Bug 7674 - inn new security issue CVE-2012-3523
: inn new security issue CVE-2012-3523
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/518325/
: MGA1TOO MGA1-64-OK MGA1-32-OK has_pro...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-10-02 12:48 CEST by David Walser
Modified: 2012-10-29 00:43 CET (History)
5 users (show)

See Also:
Source RPM: inn-2.5.2-5.mga2.src.rpm
CVE:
Status comment:


Attachments
Procedure used for testing (1.77 KB, text/plain)
2012-10-19 03:00 CEST, Dave Hodgins
Details
Procdure used for testing (1.75 KB, text/plain)
2012-10-19 03:47 CEST, Dave Hodgins
Details
Procedure used for testing (1.74 KB, text/plain)
2012-10-23 01:34 CEST, Dave Hodgins
Details
Procedure used for testing (1.74 KB, text/plain)
2012-10-23 01:36 CEST, Dave Hodgins
Details

Description David Walser 2012-10-02 12:48:19 CEST
Mandriva has issued an advisory today (October 2):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156

Mageia 1 and Mageia 2 are also affected.
Comment 1 David Walser 2012-10-03 18:25:29 CEST
Oden has fixed this in Cauldron by upgrading to 2.5.3.
Comment 2 David Walser 2012-10-09 23:26:41 CEST
Oden, is this change you made in Cauldron correct?

-         --with-berkeleydb=/usr/include/db4 \
+         --with-berkeleydb=%{_prefix} \
Comment 3 David Walser 2012-10-10 00:03:39 CEST
Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated inn packages fix security vulnerability:

The STARTTLS implementation in INN's NNTP server for readers, nnrpd,
before 2.5.3 does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted sessions
by sending a cleartext command that is processed after TLS is in place,
related to a plaintext command injection attack, a similar issue to
CVE-2011-0411 (CVE-2012-3523).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523
https://www.isc.org/software/inn/2.5.3article
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156
========================

Updated packages in core/updates_testing:
========================
inn-2.5.3-1.mga1
inn-devel-2.5.3-1.mga1
inews-2.5.3-1.mga1
inn-2.5.3-1.mga2
inn-devel-2.5.3-1.mga2
inews-2.5.3-1.mga2

from SRPMS:
inn-2.5.3-1.mga1.src.rpm
inn-2.5.3-1.mga2.src.rpm
Comment 4 Dave Hodgins 2012-10-18 20:18:25 CEST
Testing Mageia 1 shortly.
Comment 5 Dave Hodgins 2012-10-18 23:25:37 CEST
After installing, "inncheck -f -perm | /bin/sh" has to be run, to fix
the permissions, such as making /usr/bin/innbind suid, and correcting
the ownership of various other files.  Either the permissions and
ownership should be fixed, or the script run as a postinstall scriptlet.

On 64 bit systems, /etc/init.d/innd has the line
[ -d /usr/lib/news ] || exit 0
Either the check should be removed, or changed to
[ -d /usr/lib64/news ] || exit 0


The scripts in /usr/bin/, such as news.daily have
. /usr/lib64/inn/news/innshellvars

The innshellvars script is in /usr/bin.  Either all 14 of the scripts should
be fixed, or the directory /usr/lib64/inn/news created, with a symlink in it
to /usr/bin/innshellvars.

These bugs are not regressions, and are not blocking the update.  I'm just
making a note of them, for now, as I run into them.
Comment 6 Dave Hodgins 2012-10-18 23:52:12 CEST
In /usr/bin, so inncheck doesn't report errors,
ln -s /etc/rc.news

The inn package should suggest or require inews, to avoid error messages
when running inncheck.
Comment 7 Dave Hodgins 2012-10-19 02:59:09 CEST
Testing complete on Mageia 1 i586 and x86-64.

I set up inn on both, with each other as peers, added a newsgroup to
both, setup a usenet client for each, posted an article on each, and
read the article from both servers.

I'll append a text file with the procedure used.
Comment 8 Dave Hodgins 2012-10-19 03:00:44 CEST
Created attachment 2964 [details]
Procedure used for testing

Note that I manually fixed the problems identified in Comment 5.
Comment 9 Dave Hodgins 2012-10-19 03:14:23 CEST
Be careful using attachment 2964 [details]. Somehow some of the double quotes
are showing up as “ when viewed in a browser, instead of as ".
Comment 10 Dave Hodgins 2012-10-19 03:47:40 CEST
Created attachment 2965 [details]
Procdure used for testing

I've edited the file using mc, replacing all of the double quotes.

Hopefully they will now show up correctly in a web browser.
Comment 11 Dave Hodgins 2012-10-22 20:46:29 CEST
Testing Mageia 2 shortly.
Comment 12 Dave Hodgins 2012-10-22 23:16:15 CEST
Bug 7876 opened for the problems listed in comment 5.
Comment 13 Dave Hodgins 2012-10-23 01:34:37 CEST
Created attachment 2978 [details]
Procedure used for testing

Corrected the access/newsgroups setting.
Comment 14 Dave Hodgins 2012-10-23 01:36:28 CEST
Created attachment 2979 [details]
Procedure used for testing

Fixed more of the quotes.
Comment 15 Dave Hodgins 2012-10-23 01:42:47 CEST
Testing complete on Mageia 2 i586 and x86-64.

Testing using the same procedure as in comment 14, but using
i2v and x2v (Mageia 2 i586 vb guest and Mageia 2 x86-64 vb guests).

Could someone from the sysadmin team push the srpm
inn-2.5.3-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
inn-2.5.3-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated inn packages fix security vulnerability:

The STARTTLS implementation in INN's NNTP server for readers, nnrpd,
before 2.5.3 does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted sessions
by sending a cleartext command that is processed after TLS is in place,
related to a plaintext command injection attack, a similar issue to
CVE-2011-0411 (CVE-2012-3523).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523
https://www.isc.org/software/inn/2.5.3article
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156

https://bugs.mageia.org/show_bug.cgi?id=7674
Comment 16 Thomas Backlund 2012-10-29 00:43:15 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0305

Note You need to log in before you can comment on or make changes to this bug.