Bug 32361 - cadence new security issues CVE-2023-4378[23]
Summary: cadence new security issues CVE-2023-4378[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-10-09 16:20 CEST by Nicolas Salguero
Modified: 2023-10-22 23:06 CEST

See Also:
Source RPM: cadence-0.9.1-7.mga9.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2023-10-09 16:20:50 CEST
Hi,

Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2023/10/05/4

They are fixed by patches provided in the above message.

Best regards,

Nico.
Nicolas Salguero 2023-10-09 16:21:19 CEST

Status comment: (none) => Patch available from upstream
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => cadence-0.9.1-7.mga9.src.rpm

Comment 1 Lewis Smith 2023-10-09 20:26:21 CEST
The CVE link is well worth a read. Essentially it says that cadence is deprecated and should be moved away from; but is still necessary "when using the Jack audio system".

Various packagers have committed this, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-10-11 10:50:51 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/.cadence-aloop-daemon.x Temporary File. The file is used even if it has been created by a local adversary before Cadence started. The adversary can then delete the file, disrupting Cadence. (CVE-2023-43782)

Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/cadence-wineasio.reg Temporary File. The filename is used even if it has been created by a local adversary before Cadence started. The adversary can leverage this to create or overwrite files via a symlink attack. In some kernel configurations, code injection into the Wine registry is possible. (CVE-2023-43783)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43783
https://www.openwall.com/lists/oss-security/2023/10/05/4
========================

Updated packages in 9/core/updates_testing:
========================
cadence-0.9.1-7.1.mga9
cadence-data-0.9.1-7.1.mga9
cadence-tools-0.9.1-7.1.mga9
catarina-0.9.1-7.1.mga9
catia-0.9.1-7.1.mga9
claudia-0.9.1-7.1.mga9

from SRPM:
cadence-0.9.1-7.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
cadence-0.9.1-3.1.mga8
cadence-data-0.9.1-3.1.mga8
cadence-tools-0.9.1-3.1.mga8
catarina-0.9.1-3.1.mga8
catia-0.9.1-3.1.mga8
claudia-0.9.1-3.1.mga8

from SRPM:
cadence-0.9.1-3.1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Patch available from upstream => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
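Both advisory entries above describe one weakness: a predictable file under the world-writable /tmp that the program trusts even when something else created it first. The following is an added Python example, not Cadence's code or its upstream fix, showing how such a state file can be created and checked safely; the helper names and the fallback directory are assumptions.

```python
"""Added example (not Cadence's own code): create a fixed-name state file
without trusting whatever already sits at a predictable /tmp path."""
import os
import stat
import tempfile


def _owned_private(path: str, want: int) -> bool:
    """True if `path` exists (symlinks are NOT followed), has file type `want`
    (stat.S_IFREG or stat.S_IFDIR), belongs to us and is closed to group/other."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return (stat.S_IFMT(st.st_mode) == want
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def runtime_dir() -> str:
    """Per-user XDG_RUNTIME_DIR if it really is ours and mode 0700; otherwise a
    fresh random 0700 directory (hypothetical fallback). Never a fixed /tmp name."""
    d = os.environ.get("XDG_RUNTIME_DIR")
    if d and _owned_private(d, stat.S_IFDIR):
        return d
    return tempfile.mkdtemp(prefix="cadence-")


def create_private_file(path: str, data: bytes = b"") -> str:
    """Create `path` atomically with mode 0600 and refuse if anything is already
    there: O_CREAT|O_EXCL fails with EEXIST for a pre-existing file *or* symlink,
    so a planted link is never followed. Returns `path` on success."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        raise RuntimeError(f"refusing to reuse pre-existing path {path}") from None
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def verify_private_file(path: str) -> bool:
    """Check before reusing an existing state file: regular file, ours, no
    group/other bits. A file or link left behind by another user fails this."""
    return _owned_private(path, stat.S_IFREG)
```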

Comment 3 Marja Van Waes 2023-10-12 11:44:37 CEST
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed.

CC: (none) => marja11
Keywords: (none) => advisory

Comment 4 Herman Viaene 2023-10-14 15:18:51 CEST
MGA9-64 Xfce on Acer Aspire 5253
No installation issues
No previous updates, hunting for some tutorial is complicated by the fact that there is at least one other program with the same name doing something completely different and is quite popular on Google.
This package seems to be some simulation of patching different sound in- and outputs, not exactly my kind of expertise.
Anyway, in the front, I can start jack and bridge pulseaudio. Then there is a tools section and most of those do something that seems reasonable, except the claudia tool which throws an error. Info on the CLI:
/usr/bin/python3 /usr/share/cadence/src/claudia.py &
Using Tray Engine 'Qt'
Traceback (most recent call last):
  File "/usr/lib64/python3.10/site-packages/dbus/bus.py", line 173, in activate_name_owner
    return self.get_name_owner(bus_name)
  File "/usr/lib64/python3.10/site-packages/dbus/bus.py", line 348, in get_name_owner
    return self.call_blocking(BUS_DAEMON_NAME, BUS_DAEMON_PATH,
  File "/usr/lib64/python3.10/site-packages/dbus/connection.py", line 634, in call_blocking
    reply_message = self.send_message_with_reply_and_block(
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NameHasNoOwner: Could not get owner of name 'org.ladish': no such name

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/cadence/src/claudia.py", line 2753, in <module>
    gDBus.ladish_control = gDBus.bus.get_object("org.ladish", "/org/ladish/Control")
  File "/usr/lib64/python3.10/site-packages/dbus/bus.py", line 237, in get_object
    return self.ProxyObjectClass(self, bus_name, object_path,
  File "/usr/lib64/python3.10/site-packages/dbus/proxies.py", line 250, in __init__
    self._named_service = conn.activate_name_owner(bus_name)
  File "/usr/lib64/python3.10/site-packages/dbus/bus.py", line 178, in activate_name_owner
    self.start_service_by_name(bus_name)
  File "/usr/lib64/python3.10/site-packages/dbus/bus.py", line 273, in start_service_by_name
    return (True, self.call_blocking(BUS_DAEMON_NAME, BUS_DAEMON_PATH,
  File "/usr/lib64/python3.10/site-packages/dbus/connection.py", line 634, in call_blocking
    reply_message = self.send_message_with_reply_and_block(
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.ladish was not provided by any .service files
Help !!!!

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2023-10-21 14:08:12 CEST
Not my area either, Herman. I wouldn't have gotten as far as you have.

I'll set the feedback flag and ask for help on the ML.

Keywords: (none) => feedback
CC: (none) => andrewsfarm

Comment 6 christian barranco 2023-10-21 18:56:15 CEST
Hi. I saw your note on the QA ML.
I gave it a try.
You need to be part of the group audio.
But the issue with Claudia is not because of this.

I have found: https://github.com/falkTX/Cadence/issues/319

Maybe a look at openSUSE package could help. Sorry, don't have time to do more right now.

CC: (none) => chb0

PC LX 2023-10-21 21:07:01 CEST

CC: (none) => mageia

Comment 7 Thomas Andrews 2023-10-22 20:10:07 CEST
It looks like this is an ongoing problem with Cadence/Claudia. Christian's link was dated May 2021, but there is this from another post dated December 2017:

"For now you can package things and remove ladish as dependency.
There is no build-time dependency on time, so this is fine.
Claudia will refuse to start, but the rest of the cadence suite still works fine."

Since this is a security update and the Claudia issue apparently is not a new regression, it won't stop this update. Removing the feedback flag, and giving this an MGA9 OK based on comment 5 and comment 6.

Now we need a test on MGA8, and then it can be validated.

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
Keywords: feedback => (none)

Comment 8 Thomas Andrews 2023-10-22 20:49:56 CEST
MGA8-64 Plasma in VirtualBox.

Installed packages, made my user a member of the audio group, and ran Cadence from the CLI. Started Jack, bridged to pulseaudio, confirmed that the tools appear to work, except for Claudia.

Updated using Qarepo, with no installation issues. Ran it again, repeated the previous actions, with the same results, showing no new regressions that I can see.

Giving this an MGA8 OK, and validating.

Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2023-10-22 23:06:44 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0297.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
