Debian-LTS has issued an advisory on November 10:
https://www.debian.org/lts/security/2020/dla-2445

The issue is fixed upstream in 1.4.3.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Ubuntu has issued an advisory for this on November 12: https://ubuntu.com/security/notices/USN-4631-1
Severity: normal => major
This looks good for Guillaume.
Assignee: bugsquad => guillomovitch
I just submitted libmaxminddb-1.3.2-3.1 to updates/testing, with a backported patch that should fix the issue.
Advisory:
========================

Updated libmaxminddb packages fix security vulnerability:

libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c (CVE-2020-28241).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28241
https://ubuntu.com/security/notices/USN-4631-1
========================

Updated packages in core/updates_testing:
========================
libmaxminddb0-1.3.2-3.1.mga7
libmaxminddb-devel-1.3.2-3.1.mga7

from libmaxminddb-1.3.2-3.1.mga7.src.rpm
CC: (none) => guillomovitch
Version: Cauldron => 7
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA7TOO => (none)
MGA7-64 MATE on Peaq C1011
No installation issues
No previous updates, so hunting
# urpmq --whatrequires lib64maxminddb0
lib64maxminddb-devel
lib64maxminddb0
ntopng
syslog-ng
wireshark-tools
Installed wireshark and wireshark-tools
Traced a run of wireshark capturing and found
stat("/root/.config/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
stat("/usr/share/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
But in Wireshark I don't find any mention of handling maxmind files.
This confirms to me there is something, then checking the wireshark-tools commands:
using capture file from wireshark
$ mmdbresolve -f dora2.pcapng
[init]
db.0.path: dora2.pcapng
db.0.status: ERROR The MaxMind DB file contains invalid metadata
mmdbresolve.status: false
# End init
That could be expected
$ strace -o maxmind.txt capinfos dora.pcapng
File name: dora.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: nanoseconds (9)
etc ....
but the trace file shows nothing like maxmind.
Googled on maxmind, but that's all a separate career.
Leaving to someone else, unless there is agreement on clean install.
CC: (none) => herman.viaene
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-28241
Adding this to back up Herman's test.
# strace -o ntopng.trace ntopng -i enp3s0
$ grep maxmind ntopng.trace
process_vm_readv(19289, [{iov_base=" /usr/lib64/libmaxmindd"..., iov_len=4096}], 1, [{iov_base=0x1ff0000, iov_len=4096}], 1, 0) = 4096
process_vm_readv(19289, [{iov_base=" /usr/lib64/libmaxmindd"..., iov_len=4096}], 1, [{iov_base=0x1ff0000, iov_len=4096}], 1, 0) = 4096

Updated the two packages.
$ ntopng -i enp3s0 > monitor.eth0
$ cat monitor.eth0
18/Dec/2020 16:19:05 [Ntop.cpp:1902] Setting local networks to 127.0.0.0/8
18/Dec/2020 16:19:05 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:19:05 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:19:05 [NetworkDiscovery.cpp:44] ERROR: Unable to create pcap socket on enp3s0 [1/Operation not permitted]
18/Dec/2020 16:19:05 [main.cpp:239] ERROR: An exception occurred during enp3s0 interface creation[1]: Operation not permitted
18/Dec/2020 16:
# ntopng -i enp3s0 > monitor.eth0
^C
# chown lcl:lcl monitor.eth0
$ cat monitor.eth0
18/Dec/2020 16:23:13 [Ntop.cpp:1902] Setting local networks to 127.0.0.0/8
18/Dec/2020 16:23:13 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:23:13 [Redis.cpp:127] Successfully connected to redis 127.0.0.1:6379@0
18/Dec/2020 16:23:13 [PcapInterface.cpp:93] Reading packets from interface enp3s0...
18/Dec/2020 16:23:13 [Ntop.cpp:1996] Registered interface enp3s0 [id: 1]
18/Dec/2020 16:23:13 [main.cpp:308] PID stored in file /var/run/ntopng/ntopng.pid
18/Dec/2020 16:23:13 [Utils.cpp:592] User changed to ntopng
18/Dec/2020 16:23:13 [HTTPserver.cpp:1198] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
18/Dec/2020 16:23:13 [HTTPserver.cpp:1201] HTTP server listening on 3000
[...]
18/Dec/2020 16:24:25 [HTTPserver.cpp:1224] HTTP server terminated
18/Dec/2020 16:24:25 [NetworkInterface.cpp:590] Flushing host contacts for interface enp3s0
18/Dec/2020 16:24:25 [NetworkInterface.cpp:2606] Cleanup interface enp3s0
18/Dec/2020 16:24:25 [AddressResolution.cpp:61] Address resolution stats [1 resolved][0 failures]

Giving this the go-ahead.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
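One way to read an strace log from a test run like the two above and tell whether the program only loaded libmaxminddb or also opened a database file. This is an added example, not part of the original thread; the sample trace (including the GeoLite2 path) is constructed, and matching databases by a `.mmdb` suffix is an assumption.

```shell
#!/bin/sh
# Added example: summarise what an strace log says about libmaxminddb use.
# Output fields:
#   lib_loaded    - the shared library was opened successfully
#   db_opened     - number of *.mmdb files opened successfully (heuristic)
#   failed_probes - maxmind-related paths the program looked for but did not find
classify_trace() {
    awk '
        # Path-taking syscalls, with or without the PID prefix that strace -f adds.
        /^([0-9]+ +)?(open|openat|stat|access)\(/ {
            failed = ($0 ~ /= -1 /)
            if ($0 ~ /libmaxminddb\.so/ && !failed) lib = 1
            else if ($0 ~ /\.mmdb"/ && !failed) db++
            else if ($0 ~ /maxmind|\.mmdb"/ && failed) probes++
        }
        END {
            printf "lib_loaded=%s db_opened=%d failed_probes=%d\n",
                   (lib ? "yes" : "no"), db, probes
        }
    ' "$1"
}

# Constructed sample: library loaded, config and database lookups all fail.
make_sample_trace() {
    cat > "$1" <<'EOF'
openat(AT_FDCWD, "/usr/lib64/libmaxminddb.so.0", O_RDONLY|O_CLOEXEC) = 3
stat("/root/.config/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
stat("/usr/share/wireshark/maxmind_db_paths", 0x7ffd1891e3c0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/GeoIP/GeoLite2-City.mmdb", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# Stand-alone use: sh classify.sh some.trace
if [ $# -gt 0 ]; then
    classify_trace "$1"
fi
```

A result of lib_loaded=yes with db_opened=0 means the run confirms the package installs and links cleanly, but no database was read during that run.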
Thanks, validating.
Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
Source RPM: libmaxminddb-1.4.2-2.mga8.src.rpm => libmaxminddb-1.3.2-3.mga7.src.rpm
Fedora has issued an advisory for this today (December 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WUK4UCOB5FJVK36E22IRLEYGKMUWGBG/
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0471.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED