| Summary: | sys-process/procps-3.3.15: multiple vulnerabilities (qualys audit) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | base-system, david, nobrowser |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2018/05/17/1 | | |
| Whiteboard: | A1 [glsa+ cve] | | |
| Package list: | sys-process/procps-3.3.15-r1 | | |
| Runtime testing required: | --- | | |
Description (Agostino Sarubbo)

---

Comment #1 (Larry the Git Cow)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c28eb1ec656863308d99790290560cdf2d15fd02

```
commit c28eb1ec656863308d99790290560cdf2d15fd02
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-05-20 18:48:50 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-05-20 18:49:10 +0000

    sys-process/procps: Security bump to version 3.3.15

    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.38, Repoman-2.3.9

 sys-process/procps/Manifest             |  1 +
 sys-process/procps/procps-3.3.15.ebuild | 81 +++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
```

---

Comment #2

(In reply to Larry the Git Cow from comment #1)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c28eb1ec656863308d99790290560cdf2d15fd02
>
> commit c28eb1ec656863308d99790290560cdf2d15fd02
> Author: Lars Wendler <polynomial-c@gentoo.org>
> AuthorDate: 2018-05-20 18:48:50 +0000
> Commit: Lars Wendler <polynomial-c@gentoo.org>
> CommitDate: 2018-05-20 18:49:10 +0000
>
> sys-process/procps: Security bump to version 3.3.15
>
> Bug: https://bugs.gentoo.org/656022
> Package-Manager: Portage-2.3.38, Repoman-2.3.9
>
> sys-process/procps/Manifest | 1 +
> sys-process/procps/procps-3.3.15.ebuild | 81 +++++++++++++++++++++++++++++++++
> 2 files changed, 82 insertions(+)

The ebuild cannot apply patches properly, please revisit:

```
>>> Preparing source in /var/tmp/tmpfs/portage/sys-process/procps-3.3.15/work/procps-ng-3.3.15 ...
 * Applying procps-3.3.8-kill-neg-pid.patch ...
 2 out of 2 hunks FAILED -- saving rejects to file skill.c.rej
 [ !! ]
```

---

Comment #3

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fbfaa56c2cefa7f97153efe097a003a9132ab05

```
commit 6fbfaa56c2cefa7f97153efe097a003a9132ab05
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-23 16:30:36 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-23 18:37:29 +0000

    sys-process/procps: stable 3.3.15-r1 for sparc

    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 sys-process/procps/procps-3.3.15-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
```

---

Comment #4

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90ff196c2b7b43b0ca9f1f43713cd90aff01573a

```
commit 90ff196c2b7b43b0ca9f1f43713cd90aff01573a
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-23 19:03:42 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-23 19:03:48 +0000

    sys-process/procps: stable 3.3.15-r1 for ia64, bug #656022

    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 sys-process/procps/procps-3.3.15-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
```

---

Comment #5

ppc64 stable

---

Comment #6

ppc stable

---

Comment #7

x86 stable

---

Comment #8

arm64 stable

---

Comment #9

arm stable

---

Comment #10

alpha stable/old killed

---

Comment #11

GLSA Request filed

---

Comment #12

This issue was resolved and addressed in GLSA 201805-14 at https://security.gentoo.org/glsa/201805-14 by GLSA coordinator Aaron Bauman (b-man).

---

Comment #13 (Oleg)

This GLSA is wrongly handled in that it has *incorrect* CVE numbers, which is confusing for users. Please read the upstream 3.3.15 release notes. The Qualys analysis also clearly states which CVEs have the patches.

https://gitlab.com/procps-ng/procps/tags/v3.3.15

The CVEs fixed by version 3.3.15-r1 are:

CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126

From the Qualys audit:

> The kernel patch for CVE-2018-1120 is:
> https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
>
> There is currently no patch for CVE-2018-1121, because no satisfactory
> solution (secure and efficient) has been found. Please feel free to
> suggest ideas here!

---

Comment #14

Hi Oleg,

(In reply to Oleg from comment #13)
> This GLSA is wrongly handled in that it has *incorrect* CVE numbers, which
> is confusing for users. Please read the upstream 3.3.15 release notes. The
> Qualys analysis also clearly states which CVEs have the patches.
> https://gitlab.com/procps-ng/procps/tags/v3.3.15
>
> The CVEs fixed by version 3.3.15-r1 are:
>
> CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126
>
> From the Qualys audit:
>
> > The kernel patch for CVE-2018-1120 is:
> > https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
> >
> > There is currently no patch for CVE-2018-1121, because no satisfactory
> > solution (secure and efficient) has been found. Please feel free to
> > suggest ideas here!

Thanks for spotting this issue, we are fixing the CVEs listed in said GLSA and will create a separate report to handle CVE-2018-1121.

Thank you,