Bug 6329 - arpwatch new security issue CVE-2012-2653
Summary: arpwatch new security issue CVE-2012-2653
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/500144/
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK mga1-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-06-04 21:56 CEST by David Walser
Modified: 2012-06-27 16:31 CEST

See Also:
Source RPM: arpwatch-2.1a15-8.mga1.src.rpm
CVE:
Status comment:


Description David Walser 2012-06-04 21:56:55 CEST
Debian has issued an advisory on June 2:
http://www.debian.org/security/2012/dsa-2481

The issue was caused by a Red Hat patch that Debian borrowed, and we have borrowed this patch as well (arpwatch-2.1a13-drop_root.diff).

Cauldron/Mageia 2 are affected as well.

Here is the Red Hat bug for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=825328
David Walser 2012-06-14 23:56:42 CEST

CC: (none) => ennael1

David Walser 2012-06-14 23:56:59 CEST

Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-06-15 19:37:23 CEST
I fixed this by updating the patch.  Fixed in Cauldron, Mageia 2, and Mageia 1.

Advisory:
========================

Updated arpwatch package fixes security vulnerability:

Steve Grubb from Red Hat discovered that a patch for arpwatch (as
shipped at least in Red Hat and Debian distributions) in order to
make it drop root privileges would fail to do so and instead add
the root group to the list of groups the daemon uses (CVE-2012-2653).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2653
http://www.debian.org/security/2012/dsa-2481
========================

Updated packages in core/updates_testing:
========================
arpwatch-2.1a15-8.1.mga1
arpwatch-2.1a15-9.1.mga2

from SRPMS:
arpwatch-2.1a15-8.1.mga1.src.rpm
arpwatch-2.1a15-9.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 2 Zoltan Balaton 2012-06-24 16:56:16 CEST
Tested this on mga2-x86_64:

Before update:

$ grep ^[NUG] /proc/3220/status
Name:	arpwatch
Uid:	492	492	492	492
Gid:	487	487	487	487
Groups:	0

After update from Testing:

$ grep ^[NUG] /proc/3444/status
Name:	arpwatch
Uid:	492	492	492	492
Gid:	487	487	487	487
Groups:	487

CC: (none) => balaton

Comment 3 claire robinson 2012-06-24 17:22:36 CEST
Testing complete i586 Mageia 1

Thanks for testing Zoltan, adding the whiteboard keyword.

Before
------
Altered /etc/sysconfig/arpwatch as I don't have an active eth0

Started arpwatch service

# ps -e | grep arpwatch | grep -v grep
25670 ?        00:00:00 arpwatch

# grep ^[NUG] /proc/25670/status
Name:   arpwatch
Uid:    469     469     469     469
Gid:    412     412     412     412
Groups: 0 

# grep arpwatch /etc/passwd
arpwatch:x:469:412:system user for arpwatch:/var/lib/arpwatch:/bin/sh

# grep root /etc/group
root:x:0:

Shows it is using group 0 which is root.


After
-----
# rpm -q arpwatch
arpwatch-2.1a15-9.1.mga2

# service arpwatch restart
Restarting arpwatch (via systemctl):              [  OK  ]

# ps -e | grep arpwatch | grep -v grep
26452 ?        00:00:00 arpwatch

# grep ^[NUG] /proc/26452/status
Name:   arpwatch
Uid:    469     469     469     469
Gid:    412     412     412     412
Groups: 412 

Shows it is now using arpwatch group.

Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO mga2-32-OK mga2-64-OK

Comment 4 claire robinson 2012-06-24 17:23:21 CEST
Testing was Mageia 2 above, not Mageia 1 as stated.
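
The /proc/<pid>/status check the testers ran by hand in comments 2 and 3, written as a reusable script (an added example, not part of the original bug report or of the arpwatch package). It reports a process whose effective UID is non-root while GID 0 is still among its GIDs or supplementary groups; the function names are assumptions of this example, and the two samples are the arpwatch values from comment 2.

```shell
#!/bin/sh
# Added example: detect a daemon that dropped its UID but kept root's group.

# retains_root_group FILE
# FILE holds the text of /proc/<pid>/status. Exit status 0 means a finding:
# the effective UID is non-root, yet GID 0 is still among the process's
# real/effective/saved/fs GIDs or its supplementary Groups list.
retains_root_group() {
    awk '
        $1 == "Uid:"    { euid = $3 }
        $1 == "Gid:"    { for (i = 2; i <= NF; i++) if ($i == 0) hit = 1 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == 0) hit = 1 }
        END { exit ((euid != "" && euid != 0 && hit) ? 0 : 1) }
    ' "$1"
}

# scan_proc [NAME]
# Check every live process, or only those whose Name: field equals NAME.
# Returns 1 if at least one finding was printed, 0 otherwise.
scan_proc() {
    found=0
    for f in /proc/[0-9]*/status; do
        [ -r "$f" ] || continue
        name=$(awk '$1 == "Name:" { print $2; exit }' "$f" 2>/dev/null)
        [ -z "${1:-}" ] || [ "$name" = "$1" ] || continue
        if retains_root_group "$f" 2>/dev/null; then
            echo "FINDING: $f ($name) is non-root but still holds GID 0"
            found=1
        fi
    done
    return "$found"
}

# write_samples DIR
# Writes the two arpwatch status excerpts from comment 2 as DIR/before and DIR/after.
write_samples() {
    printf 'Name:\tarpwatch\nUid:\t492\t492\t492\t492\nGid:\t487\t487\t487\t487\nGroups:\t0\n' > "$1/before"
    printf 'Name:\tarpwatch\nUid:\t492\t492\t492\t492\nGid:\t487\t487\t487\t487\nGroups:\t487\n' > "$1/after"
}

# Demo on the samples: prints "before: still in group 0" and "after: ok".
d=$(mktemp -d) && write_samples "$d"
for s in before after; do
    if retains_root_group "$d/$s"; then echo "$s: still in group 0"; else echo "$s: ok"; fi
done
rm -rf "$d"
```

On a live host, `scan_proc arpwatch` applies the same check to the running daemon, and `scan_proc` with no argument checks every process.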
Comment 5 claire robinson 2012-06-24 17:39:40 CEST
Testing complete Mageia 1 64

tail /var/spool/mail/root shows new stations discovered, as it finds them.

Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK => MGA1TOO mga2-32-OK mga2-64-OK mga1-64-OK

Comment 6 claire robinson 2012-06-25 11:26:54 CEST
Testing complete Mageia 1 32

Validating

Updates for mga1 and mga2

See comment 1 for advisory and srpms

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK mga1-64-OK => MGA1TOO mga2-32-OK mga2-64-OK mga1-64-OK mga1-32-OK

Comment 7 Thomas Backlund 2012-06-27 16:31:48 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0129

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
