Bug 24063 - keepalived new security issues CVE-2018-1904[4-6] and CVE-2018-19115
Summary: keepalived new security issues CVE-2018-1904[4-6] and CVE-2018-19115
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All, OS: Linux
Priority: Normal, Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-25 21:16 CET by David Walser
Modified: 2018-12-30 00:25 CET

See Also:
Source RPM: keepalived-1.2.24-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-12-25 21:16:18 CET
Fedora has issued an advisory on December 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YQ7NS6S7B7V2X5NEUJKMTNXL3YPD7H3/

The issues are fixed upstream in 2.0.10.
Comment 1 David GEIGER 2018-12-26 06:15:16 CET
Fixed for mga6!

CC: (none) => geiger.david68210

Comment 2 Marja Van Waes 2018-12-26 07:52:29 CET
Assigning to the registered maintainer

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 3 David Walser 2018-12-26 16:03:32 CET
Advisory:
========================

Updated keepalived package fixes security vulnerabilities:

keepalived before version 2.0.9 didn't check for pathnames with symlinks when
writing data to a temporary file upon a call to PrintData or PrintStats. This
allowed local users to overwrite arbitrary files if fs.protected_symlinks is set
to 0, as demonstrated by a symlink from /tmp/keepalived.data or
/tmp/keepalived.stats to /etc/passwd (CVE-2018-19044).

keepalived before version 2.0.9 used mode 0666 when creating new temporary
files upon a call to PrintData or PrintStats, potentially leaking sensitive
information (CVE-2018-19045).

keepalived before version 2.0.10 didn't check for existing plain files when
writing data to a temporary file upon a call to PrintData or PrintStats. If a
local attacker had previously created a file with the expected name (e.g.,
/tmp/keepalived.data or /tmp/keepalived.stats), with read access for the
attacker and write access for the keepalived process, then this potentially
leaked sensitive information (CVE-2018-19046).

keepalived before version 2.0.9 has a heap-based buffer overflow when parsing
HTTP status codes resulting in DoS or possibly unspecified other impact,
because extract_status_code in lib/html.c has no validation of the status code
and instead writes an unlimited amount of data to the heap (CVE-2018-19115).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19115
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YQ7NS6S7B7V2X5NEUJKMTNXL3YPD7H3/
========================

Updated packages in core/updates_testing:
========================
keepalived-2.0.10-1.mga6

from keepalived-2.0.10-1.mga6.src.rpm

Assignee: mageia => qa-bugs
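
The three temporary-file issues in the advisory (CVE-2018-19044, CVE-2018-19045, CVE-2018-19046) share one fix: create the dump file with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600, so that a pre-existing plain file or symlink at the name is refused and the new file is readable only by its owner. This is an added example, not keepalived's or Mageia's code; `open_dump_file`, `run_dump_file_checks` and the scratch directory under /tmp/dumpcheckXXXXXX are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a dump file, refusing any pre-existing plain file or symlink at
 * path (errno EEXIST) and making it owner-readable only. Returns fd or -1. */
int open_dump_file(const char *path)
{
    /* O_CREAT|O_EXCL fails if anything occupies the name, a dangling symlink
     * included; O_NOFOLLOW is defence in depth; 0600 replaces the old 0666. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    struct stat st;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Run the advisory's three scenarios in a private scratch directory
 * (constructed here): 0 if all behave as intended, else the failing check. */
int run_dump_file_checks(void)
{
    char dir[] = "/tmp/dumpcheckXXXXXX", path[64], target[64];
    struct stat st;
    int rc = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/keepalived.data", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    /* 1: a fresh name is created with mode 0600 (CVE-2018-19045) */
    fd = open_dump_file(path);
    if (fd < 0 || fstat(fd, &st) < 0 || (st.st_mode & 0777) != 0600) rc = 1;
    if (fd >= 0) close(fd);
    /* 2: a plain file already at the name is refused (CVE-2018-19046) */
    if (!rc && open_dump_file(path) != -1) rc = 2;
    unlink(path);
    /* 3: a symlink pointing at another file is refused, not followed (CVE-2018-19044) */
    close(open(target, O_WRONLY | O_CREAT, 0600));
    symlink(target, path);
    if (!rc && (open_dump_file(path) != -1 || errno != EEXIST)) rc = 3;
    unlink(path); unlink(target); rmdir(dir);
    return rc;
}
```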
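
For CVE-2018-19115 the defensive pattern is a bounded status-line parser: it accepts exactly three digits for the code and never reads or copies beyond the buffer it was handed. This is an added example written for this page, not keepalived's lib/html.c or its extract_status_code; `parse_http_status` and the sample lines in the test are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Parse the status code out of an HTTP status line held in buf[0..len).
 * Every step is bounded by len and the code field is exactly three digits,
 * so an oversized or malformed response cannot cause an out-of-bounds write.
 * Returns 100..599, or -1 if the line is not a well-formed status line. */
int parse_http_status(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    int code = 0;
    /* shortest acceptable line is "HTTP/1.1 200" */
    if (len < 12 || memcmp(p, "HTTP/", 5) != 0)
        return -1;
    p += 5;
    /* version: digits and dots, consumed only while inside the buffer */
    while (p < end && (isdigit((unsigned char)*p) || *p == '.'))
        p++;
    if (p == end || *p != ' ')
        return -1;
    p++;
    /* status code: exactly three ASCII digits */
    if (end - p < 3)
        return -1;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)p[i]))
            return -1;
        code = code * 10 + (p[i] - '0');
    }
    p += 3;
    /* the code must be followed by a separator or the end of the buffer */
    if (p < end && *p != ' ' && *p != '\r' && *p != '\n')
        return -1;
    return (code >= 100 && code <= 599) ? code : -1;
}
```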

Comment 4 Herman Viaene 2018-12-27 14:23:51 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
The only previous update I find is bug 4084; I quote from it:
"For testing, at least three systems are needed. Two servers and a client."

I don't have that many systems available (laptops not fit for Vbox either), so I assured that no network connections are affected by the installation (NFS-mount, internet connection).
Leaving it at that.

CC: (none) => herman.viaene

Comment 5 Lewis Smith 2018-12-28 10:54:30 CET
@David
In the light of Herman's comment above, would you agree 'clean update' for this one?

CC: (none) => lewyssmith

Comment 6 David Walser 2018-12-28 14:40:58 CET
That's probably fine. Checking for the security issues could be done by just running it on one computer, but since we updated rather than patched it, I think we can trust that they're fixed.
Comment 7 Lewis Smith 2018-12-29 21:20:03 CET
Thanks David. This is a big thing to drive, and the CVEs are several. It is a major version update.

Testing M6/64 clean update only

BEFORE update: keepalived-1.2.24-1.mga6
After installation:
 # systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor p
   Active: inactive (dead) since Sad 2018-12-29 20:53:17 CET; 3s ago
  Process: 4021 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited,
 Main PID: 4022 (code=exited, status=0/SUCCESS)

Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: IPVS: Pro
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: IPVS: Pro
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Using Lin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:12 localhost.localdomain Keepalived[4022]: pid 4024 exited with per
Rha 29 20:53:12 localhost.localdomain Keepalived[4022]: Stopping
 # systemctl stop keepalived

UPDATED without problem to: keepalived-2.0.10-1.mga6
 # systemctl status keepalived
O/P same as above except that here, the Process line is absent.

OKing & validating.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-12-30 00:25:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0494.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
