Ubuntu has issued an advisory on May 31: http://www.ubuntu.com/usn/usn-1456-1/ Cauldron/Mageia 2 are also affected. This is fixed upstream in 2.6.4. Debian has a link to the fix here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675203
CC: (none) => thierry.vignaud
Mandriva has issued an advisory for this today (June 5): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:087
Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO
Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated nut packages fix security vulnerability:

Buffer overflow in the addchar function in common/parseconf.c in upsd in Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (electric-power outage) via a long string containing non-printable characters (CVE-2012-2944).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2944
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:087
========================

Updated packages in core/updates_testing:
========================
nut-2.6.0-2.1.mga1
libupsclient1-2.6.0-2.1.mga1
nut-server-2.6.0-2.1.mga1
nut-drivers-hal-2.6.0-2.1.mga1
nut-cgi-2.6.0-2.1.mga1
nut-devel-2.6.0-2.1.mga1
nut-2.6.1-1.1.mga2
libupsclient1-2.6.1-1.1.mga2
nut-server-2.6.1-1.1.mga2
nut-drivers-hal-2.6.1-1.1.mga2
nut-cgi-2.6.1-1.1.mga2
nut-devel-2.6.1-1.1.mga2

from SRPMS:
nut-2.6.0-2.1.mga1.src.rpm
nut-2.6.1-1.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Tested on mga2 x86_64. Installed nut-server and after configuring a dummy ups (see 'man dummy-ups') I could reproduce the bug using the method described here: http://alioth.debian.org/tracker/?func=detail&aid=313636 (after sending some zeros or random data upsd either crashed or became unresponsive so that 'upsc dummy' did not work any more and the daemon could only be killed by -9). After installing the updated packages from Testing (version 2.6.1-1.1.mga2) I could not crash upsd any more and in the debug output I see messages confirming the fix: addchar: discarding invalid character (0x00)!
CC: (none) => balaton
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK
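The following C example, added here and not taken from the bug report or from NUT's source, shows the defensive pattern that the "addchar: discarding invalid character (0x00)!" debug message points to: a word buffer that discards non-printable bytes, tracks its length explicitly, and enforces a hard cap. The names wordbuf_t, wb_addchar, wb_feed and WB_MAX, and the 256-byte cap, are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#define WB_MAX 256  /* assumed per-word cap, chosen for this example */

/* Hypothetical word buffer (not NUT's parser context). */
typedef struct {
    char  *buf;
    size_t len, cap;   /* bytes stored (tracked explicitly, never via strlen) / allocated */
    size_t dropped;    /* non-printable bytes discarded */
} wordbuf_t;

/* Append one byte: 1 = stored, 0 = discarded, -1 = cap reached or alloc failure. */
static int wb_addchar(wordbuf_t *w, unsigned char c)
{
    if (!isprint(c)) { w->dropped++; return 0; }  /* NUL and other control bytes */
    if (w->len + 1 >= w->cap) {                   /* keep room for the terminator */
        size_t ncap = w->cap ? w->cap * 2 : 16;
        char *nbuf;
        if (ncap > WB_MAX || (nbuf = realloc(w->buf, ncap)) == NULL)
            return -1;
        w->buf = nbuf;
        w->cap = ncap;
    }
    w->buf[w->len++] = (char)c;
    w->buf[w->len] = '\0';
    return 1;
}

/* Feed n bytes; returns how many were stored, stopping at the first error. */
size_t wb_feed(wordbuf_t *w, const unsigned char *data, size_t n)
{
    size_t stored = 0;
    for (size_t i = 0; i < n; i++) {
        int r = wb_addchar(w, data[i]);
        if (r < 0) break;
        stored += (size_t)r;
    }
    return stored;
}

int main(void)
{
    static const unsigned char in[] = "\0\0\0\0LIST UPS";  /* constructed input */
    wordbuf_t w = {0};
    size_t n = wb_feed(&w, in, sizeof in - 1);
    printf("stored=%zu dropped=%zu word=\"%s\"\n", n, w.dropped, w.buf);
    free(w.buf);
    return 0;
}
```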
Testing mga2 32

The man page is confusing for dummy-ups as it talks of using /etc/nut/ by default where we seem to use /etc/ups/

Followed the example here: http://www.networkupstools.org/docs/developer-guide.chunked/ar01s10.html

Saved evolution500.seq as /etc/ups/evolution500.dev
Altered /etc/ups/ups.conf adding the [dummy] section at the end.

# upsdrvctl start dummy
Network UPS Tools - UPS driver controller 2.6.1
Network UPS Tools - Device simulation and repeater driver 0.12 (2.6.1)

# upsd
Network UPS Tools upsd 2.6.1
listening on 127.0.0.1 port 3493
listening on ::1 port 3493
Connected to UPS [dummy]: dummy-ups-dummy

# upsc dummy
Shows the contents of the evolution500.dev file loaded.

Before
------
Installed netcat and tested with the printf command line given in the testcase from comment 3. It hangs.

# printf "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n" | netcat 127.0.0.1 3493

From another terminal tab..

# upsc dummy
Error: Server disconnected

# ps aux | grep upsd
Shows it running but unresponsive. Killall upsd doesn't work so used killall -9 upsd

Same results as Zoltan.

After
-----
# upsdrvctl stop dummy
Network UPS Tools - UPS driver controller 2.6.1

# upsdrvctl start dummy
Network UPS Tools - UPS driver controller 2.6.1
Network UPS Tools - Device simulation and repeater driver 0.12 (2.6.1)

# upsd
Network UPS Tools upsd 2.6.1
listening on 127.0.0.1 port 3493
listening on ::1 port 3493
Connected to UPS [dummy]: dummy-ups-dummy

# upsc dummy
battery.charge: 90
battery.charge.low: 30
etc.

# printf "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n" | netcat 127.0.0.1 3493
ERR UNKNOWN-COMMAND

From the 2nd tab

# upsc dummy
Shows settings as normal.

Testing complete mga2 32
Hardware: i586 => All
Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO MGA2-64-OK mga2-32-OK
Tested on Mageia 2 X86_64 with real ups server running, continues to work normally.
CC: (none) => deri
Testing complete x86_64 Mageia 1
Whiteboard: MGA1TOO MGA2-64-OK mga2-32-OK => MGA1TOO MGA2-64-OK mga2-32-OK mga1-64-OK
I'll test Mageia 1 i586 using the dummy ups shortly.
CC: (none) => davidwhodgins
Testing complete Mageia 1 i586.

Could someone from the sysadmin team push the srpm nut-2.6.1-1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm nut-2.6.0-2.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated nut packages fix a security vulnerability:

Buffer overflow in the addchar function in common/parseconf.c in upsd in Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (electric-power outage) via a long string containing non-printable characters (CVE-2012-2944).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2944
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:087
https://bugs.mageia.org/show_bug.cgi?id=6282
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK mga2-32-OK mga1-64-OK => MGA1TOO MGA2-64-OK mga2-32-OK mga1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0155
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED