Update for bip: "Bip package is updated to fix a remote buffer overflow, causing a potential crash by sending specifically crafted requests to a bip user". The package was sent to updates_testing. I am not really satisfied by the advisory, but I have not yet managed to discuss it with upstream for more information (basically, bip crashes if there are too many connections). To test, just follow the documentation https://projects.duckcorp.org/projects/bip/wiki/Bip. I have also asked upstream for a way to check the problem.
bip-0.8.8-1.1.mga1.src.rpm is in updates_testing so let's go for the QA.
Assignee: bugsquad => qa-bugs
Upstream kindly gave me a script to test:
1) stop bip
2) type "ulimit -n 1200"
3) start bip on another console, you can use this script:
  #!/bin/bash
  # open 2000 connections to the bip listener and leave them hanging
  for i in `seq 1 2000`; do
      nohup nc -d 127.0.0.1 7778 &
  done
This should make bip crash (not sure about the 7778 port, it should be the port set in bip config).
I've confirmed it kills bip with the release version. netstat -tapn|grep bip shows it is listening on 7778, not the default of 6667 implied by the comments. I added the ulimit to /etc/init.d/bip, before starting bip. After running the script, nothing in the logs, but I get ...
  service bip status
  bip dead but subsys locked
Now I'll try the updates testing version.
CC: (none) => davidwhodgins
During the install of the update, I get
  http://twiska.zarb.org/mageia/distrib/1/i586/media/core/updates_testing/bip-0.8.8-1.1.mga1.i586.rpm
  installing bip-0.8.8-1.1.mga1.i586.rpm from /var/cache/urpmi/rpms
  Preparing... ################################################################################
  1/1: bip ################################################################################
  /var/tmp/rpm-tmp.0TcJsv: line 1: fg: no job control
  warning: %postun(bip-0.8.8-1.mga1.i586) scriptlet failed, exit status 1
The error appears to me to be from trying to use a macro, %_pre_userdel, in an sh script. Note that this error is not a regression, as it's the uninstall of the release version that's generating the error, though the updates testing version contains the same error.
Testing complete on i586 for the srpm bip-0.8.8-1.1.mga1.src.rpm

After installing the update, I again added the ulimit command to /etc/init.d/bip, and started the service. After running the script, as a regular user (same as pre-update testing), I get ...
  # service bip status
  bip (pid 16697) is running...
I configured bip to connect to freenode, and have then created an irc account in opera, to connect to 127.0.0.1 with the password set up as per https://projects.duckcorp.org/projects/bip/repository/entry/README and, it works.
I guess I need to fix the %pre script too, will see tomorrow.
I'll hold off testing until that's ready
Summary: Buffer overflow, CVE-2012-0806 => Buffer overflow in bip IRC proxy, CVE-2012-0806
Assigning misc. Please reassign to QA when you have had a chance to look at this. Thanks!
CC: (none) => qa-bugs
Assignee: qa-bugs => misc
I pushed a new update ( -2mga2 ). Unfortunately, this cannot fix the previously erroneous package, so people will see the message on upgrade.
Testing complete on i586 for the srpm bip-0.8.8-1.2.mga1.src.rpm Confirmed the postun scriptlet is fixed by uninstalling bip after testing it using opera chat and #mageia on irc.freenode.net
I am still finding bip crashes using the script on x86_64 with the updated package.
  $ cat bipcrash.sh
  #!/bin/bash
  for i in `seq 1 2000`; do nohup nc -d 127.0.0.1 7778 & done
  $ ulimit -n 1024
  $ sh bipcrash.sh
  # service bip status
  bip dead but subsys locked
  # rpm -q bip
  bip-0.8.8-1.2.mga1
  # ulimit -n 1200
Other than that it tests OK and uninstall completes without the error message.
/var/log/bip/bip.log final line is
  14-02-2012 15:15:08 FATAL: accept failed: Too many open files
Previously it crashed with:
  14-02-2012 14:57:57 ERROR: accept failed: Too many open files
  14-02-2012 14:57:57 FATAL: Failed assetion in src/irc.c(2447): n
Is this the intended behaviour?
I forgot to rerun the script while testing that bip works. On i586 it's now crashing too, so this is a regression since comment 5.
Upstream told me this is normal, and while it crashes, there is no remote execution. And what should be tested is with ulimit set to a bigger value than what select can accept. I am not sure about what he meant, so I will check my logs (and/or ask him to comment).
Looking at the patch for this CVE: https://projects.duckcorp.org/attachments/56?type=sbs
The log should say something like:
  too many client connected, close %d
We are not always able to reproduce the crash if there is no public PoC, as with this. The updated package seems to work OK so I would say it is safe to validate if you don't have any working PoC. We can wait for you to check your logs though and use any PoC you find.
PS. Please assign to QA again when you've had a look :)
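The comments above about "a bigger value than what select can accept" and the advisory's "many open file descriptors" point at a well-known overflow class in select()-based servers: an fd_set can only describe descriptors 0 .. FD_SETSIZE-1 (1024 on glibc), and FD_SET() does no bounds check, so a descriptor at or above FD_SETSIZE, which accept() can only return once the soft limit has been raised past 1024 (the "ulimit -n 1200" step), is written past the end of the set. With the limit left at 1024, accept() instead fails with EMFILE, which is the "accept failed: Too many open files" line in the logs quoted above. The C below is an added illustration of that class and of the check a patch of this kind adds; it is not bip's code nor the upstream patch, the struct and function names are hypothetical, and it assumes (the page does not spell out the exact site) that the overflow is an FD_SET() past FD_SETSIZE. open("/dev/null") stands in for accept() so it runs without a network.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Per-server bookkeeping for a select()-based accept loop.
 * Hypothetical names, not bip's data structures. */
struct server {
    fd_set readfds;   /* descriptors select() watches */
    int maxfd;        /* highest descriptor in readfds, for select()'s nfds */
    int nclients;     /* accepted clients currently tracked */
};

void server_init(struct server *s)
{
    FD_ZERO(&s->readfds);
    s->maxfd = -1;
    s->nclients = 0;
}

/* An fd_set can only describe descriptors 0 .. FD_SETSIZE-1 (1024 on glibc).
 * FD_SET() does no bounds check, so a larger descriptor is written past the
 * end of the set: that is the overflow class this bug belongs to (assumption). */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Vulnerable shape, shown for contrast and never called here: trust whatever
 * accept() returned and register it unconditionally.
 *
 *   FD_SET(fd, &s->readfds);           // out-of-bounds write when fd >= FD_SETSIZE
 *   if (fd > s->maxfd) s->maxfd = fd;
 *
 * Hardened: refuse descriptors select() cannot track and close them at once,
 * logging much as the upstream patch's "too many client connected, close %d".
 * Returns 0 when registered, -1 when refused (the descriptor is then closed). */
int server_add_client(struct server *s, int fd)
{
    if (!fd_fits_select(fd)) {
        fprintf(stderr, "too many clients connected, closing fd %d\n", fd);
        close(fd);
        return -1;
    }
    FD_SET(fd, &s->readfds);
    if (fd > s->maxfd)
        s->maxfd = fd;
    s->nclients++;
    return 0;
}

/* Stand-alone demo mirroring the thread's two test conditions. With the soft
 * limit at 1024 the kernel refuses new descriptors (EMFILE) before any reaches
 * FD_SETSIZE; with the limit raised past FD_SETSIZE (the "ulimit -n 1200"
 * case) the server itself must reject them. */
int main(void)
{
    struct server s;
    struct rlimit rl;
    int accepted = 0, rejected = 0, hit_emfile = 0;

    server_init(&s);
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur <= (rlim_t)FD_SETSIZE) {
        rl.rlim_cur = (rlim_t)FD_SETSIZE + 16;
        if (rl.rlim_cur > rl.rlim_max)
            rl.rlim_cur = rl.rlim_max;
        setrlimit(RLIMIT_NOFILE, &rl);   /* may fail; the demo copes either way */
    }

    for (;;) {
        int fd = open("/dev/null", O_RDONLY);   /* stands in for accept() */
        if (fd < 0) {
            hit_emfile = (errno == EMFILE);
            break;
        }
        if (server_add_client(&s, fd) == 0)
            accepted++;
        else if (++rejected >= 3)   /* rejected fds are closed and come back, so stop */
            break;
    }
    printf("accepted %d, rejected %d: %s\n", accepted, rejected,
           hit_emfile ? "kernel returned EMFILE first (soft limit <= FD_SETSIZE)"
                      : "descriptors beyond FD_SETSIZE were refused by the server");
    return 0;
}
```

Run it once as-is and once under a shell where `ulimit -n 1024` has pinned the soft limit; the first case prints refusals from the server, the second prints the EMFILE path, which is the distinction the thread is circling around: the EMFILE crash is a denial of service, the FD_SET overflow is the memory-corruption bug the CVE covers.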
Putting OK on the whiteboard, because it is evident the assignee has been working on this but
CC: (none) => marja11
Whiteboard: (none) => OK
Assignee: misc => bugsquad
Whiteboard: OK => (none)
It doesn't look like the patch for this went into Cauldron, so the vulnerability made it into Mageia 2 :o(
CC: (none) => luigiwalser
URL: (none) => http://lwn.net/Vulnerabilities/477199/
Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO
I have added the patch to Mageia 2 and Cauldron. It's the same patch that was used by both Debian and Fedora to fix this, so this should be sufficient to push this.

Advisory:
========================
Updated bip package fixes security vulnerability:

Buffer overflow in Bip 0.8.8 and earlier might allow remote authenticated users to execute arbitrary code via vectors involving a series of TCP connections that triggers use of many open file descriptors (CVE-2012-0806).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0806
http://www.debian.org/security/2012/dsa-2393
========================
Updated packages in core/updates_testing:
========================
bip-0.8.8-1.2.mga1
bip-0.8.8-5.1.mga2

from SRPMS:
bip-0.8.8-1.2.mga1.src.rpm
bip-0.8.8-5.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Component: RPM Packages => Security
Testing Mageia 2 x86_64

Before
------
Installed and configured /etc/bip.conf
https://wiki.mageia.org/en/QA_procedure:Bip
Didn't bother creating a certificate for it with client_side_ssl commented.
Connected to it and used it online.
Caused it to crash with:
  # ulimit -n 1200
  $ for i in `seq 1 1200`; do nohup nc 127.0.0.1 7778 & done
It requires netcat to be installed.
In /var/log/bip/bip.log
  10-09-2012 16:38:06 ERROR: accept failed: Too many open files

After
-----
There is a problem with %postun, is there a way to prevent this?
  # urpmi bip
  installing bip-0.8.8-5.1.mga2.x86_64.rpm from /var/cache/urpmi/rpms
  Preparing... #########################################################
  1/1: bip #########################################################
  /var/tmp/rpm-tmp.f70M5e: line 1: fg: no job control
  warning: %postun(bip-0.8.8-5.mga2.x86_64) scriptlet failed, exit status 1
See also comment 4
It still crashes with the same error:
  10-09-2012 16:46:57 FATAL: accept failed: Too many open files
This seems to be ulimit -n not working, it does say in the man page that most systems don't allow this value to be set. I think this may be what is preventing us from properly testing the CVE. It does connect and I can connect to it after the update though, so apart from the %postun and possibly %preun scripts there are no obvious regressions. Could you take another look at this David please. Thanks
Whiteboard: MGA1TOO => MGA1TOO feedback
%pre rather as in comment 6
  # urpme bip
  removing bip-0.8.8-5.1.mga2.x86_64
  removing package bip-0.8.8-5.1.mga2.x86_64
  warning: /etc/bip.conf saved as /etc/bip.conf.rpmsave
  /var/tmp/rpm-tmp.voM92S: line 1: fg: no job control
  warning: %postun(bip-0.8.8-5.1.mga2.x86_64) scriptlet failed, exit status 1
Thanks, I added misc's fix for the %postun issue to the mga2 and Cauldron packages.

Advisory:
========================
Updated bip package fixes security vulnerability:

Buffer overflow in Bip 0.8.8 and earlier might allow remote authenticated users to execute arbitrary code via vectors involving a series of TCP connections that triggers use of many open file descriptors (CVE-2012-0806).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0806
http://www.debian.org/security/2012/dsa-2393
========================
Updated packages in core/updates_testing:
========================
bip-0.8.8-1.2.mga1
bip-0.8.8-5.2.mga2

from SRPMS:
bip-0.8.8-1.2.mga1.src.rpm
bip-0.8.8-5.2.mga2.src.rpm
Whiteboard: MGA1TOO feedback => MGA1TOO
Testing Mga1 x86_64

Still get the error installing the update David. I'll retest mga2 as well in a moment.
  # urpmi bip
  1/1: bip ############################################
  /var/tmp/rpm-tmp.MhFQTS: line 1: fg: no job control
  warning: %postun(bip-0.8.8-1.mga1.x86_64) scriptlet failed, exit status 1
Testing Mga2 x86_64

Same problem David, sorry. It doesn't look like the patch fixes it..
  # urpmi bip
  1/1: bip #########################################################
  /var/tmp/rpm-tmp.oHI7RU: line 1: fg: no job control
  warning: %postun(bip-0.8.8-5.mga2.x86_64) scriptlet failed, exit status 1
Apart from this issue though everything seems fine on both I tested.
If you check the errors closer you see:
  %postun(bip-0.8.8-1.mga1.x86_64)
  %postun(bip-0.8.8-5.mga2.x86_64)
Now those are failing postun scripts in the packages installed before the update, which cannot be resolved in an update as such for the already installed ones... but if you try to uninstall the updated packages there should be no %postun error message.
CC: (none) => tmb
I noticed that, yes. I was under the impression it could be worked around but if there is no way to work around it then we'll have to live with it. Uninstalling gives no error message so the updated packages are OK.
Whiteboard: MGA1TOO => MGA1TOO mga1-64-OK mga2-64-OK
Testing complete mga1 32
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK => MGA1TOO mga1-32-OK mga1-64-OK mga2-64-OK
Testing complete Mageia 2 i586.

Could someone from the sysadmin team push the srpm bip-0.8.8-5.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm bip-0.8.8-1.2.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:
Updated bip package fixes security vulnerability:

Buffer overflow in Bip 0.8.8 and earlier might allow remote authenticated users to execute arbitrary code via vectors involving a series of TCP connections that triggers use of many open file descriptors (CVE-2012-0806).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0806
http://www.debian.org/security/2012/dsa-2393
https://bugs.mageia.org/show_bug.cgi?id=4319
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO mga1-32-OK mga1-64-OK mga2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0265
Status: NEW => RESOLVED
Resolution: (none) => FIXED