openSUSE has issued an advisory on September 26: https://lists.opensuse.org/opensuse-updates/2019-09/msg00156.html The issue is fixed upstream in 7.80. Additionally, openSUSE fixed a regression from the previous fix (Bug 25262).
Status comment: (none) => Fixed upstream in 7.80
CC'ing Eliot who is starting to look at this.

Proposed diff is here: https://paste.debian.net/1146833/

It looks good. I'd like to see the subrel line moved to immediately above the mkrel line, since the previous committer unfortunately didn't put it there.

I'm looking at the openSUSE commit associated with this update:
https://build.opensuse.org/request/show/732262
reached from here:
https://build.opensuse.org/package/show/openSUSE:Leap:15.1:Update/nmap

It looks like we had a totally different patch (patches actually) for CVE-2018-15173. Perhaps we should add these patches from openSUSE:
nmap-7.70-CVE-2018-15173_pcre_limits.patch
nmap-7.70-fix_infinite_loop.patch
CC: (none) => CheeseEBoi
Here is a better diff with all of the necessary patches applied: https://paste.debian.net/1146909/

It has all of the patches and formatting suggestions David mentioned.
Thanks Elliot! Committed and submitted to the build system.
Status comment: Fixed upstream in 7.80 => (none)
Now that a patched package has been submitted to core/updates_testing, there are a few patches to test:

cve-2017-18594.patch: Create an SSH connection that is guaranteed to fail. There should be no "double free" nor a segfault.

cve-2018-15173.patch: Run "nmap -sV" while experiencing a crafted TCP-based denial of service attack. This should not result in a segfault.

infinite-loop.patch: Have a server force a protocol and not return TLS ALPN extension. This should no longer cause an infinite loop.

References:

2017-18594
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00075.html

2018-15173
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00073.html
https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00067.html
https://code610.blogspot.com/2018/07/crashing-nmap-760.html
https://code610.blogspot.com/2018/07/crashing-nmap-770.html

infinite-loop
https://github.com/nmap/nmap/commit/3b8b6516a7697d8b6d4cd87e253daa369fcdbf2a

Updated packages in core/updates_testing:
nmap-7.70-2.2.mga7.src.rpm
nmap-7.70-2.2.mga7.x86_64.rpm
nmap-debuginfo-7.70-2.2.mga7.x86_64.rpm
nmap-debugsource-7.70-2.2.mga7.x86_64.rpm
nmap-frontend-7.70-2.2.mga7.x86_64.rpm
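The three checks in the test plan above all boil down to the same QA question: does the patched nmap exit cleanly, or does it die by signal (the double free and the segfault) or never exit (the ALPN loop)? The script below is an added example of a small harness for that, written for this thread; it is not code from the Mageia bug, from the openSUSE update or from the nmap project. It assumes nmap is on PATH, that coreutils timeout(1) exists, and that TARGET points at a lab host you control which provides the conditions each patch describes (an SSH port that makes the session fail, a TLS service that forces a protocol without answering ALPN, and the crafted TCP replies for the -sV case); the host address and ports are constructed placeholders. Live scans run only when RUN_LIVE=1 is set, so the classification functions can be exercised on their own.

```shell
#!/bin/sh
# Added QA harness for the three regression checks in the test plan. Not code
# from the Mageia bug or the nmap project. Assumes nmap and coreutils timeout(1)
# are installed and that TARGET (constructed placeholder below) is a lab host
# you control that supplies the failing-SSH, crafted-TCP and no-ALPN conditions.

# Map a shell exit status to a word. Shells report death-by-signal as
# 128+signum: 134 is SIGABRT (glibc raises it on "double free detected"),
# 139 is SIGSEGV. coreutils timeout(1) returns 124 when it had to kill the
# child, which is how a hang shows up here.
exit_kind() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -eq 124 ]; then
        echo timeout
    elif [ "$1" -gt 128 ] && [ "$1" -lt 193 ]; then
        case $(($1 - 128)) in
            6)  echo SIGABRT ;;
            11) echo SIGSEGV ;;
            *)  echo "signal$(($1 - 128))" ;;
        esac
    else
        echo error
    fi
}

# A patched nmap may still exit non-zero (host down, port closed, script
# errors); only a signal death or a hang counts as a regression for these
# patches. Returns 0 (true) when the status indicates a regression.
is_regression() {
    case $(exit_kind "$1") in
        ok|error) return 1 ;;
        *)        return 0 ;;
    esac
}

# Run one check under a wall-clock limit and report it. Returns 1 on regression.
run_check() {
    name=$1; shift
    timeout 120 "$@" >/dev/null 2>&1
    status=$?
    kind=$(exit_kind "$status")
    printf '%-16s exit=%-3s %s\n' "$name" "$status" "$kind"
    if is_regression "$status"; then return 1; fi
    return 0
}

# Live checks only run when RUN_LIVE=1, so sourcing this file has no side effects.
run_live_checks() {
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed"; return 2; }
    TARGET=${TARGET:-192.0.2.10}   # constructed placeholder lab host
    rc=0
    # cve-2017-18594.patch: an SSH NSE script whose session is guaranteed to
    # fail must not double free (SIGABRT) or segfault.
    run_check ssh-double-free nmap -Pn -p 22 --script ssh-auth-methods "$TARGET" || rc=1
    # cve-2018-15173.patch: version detection must survive the crafted TCP
    # replies the lab host sends; a segfault here is the regression.
    run_check sV-no-segv nmap -Pn -sV -p 80 "$TARGET" || rc=1
    # infinite-loop.patch: a TLS server that forces a protocol and omits ALPN
    # must not make -sV spin forever; the 120 s limit in run_check catches that.
    run_check alpn-no-loop nmap -Pn -sV -p 443 "$TARGET" || rc=1
    return $rc
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Run it as `RUN_LIVE=1 TARGET=<lab host> sh nmap-regression.sh`; each line names the check, the raw exit status and its classification, and the script's own exit status is 1 if any check died by signal or timed out. Treating a plain non-zero exit as "error" rather than a failure is deliberate: the checks care about memory-safety regressions, not about whether the lab host happened to answer.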
Thanks again Elliot. For the advisory, it will usually describe the issues rather than the fix. I'll use yours as a starting point.

The CVE-2018-15173 issue was supposed to be fixed in a previous Mageia bug, though I'm not sure why we and openSUSE patched completely different things for it. I'll leave it out for now.

For CVE-2017-18594, I'll take the description from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1148742

For the package list, you don't need to include the debuginfo or debugsource.

Advisory:
========================

Updated nmap packages fix security vulnerability:

nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse (CVE-2017-18594).

Also, when a server forced a protocol and did not return TLS ALPN extension, this caused an infinite loop.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18594
https://github.com/nmap/nmap/commit/3b8b6516a7697d8b6d4cd87e253daa369fcdbf2a
https://lists.opensuse.org/opensuse-updates/2019-09/msg00156.html
========================

Updated packages in core/updates_testing:
========================
nmap-7.70-2.2.mga7
nmap-frontend-7.70-2.2.mga7

from nmap-7.70-2.2.mga7.src.rpm
Assignee: guillomovitch => qa-bugs
Installed and tested without issues.

Various tests of the nmap CLI and GUI on a LAN and a VPN. No issues noticed.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.6.8-desktop-1.mga7 #1 SMP Thu Apr 30 06:12:53 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep nmap
nmap-frontend-7.70-2.2.mga7
nmap-7.70-2.2.mga7
CC: (none) => mageia
MGA7-64 Plasma on Lenovo B50

No installation issues.

Ref bug 25262 for testing. Run nmapfe (runs zenmap) as root, scanning this laptop as localhost and from it scanning also my desktop. Reporting services and ports as I would expect. Running xnmap does the same call to zenmap.

OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0216.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED