Bug 6329 - arpwatch new security issue CVE-2012-2653
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: http://lwn.net/Vulnerabilities/500144/
: MGA1TOO mga2-32-OK mga2-64-OK mga1-64...
: validated_update
Reported: 2012-06-04 21:56 CEST by David Walser
Modified: 2012-06-27 16:31 CEST

Source RPM: arpwatch-2.1a15-8.mga1.src.rpm


Description David Walser 2012-06-04 21:56:55 CEST
Debian has issued an advisory on June 2:
http://www.debian.org/security/2012/dsa-2481

The issue was caused by a Red Hat patch that Debian borrowed, and we have borrowed this patch as well (arpwatch-2.1a13-drop_root.diff).

Cauldron/Mageia 2 are affected as well.

Here is the Red Hat bug for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=825328
Comment 1 David Walser 2012-06-15 19:37:23 CEST
I fixed this by updating the patch.  Fixed in Cauldron, Mageia 2, and Mageia 1.

Advisory:
========================

Updated arpwatch package fixes security vulnerability:

Steve Grubb from Red Hat discovered that a patch for arpwatch (as
shipped at least in Red Hat and Debian distributions) in order to
make it drop root privileges would fail to do so and instead add
the root group to the list of groups the daemon uses (CVE-2012-2653).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2653
http://www.debian.org/security/2012/dsa-2481
========================

Updated packages in core/updates_testing:
========================
arpwatch-2.1a15-8.1.mga1
arpwatch-2.1a15-9.1.mga2

from SRPMS:
arpwatch-2.1a15-8.1.mga1.src.rpm
arpwatch-2.1a15-9.1.mga2.src.rpm
Comment 2 Zoltan Balaton 2012-06-24 16:56:16 CEST
Tested this on mga2-x86_64:

Before update:

$ grep ^[NUG] /proc/3220/status
Name:	arpwatch
Uid:	492	492	492	492
Gid:	487	487	487	487
Groups:	0

After update from Testing:

$ grep ^[NUG] /proc/3444/status
Name:	arpwatch
Uid:	492	492	492	492
Gid:	487	487	487	487
Groups:	487
Comment 3 claire robinson 2012-06-24 17:22:36 CEST
Testing complete i586 Mageia 1

Thanks for testing Zoltan, adding the whiteboard keyword.

Before
------
Altered /etc/sysconfig/arpwatch as I don't have an active eth0

Started arpwatch service

# ps -e | grep arpwatch | grep -v grep
25670 ?        00:00:00 arpwatch

# grep ^[NUG] /proc/25670/status
Name:   arpwatch
Uid:    469     469     469     469
Gid:    412     412     412     412
Groups: 0 

# grep arpwatch /etc/passwd
arpwatch:x:469:412:system user for arpwatch:/var/lib/arpwatch:/bin/sh

# grep root /etc/group
root:x:0:

Shows it is using group 0 which is root.


After
-----
# rpm -q arpwatch
arpwatch-2.1a15-9.1.mga2

# service arpwatch restart
Restarting arpwatch (via systemctl):              [  OK  ]

# ps -e | grep arpwatch | grep -v grep
26452 ?        00:00:00 arpwatch

# grep ^[NUG] /proc/26452/status
Name:   arpwatch
Uid:    469     469     469     469
Gid:    412     412     412     412
Groups: 412 

Shows it is now using arpwatch group.
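
The manual /proc/<pid>/status check used in comments 2 and 3, written as a reusable audit (an added example, not part of the original bug report or the arpwatch package). It goes slightly beyond the Groups line and also flags a leftover real, saved or filesystem uid/gid of 0; the function names are hypothetical.

```python
import sys

# Status excerpts copied from comment 2 on this page (mga2 x86_64, before/after the update).
BEFORE = "Name:\tarpwatch\nUid:\t492\t492\t492\t492\nGid:\t487\t487\t487\t487\nGroups:\t0\n"
AFTER = "Name:\tarpwatch\nUid:\t492\t492\t492\t492\nGid:\t487\t487\t487\t487\nGroups:\t487\n"

LABELS = ("real", "effective", "saved", "filesystem")  # column order in Uid:/Gid: lines


def parse_status(text):
    """Extract Name, Uid, Gid and Groups from the text of /proc/<pid>/status."""
    raw = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Name", "Uid", "Gid", "Groups"):
            raw[key] = value.split()
    if len(raw.get("Uid", [])) != 4 or len(raw.get("Gid", [])) != 4:
        raise ValueError("input is not a /proc/<pid>/status dump")
    return {
        "name": " ".join(raw.get("Name", [])),
        "uids": [int(v) for v in raw["Uid"]],
        "gids": [int(v) for v in raw["Gid"]],
        "groups": [int(v) for v in raw.get("Groups", [])],
    }


def leftover_root(text):
    """Return the root identities a process kept after giving up effective uid 0."""
    st = parse_status(text)
    if st["uids"][1] == 0:
        return []  # still running as root: no privilege drop to audit
    found = [f"{l} uid 0" for l, u in zip(LABELS, st["uids"]) if u == 0]
    found += [f"{l} gid 0" for l, g in zip(LABELS, st["gids"]) if g == 0]
    if 0 in st["groups"]:
        found.append("supplementary group 0")
    return found


if __name__ == "__main__":
    # With PIDs as arguments, audit live processes; otherwise replay the page's samples.
    if sys.argv[1:]:
        samples = []
        for pid in sys.argv[1:]:
            with open(f"/proc/{pid}/status") as fh:
                samples.append((pid, fh.read()))
    else:
        samples = [("before", BEFORE), ("after", AFTER)]
    for label, text in samples:
        issues = leftover_root(text)
        print(label, parse_status(text)["name"], "FAIL: " + ", ".join(issues) if issues else "ok")
```
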
Comment 4 claire robinson 2012-06-24 17:23:21 CEST
Testing was Mageia 2 above, not Mageia 1 as stated
Comment 5 claire robinson 2012-06-24 17:39:40 CEST
Testing complete Mageia 1 64

tail /var/spool/mail/root shows new stations discovered, as it finds them.
Comment 6 claire robinson 2012-06-25 11:26:54 CEST
Testing complete Mageia 1 32

Validating

Updates for mga1 and mga2

See comment 1 for advisory and srpms

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 7 Thomas Backlund 2012-06-27 16:31:48 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0129
