Bug 701756 - net-irc/limnoria math eval vulnerability (CVE-2019-19010)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/ProgVal/Limnoria/w...
Whiteboard: ~3 [noglsa]
Reported: 2019-12-02 14:43 UTC by Adam Feldman
Modified: 2020-04-08 23:55 UTC
Description Adam Feldman gentoo-dev 2019-12-02 14:43:07 UTC
These three commands are based on the eval() function of Python, and heavily sanitize their input to try to prevent abuse. Everyone knows this is a bad idea, but it seemed good-enough so no one noticed.

On 2019-11-09, @b1tninja finally found a trick to bypass this sanitization, and I (@progval) have confirmed it can be used to read internal data and to cause a denial of service (bot gets stuck in an eval loop for a long time). It might also be possible to use it to execute arbitrary code, but I did not find a way to do it.

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2019-12-02 17:24:12 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84ddc832856ebc27a4ec4d73de53b02d7c91a4d6

commit 84ddc832856ebc27a4ec4d73de53b02d7c91a4d6
Author:     NP-Hardass <NP-Hardass@gentoo.org>
AuthorDate: 2019-12-02 14:48:10 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-12-02 17:21:48 +0000

    net-irc/limnoria: Drop old
    
    CVE: CVE-2019-19010
    Closes: https://bugs.gentoo.org/701756
    Package-Manager: Portage-2.3.80, Repoman-2.3.16
    Signed-off-by: NP-Hardass <NP-Hardass@gentoo.org>
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 net-irc/limnoria/Manifest                 |  3 --
 net-irc/limnoria/limnoria-20150523.ebuild | 90 -------------------------------
 net-irc/limnoria/limnoria-20150829.ebuild | 90 -------------------------------
 net-irc/limnoria/limnoria-20171025.ebuild | 90 -------------------------------
 4 files changed, 273 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7be52f52d69834fb3d5b59fd75df09bf2b64aee3

commit 7be52f52d69834fb3d5b59fd75df09bf2b64aee3
Author:     NP-Hardass <NP-Hardass@gentoo.org>
AuthorDate: 2019-12-02 14:48:09 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-12-02 17:21:41 +0000

    net-irc/limnoria: Bump to 20191123 & EAPI 7, update PYCOMPAT
    
    CVE: CVE-2019-19010
    Bug: https://bugs.gentoo.org/701756
    Package-Manager: Portage-2.3.80, Repoman-2.3.16
    Signed-off-by: NP-Hardass <NP-Hardass@gentoo.org>
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 net-irc/limnoria/Manifest                 |  1 +
 net-irc/limnoria/limnoria-20191123.ebuild | 88 +++++++++++++++++++++++++++++++
 net-irc/limnoria/limnoria-99999999.ebuild | 12 ++---
 3 files changed, 94 insertions(+), 7 deletions(-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 23:55:24 UTC
Noticed this when filing an unrelated bug for Limnoria: no need for 'Closes' tag in commits, just use 'Bug' to not close security bugs so we can tag it appropriately.

Thanks for doing it so quickly anyhow!