Bug 8937 - abrt/libreport new security issues CVE-2012-5659 and CVE-2012-5660
: abrt/libreport new security issues CVE-2012-5659 and CVE-2012-5660
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/535717/
:
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-02-01 20:09 CET by David Walser
Modified: 2013-02-09 14:12 CET (History)
6 users (show)

See Also:
Source RPM: abrt, libreport
CVE:
Status comment:


Attachments

Description David Walser 2013-02-01 20:09:33 CET
RedHat has issued an advisory on January 31:
https://rhn.redhat.com/errata/RHSA-2013-0215.html

Judging by the commit dates, 5659 (abrt) may be fixed in Cauldron, but 5660 (libreport) wouldn't be.

Mageia 2 is also affected.
Comment 1 David Walser 2013-02-01 23:55:05 CET
CVE-2012-5659 is indeed already fixed in the abrt version we have in Cauldron.

Patched libreport packages uploaded for Mageia 2 and Cauldron.

Patched abrt package uploaded for Mageia 2.

Advisory:
========================

Updated abrt and libreport packages fix security vulnerabilities:

It was found that the
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not
sufficiently sanitize its environment variables. This could lead to Python
modules being loaded and run from non-standard directories (such as /tmp/).
A local attacker could use this flaw to escalate their privileges to that
of the abrt user (CVE-2012-5659).

A race condition was found in the way ABRT handled the directories used to
store information about crashes. A local attacker with the privileges of
the abrt user could use this flaw to perform a symbolic link attack,
possibly allowing them to escalate their privileges to root (CVE-2012-5660).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5660
https://rhn.redhat.com/errata/RHSA-2013-0215.html
========================

Updated packages in core/updates_testing:
========================
libreport-2.0.8-5.1.mga2
libreport-abrt_dbus0-2.0.8-5.1.mga2
libreport-abrt_web0-2.0.8-5.1.mga2
libreport0-2.0.8-5.1.mga2
libreport-filesystem-2.0.8-5.1.mga2
libreport-devel-2.0.8-5.1.mga2
libreport-python-2.0.8-5.1.mga2
libreport-cli-2.0.8-5.1.mga2
libreport-newt-2.0.8-5.1.mga2
libreport-gtk-2.0.8-5.1.mga2
libreport-gtk0-2.0.8-5.1.mga2
libreport-gtk-devel-2.0.8-5.1.mga2
libreport-plugin-kerneloops-2.0.8-5.1.mga2
libreport-plugin-logger-2.0.8-5.1.mga2
libreport-plugin-mailx-2.0.8-5.1.mga2
libreport-plugin-bugzilla-2.0.8-5.1.mga2
libreport-plugin-bodhi-2.0.8-5.1.mga2
libreport-compat-2.0.8-5.1.mga2
libreport-plugin-reportuploader-2.0.8-5.1.mga2
abrt-2.0.7-3.2.mga2
libabrt0-2.0.7-3.2.mga2
libabrt-devel-2.0.7-3.2.mga2
abrt-gui-2.0.7-3.2.mga2
abrt-addon-ccpp-2.0.7-3.2.mga2
abrt-addon-kerneloops-2.0.7-3.2.mga2
abrt-addon-vmcore-2.0.7-3.2.mga2
abrt-addon-python-2.0.7-3.2.mga2
abrt-cli-2.0.7-3.2.mga2
abrt-desktop-2.0.7-3.2.mga2

from SRPMS:
libreport-2.0.8-5.1.mga2.src.rpm
abrt-2.0.7-3.2.mga2.src.rpm
Comment 2 Dave Hodgins 2013-02-02 03:43:35 CET
As with the previous abrt testing, I'm following the procedure at
https://fedoraproject.org/wiki/QA:Testcase_ABRT
but I am not getting the notification.

In the previous test, libreport was not installed, iirc.  Should
it be required by the abrt package?

Is there some other piece that needs to be installed to get
abrt and libreport working?
Comment 3 David Walser 2013-02-02 04:04:35 CET
rpm tells me that several of the abrt packages require libreport.so.0, so at least libreport0 should be installed.  You shouldn't be able to install the abrt packages without it.  As far as the other packages, a couple of them are explicitly required by some of the abrt subpackages, but we don't have quite as many explicit requires as Fedora's spec.  For "libreport" itself, Fedora's abrt-dbus subpackage (we don't have a subpackage by that name) requires it.  So, you can try installing it and the other libreport subpackages and see if it makes any difference.

Hopefully we can get some feedback from other developers.  I don't know much about abrt.
Comment 4 claire robinson 2013-02-02 19:48:09 CET
More testing info here https://fedorahosted.org/abrt/wiki/AbrtBasicFunctionality
Comment 5 claire robinson 2013-02-02 20:14:53 CET
Found that abrt-desktop is a meta package which should bring in all necessary bits, so installed that and several libreport bits

Problem with existing package, it appears not to be working anyway.

# service abrtd restart
Restarting abrtd (via systemctl):                        [  OK  ]

$ ps aux | grep abrt
root     19484  0.0  0.0  21500  1088 ?        Ss   19:06   0:00 /usr/sbin/abrtd

$ abrt-applet
ABRT service is not running
Comment 6 claire robinson 2013-02-02 20:17:52 CET
# rpm -qa | grep -e abrt -e report
lib64abrt0-2.0.7-3.1.mga2
libreport-gtk-2.0.8-5.mga2
libreport-filesystem-2.0.8-5.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
libreport-2.0.8-5.mga2
lib64report0-2.0.8-5.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
lib64report-gtk0-2.0.8-5.mga2
lib64report-abrt_dbus0-2.0.8-5.mga2
abrt-desktop-2.0.7-3.1.mga2
libreport-python-2.0.8-5.mga2
abrt-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
Comment 7 claire robinson 2013-02-09 10:57:48 CET
Should this be pushed in it's current form or shall we assign it back to you David until it can be fixed?
Comment 8 David Walser 2013-02-09 11:15:10 CET
Let's push this.  Thanks.
Comment 9 claire robinson 2013-02-09 11:41:06 CET
I'll create a new bug for it.

Validating

Advisory & srpm in comment 1


Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 10 claire robinson 2013-02-09 11:47:08 CET
Bug 9014 created for abrt
Comment 11 Thomas Backlund 2013-02-09 14:12:38 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0047

Note You need to log in before you can comment on or make changes to this bug.