Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180523133223.GB27451@localhost.localdomain>
Date: Wed, 23 May 2018 06:32:23 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - Procps-ng Audit Report

Hi all,

As a follow-up to our procps-ng advisory, below are the answers to some
frequently asked questions that you may find useful.

> - which is the first version with the fixes, does it include all of the
> fixes (and if not, what is it missing and are those missing fixes
> important to have?), and where to download it?

Procps-ng 3.3.15 has been released and includes most of our patches; it
is available at:

https://sourceforge.net/projects/procps-ng/

The patches that are missing from procps-ng 3.3.15 are:

- 7 low-priority patches (0120-0126), which have not yet been validated
  by upstream;

- most of our patches for top, which unfortunately have been reverted by
  top's author; for example:

https://gitlab.com/procps-ng/procps/commit/c5026787156d23512487ad9bbf540be7e3ee8de1
https://gitlab.com/procps-ng/procps/commit/c9dfcdebdc6b482ca2030c6ea3aa376c218232e9

> Can you let us know which patches the CVEs align with as it will
> make chasing all of this down a lot easier, thanks!

The patch for CVE-2018-1122 is:
0097-top-Do-not-default-to-the-cwd-in-configs_read.patch

The patch for CVE-2018-1123 is:
0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch

The patch for CVE-2018-1124 is:
0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch

The patch for CVE-2018-1125 is:
0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch

The patch for CVE-2018-1126 is:
0035-proc-alloc.-Use-size_t-not-unsigned-int.patch

The kernel patch for CVE-2018-1120 is:
https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830

There is currently no patch for CVE-2018-1121, because no satisfactory
solution (secure and efficient) has been found. Please feel free to
suggest ideas here!

> - which versions are vulnerable?

We did not try to track down the first vulnerable version, but we had a
quick look at procps 3.0.0 (from October 2002) and it was already
vulnerable to the 5 CVEs.

> - which version was audited?

We audited procps-ng 3.3.12 (the version used by many stable
distributions), but we probably ended up reading most of the master
branch too while writing the patches.

> what testing have you done?

Because procps-ng is a critical package, and because 126 patches
introduce significant changes, here is what we did to minimize the
risks:

- we were two to perform the audit, and we decided to both write the
  most important patches, independently; the final patches are the
  result of this double-work, which clearly avoided a few bugs;

- we ran procps-ng's test-suite ("make check") after each change;

- we manually ran some tests after each major change, to make sure that
  the code-path leading to the change is not broken, and to make sure
  that the change actually fixes the issue;

- we started sending our patches to upstream on March 30 (for reviewing
  and testing), long before we contacted linux-distros@;

- we contacted linux-distros@ on May 4, and were asked for an embargo
  extension (for more time to review and test the patches), so we set
  the Coordinated Release Date to May 17, 17:00 UTC (13 days -- almost
  the maximum embargo, but we wanted to avoid releasing on a Friday).

We are at your disposal for questions, comments, and further
discussions. We thank Solar Designer and Kurt Seifried for their help!
With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.