Bug 6945 - usbmuxd missing update for CVE-2012-0065
: usbmuxd missing update for CVE-2012-0065
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/478710/
: MGA1TOO
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-03 21:55 CEST by David Walser
Modified: 2012-08-18 20:06 CEST (History)
5 users (show)

See Also:
Source RPM: usbmuxd-1.0.7-2.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-08-03 21:55:15 CEST
Ubuntu has issued an advisory on February 1:
http://www.ubuntu.com/usn/usn-1354-1/

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated usbmuxd packages fix security vulnerability:

It was discovered that usbmuxd did not correctly perform bounds checking
when processing the SerialNumber field of USB devices. An attacker with
physical access could use this to crash usbmuxd or potentially execute
arbitrary code as the 'usbmux' user (CVE-2012-0065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0065
http://www.ubuntu.com/usn/usn-1354-1/
========================

Updated packages in core/updates_testing:
========================
usbmuxd-1.0.7-1.1.mga1
libusbmuxd1-1.0.7-1.1.mga1
libusbmuxd-devel-1.0.7-1.1.mga1
usbmuxd-1.0.7-2.1.mga2
libusbmuxd1-1.0.7-2.1.mga2
libusbmuxd-devel-1.0.7-2.1.mga2

from SRPMS:
usbmuxd-1.0.7-1.1.mga1.src.rpm
usbmuxd-1.0.7-2.1.mga2.src.rpm
Comment 1 David Walser 2012-08-03 21:56:16 CEST
Colin, for Mageia 1 I also added the patch that you added in 1.0.7-2:
Ensure the usbmux user can actually access the iDevice node.

Please scream if this is wrong.
Comment 2 Samuel Verschelde 2012-08-04 09:16:37 CEST
For this one, you need an ipod or an iphone. Anyone at QA has this kind of device?
Comment 3 Samuel Verschelde 2012-08-04 09:23:52 CEST
Mail sent to mageia-discuss to ask for testers.
Comment 4 Colin Guthrie 2012-08-04 13:42:02 CEST
@David, seems correct, but I have neither Mageia 1 nor a iOS device these days so can't really help much with testing I'm afraid :s

One issue I can spot, is that the udev run now runs setfacl, but actually nothing much (including usbmuxd) actually requires the acl package... might be worth adding a "Requires: acl" in there somewhere. Probably my fault originally. It's also a bit hacky to do this but meh, if it works :)
Comment 5 David Walser 2012-08-04 20:45:18 CEST
Indeed.  It's only required by hal, which is going away.  This is a good solution I think.  Adding the requires.

Colin, BTW, if you get a chance, could you look into why I had to add -DUSB_INCLUDE_DIR=/usr/include/libusb-1.0 to the cmake line in Cauldron?  I shouldn't have had to do that, it should be able to find it itself.  Maybe something wrong with the new libusbx?
Comment 6 David Walser 2012-08-04 20:48:15 CEST
Updating subrels in advisory.  Note that 2317 is in effect now :o)

Advisory:
========================

Updated usbmuxd packages fix security vulnerability:

It was discovered that usbmuxd did not correctly perform bounds checking
when processing the SerialNumber field of USB devices. An attacker with
physical access could use this to crash usbmuxd or potentially execute
arbitrary code as the 'usbmux' user (CVE-2012-0065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0065
http://www.ubuntu.com/usn/usn-1354-1/
========================

Updated packages in core/updates_testing:
========================
usbmuxd-1.0.7-1.2.mga1
libusbmuxd1-1.0.7-1.2.mga1
libusbmuxd-devel-1.0.7-1.2.mga1
usbmuxd-1.0.7-2.2.mga2
libusbmuxd1-1.0.7-2.2.mga2
libusbmuxd-devel-1.0.7-2.2.mga2

from SRPMS:
usbmuxd-1.0.7-1.2.mga1.src.rpm
usbmuxd-1.0.7-2.2.mga2.src.rpm
Comment 7 Samuel Verschelde 2012-08-06 11:55:59 CEST
In Mageia 1, both usbmuxd and libusbmuxd1 show changes:

[samuel@localhost rpm]$ rpmdiff -iT libusbmuxd1-1.0.7-1.mga1.i586.rpm libusbmuxd1-1.0.7-1.2.mga1.i586.rpm
removed     PROVIDES libusbmuxd1(x86-32) = 1.0.7-1.mga1
added       PROVIDES libusbmuxd1(x86-32) = 1.0.7-1.2.mga1
S.5........ /usr/lib/libusbmuxd.so.1.0.7

[samuel@localhost rpm]$ rpmdiff -iT usbmuxd-1.0.7-1.mga1.i586.rpm usbmuxd-1.0.7-1.2.mga1.i586.rpm
added       REQUIRES acl
removed     PROVIDES usbmuxd(x86-32) = 1.0.7-1.mga1
added       PROVIDES usbmuxd(x86-32) = 1.0.7-1.2.mga1
S.5........ /lib/udev/rules.d/85-usbmuxd.rules
..5........ /usr/sbin/usbmuxd
Comment 8 Samuel Verschelde 2012-08-06 11:58:39 CEST
Here's the list of packages that depend on libusbmuxd1 in Mageia 1: 

[samuel@localhost rpm]$ urpmq --whatrequires-recursive libusbmuxd1 | sort -u
amarok
amarok-scripts
banshee-ipod
clementine
exaile
gecko-mediaplayer
gnome-mplayer
gpodder
gtkpod
gvfs-iphone
kadu-module-mediaplayer_amarok2
kipi-plugins-ipodexport
lastfm-player
libgpod
libgpod4
libgpod-devel
libgpod-sharp
libgtkpod1
libgtkpod-devel
libimobiledevice
libimobiledevice1
libimobiledevice-devel
libusbmuxd1
libusbmuxd-devel
python-gpod
python-imobiledevice
rhythmbox
rhythmbox-mozilla
rhythmbox-upnp
usbmuxd

So testing could be using an iPod or iPhone with amarok, gpodder, gtkpod, or other tool and check the lib is used and that it works. Who's got that kind of device?
Comment 9 Dave Hodgins 2012-08-14 02:00:52 CEST
I've confirmed the packages install cleanly on both arches, both releases.

Without hardware to test it with, though, that's all I can do.  The
request for testers has not been answered, so I'm going ahead and
validating this update.

Could someone from the sysadmin team push the srpm
usbmuxd-1.0.7-2.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
usbmuxd-1.0.7-1.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated usbmuxd packages fix security vulnerability:

It was discovered that usbmuxd did not correctly perform bounds checking
when processing the SerialNumber field of USB devices. An attacker with
physical access could use this to crash usbmuxd or potentially execute
arbitrary code as the 'usbmux' user (CVE-2012-0065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0065
http://www.ubuntu.com/usn/usn-1354-1/

https://bugs.mageia.org/show_bug.cgi?id=6945
Comment 10 Thomas Backlund 2012-08-18 10:24:19 CEST
I see reference to bug 2317 in comment 6 but no depcheck lists for mga1 and mga2 ??
Comment 11 David Walser 2012-08-18 16:05:36 CEST
(In reply to comment #10)
> I see reference to bug 2317 in comment 6 but no depcheck lists for mga1 and
> mga2 ??

The "acl" package was added as a requires, so checking by hand, it looks like these would need linking:
acl
libacl1
libattr1
Comment 12 Samuel Verschelde 2012-08-18 17:33:25 CEST
According to depcheck there's no linking required apparently.
Comment 13 Thomas Backlund 2012-08-18 20:06:59 CEST
Ok, thanks for checking...

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0228

Note You need to log in before you can comment on or make changes to this bug.