Bug 27608 - libmaxminddb new security issue CVE-2020-28241
Summary: libmaxminddb new security issue CVE-2020-28241
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-14 23:10 CET by David Walser
Modified: 2020-12-28 20:10 CET

See Also:
Source RPM: libmaxminddb-1.3.2-3.mga7.src.rpm
CVE: CVE-2020-28241
Status comment:


Description David Walser 2020-11-14 23:10:37 CET
Debian-LTS has issued an advisory on November 10:
https://www.debian.org/lts/security/2020/dla-2445

The issue is fixed upstream in 1.4.3.

Mageia 7 is also affected.

David Walser 2020-11-14 23:10:43 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-11-14 23:12:10 CET
Ubuntu has issued an advisory for this on November 12:
https://ubuntu.com/security/notices/USN-4631-1

Severity: normal => major

Comment 2 Lewis Smith 2020-11-15 19:55:22 CET
This looks good for Guillaume.

Assignee: bugsquad => guillomovitch

Comment 3 Guillaume Rousse 2020-11-22 16:49:12 CET
I just submitted libmaxminddb-1.3.2-3.1 to updates/testing, with a backported patch that should fix the issue.

Comment 4 David Walser 2020-11-22 18:55:39 CET
Advisory:
========================

Updated libmaxminddb packages fix security vulnerability:

libmaxminddb before 1.4.3 has a heap-based buffer over-read in
dump_entry_data_list in maxminddb.c (CVE-2020-28241).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28241
https://ubuntu.com/security/notices/USN-4631-1
========================

Updated packages in core/updates_testing:
========================
libmaxminddb0-1.3.2-3.1.mga7
libmaxminddb-devel-1.3.2-3.1.mga7

from libmaxminddb-1.3.2-3.1.mga7.src.rpm

CC: (none) => guillomovitch
Version: Cauldron => 7
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 5 Herman Viaene 2020-11-24 11:01:01 CET
MGA7-64 MATE on Peaq C1011
No installation issues
No previous updates, so hunting
# urpmq --whatrequires lib64maxminddb0
lib64maxminddb-devel
lib64maxminddb0
ntopng
syslog-ng
wireshark-tools
Installed wireshark and wireshark-tools
Traced a run of wireshark capturing and found

stat("/root/.config/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
stat("/usr/share/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
But in Wireshark I don't find any mention of handling maxmind files.
This confirms to me there is something, then checking the wireshark-tools commands:
using capture file from wireshark
$ mmdbresolve -f dora2.pcapng 
[init]
db.0.path: dora2.pcapng
db.0.status: ERROR The MaxMind DB file contains invalid metadata
mmdbresolve.status: false
# End init
That could be expected
$ strace -o maxmind.txt capinfos dora.pcapng 
File name:           dora.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  nanoseconds (9)
etc ....
but the trace file shows nothing like maxmind.
Googled on maxmind, but that's all a separate career.
Leaving to someone else, unless there is agreement on clean install.

CC: (none) => herman.viaene

Zombie Ryushu 2020-12-08 00:53:08 CET

CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-28241

Comment 6 Len Lawrence 2020-12-18 17:31:52 CET
Adding this to back up Herman's test.

# strace -o ntopng.trace ntopng -i enp3s0
$ grep maxmind ntopng.trace
process_vm_readv(19289, [{iov_base="          /usr/lib64/libmaxmindd"..., iov_len=4096}], 1, [{iov_base=0x1ff0000, iov_len=4096}], 1, 0) = 4096
process_vm_readv(19289, [{iov_base="          /usr/lib64/libmaxmindd"..., iov_len=4096}], 1, [{iov_base=0x1ff0000, iov_len=4096}], 1, 0) = 4096

Updated the two packages.

$ ntopng -i enp3s0 > monitor.eth0
$ cat monitor.eth0
18/Dec/2020 16:19:05 [Ntop.cpp:1902] Setting local networks to 127.0.0.0/8
18/Dec/2020 16:19:05 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:19:05 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:19:05 [NetworkDiscovery.cpp:44] ERROR: Unable to create pcap socket on enp3s0 [1/Operation not permitted]
18/Dec/2020 16:19:05 [main.cpp:239] ERROR: An exception occurred during enp3s0 interface creation[1]: Operation not permitted
18/Dec/2020 16:

# ntopng -i enp3s0 > monitor.eth0
^C
# chown lcl:lcl monitor.eth0
$ cat monitor.eth0
18/Dec/2020 16:23:13 [Ntop.cpp:1902] Setting local networks to 127.0.0.0/8
18/Dec/2020 16:23:13 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:23:13 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:23:13 [PcapInterface.cpp:93] Reading packets from interface enp3s0...
18/Dec/2020 16:23:13 [Ntop.cpp:1996] Registered interface enp3s0 [id: 1]
18/Dec/2020 16:23:13 [main.cpp:308] PID stored in file /var/run/ntopng/ntopng.pid
18/Dec/2020 16:23:13 [Utils.cpp:592] User changed to ntopng
18/Dec/2020 16:23:13 [HTTPserver.cpp:1198] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
18/Dec/2020 16:23:13 [HTTPserver.cpp:1201] HTTP server listening on 3000
[...]
18/Dec/2020 16:24:25 [HTTPserver.cpp:1224] HTTP server terminated
18/Dec/2020 16:24:25 [NetworkInterface.cpp:590] Flushing host contacts for interface enp3s0
18/Dec/2020 16:24:25 [NetworkInterface.cpp:2606] Cleanup interface enp3s0
18/Dec/2020 16:24:25 [AddressResolution.cpp:61] Address resolution stats [1 resolved][0 failures]

Giving this the go-ahead.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
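
The tests in comments 5 and 6 rely on strace to see whether a program touches libmaxminddb at all. As an added example (not part of the bug report or of any Mageia tooling), the script below answers the same question from `/proc/<pid>/maps`, and also flags processes still running the pre-update copy of the library, which the kernel marks with a trailing ` (deleted)` once the package has replaced the file. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads /proc/<pid>/maps text on stdin.
# Prints: "stale"   if libmaxminddb is mapped from a file since replaced on disk,
#         "current" if it is mapped from the file now on disk,
#         "none"    if the library is not mapped at all.
classify_maps() {
    awk '
        /libmaxminddb\.so/ { found = 1; if ($0 ~ /\(deleted\)$/) stale = 1 }
        END { print (stale ? "stale" : (found ? "current" : "none")) }'
}

# Walk a proc-style tree (default /proc; run as root to see other users'
# processes) and list "pid name state" for each process mapping the library.
scan_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        state=$(classify_maps 2>/dev/null < "$maps") || continue
        case $state in none) continue ;; esac
        pid=${maps%/maps}; pid=${pid##*/}
        name=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$name" "$state"
    done
}

# Constructed sample tree: three fake processes (PIDs, addresses and inode
# numbers are made up) so the functions can be tried without a live system.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/4101" "$d/4102" "$d/4103"
    echo ntopng > "$d/4101/comm"
    echo '7f1c2a000000-7f1c2a006000 r-xp 00000000 08:02 131 /usr/lib64/libmaxminddb.so.0 (deleted)' > "$d/4101/maps"
    echo mmdbresolve > "$d/4102/comm"
    echo '7f9b10000000-7f9b10006000 r-xp 00000000 08:02 977 /usr/lib64/libmaxminddb.so.0' > "$d/4102/maps"
    echo capinfos > "$d/4103/comm"
    echo '7f3300000000-7f33001c0000 r-xp 00000000 08:02 55 /usr/lib64/libc-2.29.so' > "$d/4103/maps"
    echo "$d"
}

# Demo on the constructed tree; on a real host call scan_procs with no argument.
sample=$(make_sample)
scan_procs "$sample"
rm -rf "$sample"
```

A process reported as `stale` keeps executing the old library code until it is restarted, so the update only takes effect for it after a restart.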

Comment 7 Aurelien Oudelet 2020-12-19 16:42:00 CET
Thanks, validating
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Aurelien Oudelet 2020-12-22 11:42:48 CET

Source RPM: libmaxminddb-1.4.2-2.mga8.src.rpm => libmaxminddb-1.3.2-3.mga7.src.rpm

Comment 8 David Walser 2020-12-26 17:56:24 CET
Fedora has issued an advisory for this today (December 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WUK4UCOB5FJVK36E22IRLEYGKMUWGBG/

Comment 9 Mageia Robot 2020-12-28 20:10:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0471.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

