Bug 7803 - Webmin - Security Vulnerability
Summary: Webmin - Security Vulnerability
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact:
URL: http://www.kb.cert.org/vuls/id/788478
Whiteboard: mga2-32-ok mga2-64-ok
Keywords: validated_update
Depends on: 2317
Blocks: 3444
Reported: 2012-10-15 17:59 CEST by Derek Jennings
Modified: 2013-05-02 19:08 CEST

See Also:
Source RPM: webmin
CVE:
Status comment:


Attachments
Perl Authen::Libwrap SRPM (21.98 KB, application/x-rpm)
2013-04-22 15:05 CEST, Sandro Cazzaniga

Description Derek Jennings 2012-10-15 17:59:54 CEST
There are two security vulnerabilities for webmin 1.55 as shipped by Mageia

http://www.kb.cert.org/vuls/id/788478
http://www.webmin.com/security.html

Webmin 1.600 is available with these bugs fixed.


Because of Bug 3444 webmin does not work "out of the box" with Mageia. It would be nice if 3444 could be fixed at the same time as a security update. (The fix is real easy)
Comment 1 David Walser 2012-10-17 15:00:21 CEST
This package is unmaintained.  If you're interested, perhaps you could take it?
Comment 2 Derek Jennings 2012-10-18 07:48:26 CEST
Sure, I can probably handle a few other unmaintained packages too. 
How do I go about getting commit rights?
Comment 3 David Walser 2012-10-18 14:16:02 CEST
Great.  You just need to be mentored by one of the existing packagers.

We have an IRC channel #mageia-mentoring on freenode that you can get help in, and you can also announce on the mageia-dev mailing list that you're interested.

See these wiki pages for the most pertinent information:
https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
https://wiki.mageia.org/en/Packagers_Howto_start
Comment 5 David Walser 2012-12-14 21:47:10 CET
Updated packages uploaded for Mageia 2 and Cauldron.

The update has also been checked into Mageia 1 SVN.

Note to QA: I don't see a need to rush to validate this, as this package has been unmaintained and broken since being imported into Mageia, and there are a lot of changes here.  The main purpose of this update is to fix it so that it's actually functional, and the security issues are (IMO) secondary.  Please test thoroughly, and any other problems we find can also be fixed for Cauldron.

See Bug 3444 for a discussion of many of the issues that have been fixed.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact
Webmin versions prior to 1.610 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983,
CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage
of urpmi for installing and upgrading packages have been fixed.  Modules that
are not relevant to Mageia systems have been removed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
webmin-1.610-1.mga2

from webmin-1.610-1.mga2.src.rpm
Comment 6 Dave Hodgins 2012-12-15 00:02:05 CET
I used webmin to install openvpn ...
Installing package(s) with command urpmi --force --auto openvpn ..

My understanding is that the use of --force, is a really bad idea.

WDYT?
Comment 7 claire robinson 2012-12-15 00:36:20 CET
It sounds bad Dave, it's misleading really.
Taken from the urpmi man page..

--force
           Assume yes on all questions.
Comment 8 David Walser 2012-12-15 02:41:02 CET
Yep, as Claire said, webmin can't handle urpmi being interactive, --force prevents that.
Comment 9 Dave Hodgins 2012-12-15 03:36:15 CET
Thanks.  I had the --force option confused with the --allow-force option.
Comment 10 Alfred Kretschmer 2012-12-17 22:51:53 CET
Just tested in MGA2 x86_64, no errors so far. There are 78 modules activated and all start w/o problems.
Comment 11 Mark Adams 2012-12-17 23:52:53 CET
As per https://forums.mageia.org/en/viewtopic.php?f=7&t=4023&sid=bbe1908c9750c2b1217e62455e0f59a1&p=28890#p28890

Webmin does not work out of the box under Mageia 2 3.3.8-desktop586-2.mga2 (for example, crontab module does not work) and upgrading it to the more current version does not resolve the issue.

Details are in the forum post linked above. Summary: I shutdown the Webmin service, enabled the Core/Updates_testing repository, uninstalled Webmin, installed from the repo and disabled the repo.  This resolved the issue.
Comment 12 David Walser 2012-12-18 00:30:10 CET
So the version in updates_testing does resolve your issue Mark?  Your first sentence said it didn't.  Even from reading the forum thread it's not clear if you're reporting that there are still issues or not.

PS - the systemctl errors in the forum thread you linked I believe would be solved by running "systemctl daemon-reload" first.
Comment 13 Mark Adams 2012-12-18 08:45:14 CET
Sorry to seem incoherent. Reporting bugs is not something I do. The Powers That Be at Mageia forums suggested I contribute here, and so here I am.

To be clear, the version installed from updates_testing DOES resolve the issue. 

The version that installed with the OS is broken. That version is, I believe, 1.5.x. This is not the most current version and updating to ver. 1.6.x via the link in Webmin does not resolve the issue. 

And thank you for clarifying that info about systemctl.
Comment 14 David Walser 2012-12-18 15:25:17 CET
systemctl issue fixed (it needed to call _post_service in %post).

Updating advisory.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact
Webmin versions prior to 1.610 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983,
CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage
of urpmi for installing and upgrading packages have been fixed.  Modules that
are not relevant to Mageia systems have been removed.  When installed under
systemd, the webmin service should now be immediately usable.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
webmin-1.610-1.1.mga2

from webmin-1.610-1.1.mga2.src.rpm
Comment 15 William Kenney 2013-02-01 16:05:49 CET
I have created a new, updated 32-bit Mageia 2 install. I then installed
webmin 1.550 successfully. I then enabled updates_testing and then
executed an update to webmin 1.610. That was successful. I don't think
there's a 64-bit version of webmin.
Comment 16 David Walser 2013-02-07 21:44:44 CET
I've updated this again to 1.620, to fix a couple more security issues.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact
Webmin versions prior to 1.620 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983,
CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage
of urpmi for installing and upgrading packages have been fixed.  Modules that
are not relevant to Mageia systems have been removed.  When installed under
systemd, the webmin service should now be immediately usable.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
webmin-1.620-1.mga2

from webmin-1.620-1.mga2.src.rpm
Comment 17 claire robinson 2013-02-12 14:39:23 CET
Testing mga2 32

It recognises Mageia now rather than showing a warning.

Installed some updates using webmin. It installs each one separately but completes ok.

Tested postgresql module. It's able to initialise the database and start the server ok. Used it in testing postgresql update, bug 8997.

I'll check some other modules before completing i586
Comment 18 claire robinson 2013-02-12 15:05:50 CET
The file manager module needs icedtea-web but there is no require for it.

Do you want to add one?
Comment 19 claire robinson 2013-02-12 15:07:12 CET
Sorry, ignore that. Icedtea-web is required in the browser viewing the server, I'm connecting to localhost.
Comment 20 claire robinson 2013-02-12 15:11:19 CET
The 'Perl Modules' module which shows installed and recommends to install two which it says are used by webmin.

The following Perl modules are recommended for installation by Webmin :

Authen::Libwrap (used by webmin configuration)
IO::Pty (used by Running Processes)
Comment 21 claire robinson 2013-02-12 15:15:19 CET
This and the above modules can be found under 'Others'

SA-Configurator module shows..

The configured ShopAdmin installation directory ../DBAdmin does not exist.
Comment 22 claire robinson 2013-02-12 15:17:04 CET
Under Networking => ADSL Client

There is a preconfigured sympatico.ca username. I suspect that is unintended.
Comment 23 claire robinson 2013-02-12 15:23:01 CET
All others seem ok. Use it to install and configure a selection of 'Unused modules'
Comment 24 David Walser 2013-02-12 19:52:02 CET
(In reply to comment #22)
> Under Networking => ADSL Client
> 
> There is a preconfigured sympatico.ca username. I suspect that is unintended.

I don't see sympatico anywhere in the source tree.  Is that maybe your ISP and it's being automatically filled in?
Comment 25 David Walser 2013-02-12 19:57:43 CET
(In reply to comment #21)
> This and the above modules can be found under 'Others'
> 
> SA-Configurator module shows..
> 
> The configured ShopAdmin installation directory ../DBAdmin does not exist.

It looks like that'll only work if you have ShopAdmin installed.

I have no idea what that is.

Probably this thing for shopping carts on websites:
http://apsona.com/pages/ec/sa.html

A little Googling turns up exploits for ShopAdmin too...nice.

Anyway, probably not something to worry about.
Comment 26 David Walser 2013-02-12 20:05:54 CET
(In reply to comment #20)
> The 'Perl Modules' module which shows installed and recommends to install two
> which it says are used by webmin.
> 
> The following Perl modules are recommended for installation by Webmin :
> 
> Authen::Libwrap (used by webmin configuration)
> IO::Pty (used by Running Processes)

Does Webmin give you an easy way to install these when it finds such things?

Grepping the code shows several perl modules that it can optionally use:

Authen::Libwrap
Authen::PAM
Authen::SASL
Authen::SolarisRBAC
BER
Compress::Zlib
Crypt::Eksblowfish::Bcrypt
Crypt::UnixCrypt
DBD::mysql
DBD::Pg
DBI
Digest::MD5
Digest::SHA1
Filesys::Virtual::Plain
GD
HTTP::Headers
HTTP::Request
IO::Pty
IO::Stty
MD5
Module::Build
Mon::Client
NDBM_File
Net::DAV::Server
Net::DNS::SEC::Tools::dnssectools
Net::FTPSSL
Net::IMAP
Net::LDAP
Net::SNMP
Net::SSLeay
Net::XWhois
posix
POSIX
SDBM_File
SNMP_Session
Socket6
Sys::Hostname
Sys::Syslog
Time::HiRes
User::Utmp
Win32::Daemon
XML::Generator
XML::Parser

and probably some others (sometimes there's perl variables in the names that would get substituted in at runtime, not immediately clear what their values would be).
Comment 27 claire robinson 2013-02-16 23:51:26 CET
(In reply to comment #24)
> (In reply to comment #22)
> > Under Networking => ADSL Client
> > 
> > There is a preconfigured sympatico.ca username. I suspect that is unintended.
> 
> I don't see sympatico anywhere in the source tree.  Is that maybe your ISP and
> it's being automatically filled in?


Not my ISP, no. It could be some example data but then you'd think it would be in the code somewhere. No idea where it's come from.
Comment 28 claire robinson 2013-02-16 23:53:09 CET
How to cross reference perl modules to packages

https://wiki.mageia.org/en/QA_Tips_and_Tricks#Perl_Modules
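
The grep described in comment 26, combined with the module-to-package cross-reference from comment 28, as an added example (not code from this thread or from Webmin). It assumes optional modules are loaded as `eval "use Module;"`, runs over a small constructed sample tree, and prints each module as the RPM capability `perl(Module)`; names containing a Perl variable are flagged for manual review.

```shell
#!/bin/sh
# Added example: find Perl modules that a source tree loads optionally,
# so they can be declared as package Requires/Suggests instead of being
# fetched from CPAN at runtime.
# Assumption: optional loads look like  eval "use Some::Module;"

# list_optional_modules DIR
# Prints "perl(Name)" for literal module names and "DYNAMIC <text>" when
# the name contains a Perl variable whose value is only known at runtime.
list_optional_modules() {
    grep -rhoE --include='*.pl' --include='*.cgi' --include='*.pm' \
        "eval[[:space:]]*\(?[[:space:]]*[\"']use[[:space:]]+[^;\"' ]+" "$1" |
    sed -E 's/.*use[[:space:]]+//' |
    LC_ALL=C sort -u |
    while IFS= read -r name; do
        case "$name" in
            *'$'*) printf 'DYNAMIC %s\n' "$name" ;;
            *)     printf 'perl(%s)\n' "$name" ;;
        esac
    done
}

# demo: build a constructed sample tree (not real Webmin files) and scan it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lib"
    cat > "$d/a.cgi" <<'EOF'
eval "use Authen::PAM;";
eval "use IO::Pty";
eval "use $module;";
use strict;
EOF
    cat > "$d/lib/b.pl" <<'EOF'
eval 'use Net::SSLeay;';
eval "use IO::Pty";
require POSIX;
EOF
    list_optional_modules "$d"
    rm -rf "$d"
}

demo
```

Each `perl(...)` line can be passed to `rpm -q --whatprovides` to see whether an installed package already provides that module.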
Comment 29 claire robinson 2013-02-18 12:01:19 CET
(In reply to comment #26)
> (In reply to comment #20)
> > The 'Perl Modules' module which shows installed and recommends to install two
> > which it says are used by webmin.
> > 
> > The following Perl modules are recommended for installation by Webmin :
> > 
> > Authen::Libwrap (used by webmin configuration)
> > IO::Pty (used by Running Processes)
> 
> Does Webmin give you an easy way to install these when it finds such things?


It does, but it downloads them from cpan rather than installing our own packages.

It does have an extra step between downloading them and installing, to confirm the installation.

Module names 	IO::Tty 1.10
Authen::Libwrap 0.22
Source 	http://www.cpan.org/authors/id/T/TO/TODDR/IO-Tty-1.10.tar.gz
http://www.cpan.org/authors/id/D/DM/DMUEY/Authen-Libwrap-0.22.tar.gz
Pre-requisites 	Test::More (All installed)


Is it worth adding suggests?
Comment 30 claire robinson 2013-03-20 12:41:38 CET
Assigning David until this is ready

Please reassign to QA when you've had a chance to take a look

Thanks!
Comment 31 David Walser 2013-04-19 21:16:53 CEST
OK, after looking more closely at the code, I agree that IO::Tty and Authen::Libwrap should be required, but we don't have Authen::Libwrap packaged.

Jerome, would you mind importing perl-Authen-Libwrap to Mageia 2 and Cauldron?

I've added the require for IO::Tty in SVN, as well as fixing the config file used in the syslog configuration and the OS version detection.
Comment 32 David Walser 2013-04-19 23:39:44 CEST
Jerome, just FYI, Sandro volunteered to package Authen::Libwrap on Monday if you don't get to it by then.  Thanks.
Comment 33 Sandro Cazzaniga 2013-04-22 13:59:08 CEST
If jerome can do it faster than me, there's no problem. As I said, I'm encountering some difficulties.
Comment 34 Sandro Cazzaniga 2013-04-22 15:05:33 CEST
Created attachment 3785
Perl Authen::Libwrap SRPM
Comment 35 Sandro Cazzaniga 2013-04-22 15:06:46 CEST
I've attached my SRPM of Authen::Libwrap. As I said to jérôme on IRC, the only problem is that you have to hit enter to let the package build, and I'm afraid that it could block the build when we push it.
Comment 36 Sandro Cazzaniga 2013-04-22 15:17:58 CEST
Oh, I can automate it! Thanks Luigi, I commit it!

I let you do the work on webmin.
Comment 37 David Walser 2013-04-22 15:32:40 CEST
Thanks Sandro.  Freeze pushes have been requested for Cauldron.

Now we just need someone to tell us how to import Authen::Libwrap to mga2 :o)
Comment 38 Sandro Cazzaniga 2013-04-22 16:05:30 CEST
It's in core/updates_testing in mageia 2, I just asked for a new push for cauldron.
Comment 39 David Walser 2013-04-22 16:05:54 CEST
OK it's imported, but it (perl-Authen-Libwrap) needs to be deleted from Mageia 2 updates_testing so that it can be resubmitted with the proper release tag (1).  Sysadmins, please remove it.
Comment 40 Sandro Cazzaniga 2013-04-22 16:06:39 CEST
no need to, I synced the release number.
Comment 41 David Walser 2013-04-22 16:12:12 CEST
(In reply to Sandro Cazzaniga from comment #40)
> no need to, I synced the release number.

Just to be clear, this still needs removed from mga2/updates_testing.  The release tags have been reset to 1 in SVN.  Thanks.
Comment 42 David Walser 2013-04-22 16:30:30 CEST
OK, perl-Authen-Libwrap has been removed and resubmitted.
Comment 43 David Walser 2013-04-22 16:39:20 CEST
OK, fixes pushed to updates_testing.  Let's get this released :D

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact
Webmin versions prior to 1.620 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983,
CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage
of urpmi for installing and upgrading packages have been fixed.  Modules that
are not relevant to Mageia systems have been removed.  When installed under
systemd, the webmin service should now be immediately usable.

The Authen::Libwrap perl module used by Webmin is also being provided.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
perl-Authen-Libwrap-0.220.0-1.mga2
webmin-1.620-1.1.mga2

from SRPMS:
perl-Authen-Libwrap-0.220.0-1.mga2.src.rpm
webmin-1.620-1.1.mga2.src.rpm
Comment 44 claire robinson 2013-04-25 17:41:21 CEST
Testing complete mga2 32

Confirmed the added requires. Until bug 2317 is fully tested (tainted/nonfree asap) and urpmi/perl-URPM update (bug 9737) pushed we should still add links.

Perl Modules => Suggested modules, now only shows DBD::mysql which it says is used by 'mysql database server' module but the mysql module seems to work well enough without it.


The following packages will require linking:

perl-Authen-SASL-2.150.0-3.mga1 (Core Release)
perl-Convert-ASN1-0.220.0-2.mga1 (Core Release)
perl-Digest-HMAC-1.30.0-2.mga2 (Core Release)
perl-Digest-SHA1-2.130.0-6.mga2 (Core Release)
perl-IO-Tty-1.100.0-4.mga2 (Core Release)
perl-ldap-0.400.100-4.mga2 (Core Release)
Comment 45 claire robinson 2013-05-02 17:31:29 CEST
Testing mga2 64
Comment 46 claire robinson 2013-05-02 17:57:44 CEST
Testing complete mga2 64

Validating

Advisory and SRPM's in comment 43

The following packages will require linking for bug 2317:

perl-Authen-SASL-2.150.0-3.mga1 (Core Release)
perl-Convert-ASN1-0.220.0-2.mga1 (Core Release)
perl-Digest-HMAC-1.30.0-2.mga2 (Core Release)
perl-Digest-SHA1-2.130.0-6.mga2 (Core Release)
perl-IO-Tty-1.100.0-4.mga2 (Core Release)
perl-ldap-0.400.100-4.mga2 (Core Release)

Could sysadmin please push from core/updates_testing to core/updates and make the links please.

Thanks!
Comment 47 Thomas Backlund 2013-05-02 19:08:53 CEST
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0125
