Bug 908818 (CVE-2023-35789)

Summary:	<net-libs/rabbitmq-c-0.13.0: credentials passed on command line
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	minor	CC:	ajak, maintainer-needed, prathamIN, proxy-maint
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/alanxz/rabbitmq-c/issues/575
See Also:	https://github.com/gentoo/gentoo/pull/33249
Whiteboard:	B4 [glsa? cleanup]
Package list:		Runtime testing required:	---
Bug Depends on:	924320
Bug Blocks:

Description John Helmert III archtester

2023-06-19 02:44:15 UTC

CVE-2023-35789:

An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments.

Patch: https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0

Comment 1 Larry the Git Cow gentoo-dev

2024-01-11 14:06:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2386f8510c14ce4692881c280dbf4491a5bb6528

commit 2386f8510c14ce4692881c280dbf4491a5bb6528
Author:     git-bruh <e817509a-8ee9-4332-b0ad-3a6bdf9ab63f@aleeas.com>
AuthorDate: 2023-10-08 13:37:13 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-01-11 13:51:36 +0000

    net-libs/rabbitmq-c: add 0.13.0
    
    Bug: https://bugs.gentoo.org/908818
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-libs/rabbitmq-c/Manifest                       |   1 +
 ...bitmq-c-0.13.0-read-credentials-from-file.patch | 127 +++++++++++++++++++++
 net-libs/rabbitmq-c/rabbitmq-c-0.13.0.ebuild       |  55 +++++++++
 3 files changed, 183 insertions(+)

Comment 2 John Helmert III archtester

2024-02-12 02:08:37 UTC

Thanks!