Bug 8800 - sleuthkit new security issue CVE-2012-5619
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/533735/
Whiteboard: MGA2-64-OK, MGA2-32-OK
Keywords: validated_update

Reported: 2013-01-23 21:51 CET by David Walser
Modified: 2013-02-06 23:10 CET (History)
Source RPM: sleuthkit-3.2.3-2.mga2.src.rpm

Description David Walser 2013-01-23 21:51:10 CET
Fedora has issued an advisory on January 7:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097293.html

Cauldron is not affected as this was fixed upstream in 4.0.1.

Comment 1 Malo Deniélou 2013-01-23 22:22:22 CET
I will provide an update to 4.0.1 for Mageia 2 then.

Comment 2 Malo Deniélou 2013-01-26 00:28:15 CET
I have uploaded an updated package for Mageia 2, just like Fedora did.

To test this, please have a look at the first link. 

Suggested advisory:
========================

Updated sleuthkit packages fix security vulnerabilities:

A security flaw was found in the way the Sleuth Kit (TSK), a collection of UNIX-based command line tools allowing to investigate a computer, performed management of the '.' (dotfile) file system entry. An attacker could use this flaw to evade detection by forensic analysis (hide certain files not to be scanned) by renaming the file in question to be the '.' file system entry.

The original report speaks about this attack vector being present when scanning a FAT (File Allocation Table) file system. It is possible, though, for the flaw to be present on other file systems, which do not reserve usage of the '.' entry for special purpose, too.

References:
http://www.openwall.com/lists/oss-security/2012/12/01/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5619
https://bugzilla.redhat.com/show_bug.cgi?id=883330
========================

Updated packages in core/updates_testing:
========================
sleuthkit-4.0.1-1.mga2
lib(64)tsk3_9-4.0.1-1.mga2
lib64tsk3-devel-4.0.1-1.mga2

Source RPM: 
sleuthkit-4.0.1-1.mga2

Comment 4 Marc Lattemann 2013-02-05 21:10:36 CET
tested on x86_64 using the PoC from Claire:

before update:
[root@MGA2_64 marc]# fls -V
The Sleuth Kit ver 3.2.3
[root@MGA2_64 marc]# fls -a empty.img
v/v 1612675:	$MBR
v/v 1612676:	$FAT1
v/v 1612677:	$FAT2
d/d 1612678:	$OrphanFiles
[root@MGA2_64 marc]# fls -a file.img 
r/r 3:	FILE.TXT
v/v 1612675:	$MBR
v/v 1612676:	$FAT1
v/v 1612677:	$FAT2
d/d 1612678:	$OrphanFiles
[root@MGA2_64 marc]# fls -a dot.img 
r/d 2:	.
v/v 1612675:	$MBR
v/v 1612676:	$FAT1
v/v 1612677:	$FAT2
d/d 1612678:	$OrphanFiles


after update:
[root@MGA2_64 marc]# fls -V
The Sleuth Kit ver 4.0.1
[root@MGA2_64 marc]# fls -a empty.img
v/v 1612675:	$MBR
v/v 1612676:	$FAT1
v/v 1612677:	$FAT2
d/d 1612678:	$OrphanFiles
[root@MGA2_64 marc]# fls -a file.img
r/r 3:	FILE.TXT
v/v 1612675:	$MBR
v/v 1612676:	$FAT1
v/v 1612677:	$FAT2
d/d 1612678:	$OrphanFiles
[root@MGA2_64 marc]# fls -a dot.img
r/d 2:	.
v/v 1612675:	$MBR
v/v 1612676:	$FAT1
v/v 1612677:	$FAT2
d/d 1612678:	$OrphanFiles

I do not see any differences and cannot interpret the result ;) Is that good, or not?
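
Added example (not part of the original bug thread and not Sleuth Kit code): a small Python filter that parses default `fls` output like the listings in Comment 4 and picks out any `.` or `..` entry whose name-layer type (the character before the slash) is not `d`, which is the shape of the `r/d 2: .` line. The function names are hypothetical, and the regex assumes plain `fls` output without `-l` or `-m`.

```python
import re

# One line of default `fls` output: optional '+' depth markers (-r), name-layer
# type / metadata-layer type, optional '*' (deleted), metadata address, name.
FLS_LINE = re.compile(
    r"^(?P<depth>\+*)\s*(?P<ntype>\S)/(?P<mtype>\S)\s+(?P<deleted>\*\s+)?"
    r"(?P<addr>[\d-]+)(?:\(realloc\))?:\s+(?P<name>.*)$"
)

# Listings copied from Comment 4 (tabs written as \t). The prompt lines are
# kept to show that non-entry lines are skipped.
_SPECIAL = "v/v 1612675:\t$MBR\nv/v 1612676:\t$FAT1\nv/v 1612677:\t$FAT2\nd/d 1612678:\t$OrphanFiles\n"
FILE_IMG = "[root@MGA2_64 marc]# fls -a file.img\nr/r 3:\tFILE.TXT\n" + _SPECIAL
DOT_IMG = "[root@MGA2_64 marc]# fls -a dot.img\nr/d 2:\t.\n" + _SPECIAL


def parse_fls(text):
    """Return one dict per recognised fls entry; prompts and banners are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["deleted"] = entry["deleted"] is not None
            entries.append(entry)
    return entries


def non_directory_dot_entries(entries):
    """Return '.' and '..' entries whose name-layer type is not a directory."""
    hits = []
    for entry in entries:
        # With `fls -p` the name is a full path, so compare the last component.
        base = entry["name"].rsplit("/", 1)[-1]
        if base in (".", "..") and entry["ntype"] != "d":
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for label, listing in (("file.img", FILE_IMG), ("dot.img", DOT_IMG)):
        for e in non_directory_dot_entries(parse_fls(listing)):
            print(f"{label}: {e['name']!r} at address {e['addr']} "
                  f"has types {e['ntype']}/{e['mtype']}")
```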

Comment 5 Marc Lattemann 2013-02-05 21:27:46 CET
Same results for i586. If this is fine, then the package can be validated...

Comment 6 David Walser 2013-02-05 21:34:53 CET
Strange, looks to me like you got the good/desired output from both.

Comment 7 Marc Lattemann 2013-02-05 22:03:56 CET
Since after the major version jump the new version is not vulnerable, I will validate this package:

Please see Comment 2 for advisory and SRPMS.

Can sysadmin push package to update? Thanks.

Comment 8 Thomas Backlund 2013-02-06 23:10:54 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0031
