Bug 623150 (CVE-2017-7480)

Summary:	<app-forensics/rkhunter-1.4.6: File download via http might lead to RCE
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	chewi, forensics+obsolete, kensington, moixa, neil, powerman-asdf
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=1466359
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=837167
Whiteboard:	B2 [glsa+ cve]
Package list:	=app-forensics/rkhunter-1.4.6	Runtime testing required:	No

Description Agostino Sarubbo gentoo-dev

2017-06-30 09:32:43 UTC

From ${URL} :

It was found that rkhunter download various files such as mirrors.dat by default over http using no signature and just a version verification. An attacker can inject a file with MITM which is then run 
in bash. This could lead to remote code execution.

References:

http://seclists.org/oss-sec/2017/q2/643


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Pacho Ramos gentoo-dev

2018-02-06 19:46:06 UTC

CCing treecleaners as it seems upstream won't fix it ever

Comment 2 James Le Cuirot gentoo-dev

2018-03-17 20:47:07 UTC

Admittedly I don't use this on Gentoo, only CentOS, but isn't the fix really trivial? It downloads from SourceForge and the whole thing is one giant bash script. You could probably fix it with sed.

Comment 3 Larry the Git Cow gentoo-dev

2018-03-17 23:54:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61e995b755727e286d140d8d721340959c434b6c

commit 61e995b755727e286d140d8d721340959c434b6c
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-03-17 23:52:36 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-03-17 23:53:43 +0000

    app-forensics/rkhunter: version bump 1.4.6
    
    Also, add a patch to disable insecure file downloads.
    
    Bug: https://bugs.gentoo.org/623150
    Closes: https://bugs.gentoo.org/645454
    Closes: https://bugs.gentoo.org/648470
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-forensics/rkhunter/Manifest                    |  1 +
 .../rkhunter/files/rkhunter-1.4.6-conf.patch       | 38 +++++++++++++
 .../files/rkhunter-1.4.6-no-insecure-web.patch     | 46 ++++++++++++++++
 app-forensics/rkhunter/rkhunter-1.4.6.ebuild       | 63 ++++++++++++++++++++++
 4 files changed, 148 insertions(+)}

Comment 4 Michael Palimaka (kensington) gentoo-dev

2018-03-17 23:59:55 UTC

I added a downstream patch to simply remove two options that download files. I don't think this will represent any significant loss.

Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-03-18 00:02:54 UTC

(In reply to Michael Palimaka (kensington) from comment #4)
> I added a downstream patch to simply remove two options that download files.
> I don't think this will represent any significant loss.

Thanks Michael, please call for stabilization when ready.

Comment 6 yves.caniou 2018-03-18 08:47:47 UTC

Hi

I just read this:
"- app-forensics/rkhunter-1.4.2::gentoo (masked by: package.mask)
/usr/portage/profiles/package.mask:
# Pacho Ramos <pacho@gentoo.org> (17 Mar 2018)
# Security vulnerable, it seems it won't be fixed ever (#623150). Removal in
# a month.
"

From here,
	https://bugs.gentoo.org/623150
and the reference URL
	http://seclists.org/oss-sec/2017/q2/643
It talks about CVE-2017-7480 assigned by RH.
Leading to
	https://sourceforge.net/p/rkhunter/bugs/157/
where it says the bug is closed from 2017-07-31, Rkhunter-v1.4.4.

So why not having 1.4.4, or even 1.4.6 replace 1.4.2 in portage tree, instead of having it masked?

Comment 7 Michael Palimaka (kensington) gentoo-dev

2018-03-20 11:07:35 UTC

(In reply to yves.caniou from comment #6)
> Hi
> 
> I just read this:
> "- app-forensics/rkhunter-1.4.2::gentoo (masked by: package.mask)
> /usr/portage/profiles/package.mask:
> # Pacho Ramos <pacho@gentoo.org> (17 Mar 2018)
> # Security vulnerable, it seems it won't be fixed ever (#623150). Removal in
> # a month.
> "
> 
> From here,
> 	https://bugs.gentoo.org/623150
> and the reference URL
> 	http://seclists.org/oss-sec/2017/q2/643
> It talks about CVE-2017-7480 assigned by RH.
> Leading to
> 	https://sourceforge.net/p/rkhunter/bugs/157/
> where it says the bug is closed from 2017-07-31, Rkhunter-v1.4.4.
> 
> So why not having 1.4.4, or even 1.4.6 replace 1.4.2 in portage tree,
> instead of having it masked?

From the upstream changelog:
> - Tighten up the input verification check on the mirror file to
>   ensure that only URL's are used as a mirror. (CVE-2017-7480)

This is nice, but rkhunter still downloads insecurely.

In any case, please sync - I've already pushed a new version with this feature disabled and dropped the mask (see previous comments).

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2018-03-25 14:55:43 UTC

@arches, please stabilize.

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-25 20:59:46 UTC

ppc stable

Comment 10 Larry the Git Cow gentoo-dev

2018-03-29 02:01:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ddda12a6ee55acaba7275ca3f8be7f8d08154a4

commit 6ddda12a6ee55acaba7275ca3f8be7f8d08154a4
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-29 01:15:44 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-29 01:15:44 +0000

    app-forensics/rkhunter: amd64 stable
    
    Bug: https://bugs.gentoo.org/623150
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 app-forensics/rkhunter/rkhunter-1.4.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2018-03-29 14:54:21 UTC

x86 stable

Comment 12 Tobias Klausmann (RETIRED) gentoo-dev

2018-03-31 10:12:20 UTC

Stable on alpha.

Comment 13 Michael Palimaka (kensington) gentoo-dev

2018-05-26 10:22:55 UTC

Cleanup done.

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2018-05-26 14:18:51 UTC

GLSA request filed.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2018-05-26 15:51:54 UTC

This issue was resolved and addressed in
 GLSA 201805-11 at https://security.gentoo.org/glsa/201805-11
by GLSA coordinator Christopher Diaz Riveros (chrisadr).

Comment 16 James Le Cuirot gentoo-dev

2018-05-26 16:17:02 UTC

I should have said so sooner but I don't think this was fixed in the right way. It deals with the issue but you could have simply changed the download URL to use https. Not grabbing the updates is bad for security too.

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2018-05-26 17:41:57 UTC

This issue was resolved and addressed in
 GLSA 201805-11 at https://security.gentoo.org/glsa/201805-11
by GLSA coordinator Christopher Diaz Riveros (chrisadr).

Comment 18 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-05-26 17:46:13 UTC

Excuse the double message, it was for testing purposes...

(In reply to James Le Cuirot from comment #16)
> I should have said so sooner but I don't think this was fixed in the right
> way. It deals with the issue but you could have simply changed the download
> URL to use https. Not grabbing the updates is bad for security too.

While this is true, as the workaround from the GLSA states, users should not trust HTTP based sources, but they may want to migrate to more secure sources and because of that fix the real problem which is beyond the tool. 

thanks,

Comment 19 Michael Palimaka (kensington) gentoo-dev

2018-06-21 11:41:37 UTC

(In reply to James Le Cuirot from comment #16)
> I should have said so sooner but I don't think this was fixed in the right
> way. It deals with the issue but you could have simply changed the download
> URL to use https. Not grabbing the updates is bad for security too.

At the time I checked, https was not available and upstream wasn't actually making any changes in that updates file.