Ubuntu has issued an advisory on February 1: http://www.ubuntu.com/usn/usn-1354-1/ Patched package uploaded for Mageia 1, Mageia 2, and Cauldron. Advisory: ======================== Updated usbmuxd packages fix security vulnerability: It was discovered that usbmuxd did not correctly perform bounds checking when processing the SerialNumber field of USB devices. An attacker with physical access could use this to crash usbmuxd or potentially execute arbitrary code as the 'usbmux' user (CVE-2012-0065). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0065 http://www.ubuntu.com/usn/usn-1354-1/ ======================== Updated packages in core/updates_testing: ======================== usbmuxd-1.0.7-1.1.mga1 libusbmuxd1-1.0.7-1.1.mga1 libusbmuxd-devel-1.0.7-1.1.mga1 usbmuxd-1.0.7-2.1.mga2 libusbmuxd1-1.0.7-2.1.mga2 libusbmuxd-devel-1.0.7-2.1.mga2 from SRPMS: usbmuxd-1.0.7-1.1.mga1.src.rpm usbmuxd-1.0.7-2.1.mga2.src.rpm
Colin, for Mageia 1 I also added the patch that you added in 1.0.7-2: Ensure the usbmux user can actually access the iDevice node. Please scream if this is wrong.
CC: (none) => mageiaWhiteboard: (none) => MGA1TOOSeverity: normal => major
For this one, you need an ipod or an iphone. Anyone at QA has this kind of device?
CC: (none) => stormi
Mail sent to mageia-discuss to ask for testers.
@David, seems correct, but I have neither Mageia 1 nor a iOS device these days so can't really help much with testing I'm afraid :s One issue I can spot, is that the udev run now runs setfacl, but actually nothing much (including usbmuxd) actually requires the acl package... might be worth adding a "Requires: acl" in there somewhere. Probably my fault originally. It's also a bit hacky to do this but meh, if it works :)
Indeed. It's only required by hal, which is going away. This is a good solution I think. Adding the requires. Colin, BTW, if you get a chance, could you look into why I had to add -DUSB_INCLUDE_DIR=/usr/include/libusb-1.0 to the cmake line in Cauldron? I shouldn't have had to do that, it should be able to find it itself. Maybe something wrong with the new libusbx?
Updating subrels in advisory. Note that 2317 is in effect now :o) Advisory: ======================== Updated usbmuxd packages fix security vulnerability: It was discovered that usbmuxd did not correctly perform bounds checking when processing the SerialNumber field of USB devices. An attacker with physical access could use this to crash usbmuxd or potentially execute arbitrary code as the 'usbmux' user (CVE-2012-0065). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0065 http://www.ubuntu.com/usn/usn-1354-1/ ======================== Updated packages in core/updates_testing: ======================== usbmuxd-1.0.7-1.2.mga1 libusbmuxd1-1.0.7-1.2.mga1 libusbmuxd-devel-1.0.7-1.2.mga1 usbmuxd-1.0.7-2.2.mga2 libusbmuxd1-1.0.7-2.2.mga2 libusbmuxd-devel-1.0.7-2.2.mga2 from SRPMS: usbmuxd-1.0.7-1.2.mga1.src.rpm usbmuxd-1.0.7-2.2.mga2.src.rpm
In Mageia 1, both usbmuxd and libusbmuxd1 show changes: [samuel@localhost rpm]$ rpmdiff -iT libusbmuxd1-1.0.7-1.mga1.i586.rpm libusbmuxd1-1.0.7-1.2.mga1.i586.rpm removed PROVIDES libusbmuxd1(x86-32) = 1.0.7-1.mga1 added PROVIDES libusbmuxd1(x86-32) = 1.0.7-1.2.mga1 S.5........ /usr/lib/libusbmuxd.so.1.0.7 [samuel@localhost rpm]$ rpmdiff -iT usbmuxd-1.0.7-1.mga1.i586.rpm usbmuxd-1.0.7-1.2.mga1.i586.rpm added REQUIRES acl removed PROVIDES usbmuxd(x86-32) = 1.0.7-1.mga1 added PROVIDES usbmuxd(x86-32) = 1.0.7-1.2.mga1 S.5........ /lib/udev/rules.d/85-usbmuxd.rules ..5........ /usr/sbin/usbmuxd
Here's the list of packages that depend on libusbmuxd1 in Mageia 1: [samuel@localhost rpm]$ urpmq --whatrequires-recursive libusbmuxd1 | sort -u amarok amarok-scripts banshee-ipod clementine exaile gecko-mediaplayer gnome-mplayer gpodder gtkpod gvfs-iphone kadu-module-mediaplayer_amarok2 kipi-plugins-ipodexport lastfm-player libgpod libgpod4 libgpod-devel libgpod-sharp libgtkpod1 libgtkpod-devel libimobiledevice libimobiledevice1 libimobiledevice-devel libusbmuxd1 libusbmuxd-devel python-gpod python-imobiledevice rhythmbox rhythmbox-mozilla rhythmbox-upnp usbmuxd So testing could be using an iPod or iPhone with amarok, gpodder, gtkpod, or other tool and check the lib is used and that it works. Who's got that kind of device?
I've confirmed the packages install cleanly on both arches, both releases. Without hardware to test it with, though, that's all I can do. The request for testers has not been answered, so I'm going ahead and validating this update. Could someone from the sysadmin team push the srpm usbmuxd-1.0.7-2.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm usbmuxd-1.0.7-1.2.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated usbmuxd packages fix security vulnerability: It was discovered that usbmuxd did not correctly perform bounds checking when processing the SerialNumber field of USB devices. An attacker with physical access could use this to crash usbmuxd or potentially execute arbitrary code as the 'usbmux' user (CVE-2012-0065). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0065 http://www.ubuntu.com/usn/usn-1354-1/ https://bugs.mageia.org/show_bug.cgi?id=6945
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugs
I see reference to bug 2317 in comment 6 but no depcheck lists for mga1 and mga2 ??
CC: (none) => tmb
(In reply to comment #10) > I see reference to bug 2317 in comment 6 but no depcheck lists for mga1 and > mga2 ?? The "acl" package was added as a requires, so checking by hand, it looks like these would need linking: acl libacl1 libattr1
According to depcheck there's no linking required apparently.
Ok, thanks for checking... Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0228
Status: NEW => RESOLVEDResolution: (none) => FIXED