Bug 6789 - mono new security issue CVE-2012-3382
: mono new security issue CVE-2012-3382
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/506690/
: MGA1-32-OK MGA1-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-07-16 14:59 CEST by David Walser
Modified: 2012-08-23 09:55 CEST (History)
7 users (show)

See Also:
Source RPM: mono-2.10.1-1.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-07-16 14:59:03 CEST
Debian has issued an advisory on July 12:
http://lwn.net/Alerts/506684/

Mageia 2 is not affected as it was fixed upstream in 2.10.9.

Debian's bugzilla has a link to the upstream fix:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681095
Comment 1 David Walser 2012-07-26 22:53:44 CEST
Ubuntu has issued an advisory for this on July 25:
http://www.ubuntu.com/usn/usn-1517-1/
Comment 2 Shlomi Fish 2012-08-11 18:18:36 CEST
(In reply to comment #0)
> Debian has issued an advisory on July 12:
> http://lwn.net/Alerts/506684/
> 
> Mageia 2 is not affected as it was fixed upstream in 2.10.9.
> 
> Debian's bugzilla has a link to the upstream fix:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681095

Patch applied and submitted in mono-2.10.1-1.1.mga1 that is now built in core/updates_testing of Mageia 1. Please test.

Regards,

-- Shlomi Fish
Comment 3 David Walser 2012-08-11 18:54:14 CEST
Thanks Shlomi!

Advisory:
========================

Updated mono packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function
in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8
and earlier allows remote attackers to inject arbitrary web script or HTML
via a file with a crafted name and a forbidden extension, which is not
properly handled in an error message (CVE-2012-3382).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3382
http://www.debian.org/security/2012/dsa-2512
========================

Updated packages in core/updates_testing:
========================
mono-2.10.1-1.1.mga1
mono-doc-2.10.1-1.1.mga1
libmono0-2.10.1-1.1.mga1
libmono2.0_1-2.10.1-1.1.mga1
mono-data-sqlite-2.10.1-1.1.mga1
libmono-devel-2.10.1-1.1.mga1
mono-winfxcore-2.10.1-1.1.mga1
mono-web-2.10.1-1.1.mga1
mono-data-oracle-2.10.1-1.1.mga1
mono-data-2.10.1-1.1.mga1
mono-extras-2.10.1-1.1.mga1
mono-ibm-data-db2-2.10.1-1.1.mga1
mono-winforms-2.10.1-1.1.mga1
mono-locale-extras-2.10.1-1.1.mga1
mono-data-postgresql-2.10.1-1.1.mga1
mono-nunit-2.10.1-1.1.mga1
monodoc-core-2.10.1-1.1.mga1
mono-wcf-2.10.1-1.1.mga1

from mono-2.10.1-1.1.mga1.src.rpm
Comment 4 Dave Hodgins 2012-08-12 00:05:31 CEST
Trying to test this using the examples at
http://www.mono-project.com/Consuming_a_WebService

Looks like the documentation is out of date.

I replaced http://api.google.com/GoogleSearch.wsdl with
http://code.creativecommons.org/svnroot/stats/GoogleSearch.wsdl
but compiling the sample code, spellchecker.cs, fails with

$ mcs /r:GoogleSearchService.dll spellchecker.cs
spellchecker.cs(11,17): error CS0012: The type `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an assembly that is not referenced. Consider adding a reference to assembly `System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
spellchecker.cs(11,52): error CS0012: The type `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an assembly that is not referenced. Consider adding a reference to assembly `System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
Compilation failed: 2 error(s), 0 warnings

Also I don't see anything on the google accounts page about getting a key.

Any link to a more suitable example, to use for testing?
Comment 5 Shlomi Fish 2012-08-17 13:26:26 CEST
Hi David,

(In reply to comment #4)
> Trying to test this using the examples at
> http://www.mono-project.com/Consuming_a_WebService
> 
> Looks like the documentation is out of date.
> 
> I replaced http://api.google.com/GoogleSearch.wsdl with
> http://code.creativecommons.org/svnroot/stats/GoogleSearch.wsdl
> but compiling the sample code, spellchecker.cs, fails with
> 
> $ mcs /r:GoogleSearchService.dll spellchecker.cs
> spellchecker.cs(11,17): error CS0012: The type
> `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an
> assembly that is not referenced. Consider adding a reference to assembly
> `System.Web.Services, Version=2.0.0.0, Culture=neutral,
> PublicKeyToken=b03f5f7f11d50a3a'
> spellchecker.cs(11,52): error CS0012: The type
> `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an
> assembly that is not referenced. Consider adding a reference to assembly
> `System.Web.Services, Version=2.0.0.0, Culture=neutral,
> PublicKeyToken=b03f5f7f11d50a3a'
> Compilation failed: 2 error(s), 0 warnings
> 
> Also I don't see anything on the google accounts page about getting a key.
> 
> Any link to a more suitable example, to use for testing?

I'm not a Mono or .NET expert either, but you can try testing it by running Mono-based applications such as Banshee, Tomboy, or F-Spot, and seeing if they are mostly OK.
Comment 6 David Walser 2012-08-20 15:28:25 CEST
Mandriva has issued an advisory for this today (August 20):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:140
Comment 7 Dave Hodgins 2012-08-22 01:09:58 CEST
Testing complete on Mageia 1 i586.

Testing using f-spot and banshee with last-fm and the Internet Archive.

I'll test Mageia 1 x86-64 shortly.
Comment 8 Dave Hodgins 2012-08-22 01:29:15 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
mono-2.10.1-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated mono packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function
in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8
and earlier allows remote attackers to inject arbitrary web script or HTML
via a file with a crafted name and a forbidden extension, which is not
properly handled in an error message (CVE-2012-3382).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3382
http://www.debian.org/security/2012/dsa-2512

https://bugs.mageia.org/show_bug.cgi?id=6789
Comment 9 Thomas Backlund 2012-08-23 09:55:20 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0232

Note You need to log in before you can comment on or make changes to this bug.