Bug 28158 - guacd new security issue CVE-2020-11997
Summary: guacd new security issue CVE-2020-11997
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: feedback
Keywords:
Depends on:
Blocks: 27593
Reported: 2021-01-18 17:03 CET by David Walser
Modified: 2021-03-19 10:18 CET

See Also:
Source RPM: guacd-0.6.0-5.mga7.src.rpm
CVE: CVE-2018-1340, CVE-2020-9497, CVE-2020-9498, CVE-2020-11997
Status comment:


Description David Walser 2021-01-18 17:03:42 CET
Apache has issued an advisory today (January 18):
https://www.openwall.com/lists/oss-security/2021/01/18/1

I'm not entirely sure whether the server, client, or both are affected.

guacd (server) is in Cauldron and Mageia 7, guacamole-client only in Mageia 7.

The issue is fixed upstream in 1.3.0.
David Walser 2021-01-18 17:03:54 CET

Status comment: (none) => Fixed upstream in 1.3.0
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2021-01-18 17:42:03 CET
cauldron Freeze push asked.

CC: (none) => mageia

Comment 2 Aurelien Oudelet 2021-01-18 22:00:21 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => mageia

Comment 3 Nicolas Lécureuil 2021-01-19 09:23:19 CET
fixed in cauldron

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 Nicolas Lécureuil 2021-02-15 15:50:15 CET
new guacd available on mga 7 updates_testing.

It has 2 packages:

util-linux and ossp_uuid


They are needed because before the 2 were conflicting, now they are like in cauldron coinstallable.

( as guacd needs ossp_uuid ).
Nicolas Lécureuil 2021-02-15 15:50:34 CET

Assignee: mageia => qa-bugs

Comment 5 Nicolas Lécureuil 2021-02-15 15:52:12 CET
Sorry, I only pushed 1.2.0.

I will look if I can push 1.3.0

Assignee: qa-bugs => mageia

Comment 6 Nicolas Lécureuil 2021-02-16 22:25:20 CET
src:
guacd-1.3.0-1.mga7

Assignee: mageia => qa-bugs

David Walser 2021-02-16 22:29:19 CET

Blocks: (none) => 27593

Comment 7 David Walser 2021-02-16 22:31:47 CET
What about guacamole-client?

Also, it looks like three packages (at least) and three bugs are involved.  We need more of an explanation of what all is being updated, as well as a package list.
Comment 8 Nicolas Lécureuil 2021-02-17 07:23:58 CET
yes sorry it was on the other bugreport.


src:
    guacd-1.3.0-1.mga7
    util-linux-2.33.2-1.1.mga7
    ossp_uuid-1.6.2-21.1.mga7


rpms:
    guacd-1.3.0-1.mga7     
    libguac-client-kubernetes0-1.3.0-1.mga7 
    libguac-client-telnet0-1.3.0-1.mga7 
    libguac-devel-1.3.0-1.mga7
    libguac19-1.3.0-1.mga7 
    libguac-client-ssh0-1.3.0-1.mga7       
    libguac-client-vnc0-1.3.0-1.mga7
    libblkid1-2.33.2-1.1.mga7
    libmount1-2.33.2-1.1.mga7      
    libuuid1-2.33.2-1.1.mga7     
    uuidd-2.33.2-1.1.mga7
    libblkid-devel-2.33.2-1.1.mga7 
    libmount-devel-2.33.2-1.1.mga7     
    libuuid-devel-2.33.2-1.1.mga7
    libfdisk1-2.33.2-1.1.mga7       
    libsmartcols1-2.33.2-1.1.mga7      
    python-libmount-2.33.2-1.1.mga7
    libfdisk-devel-2.33.2-1.1.mga7
    libsmartcols-devel-2.33.2-1.1.mga7
    util-linux-2.33.2-1.1.mga7
    libossp_uuid16-1.6.2-21.1.mga7  
    libossp_uuid-devel-1.6.2-21.1.mga7  
    ossp_uuid-1.6.2-21.1.mga7  
    perl-OSSP-uuid-1.6.2-21.1.mga7


Advisory:
    This is an update of guacd to latest version to fix security issues.
    We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.



Guacamole client can't be updated as it is in Java and we don't have the required deps.
What about creating a metapackage with README.urpmi explaining how to install it from guacamole website?
Comment 9 David Walser 2021-02-17 08:12:00 CET
Did you verify which package is actually affected by the CVE in this bug?
Comment 10 Nicolas Lécureuil 2021-02-17 09:05:45 CET
this is guacd: https://security-tracker.debian.org/tracker/CVE-2020-11997
Comment 11 David Walser 2021-02-18 05:13:47 CET
Will need a more fleshed out advisory, but this update will fix:
https://bugs.mageia.org/show_bug.cgi?id=24509
https://bugs.mageia.org/show_bug.cgi?id=27593
https://bugs.mageia.org/show_bug.cgi?id=28158

Source RPM: guacd-1.2.0-1.mga8.src.rpm, guacamole-client-0.9.8-5.mga7.src.rpm => guacd-0.6.0-5.mga7.src.rpm
Status comment: Fixed upstream in 1.3.0 => (none)
Summary: guacd / guacamole-client new security issue CVE-2020-11997 => guacd new security issue CVE-2020-11997

Comment 12 Herman Viaene 2021-02-18 11:48:03 CET
MGA7-64 MATE on PeaqC1011
No installation issues.
At CLI:
# systemctl -l status guacd
● guacd.service - Guacamole proxy daemon
   Loaded: loaded (/usr/lib/systemd/system/guacd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:guacd(8)

# systemctl  start guacd
# systemctl -l status guacd
● guacd.service - Guacamole proxy daemon
   Loaded: loaded (/usr/lib/systemd/system/guacd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-18 11:27:18 CET; 5s ago
     Docs: man:guacd(8)
 Main PID: 13672 (guacd)
    Tasks: 1 (limit: 2285)
   Memory: 10.5M
   CGroup: /system.slice/guacd.service
           └─13672 /usr/sbin/guacd -f

Feb 18 11:27:18 mach7.hviaene.thuis systemd[1]: Started Guacamole proxy daemon.
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: Guacamole proxy daemon (guacd) version 1.3.0 started
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: guacd[13672]: INFO:        Guacamole proxy daemon (guacd) version 1.3.0 started
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: guacd[13672]: INFO:        Listening on host 127.0.0.1, port 4822
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: Listening on host 127.0.0.1, port 4822
 
Now trying to do something with it. Googled "tutorial guacd" and found
https://www.howtoforge.com/how-to-install-and-configure-guacamole-on-ubuntu-1804/
and
https://guacamole.apache.org/doc/gug/users-guide.html
I wish whoever wants to try this good luck.

CC: (none) => herman.viaene

Comment 13 Aurelien Oudelet 2021-02-19 10:33:43 CET Comment hidden (obsolete)

CVE: (none) => CVE-2020-11997

Comment 14 David Walser 2021-02-19 11:10:46 CET
Suggested advisory is missing the CVE from this bug and an explanation for the other updated packages.
Comment 15 Aurelien Oudelet 2021-02-19 11:20:48 CET Comment hidden (obsolete)

CVE: CVE-2020-11997 => CVE-2018-1340, CVE-2020-9497, CVE-2020-9498, CVE-2020-11997

Comment 16 Nicolas Lécureuil 2021-02-19 12:13:22 CET
not 

This is an update of guacd to latest version to fix security issues.
We also updated util-linux and ossp_uuid to make them co uninstallable as guacd
requires ossp_uuid.


but 

This is an update of guacd to latest version to fix security issues.
We also updated util-linux and ossp_uuid to make them co installable as guacd
requires ossp_uuid.



we want them "co installable"
Comment 17 Aurelien Oudelet 2021-02-19 13:20:19 CET
Oh the messed up typo there... thanks for pinpointing it!

Really fixing it now:


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain. (CVE-2018-1340).

Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection. (CVE-2020-9497).

Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. (CVE-2020-9498).

Apache Guacamole 1.2.0 and older do not consistently restrict access
to connection history based on user visibility. If multiple users
share access to the same connection, those users may be able to see
which other users have accessed that connection, as well as the IP
addresses from which that connection was accessed, even if those users
do not otherwise have permission to see other users. (CVE-2020-11997).

This is an update of guacd to latest version to fix security issues.
We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.

References:
https://bugs.mageia.org/show_bug.cgi?id=28158
https://bugs.mageia.org/show_bug.cgi?id=24509
https://bugs.mageia.org/show_bug.cgi?id=27593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RWZPQ7FRP73BVKOQK27XV6TX47TT3R/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
https://www.openwall.com/lists/oss-security/2021/01/18/1
========================

Updated package in core/updates_testing:
========================
guacd-1.3.0-1.mga7     
libguac-client-kubernetes0-1.3.0-1.mga7 
libguac-client-telnet0-1.3.0-1.mga7 
libguac19-1.3.0-1.mga7 
libguac-client-ssh0-1.3.0-1.mga7       
libguac-client-vnc0-1.3.0-1.mga7
libblkid1-2.33.2-1.1.mga7
libmount1-2.33.2-1.1.mga7      
libuuid1-2.33.2-1.1.mga7     
uuidd-2.33.2-1.1.mga7
libblkid-devel-2.33.2-1.1.mga7 
libuuid-devel-2.33.2-1.1.mga7
libfdisk1-2.33.2-1.1.mga7       
libsmartcols1-2.33.2-1.1.mga7      
python-libmount-2.33.2-1.1.mga7
libfdisk-devel-2.33.2-1.1.mga7
libsmartcols-devel-2.33.2-1.1.mga7
util-linux-2.33.2-1.1.mga7
libossp_uuid16-1.6.2-21.1.mga7  
libossp_uuid-devel-1.6.2-21.1.mga7  
ossp_uuid-1.6.2-21.1.mga7  
perl-OSSP-uuid-1.6.2-21.1.mga7

from SRPM:
guacd-1.3.0-1.mga7
util-linux-2.33.2-1.1.mga7
ossp_uuid-1.6.2-21.1.mga7
Comment 18 Brian Rockwell 2021-03-18 16:09:51 CET
I took a stab at this without successfully getting it to work.  Seems to be a major project.

Everything appeared to install - had to install a ton of stuff.  Note the guac tool requires tomcat and did not have a dependency.  I had to manually choose that.


installs, but I could not validate.

--- -

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 16 packages are going to be installed:

- glibc-2.29-22.mga7.x86_64
- guacd-1.3.0-1.mga7.x86_64
- lib64blkid1-2.33.2-1.1.mga7.x86_64
- lib64guac-client-ssh0-1.3.0-1.mga7.x86_64
- lib64guac-client-telnet0-1.3.0-1.mga7.x86_64
- lib64guac-client-vnc0-1.3.0-1.mga7.x86_64
- lib64guac19-1.3.0-1.mga7.x86_64
- lib64mount1-2.33.2-1.1.mga7.x86_64
- lib64ossp_uuid16-1.6.2-21.1.mga7.x86_64
- lib64smartcols1-2.33.2-1.1.mga7.x86_64
- lib64telnet2-0.21-7.mga7.x86_64
- lib64uuid1-2.33.2-1.1.mga7.x86_64
- lib64vncserver1-0.9.13-1.mga7.x86_64
- ossp_uuid-1.6.2-21.1.mga7.x86_64
- perl-OSSP-uuid-1.6.2-21.1.mga7.x86_64
- util-linux-2.33.2-1.1.mga7.x86_64

1.7MB of additional disk space will be used.


Installed a bunch more for the server then added the following

The following 61 packages are going to be installed:

