Bug 6282 - nut new security issue CVE-2012-2944
Summary: nut new security issue CVE-2012-2944
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/499822/
Whiteboard: MGA1TOO MGA2-64-OK mga2-32-OK mga1-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-06-01 21:49 CEST by David Walser
Modified: 2012-07-10 13:39 CEST (History)
CC: 6 users

See Also:
Source RPM: nut-2.6.0-2.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-06-01 21:49:20 CEST
Ubuntu has issued an advisory on May 31:
http://www.ubuntu.com/usn/usn-1456-1/

Cauldron/Mageia 2 are also affected.

This is fixed upstream in 2.6.4.  Debian has a link to the fix here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675203
David Walser 2012-06-01 21:49:56 CEST

CC: (none) => thierry.vignaud

Comment 1 David Walser 2012-06-05 15:13:29 CEST
Mandriva has issued an advisory for this today (June 5):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:087
David Walser 2012-06-14 22:28:28 CEST

Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 2 David Walser 2012-06-14 23:55:15 CEST
Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated nut packages fix security vulnerability:

Buffer overflow in the addchar function in common/parseconf.c in upsd
in Network UPS Tools (NUT) before 2.6.4 allows remote attackers to
execute arbitrary code or cause a denial of service (electric-power
outage) via a long string containing non-printable characters
(CVE-2012-2944).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2944
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:087
========================

Updated packages in core/updates_testing:
========================
nut-2.6.0-2.1.mga1
libupsclient1-2.6.0-2.1.mga1
nut-server-2.6.0-2.1.mga1
nut-drivers-hal-2.6.0-2.1.mga1
nut-cgi-2.6.0-2.1.mga1
nut-devel-2.6.0-2.1.mga1
nut-2.6.1-1.1.mga2
libupsclient1-2.6.1-1.1.mga2
nut-server-2.6.1-1.1.mga2
nut-drivers-hal-2.6.1-1.1.mga2
nut-cgi-2.6.1-1.1.mga2
nut-devel-2.6.1-1.1.mga2

from SRPMS:
nut-2.6.0-2.1.mga1.src.rpm
nut-2.6.1-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2012-06-25 14:54:10 CEST

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 3 Zoltan Balaton 2012-06-25 15:23:21 CEST
Tested on mga2 x86_64.

Installed nut-server and after configuring a dummy ups (see 'man dummy-ups') I could reproduce the bug using the method described here:
http://alioth.debian.org/tracker/?func=detail&aid=313636
(after sending some zeros or random data upsd either crashed or became unresponsive so that 'upsc dummy' did not work any more and the daemon could only be killed by -9).

After installing the updated packages from Testing (version 2.6.1-1.1.mga2) I could not crash upsd any more and in the debug output I see messages confirming the fix:
addchar: discarding invalid character (0x00)!

CC: (none) => balaton
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK

Comment 4 claire robinson 2012-07-07 17:43:31 CEST
Testing mga2 32

The man page is confusing for dummy-ups as it talks of using /etc/nut/ by default where we seem to use /etc/ups/

Followed the example here:
http://www.networkupstools.org/docs/developer-guide.chunked/ar01s10.html

Saved evolution500.seq as /etc/ups/evolution500.dev

Altered /etc/ups/ups.conf adding the [dummy] section at the end.

# upsdrvctl start dummy
Network UPS Tools - UPS driver controller 2.6.1
Network UPS Tools - Device simulation and repeater driver 0.12 (2.6.1)

# upsd
Network UPS Tools upsd 2.6.1
listening on 127.0.0.1 port 3493
listening on ::1 port 3493
Connected to UPS [dummy]: dummy-ups-dummy

# upsc dummy
Shows the contents of the evolution500.dev file loaded.

Before
------
Installed netcat and tested with the printf command line given in the testcase from comment 3. It hangs.
# printf "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n" | netcat 127.0.0.1 3493

From another terminal tab...
# upsc dummy
Error: Server disconnected

# ps aux | grep upsd
Shows it running but unresponsive.

killall upsd doesn't work, so used killall -9 upsd

Same results as Zoltan.

After
-----

# upsdrvctl stop dummy
Network UPS Tools - UPS driver controller 2.6.1
# upsdrvctl start dummy
Network UPS Tools - UPS driver controller 2.6.1
Network UPS Tools - Device simulation and repeater driver 0.12 (2.6.1)

# upsd
Network UPS Tools upsd 2.6.1
listening on 127.0.0.1 port 3493
listening on ::1 port 3493
Connected to UPS [dummy]: dummy-ups-dummy
# upsc dummy
battery.charge: 90
battery.charge.low: 30
etc.

# printf "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n" | netcat 127.0.0.1 3493
ERR UNKNOWN-COMMAND

From the 2nd tab
# upsc dummy
Shows settings as normal.

Testing complete mga2 32

Hardware: i586 => All
Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO MGA2-64-OK mga2-32-OK
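The behaviour the advisory and the tests above describe (non-printable bytes discarded with an "addchar: discarding invalid character" message, and a bounded token buffer instead of an overflow), as an added example modelled in C. This is not NUT's own common/parseconf.c; the struct, the 64-byte buffer, and the function names are assumptions, and the helper functions feed constructed inputs that mirror the printf test from the comments.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define BUF_MAX 64   /* small cap so the overflow path is easy to exercise */
struct pconf {
    char buf[BUF_MAX];
    size_t len;
    int discarded;   /* non-printable bytes dropped instead of stored */
    int rejected;    /* set when the token would not fit in buf */
};
/* Hardened accumulator (a model, not NUT's own code): drop anything that is
 * not printable or whitespace, and never write past the end of buf. */
static int addchar(struct pconf *ctx, unsigned char ch)
{
    if (!isprint(ch) && !isspace(ch)) {
        ctx->discarded++;
        fprintf(stderr, "addchar: discarding invalid character (0x%02x)!\n", ch);
        return 0;                           /* dropped; keep parsing */
    }
    if (ctx->len + 1 >= sizeof ctx->buf) {  /* keep room for the NUL */
        ctx->rejected = 1;                  /* caller must refuse the line */
        return -1;
    }
    ctx->buf[ctx->len++] = (char)ch; ctx->buf[ctx->len] = '\0';
    return 0;
}
/* Feed one client line up to '\n'; 0 on success, -1 if the line is rejected. */
int parse_line(struct pconf *ctx, const unsigned char *line, size_t n)
{
    memset(ctx, 0, sizeof *ctx);
    for (size_t i = 0; i < n && line[i] != '\n'; i++)
        if (addchar(ctx, line[i]) < 0)
            return -1;
    return 0;
}
/* Constructed inputs mirroring the tests in the comments above. */
int nul_line_discarded(void) {              /* 24 NULs + newline, as in the printf test */
    struct pconf c; unsigned char nul[25] = {0}; nul[24] = '\n';
    return parse_line(&c, nul, sizeof nul) == 0 && c.len == 0 ? c.discarded : -1;
}
int valid_line_ok(void) {                   /* an ordinary upsd command line */
    struct pconf c; const char *s = "LIST UPS\n";
    return parse_line(&c, (const unsigned char *)s, strlen(s)) == 0 && strcmp(c.buf, "LIST UPS") == 0;
}
int long_line_rejected(void) {              /* printable, but longer than buf */
    struct pconf c; unsigned char big[200]; memset(big, 'A', sizeof big);
    return parse_line(&c, big, sizeof big) == -1 && c.rejected && c.len == BUF_MAX - 1;
}
```

With the NUL line the token stays empty and all 24 bytes are counted as discarded, which is the unresponsive-before, ERR-after difference seen in the test above.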

Comment 5 Deri James 2012-07-07 22:49:07 CEST
Tested on Mageia 2 X86_64 with real ups server running, continues to work normally.

CC: (none) => deri

Comment 6 claire robinson 2012-07-09 17:27:57 CEST
Testing complete x86_64 Mageia 1
claire robinson 2012-07-09 17:28:15 CEST

Whiteboard: MGA1TOO MGA2-64-OK mga2-32-OK => MGA1TOO MGA2-64-OK mga2-32-OK mga1-64-OK

Comment 7 Dave Hodgins 2012-07-10 01:51:47 CEST
I'll test Mageia 1 i586 using the dummy ups shortly.

CC: (none) => davidwhodgins

Comment 8 Dave Hodgins 2012-07-10 02:23:00 CEST
Testing complete Mageia 1 i586.

Could someone from the sysadmin team push the srpm
nut-2.6.1-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
nut-2.6.0-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated nut packages fix a security vulnerability:

Buffer overflow in the addchar function in common/parseconf.c in
upsd in Network UPS Tools (NUT) before 2.6.4 allows remote
attackers to execute arbitrary code or cause a denial of service
(electric-power outage) via a long string containing non-printable
characters (CVE-2012-2944).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2944
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:087

https://bugs.mageia.org/show_bug.cgi?id=6282

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK mga2-32-OK mga1-64-OK => MGA1TOO MGA2-64-OK mga2-32-OK mga1-64-OK MGA1-32-OK

Comment 9 Thomas Backlund 2012-07-10 13:39:48 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0155

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

