SUSE has issued an advisory on July 30:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004358.html
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004359.html
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => lists.jjorge
openSUSE has issued an advisory for this on August 7: https://lists.opensuse.org/opensuse-updates/2018-08/msg00044.html
Fedora has issued an advisory for this today (August 8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3VH333EONOEEGKOLHHFXCJYHCYMHJ4KK/
The latest build fixes this issue with the following patch taken from Fedora (August 30): https://svnweb.mageia.org/packages/cauldron/libcgroup/current/SOURCES/libcgroup-0.41-fedora-CVE-2018-14348.patch?revision=1255790&view=markup
CC: (none) => arusekk
CC: (none) => lists.jjorge
Assignee: lists.jjorge => qa-bugs
Version: Cauldron => 6
I have submitted Arusekk's work to Mageia 6 Updates Testing.
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Advisory:
========================

Updated libcgroup packages fix security vulnerability:

The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates log files (/var/log/cgred) with world readable and writable permissions (0o666) due to a reset of the file mode creation mask (umask(0)) in the daemon/cgrulesengd.c:cgre_start_daemon() function (CVE-2018-14348).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14348
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3VH333EONOEEGKOLHHFXCJYHCYMHJ4KK/
========================

Updated packages in core/updates_testing:
========================
cgroup-0.41-1.1.mga6
pam_cgroup-0.41-1.1.mga6
libcgroup1-0.41-1.1.mga6
libcgroup-devel-0.41-1.1.mga6

from libcgroup-0.41-1.1.mga6.src.rpm
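The permission problem described in the advisory above, as an added example that is not part of this bug thread or of the libcgroup source: a log file created with fopen() inherits whatever the process umask allows, so umask(0) yields 0666. The scratch path, the 0027 mask and the explicit 0600 mode are assumptions chosen for illustration and are not taken from the Fedora patch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a log file under the given umask and return its permission bits (-1 on error). */
static int create_log_mode(const char *path, int explicit_mode, mode_t mask)
{
    struct stat st;
    int ok = 0;
    mode_t old = umask(mask);                 /* what the daemon does at startup */
    if (explicit_mode) {
        /* Hardened: request 0600 explicitly, so even umask(0) cannot widen it. */
        int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_EXCL, 0600);
        if (fd >= 0) { close(fd); ok = 1; }
    } else {
        /* Vulnerable pattern: fopen() always requests 0666 and relies on umask. */
        FILE *f = fopen(path, "a");
        if (f != NULL) { fclose(f); ok = 1; }
    }
    umask(old);                               /* restore the caller's mask */
    return ok && stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Run one case in a private scratch directory (constructed path, not /var/log). */
static int run_case(int explicit_mode, mode_t mask)
{
    char dir[64], path[96];
    snprintf(dir, sizeof dir, "/tmp/cgred-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)                /* fails closed if the name exists */
        return -1;
    snprintf(path, sizeof path, "%s/cgred.log", dir);
    int mode = create_log_mode(path, explicit_mode, mask);
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("fopen, umask(0):      %04o\n", (unsigned)run_case(0, 0));
    printf("fopen, umask(0027):   %04o\n", (unsigned)run_case(0, 0027));
    printf("open(0600), umask(0): %04o\n", (unsigned)run_case(1, 0));
    return 0;
}
```

When verifying an update like this one, the same stat() test on the daemon's real log file shows whether the world-writable bit (S_IWOTH) is still set.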
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
MCC tells me "The tools to manipulate, control, administrate and monitor control groups and the associated controllers."
Tried display commands
$ lscgroup
net_cls:/
cpu,cpuacct:/
devices:/
devices:/user.slice
devices:/init.scope
devices:/system.slice
devices:/system.slice/var-lib-nfs-rpc_pipefs.mount
devices:/system.slice/sys-kernel-debug.mount
devices:/system.slice/tmp.mount
devices:/system.slice/alsa-state.service
and a load more
$ lssubsys
cpuset
cpu,cpuacct
blkio
devices
freezer
net_cls
Looks sensible without studying all about it.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Mageia 6, x86_64
Started the cgred service successfully then tried some of the commands from the man pages hoping to trigger logging for cgred (working entirely in the dark here) with a view to checking permissions on the log files before updating (CVE-2018-14348). Like Herman - no wish to undertake a course of study.
# modprobe cls_cgroup
# mkdir /sys/fs/cgroup/net_cls
mkdir: cannot create directory ‘/sys/fs/cgroup/net_cls’: File exists
# mount -t cgroup -onet_cls net_cls /sys/fs/cgroup/net_cls
mount: net_cls is already mounted or /sys/fs/cgroup/net_cls busy
# mkdir /sys/fs/cgroup/net_cls/foobar
mkdir: cannot create directory ‘/sys/fs/cgroup/net_cls/foobar’: File exists
# echo 0x10002 > /sys/fs/cgroup/net_cls/foobar/net_cls.classid
No cgred directory appears under /var/log so cannot check permissions.
Updated the four packages.
lscgroup and lssubsys returned the same sort of information which Herman saw, comment #7.
CC: (none) => tarazed25
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Looks OK to me, as far as I can tell. Validating. Suggested advisory in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0380.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED