Bug 28321 - connman new security issues CVE-2021-26675 and CVE-2021-26676
Summary: connman new security issues CVE-2021-26675 and CVE-2021-26676
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: advisory
Duplicates: 28381
Depends on:
Blocks:
 
Reported: 2021-02-08 16:39 CET by David Walser
Modified: 2021-04-14 17:15 CEST

See Also:
Source RPM: connman-1.37-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2021-02-08 16:39:38 CET
SUSE has announced security issues fixes upstream in connman:
https://www.openwall.com/lists/oss-security/2021/02/08/2

Mageia 7 is also affected.
David Walser 2021-02-08 16:39:50 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patches available from upstream

Comment 1 Aurelien Oudelet 2021-02-08 17:37:33 CET
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => geiger.david68210, jani.valimaa, ouaurelien
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2021-02-08 18:04:31 CET
Freeze push asked to add the two upstream patches!
Comment 3 David GEIGER 2021-02-10 04:24:51 CET
Done for both mga8 and mga7 in Core/updates_testing repo!
Comment 4 David Walser 2021-02-10 16:35:30 CET
Since we're apparently not allowed to fix anything else before the Mageia 8 release, this will have to wait and be re-pushed later.

Saving the Mageia 7 package list:
connman-1.37-1.1.mga7
connman-devel-1.37-1.1.mga7

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Status comment: Patches available from upstream => Patched in SVN

Comment 5 David GEIGER 2021-02-11 07:03:06 CET
If it is tested on mga8 it can be moved to Core/Release, so please if someone can test it, thanks in advance!
Comment 6 Thomas Backlund 2021-02-11 08:46:20 CET
Things can still be fixed, but as we are past release freeze I demand at least some actual testing to be done before allowing the changes in.

I'm trying to ensure a stable final release process

and you know just as well as me that just because something builds does not actually always mean it works, and I don't want to introduce more breakages in a stable tree at this point...

yes, there can still be some subtle bugs showing up, but at least the most obvious issues should hopefully show up with some testing
Comment 7 Aurelien Oudelet 2021-02-11 16:03:06 CET
M8 Plasma x86_64
Note that network OK over WiFi with existing net_applet.

need to disable it for this.
See: https://wiki.mageia.org/en/Switching_to_networkmanager for command on how to deactivate legacy network scripts and DO NOT install/activate NetworkManager.
Deactivate net_applet with right-click on it.

# urpmi connman 
connman-1.38-1.mga8 with core/release

# systemctl start connman.service

# connmanctl enable wifi
# connmanctl scan wifi
To list the available networks 

$ connmanctl
connmanctl> scan wifi
connmanctl> services
connmanctl> agent on
connmanctl> connect wifi_CENSORED_managed_psk

Agent RequestInput wifi_CENSORED_managed_psk
  Passphrase = [ Type=psk, Requirement=mandatory ]
  Passphrase?  

connmanctl> quit

# systemctl enable connman.service
# systemctl enable connman-wait-online.service

WiFi OK, running. Carrying over a reboot. WiFi OK

Then,
Use QA Repo to install connman-1.38-2.mga8.x86_64.rpm from 8/updates_testing
Install OK.

Same functionality. No errors.

Basic functionalities are OK.
Returning to the Security Vulnerability,
A remote (adjacent network) code execution flaw was reported in
connman: a stack buffer overflow that can be used to execute code by network adjacent attackers;
and a remote stack information leak which can be used to help execute the first reliably. 2 vulnerabilities. Beyond the scope of my understanding.
Fixes are publicly committed in kernel.org git.

So an OK on this, based on installing and updating.
Comment 8 David Walser 2021-02-11 17:15:47 CET
Thanks Aurélien.  Please comment on the freeze push/move request for this package on the dev ml that you've successfully tested it.
Comment 9 Thomas Backlund 2021-02-19 14:07:17 CET
*** Bug 28381 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 10 David Walser 2021-02-26 16:30:48 CET
Debian has issued an advisory for this on February 8:
https://www.debian.org/security/2021/dsa-4847
Comment 11 Nicolas Lécureuil 2021-02-27 01:10:02 CET
seems pushed on the BS

Status comment: Patched in SVN => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia

Comment 12 David Walser 2021-02-27 01:11:50 CET
In Cauldron?

Assignee: qa-bugs => pkg-bugs

Comment 13 Nicolas Lécureuil 2021-02-27 01:20:43 CET
Sorry, I was wrong.

Connman now pushed in cauldron/mga8

src:
    connman-1.38-2.mga8
    connman-1.37-1.1.mga7

Assignee: pkg-bugs => qa-bugs

Comment 14 David Walser 2021-02-27 01:47:49 CET
Package list for Mageia 8:
connman-1.38-2.mga8
connman-devel-1.38-2.mga8

from connman-1.38-2.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 15 David GEIGER 2021-02-27 04:56:07 CET
Already fixed and pushed for mga8 before mga8 released!
Comment 16 David Walser 2021-02-27 16:12:01 CET
That was the problem David.  We wipe updates_testing at release time.
Comment 17 David GEIGER 2021-03-01 15:11:01 CET
connman-1.38-2.mga8 was already tested and pushed to Core/Release before mga8 released!

So need just some test for mga7.

Source RPM: connman-1.38-1.mga8.src.rpm => connman-1.37-1.mga7.src.rpm
Version: 8 => 7
Whiteboard: MGA7TOO => (none)

Comment 18 David Walser 2021-03-03 01:50:42 CET
Advisory:
========================

Updated connman packages fix security vulnerabilities:

A remote information leak vulnerability and a remote buffer overflow vulnerability were discovered in ConnMan, which could result in denial of
service or the execution of arbitrary code (CVE-2021-26675, CVE-2021-26676).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26676
https://www.debian.org/security/2021/dsa-4847
Comment 19 Herman Viaene 2021-03-25 11:13:59 CET
MGA 7-64 MATE on Peaq C1011.
Installation of connman works OK, but
# urpmi connman-devel
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64blkid-devel-2.33.2-1.mga7
lib64mount-devel-2.33.2-1.mga7
lib64glib2.0-devel-2.60.2-1.4.mga7
connman-devel-1.37-1.1.mga7

Continuing .....

CC: (none) => herman.viaene

Comment 20 Herman Viaene 2021-03-25 11:24:09 CET
# systemctl start connman.service
This disconnects the existing wifi connection

# systemctl -l status connman.service
● connman.service - Connection service
   Loaded: loaded (/usr/lib/systemd/system/connman.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-03-25 10:57:26 CET; 29s ago
 Main PID: 30779 (connmand)
    Tasks: 1 (limit: 2285)
   Memory: 5.1M
   CGroup: /system.slice/connman.service
           └─30779 /usr/sbin/connmand -n

Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: Could not read the UART name
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: lo {newlink} index 1 address 00:00:00:00:00:00 mtu 65536
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: lo {newlink} index 1 operstate 0 <UNKNOWN>
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: wlan0 {create} index 2 type 1 <ETHER>
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: wlan0 {RX} 4683 packets 5236772 bytes
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: wlan0 {TX} 3021 packets 346127 bytes
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: wlan0 {update} flags 36866 <DOWN>
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: wlan0 {newlink} index 2 address 80:A5:89:2E:7D:05 mtu 1500
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: wlan0 {newlink} index 2 operstate 2 <DOWN>
Mar 25 10:57:27 mach7.hviaene.thuis connmand[30779]: Adding interface wlan0 [ wifi ]

# connmanctl enable wifi
Enabled wifi
# connmanctl scan wifi
Scan completed for wifi
But it does not show any scan results, is that to be expected??
# systemctl enable connman.service
Created symlink /etc/systemd/system/multi-user.target.wants/connman.service → /usr/lib/systemd/system/connman.service.
# systemctl enable connman-wait-online.service
Created symlink /etc/systemd/system/network-online.target.wants/connman-wait-online.service → /usr/lib/systemd/system/connman-wait-online.service.
Then as normal user
$ connmanctl
connmanctl> scan wifi
Scan completed for wifi
connmanctl> services
This shows a list of possible wifi connections
connmanctl> agent on
Agent registered
connmanctl> connect <my-own-_managed_psk>
Agent RequestInput <my-own-_managed_psk>
  Passphrase = [ Type=psk, Requirement=mandatory, Alternates=[ WPS ] ]
  WPS = [ Type=wpspin, Requirement=alternate ]
Passphrase? <mypasswd>
Agent ReportError <my-own-_managed_psk>
  connect-failed

I had to use MCC - Setup a new network interface (accepting the values already defined) to get my wifi back alive.
Comment 21 Aurelien Oudelet 2021-03-30 17:42:41 CEST
(In reply to Aurelien Oudelet from comment #7)
> M8 Plasma x86_64
> Note that network OK over WiFi with existing net_applet.
> 
> need to disable it for this.
> See: https://wiki.mageia.org/en/Switching_to_networkmanager for command on
> how to deactivate legacy network scripts and DO NOT install/activate
> NetworkManager.
> Deactivate net_applet with right-click on it.
> 
> # urpmi connman 
> connman-1.38-1.mga8 with core/release
> 
> # systemctl start connman.service
> 
> # connmanctl enable wifi
> # connmanctl scan wifi
> To list the available networks 
> 
> $ connmanctl
> connmanctl> scan wifi
> connmanctl> services
> connmanctl> agent on
> connmanctl> connect wifi_CENSORED_managed_psk
> 
> Agent RequestInput wifi_CENSORED_managed_psk
>   Passphrase = [ Type=psk, Requirement=mandatory ]
>   Passphrase?  
> 
> connmanctl> quit
> 
> # systemctl enable connman.service
> # systemctl enable connman-wait-online.service
> 
> WiFi OK, running. Carrying over a reboot. WiFi OK
> 
> Then,
> Use QA Repo to install connman-1.38-2.mga8.x86_64.rpm from 8/updates_testing
> Install OK.
> 
> Same functionality. No errors.
> 
> Basic functionalities are OK.
> Returning to the Security Vulnerability,
> A remote (adjacent network) code execution flaw was reported in
> connman: a stack buffer overflow that can be used to execute code by network
> adjacent attackers;
> and a remote stack information leak which can be used to help execute the
> first reliably. 2 vulnerabilities. Beyond the scope of my understanding.
> Fixes are publicly committed in kernel.org git.
> 
> So an OK on this, based on installing and updating.

This is also OK on mageia 7 with an Intel AX200 WiFi 6 card. Adapting the correct rpm names.
Comment 22 Aurelien Oudelet 2021-04-14 17:15:05 CEST
Strange Herman you get errors.

I do not see any on my device.
Advisory committed.

Keywords: (none) => advisory
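
The package lists in comments 4 and 14 give the fixed builds (connman-1.37-1.1.mga7 and connman-1.38-2.mga8). The script below is an added example, not part of the original bug thread, that checks whether the connman build installed on a host is at or above the fixed build for its release. The function names `ver_ge` and `connman_fixed` are hypothetical, and the version comparison is a simplified numeric one, not rpm's full algorithm.

```shell
#!/bin/sh
# Added example. Fixed builds are the ones listed in comments 4 and 14.
FIXED_MGA7="1.37-1.1"
FIXED_MGA8="1.38-2"

# ver_ge A B: succeed when A >= B. Fields are split on '.' and '-' and
# compared numerically; a missing field counts as 0 (so 1.37-1 < 1.37-1.1).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%[.-]*}; fb=${b%%[.-]*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
    done
    return 0
}

# connman_fixed VERSION-RELEASE
# Returns 0 = fixed build or newer, 1 = older than the fixed build,
# 2 = not a Mageia 7/8 build string this check understands.
connman_fixed() {
    _vr=$1
    case $_vr in
        *.mga7) _fixed=$FIXED_MGA7; _vr=${_vr%.mga7} ;;
        *.mga8) _fixed=$FIXED_MGA8; _vr=${_vr%.mga8} ;;
        *) return 2 ;;
    esac
    # Only plain numeric fields are compared; anything else is left to a human.
    case $_vr in ''|*[!0-9.-]*) return 2 ;; esac
    if ver_ge "$_vr" "$_fixed"; then return 0; else return 1; fi
}

# On a host with rpm, report the state of the installed package.
if command -v rpm >/dev/null 2>&1; then
    if installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' connman 2>/dev/null); then
        rc=0; connman_fixed "$installed" || rc=$?
        case $rc in
            0) echo "connman $installed: fixed build or newer" ;;
            1) echo "connman $installed: older than the fixed build" ;;
            *) echo "connman $installed: unrecognised build, check manually" ;;
        esac
    else
        echo "connman is not installed"
    fi
fi
```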

