
Bug 705962 (CVE-2020-5202)

Summary: <net-misc/apt-cacher-ng-3.3.1_p1: Possible credentials leak when "AdminAuth" is enabled in /etc/apt-cacher-ng/security.conf (CVE-2020-5202)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, deb-tools+disabled, maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://security-tracker.debian.org/tracker/CVE-2020-5202
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-01-20 15:31:54 UTC
CVE-2020-5202 is reserved but details are available on the oss-security ml.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-20 15:33:31 UTC
According to the [URL] <net-misc/apt-cacher-ng-3.3.1_p2 are vulnerable.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-20 15:38:48 UTC
The changes in Debian patch level 2 concern mostly the runtime configuration files which the ebuilds do not install. Upstream is working toward[0] more general changes to mitigate the issue. I guess we'll have to wait for an official release.


[0] https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-20 15:49:11 UTC
um, like that
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 01:25:12 UTC
CVE-2020-5202 (https://nvd.nist.gov/vuln/detail/CVE-2020-5202):
  apt-cacher-ng through 3.3 allows local users to obtain sensitive information
  by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool
  program attempts to connect to apt-cacher-ng via TCP on localhost port 3142,
  even if the explicit SocketPath=/var/run/apt-cacher-ng/socket command-line
  option is passed. The cron job /etc/cron.daily/apt-cacher-ng (which is
  active by default) attempts this periodically. Because 3142 is an
  unprivileged port, any local user can try to bind to this port and will
  receive requests from acngtool. There can be sensitive data in these
  requests, e.g., if AdminAuth is enabled in /etc/apt-cacher-ng/security.conf.
  This sensitive data can leak to unprivileged local users that manage to bind
  to this port before the apt-cacher-ng daemon can.
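
A host-side check for the condition the CVE text above describes, added here as an example; it is not part of the bug report or of apt-cacher-ng. It parses the Linux `/proc/net/tcp` socket table and reports any listener on port 3142 that is not owned by the daemon's account. The account name `apt-cacher-ng` and the sample table are assumptions constructed for illustration.

```python
import pwd

ACNG_PORT = 3142   # TCP port named in the CVE description
LISTEN = "0A"      # TCP_LISTEN state code in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0C46 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41234 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1
   2: 0100007F:0C46 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000  1000        0 41300 1
"""

def listeners(proc_text, port=ACNG_PORT):
    """Return [(local_addr_hex, owner_uid)] for sockets listening on `port`."""
    found = []
    for line in proc_text.splitlines()[1:]:      # first row is the column header
        f = line.split()
        if len(f) < 10:
            continue
        addr, _, port_hex = f[1].rpartition(":")
        if f[3] == LISTEN and int(port_hex, 16) == port:
            found.append((addr, int(f[7])))      # field 7 is the socket owner's uid
    return found

def unexpected_owners(proc_text, expected_uid, port=ACNG_PORT):
    """Listeners on `port` whose owner is not the daemon's account."""
    return [(a, u) for a, u in listeners(proc_text, port) if u != expected_uid]

if __name__ == "__main__":
    daemon_uid = pwd.getpwnam("apt-cacher-ng").pw_uid   # assumed account name
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(table) as fh:
            for addr, uid in unexpected_owners(fh.read(), daemon_uid):
                print(f"{table}: port {ACNG_PORT} on {addr} held by uid {uid}")
```

An empty result from `listeners()` is also worth noting on an affected version, since it means the port is currently unbound while the daily cron job still connects to it.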
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:49:15 UTC
URL references commit 3b91874b, looks like we may be good here now?:

apt-cacher-ng $ git tag --contains=3b91874b
debian/3.3.1-1
debian/3.3.1-2
debian/3.3.1-2_bpo10+1
debian/3.3.1-2_bpo9+1
debian/3.4-1
debian/3.5-1
upstream/3.4
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-30 04:42:42 UTC
(In reply to John Helmert III (ajak) from comment #5)
> URL references commit 3b91874b, looks like we may be good here now?:
> 
> apt-cacher-ng $ git tag --contains=3b91874b
> debian/3.3.1-1
> debian/3.3.1-2
> debian/3.3.1-2_bpo10+1
> debian/3.3.1-2_bpo9+1
> debian/3.4-1
> debian/3.5-1
> upstream/3.4

debian/3.3.1-1 was first in tree before this bug was filed and cleanup is long done. All done here.