB/s |  33 MB     00:15    
--------------------------------------------------------------------------------
Total                                           2.0 MB/s |  33 MB     00:16     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Reinstalling     : celestia-1.6.1-18.mga6.x86_64                          1/2 
  Erasing          : celestia-1.6.1-18.mga6.x86_64                          2/2 
  Running scriptlet: celestia-1.6.1-18.mga6.x86_64                          2/2 
  Verifying        : celestia-1.6.1-18.mga6.x86_64                          1/2 
  Verifying        : celestia-1.6.1-18.mga6.x86_64                          2/2 
Reinstalled:
  celestia.x86_64 1.6.1-18.mga6                                                 
Complete!

It looks OK so far.
Comment 9 Len Lawrence 2018-09-26 20:07:18 CEST
The man pages show this for yum-utils:
debuginfo-install - install debuginfo packages and their dependencies
package-cleanup - manage package cleanup, duplicates, orphaned packages and outstanding dependency problems
repo-graph - outputs a full package dependency list in dot format
repo-rss - generates an RSS feed from one or more repositories
repoclosure - reads metadata of repositories, checks dependencies and displays list of unresolved dependencies
repodiff - takes two or more repositories, returns a list of added, removed or changed packages
repomanage - manages a directory of rpm packages, returns a list of newest or oldest packages in a directory
repoquery - query yum repositories and get additional information on them
reposync - synchronize a remote yum repository to a local directory using yum to retrieve packages
repotrack - tracks packages and their dependencies and downloads them
yum-builddep - installs missing dependencies to build a specified package
yum-complete-transaction - finds incomplete or aborted yum transactions and attempts to complete them
yum-installed - print a compact package list making use of comps groups
yumdownloader - downloads packages from yum repositories including source RPMs

Investigating.
Comment 10 Len Lawrence 2018-09-26 21:57:57 CEST
$ cd /bin
$ ls -1 repo*
repoclosure-deprecated*
repodiff-deprecated*
repo-graph-deprecated*
repomanage-deprecated*
repoquery-deprecated*
repo-rss-deprecated*
reposync-deprecated*
repotrack-deprecated*
$ ls -1 yum*
yum-builddep-deprecated*
yum-config-manager-deprecated*
yum-debug-dump-deprecated*
yum-debug-restore-deprecated*
yum-deprecated*
yumdownloader-deprecated*
yum-groups-manager-deprecated*

So most utilities are deprecated and others are missing.
Better leave this at that point.
Comment 11 Marja Van Waes 2018-10-03 08:41:12 CEST
On IRC in QA chan, Neal mentioned last night that he couldn't comment in bug 23370 (this bug) since he couldn't remember his password

He then mentioned that the reposync-deprecated command is what should be tested for this.
And that in Mageia, /usr/bin/reposync is normally provided by dnf-utils rather than yum-utils.

CC: (none) => marja11
Keywords: feedback => (none)

Comment 12 Marja Van Waes 2018-10-03 08:43:25 CEST
Oops, the feedback keyword was set for something else, sorry, setting it again.

Keywords: (none) => feedback

Comment 13 David Walser 2018-10-15 23:21:38 CEST
Fedora has issued an advisory for this on September 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YI7EHWQR75S5AV7RAV4VGWO535PTZAO/
