Bug 23561 - iniparser new security issue rhbz#1545824
Summary: iniparser new security issue rhbz#1545824
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-11 23:28 CEST by David Walser
Modified: 2018-11-11 22:10 CET

See Also:
Source RPM: iniparser-3.1-7.mga6.src.rpm
CVE:
Status comment:


Attachments
The example program I found (2.30 KB, text/x-csrc)
2018-11-03 16:15 CET, Brian Rockwell

Description David Walser 2018-09-11 23:28:29 CEST
Fedora has issued an advisory today (September 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JM5SZJJT2YKW6NSUEDTA7J4RSLYWP37D/

The issue is fixed upstream in 4.1.

Mageia 5 is also affected.
Comment 1 Marja Van Waes 2018-09-12 20:01:23 CEST
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable.

Note that, after council's decision last night, this cannot be fixed in Mga5.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11

Comment 2 José Jorge 2018-09-23 19:54:11 CEST
My padawan arek is working on it.

Status: NEW => ASSIGNED
Assignee: pkg-bugs => lists.jjorge
CC: (none) => lists.jjorge

Comment 3 David GEIGER 2018-09-23 20:03:41 CEST
For an update in a release distro you should use "%define subrel" and not bump the rel.
Comment 4 José Jorge 2018-09-23 21:45:48 CEST
(In reply to David GEIGER from comment #3)
> for an update in a release distro you should use "%define subrel" and not
> bump the rel.

Not in the case where cauldron has a higher version of the software, as here.
Comment 5 Arusekk K 2018-09-23 22:52:34 CEST
Advisory:
========================

Updated iniparser packages fix security vulnerability:

A flaw was found in iniparser versions prior to 4.1. A stack buffer underflow in the function iniparser_load() in the iniparser.c file can be triggered by parsing a file that contains a zero byte. This vulnerability may allow an attacker to cause a Denial of Service (DoS).

References:
https://github.com/ndevilla/iniparser/issues/68
https://bugzilla.redhat.com/show_bug.cgi?id=1545824
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JM5SZJJT2YKW6NSUEDTA7J4RSLYWP37D/
========================

Updated packages in core/updates_testing:
========================
iniparser-3.1-8.mga6
libiniparser0-3.1-8.mga6
libiniparser-devel-3.1-8.mga6

from iniparser-3.1-8.mga6.src.rpm

CC: (none) => arusekk
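
As an added illustration of the pattern the advisory describes (example code, not iniparser's source or anything from this bug report): a line buffer filled by fgets() that begins with a zero byte makes strlen() return 0, so a trailing-character trimmer that computes len = strlen(line) - 1 and skips only len == 0 goes on to index line[-1], one byte before the stack buffer. The hardened variant treats any len <= 0 as an empty line. The function names, the SKIP_LINE sentinel and the sample line bytes are this example's own.

```c
#include <stdio.h>
#include <string.h>
#define SKIP_LINE (-2)   /* sentinel: the line is treated as empty and skipped */

/* Vulnerable shape: index of the last char, skipping only when len == 0. A line
 * whose first byte is NUL gives strlen() == 0, len == -1, and line[-1] is read. */
static int last_index_vulnerable(const char *line)
{
    int len = (int)strlen(line) - 1;
    if (len == 0)
        return SKIP_LINE;
    return len;              /* -1 here is the stack buffer underflow */
}

/* Hardened shape: any len <= 0 is an empty line, so the index is always >= 1. */
static int last_index_fixed(const char *line)
{
    int len = (int)strlen(line) - 1;
    if (len <= 0)
        return SKIP_LINE;
    return len;
}

/* Reproduce what fgets() leaves for a constructed line starting with a zero byte:
 * it stops at '\n', not NUL, so the buffer holds "\0abc\n" but strlen() sees "". */
static size_t fill_line_with_leading_nul(char *buf, size_t sz)
{
    static const char raw[] = { '\0', 'a', 'b', 'c', '\n' };   /* constructed */
    size_t n = sizeof raw < sz ? sizeof raw : sz - 1;
    memcpy(buf, raw, n);
    buf[n] = '\0';
    return strlen(buf);      /* 0: the leading NUL hides the rest of the line */
}

/* Fill a stack buffer as above and return the index each variant would use. */
static int index_for_leading_nul_line(int use_fixed)
{
    char line[64];
    fill_line_with_leading_nul(line, sizeof line);
    return use_fixed ? last_index_fixed(line) : last_index_vulnerable(line);
}

int main(void)
{
    printf("vulnerable: %d (negative = read before buffer)\n", index_for_leading_nul_line(0));
    printf("fixed:      %d (%d = line skipped)\n", index_for_leading_nul_line(1), SKIP_LINE);
    return 0;
}
```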

Comment 6 David Walser 2018-09-24 04:45:38 CEST
(In reply to José Jorge from comment #4)
> (In reply to David GEIGER from comment #3)
> > for an update in a release distro you should use "%define subrel" and not
> > bump the rel.
> 
> Not in the case cauldron has an higher version of the software, as for here.

Incorrect.  You should use a subrel and not bump the rel, even in that case.
Comment 7 David Walser 2018-10-15 23:01:37 CEST
This never got assigned to QA.  Advisory and package list in Comment 5.

Assignee: lists.jjorge => qa-bugs

Comment 8 Brian Rockwell 2018-11-03 16:14:10 CET
$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



The following 2 packages are going to be installed:

- lib64iniparser-devel-3.1-8.mga6.x86_64
- lib64iniparser0-3.1-8.mga6.x86_64

-----------------------------

- I installed gcc
- found an example program that calls iniparser (see attached).

Compile and link via this command:

$ gcc iniexample.c -lm /usr/lib64/libiniparser.so.0 -o iniexamp

execute the program by

$ ./iniexamp

by default the program produces a file called example.ini.

You can cat the file by:

$ cat example.ini

I also tried it against an empty file

$ touch empty.ini

$ ./iniexamp empty.ini

It processes the empty file

I tried echoing null to the file (need some input here on echoing null)

$ echo $'\0' > empty.ini

Ran the program again - no issues

The library works

Whiteboard: (none) => MGA6_64_OK
CC: (none) => brtians1

Comment 9 Brian Rockwell 2018-11-03 16:15:38 CET
Created attachment 10447 [details]
The example program I found

I found the example at:  https://github.com/ndevilla/iniparser/blob/master/example/iniexample.c
Brian Rockwell 2018-11-03 16:16:16 CET

Whiteboard: MGA6_64_OK => MGA6-64-OK

Comment 10 Brian Rockwell 2018-11-08 22:15:15 CET
The following 2 packages are going to be installed:

- libiniparser-devel-3.1-8.mga6.i586
- libiniparser0-3.1-8.mga6.i586

37KB of additional disk space will be used.

26KB of packages will be retrieved.

Is it ok to continue?


------------

Compiled:

$ gcc iniexample.c -lm /usr/lib/libiniparser.so.0 -o iniexamp

Executed:

[brian@localhost ~]$ ./iniexamp
[pizza]=UNDEF
[pizza:ham]=[yes]
[pizza:mushrooms]=[TRUE]
[pizza:capres]=[0]
[pizza:cheese]=[Non]
[wine]=UNDEF
[wine:grape]=[Cabernet Sauvignon]
[wine:year]=[1989]
[wine:country]=[Spain]
[wine:alcohol]=[12.5]
Pizza:
Ham:       [1]
Mushrooms: [1]
Capres:    [0]
Cheese:    [0]
Wine:
Grape:     [Cabernet Sauvignon]
Year:      [1989]
Country:   [Spain]
Alcohol:   [12.5]


Working in 32-bit

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 11 Thomas Andrews 2018-11-09 21:55:22 CET
I prefer sausage and pepperoni on my pizza, but we'll let that one go. Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 12 Lewis Smith 2018-11-11 21:04:47 CET
Advisory done from comment 5. Note *no* CVE.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 13 Mageia Robot 2018-11-11 22:10:59 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0440.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

