List: oss-security
Subject: Re: [oss-security] Qualys Security Advisory - Procps-ng Audit Report
From: Qualys Security Advisory <qsa () qualys ! com>
Date: 2018-05-23 13:32:23
Message-ID: 20180523133223.GB27451 () localhost ! localdomain
Hi all,
As a follow-up to our procps-ng advisory, below are the answers to some
frequently asked questions that you may find useful.
> - which is the first version with the fixes, does it include all of the
> fixes (and if not, what is it missing and are those missing fixes
> important to have?), and where to download it?
Procps-ng 3.3.15 has been released and includes most of our patches; it
is available at:
https://sourceforge.net/projects/procps-ng/
The patches that are missing from procps-ng 3.3.15 are:
- 7 low-priority patches (0120-0126), which have not yet been validated
by upstream;
- most of our patches for top, which unfortunately have been reverted by
top's author; for example:
https://gitlab.com/procps-ng/procps/commit/c5026787156d23512487ad9bbf540be7e3ee8de1
https://gitlab.com/procps-ng/procps/commit/c9dfcdebdc6b482ca2030c6ea3aa376c218232e9
> Can you let us know which patches the CVEs align with as it will
> make chasing all of this down a lot easier, thanks!
The patch for CVE-2018-1122 is:
0097-top-Do-not-default-to-the-cwd-in-configs_read.patch
The patch for CVE-2018-1123 is:
0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch
The patch for CVE-2018-1124 is:
0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch
The patch for CVE-2018-1125 is:
0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch
The patch for CVE-2018-1126 is:
0035-proc-alloc.-Use-size_t-not-unsigned-int.patch
The kernel patch for CVE-2018-1120 is:
https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
There is currently no patch for CVE-2018-1121, because no satisfactory
solution (secure and efficient) has been found. Please feel free to
suggest ideas here!
> - which versions are vulnerable?
We did not try to track down the first vulnerable version, but we had a
quick look at procps 3.0.0 (from October 2002) and it was already
vulnerable to the 5 CVEs.
> - which version was audited?
We audited procps-ng 3.3.12 (the version used by many stable
distributions), but we probably ended up reading most of the master
branch too while writing the patches.
> what testing have you done?
Because procps-ng is a critical package, and because 126 patches
introduce significant changes, here is what we did to minimize the
risks:
- two of us performed the audit, and we both wrote the most important
patches independently; the final patches are the result of this
duplicated work, which clearly avoided a few bugs;
- we ran procps-ng's test-suite ("make check") after each change;
- we manually ran some tests after each major change, to make sure that
the code-path leading to the change is not broken, and to make sure
that the change actually fixes the issue;
- we started sending our patches to upstream on March 30 (for reviewing
and testing), long before we contacted linux-distros@;
- we contacted linux-distros@ on May 4, and were asked for an embargo
extension (for more time to review and test the patches), so we set
the Coordinated Release Date to May 17, 17:00 UTC (13 days -- almost
the maximum embargo, but we wanted to avoid releasing on a Friday).
We are at your disposal for questions, comments, and further
discussions. We thank Solar Designer and Kurt Seifried for their help!
With best regards,
--
the Qualys Security Advisory team