- aopalliance-1.0-16.mga7.noarch
- apache-commons-codec-1.11-2.mga7.noarch
- atinject-1-21.20100611svn86.6.mga7.noarch
- bea-stax-api-1.2.0-16.mga7.noarch
- bytelist-1.0.8-14.mga7.noarch
- cglib-3.2.4-4.mga7.noarch
- freemarker-2.3.28-2.mga7.noarch
- geronimo-annotation-1.0-21.mga7.noarch
- geronimo-interceptor-1.0.1-17.mga7.noarch
- geronimo-validation-1.1-17.mga7.noarch
- glassfish-fastinfoset-1.2.13-8.mga7.noarch
- glassfish-gmbal-3.2.0-0.9.b006.mga7.noarch
- glassfish-jaxb-api-2.2.12-8.mga7.noarch
- glassfish-jaxb-core-2.2.11-8.mga7.noarch
- glassfish-jaxb-runtime-2.2.11-8.mga7.noarch
- glassfish-jaxb-txw2-2.2.11-8.mga7.noarch
- glassfish-management-api-3.2.1-0.3.b005.mga7.noarch
- glassfish-pfl-3.2.0-0.10.b004.mga7.noarch
- glassfish-servlet-api-3.1.0-13.mga7.noarch
- google-guice-4.1-9.mga7.noarch
- grizzly-2.3.24-3.mga7.noarch
- guacamole-0.9.8-5.mga7.noarch
- guava20-20.0-3.mga7.noarch
- guice-servlet-4.1-9.mga7.noarch
- hibernate-jpa-2.0-api-1.0.1-20.mga7.noarch
- httpcomponents-client-4.5.5-1.1.mga7.noarch
- httpcomponents-core-4.4.10-1.mga7.noarch
- istack-commons-runtime-2.21-7.mga7.noarch
- jackson-1.9.11-14.mga7.noarch
- jakarta-commons-httpclient-3.1-26.mga7.noarch
- jboss-el-2.2-api-1.0.2-7.mga7.noarch
- jcodings-1.0.9-12.mga7.noarch
- jersey1-1.19-10.mga7.noarch
- jersey1-contribs-1.19-10.mga7.noarch
- jettison-1.3.7-5.mga7.noarch
- joda-time-2.9.9-3.tzdata2017b.1.mga7.noarch
- jquery-1.12.4-1.mga6.noarch
- jsr-311-1.1.1-14.mga7.noarch
- liblog4j12-java-1.2.17-19.mga7.noarch
- logback-1.1.7-3.mga7.noarch
- mimepull-1.9.6-5.mga7.noarch
- objectweb-asm-6.2.1-4.mga7.noarch
- objectweb-asm3-3.3.1-15.mga7.noarch
- publicsuffix-list-20190417-1.mga7.noarch
- relaxngDatatype-2011.1-6.mga7.noarch
- slf4j-1.7.25-1.mga7.noarch
- slf4j-jcl-1.7.25-1.mga7.noarch
- springframework-3.2.18-2.mga7.noarch
- springframework-aop-3.2.18-2.mga7.noarch
- springframework-beans-3.2.18-2.mga7.noarch
- springframework-context-3.2.18-2.mga7.noarch
- springframework-expression-3.2.18-2.mga7.noarch
- springframework-web-3.2.18-2.mga7.noarch
- stax-ex-1.7.7-8.mga7.noarch
- stax2-api-4.0.0-1.mga7.noarch
- web-assets-filesystem-5-4.mga7.noarch
- xalan-j2-2.7.1-35.mga7.noarch
- xerces-j2-2.11.0-29.mga7.noarch
- xml-commons-resolver-1.2-22.mga7.noarch
- xmlstreambuffer-1.5.4-7.mga7.noarch
- xsom-0-15.20110809svn.3.mga7.noarch

Whiteboard: (none) => feedback
CC: (none) => brtians1

Comment 19 Dave Hodgins 2021-03-19 05:19:47 CET
I also finally got around to starting testing ...
On M7 i586
libossp_uuid-devel-1.6.2-21.mga7.i586 (due to conflicts with libuuid-devel-2.33.2-1.mga7.i586)

On M7 x86_64
A requested package cannot be installed:
lib64ossp_uuid-devel-1.6.2-21.mga7.x86_64 (due to conflicts with lib64uuid-devel-2.33.2-1.mga7.x86_64)

CC: (none) => davidwhodgins

Comment 20 David Walser 2021-03-19 05:37:45 CET
Those are supposed to conflict.  Remove whichever one you have installed.
Comment 21 Nicolas Lécureuil 2021-03-19 09:39:14 CET
(In reply to David Walser from comment #20)
> Those are supposed to conflict.  Remove whichever one you have installed.

they were, this is supposed to be fixed.
Comment 22 Dave Hodgins 2021-03-19 10:18:26 CET
Just realized the error I found was while I was installing the pre-update
packages in preparation for ensuring a clean update.

I'll force the packages to install and then test the update later today
after I get some sleep. Sorry for the mistake.
