|
Message-ID: <20180523133223.GB27451@localhost.localdomain> Date: Wed, 23 May 2018 06:32:23 -0700 From: Qualys Security Advisory <qsa@...lys.com> To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - Procps-ng Audit Report Hi all, As a follow-up to our procps-ng advisory, below are the answers to some frequently asked questions that you may find useful. > - which is the first version with the fixes, does it include all of the > fixes (and if not, what is it missing and are those missing fixes > important to have?), and where to download it? Procps-ng 3.3.15 has been released and includes most of our patches; it is available at: https://sourceforge.net/projects/procps-ng/ The patches that are missing from procps-ng 3.3.15 are: - 7 low-priority patches (0120-0126), which have not yet been validated by upstream; - most of our patches for top, which unfortunately have been reverted by top's author; for example: https://gitlab.com/procps-ng/procps/commit/c5026787156d23512487ad9bbf540be7e3ee8de1 https://gitlab.com/procps-ng/procps/commit/c9dfcdebdc6b482ca2030c6ea3aa376c218232e9 > Can you let us know which patches the CVEs align with as it will > make chasing all of this down a lot easier, thanks! The patch for CVE-2018-1122 is: 0097-top-Do-not-default-to-the-cwd-in-configs_read.patch The patch for CVE-2018-1123 is: 0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch The patch for CVE-2018-1124 is: 0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch The patch for CVE-2018-1125 is: 0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch The patch for CVE-2018-1126 is: 0035-proc-alloc.-Use-size_t-not-unsigned-int.patch The kernel patch for CVE-2018-1120 is: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830 There is currently no patch for CVE-2018-1121, because no satisfactory solution (secure and efficient) has been found. Please feel free to suggest ideas here! > - which versions are vulnerable? We did not try to track down the first vulnerable version, but we had a quick look at procps 3.0.0 (from October 2002) and it was already vulnerable to the 5 CVEs. > - which version was audited? We audited procps-ng 3.3.12 (the version used by many stable distributions), but we probably ended up reading most of the master branch too while writing the patches. > what testing have you done? Because procps-ng is a critical package, and because 126 patches introduce significant changes, here is what we did to minimize the risks: - we were two to perform the audit, and we decided to both write the most important patches, independently; the final patches are the result of this double-work, which clearly avoided a few bugs; - we ran procps-ng's test-suite ("make check") after each change; - we manually ran some tests after each major change, to make sure that the code-path leading to the change is not broken, and to make sure that the change actually fixes the issue; - we started sending our patches to upstream on March 30 (for reviewing and testing), long before we contacted linux-distros@; - we contacted linux-distros@ on May 4, and were asked for an embargo extension (for more time to review and test the patches), so we set the Coordinated Release Date to May 17, 17:00 UTC (13 days -- almost the maximum embargo, but we wanted to avoid releasing on a Friday). We are at your disposal for questions, comments, and further discussions. We thank Solar Designer and Kurt Seifried for their help! With best regards, -- the Qualys Security Advisory team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.