Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 415415 (CVE-2012-2320) - <net-misc/connman-1.0-r1 : Multiple Vulnerabilities (CVE-2012-{2320,2321,2322})
Summary: <net-misc/connman-1.0-r1 : Multiple Vulnerabilities (CVE-2012-{2320,2321,2322})
Status: RESOLVED FIXED
Alias: CVE-2012-2320
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/49033/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: 410611
  Show dependency tree
 
Reported: 2012-05-10 17:59 UTC by Agostino Sarubbo
Modified: 2012-05-20 23:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-05-10 17:59:00 UTC
From secunia security advisory at $URL:

Description
Some vulnerabilities have been reported in ConnMan, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

1) An error within the "dhcpv6_get_option()" function (gdhcp/client.c) when parsing certain responses can be exploited to trigger an infinite loop and cause a crash by sending specially crafted DHCP packets.

2) An error when parsing netlink messages can be exploited to cause a crash.

3) An error when handling hostnames does not strip or escape shell meta-characters when processing responses from a DHCP server and can be exploited to submit shell commands.

The vulnerabilities are reported in versions prior to 0.85.


Solution
Update to version 0.85.
Comment 1 Tony Vroon gentoo-dev 2012-05-10 21:37:00 UTC
Use 1.0 and proceed to emergency stable please.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-10 22:03:20 UTC
Arches, please test and mark stable:
=net-misc/connman-1.0
Target keywords : "amd64 x86"
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-05-10 23:00:49 UTC
amd64: compiles and runs

can we hide/fix unknown dependencies ?

   net-misc/connman/connman-1.0.ebuild: DEPEND: !=sys-apps/systemd-37-r1
Comment 4 Tony Vroon gentoo-dev 2012-05-10 23:19:45 UTC
(In reply to comment #3)
> can we hide/fix unknown dependencies ?
>    net-misc/connman/connman-1.0.ebuild: DEPEND: !=sys-apps/systemd-37-r1

+*connman-1.0-r1 (10 May 2012)
+
+  10 May 2012; Tony Vroon <chainsaw@gentoo.org> -connman-1.0.ebuild,
+  +connman-1.0-r1.ebuild:
+  Can not allow an experimental dependency to interfere with security stabling.
+  As per arch testing by Elijah "Armageddon" El Lazkani in bug #415415.

Arches, please note updated target and retest.
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-11 06:22:36 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-05-11 07:16:38 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-05-11 07:18:06 UTC
@security go ahead with glsa


@Chainsaw, removed old and vulnerable version.
Comment 8 Sean Amoss gentoo-dev Security 2012-05-11 12:39:20 UTC
GLSA draft ready.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-05-15 22:19:18 UTC
This issue was resolved and addressed in
 GLSA 201205-02 at http://security.gentoo.org/glsa/glsa-201205-02.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-05-20 23:30:07 UTC
CVE-2012-2322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2322):
  Integer overflow in the dhcpv6_get_option function in gdhcp/client.c in
  ConnMan before 0.85 allows remote attackers to cause a denial of service
  (infinite loop and crash) via an invalid length value in a DHCP packet.

CVE-2012-2321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2321):
  The loopback plug-in in ConnMan before 0.85 allows remote attackers to
  execute arbitrary commands via shell metacharacters in the (1) host name or
  (2) domain name in a DHCP reply.

CVE-2012-2320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2320):
  ConnMan before 0.85 does not ensure that netlink messages originate from the
  kernel, which allows remote attackers to bypass intended access restrictions
  and cause a denial of service via a crafted netlink message.