From ${URL} : It was found that rkhunter download various files such as mirrors.dat by default over http using no signature and just a version verification. An attacker can inject a file with MITM which is then run in bash. This could lead to remote code execution. References: http://seclists.org/oss-sec/2017/q2/643 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CCing treecleaners as it seems upstream won't fix it ever
Admittedly I don't use this on Gentoo, only CentOS, but isn't the fix really trivial? It downloads from SourceForge and the whole thing is one giant bash script. You could probably fix it with sed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61e995b755727e286d140d8d721340959c434b6c commit 61e995b755727e286d140d8d721340959c434b6c Author: Michael Palimaka <kensington@gentoo.org> AuthorDate: 2018-03-17 23:52:36 +0000 Commit: Michael Palimaka <kensington@gentoo.org> CommitDate: 2018-03-17 23:53:43 +0000 app-forensics/rkhunter: version bump 1.4.6 Also, add a patch to disable insecure file downloads. Bug: https://bugs.gentoo.org/623150 Closes: https://bugs.gentoo.org/645454 Closes: https://bugs.gentoo.org/648470 Package-Manager: Portage-2.3.24, Repoman-2.3.6 app-forensics/rkhunter/Manifest | 1 + .../rkhunter/files/rkhunter-1.4.6-conf.patch | 38 +++++++++++++ .../files/rkhunter-1.4.6-no-insecure-web.patch | 46 ++++++++++++++++ app-forensics/rkhunter/rkhunter-1.4.6.ebuild | 63 ++++++++++++++++++++++ 4 files changed, 148 insertions(+)}
I added a downstream patch to simply remove two options that download files. I don't think this will represent any significant loss.
(In reply to Michael Palimaka (kensington) from comment #4) > I added a downstream patch to simply remove two options that download files. > I don't think this will represent any significant loss. Thanks Michael, please call for stabilization when ready.
Hi I just read this: "- app-forensics/rkhunter-1.4.2::gentoo (masked by: package.mask) /usr/portage/profiles/package.mask: # Pacho Ramos <pacho@gentoo.org> (17 Mar 2018) # Security vulnerable, it seems it won't be fixed ever (#623150). Removal in # a month. " From here, https://bugs.gentoo.org/623150 and the reference URL http://seclists.org/oss-sec/2017/q2/643 It talks about CVE-2017-7480 assigned by RH. Leading to https://sourceforge.net/p/rkhunter/bugs/157/ where it says the bug is closed from 2017-07-31, Rkhunter-v1.4.4. So why not having 1.4.4, or even 1.4.6 replace 1.4.2 in portage tree, instead of having it masked?
(In reply to yves.caniou from comment #6) > Hi > > I just read this: > "- app-forensics/rkhunter-1.4.2::gentoo (masked by: package.mask) > /usr/portage/profiles/package.mask: > # Pacho Ramos <pacho@gentoo.org> (17 Mar 2018) > # Security vulnerable, it seems it won't be fixed ever (#623150). Removal in > # a month. > " > > From here, > https://bugs.gentoo.org/623150 > and the reference URL > http://seclists.org/oss-sec/2017/q2/643 > It talks about CVE-2017-7480 assigned by RH. > Leading to > https://sourceforge.net/p/rkhunter/bugs/157/ > where it says the bug is closed from 2017-07-31, Rkhunter-v1.4.4. > > So why not having 1.4.4, or even 1.4.6 replace 1.4.2 in portage tree, > instead of having it masked? From the upstream changelog: > - Tighten up the input verification check on the mirror file to > ensure that only URL's are used as a mirror. (CVE-2017-7480) This is nice, but rkhunter still downloads insecurely. In any case, please sync - I've already pushed a new version with this feature disabled and dropped the mask (see previous comments).
@arches, please stabilize.
ppc stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ddda12a6ee55acaba7275ca3f8be7f8d08154a4 commit 6ddda12a6ee55acaba7275ca3f8be7f8d08154a4 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-03-29 01:15:44 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-03-29 01:15:44 +0000 app-forensics/rkhunter: amd64 stable Bug: https://bugs.gentoo.org/623150 Package-Manager: Portage-2.3.26, Repoman-2.3.7 app-forensics/rkhunter/rkhunter-1.4.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
x86 stable
Stable on alpha.
Cleanup done.
GLSA request filed.
This issue was resolved and addressed in GLSA 201805-11 at https://security.gentoo.org/glsa/201805-11 by GLSA coordinator Christopher Diaz Riveros (chrisadr).
I should have said so sooner but I don't think this was fixed in the right way. It deals with the issue but you could have simply changed the download URL to use https. Not grabbing the updates is bad for security too.
Excuse the double message, it was for testing purposes... (In reply to James Le Cuirot from comment #16) > I should have said so sooner but I don't think this was fixed in the right > way. It deals with the issue but you could have simply changed the download > URL to use https. Not grabbing the updates is bad for security too. While this is true, as the workaround from the GLSA states, users should not trust HTTP based sources, but they may want to migrate to more secure sources and because of that fix the real problem which is beyond the tool. thanks,
(In reply to James Le Cuirot from comment #16) > I should have said so sooner but I don't think this was fixed in the right > way. It deals with the issue but you could have simply changed the download > URL to use https. Not grabbing the updates is bad for security too. At the time I checked, https was not available and upstream wasn't actually making any changes in that updates file.
