Bug 918091 (CVE-2023-43616, CVE-2023-43617, CVE-2023-43618, CVE-2023-43619, CVE-2023-43620, CVE-2023-43621)

Summary:	<net-misc/croc-10.0.12: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	trivial	CC:	ajak, gentoo.qxrin, maintainer-needed, proxy-maint, zappel
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.openwall.com/lists/oss-security/2023/09/08/2
See Also:	https://github.com/gentoo/gentoo/pull/35336 https://github.com/gentoo/gentoo/pull/38989
Whiteboard:	B2 [glsa?]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2023-11-23 17:58:03 UTC

CVE-2023-43616 (https://github.com/schollz/croc/issues/594):

An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.

CVE-2023-43617 (https://github.com/schollz/croc/issues/596):

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.

CVE-2023-43618 (https://github.com/schollz/croc/issues/597):

An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message.

CVE-2023-43619 (https://github.com/schollz/croc/issues/593):

An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.

CVE-2023-43620 (https://github.com/schollz/croc/issues/595):

An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

CVE-2023-43621 (https://github.com/schollz/croc/issues/598):

An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

All unfixed upstream.

Comment 1 Larry the Git Cow gentoo-dev

2024-02-01 10:10:19 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78152d7c1255762e7a7623de16bee644f4aae414

commit 78152d7c1255762e7a7623de16bee644f4aae414
Author:     Armas Spann <zappel@simple-co.de>
AuthorDate: 2024-01-31 14:48:31 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-02-01 10:10:14 +0000

    net-misc/croc: drop 9.6.2, 9.6.4
    
    Bug: https://bugs.gentoo.org/918091
    Closes: https://bugs.gentoo.org/893980
    
    Signed-off-by: Armas Spann <zappel@simple-co.de>
    Closes: https://github.com/gentoo/gentoo/pull/35115
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 net-misc/croc/Manifest          |  4 ----
 net-misc/croc/croc-9.6.2.ebuild | 50 -----------------------------------------
 net-misc/croc/croc-9.6.4.ebuild | 50 -----------------------------------------
 3 files changed, 104 deletions(-)

Comment 2 ZappeL 2024-02-03 01:30:43 UTC

I applogize for my late response on this - But I think we need to "partially" re-open this ticket. As I've updated croc to version 9.6.6 - but none of the bugs mentioned in here are yet closed, see:

https://github.com/schollz/croc/issues/593 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/594 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/595 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/598 - open (requested CVE update/clarification for 9.6.6)

https://github.com/schollz/croc/issues/596 - open: changed from "bug" to enhancement
https://github.com/schollz/croc/issues/597 - open: changed from "bug" to enhancement


From my PoV two of them were lowerd to beeing a "feature" instead a vulnerability, whilst the other 4 are still unfixed.

Please let me know how we should proceed.

Comment 3 John Helmert III archtester

2024-02-12 03:32:48 UTC

> I applogize for my late response on this - But I think we need to "partially" re-open this ticket.

Thanks for noticing! We'll keep this open until they're fixed, or we can split unfixed bugs into another bug once some of them are fixed in-tree.

Comment 4 ZappeL 2024-02-13 18:29:48 UTC

Thanks for your reply. I just saw the updates from 9.6.7 - 9.6.9 flew by since last week. 

I'll take care to update the ebuild as soon as possible and will inform you if they fixed it.

Comment 5 Hans de Graaff gentoo-dev

2024-02-14 13:40:52 UTC

I have updated the summary version to reflect that we don't have a version in the repository where all vulnerabilities are fixed yet.

Comment 6 Larry the Git Cow gentoo-dev

2024-10-14 18:20:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ade17527c6ef959b7cde6698aeebb00a6b6a74c3

commit ade17527c6ef959b7cde6698aeebb00a6b6a74c3
Author:     Armas Spann <zappel@simple-co.de>
AuthorDate: 2024-10-14 16:57:10 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-10-14 18:20:27 +0000

    net-misc/croc: drop 9.6.15
    
    Removal off obsolete croc-9.6.15, which was the last version containing some
    known CVEs which are fixed in croc >=9.6.16.
    See https://github.com/schollz/croc/releases/tag/v9.6.16 as a reference.
    
    Bug: https://bugs.gentoo.org/918091
    Signed-off-by: Armas Spann <zappel@simple-co.de>
    Closes: https://github.com/gentoo/gentoo/pull/38989
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 net-misc/croc/Manifest           |  2 --
 net-misc/croc/croc-9.6.15.ebuild | 47 ----------------------------------------
 2 files changed, 49 deletions(-)

Comment 7 ZappeL 2024-11-13 21:23:19 UTC

(In reply to Hans de Graaff from comment #5)
> I have updated the summary version to reflect that we don't have a version
> in the repository where all vulnerabilities are fixed yet.

All affected versions had been removed.