Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 743391 - <net-libs/xrootd-4.12.4: potential secret-key leakage in HTTP mode
Summary: <net-libs/xrootd-4.12.4: potential secret-key leakage in HTTP mode
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-18 17:25 UTC by Marek Szuba
Modified: 2021-03-05 00:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marek Szuba gentoo-dev 2020-09-18 17:25:43 UTC
See here: https://github.com/xrootd/xrootd/commit/fff97c2dc6703dc1ba8b28b1bf67eeb278ff3e22

In major version 5 this has already been fixed, in 5.0.2. For version 4, it looks like it will be safe to backport the patch.

Will have to fast-stabilise =net-libs/xrootd-4.12.3-r1 once I have pushed it into the tree (would rather not stabilise 5 just yet), it is not entirely backwards-compatible.
Comment 1 Marek Szuba gentoo-dev 2020-09-18 17:29:47 UTC
Correction to the stabilisation request: 4.12.4 has already been released so I'll patch that one before pushing it into the tree instead of revbumping 4.12.3.
Comment 2 Larry the Git Cow gentoo-dev 2020-09-18 17:43:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c29254e32859af457652108a47db8060cc325ce

commit 0c29254e32859af457652108a47db8060cc325ce
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:40:41 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:49 +0000

    net-libs/xrootd: remove old
    
    Bug: https://bugs.gentoo.org/743391
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/xrootd/Manifest            |   2 -
 net-libs/xrootd/xrootd-5.0.0.ebuild | 116 ------------------------------------
 net-libs/xrootd/xrootd-5.0.1.ebuild | 116 ------------------------------------
 3 files changed, 234 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a0003172e29b7c7d16a8dbffb7065c2cb1d72a2

commit 4a0003172e29b7c7d16a8dbffb7065c2cb1d72a2
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:38:21 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:45 +0000

    net-libs/xrootd: bump to 4.12.4
    
    Also includes the http-key-leakage patch backported from 5.0.2.
    
    Bug: https://bugs.gentoo.org/743391
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/xrootd/Manifest                           |  2 +-
 .../files/xrootd-4.12.4-http_secret_leakage.patch  | 41 ++++++++++++++++++++++
 .../{xrootd-4.12.3.ebuild => xrootd-4.12.4.ebuild} |  8 +++--
 3 files changed, 48 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b4d25e3bdef5c85035f5c2c6b631eee30e4733c

commit 6b4d25e3bdef5c85035f5c2c6b631eee30e4733c
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-09-18 17:18:34 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-09-18 17:43:42 +0000

    net-libs/xrootd: bump to 5.0.2
    
    Among other things, this fixes potential secret-key leakage in HTTP
    mode.
    
    Bug: https://bugs.gentoo.org/743391
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/xrootd/Manifest            |   1 +
 net-libs/xrootd/xrootd-5.0.2.ebuild | 116 ++++++++++++++++++++++++++++++++++++
 2 files changed, 117 insertions(+)
Comment 3 Marek Szuba gentoo-dev 2020-09-18 17:53:51 UTC
Following the bumps and the clean-up, 4.12.0 is now the only potentially vulnerable version in the tree. It will be removed once =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.

[1] In theory net-libs/xrootd-ceph-4.10.0 should work with net-libs/xrootd-4.14.4 as long as they have both been built with the same g++ version, better to update them in sync though.
Comment 4 Sam James archtester gentoo-dev Security 2020-09-18 20:50:03 UTC
(In reply to Marek Szuba from comment #3)
> Following the bumps and the clean-up, 4.12.0 is now the only potentially
> vulnerable version in the tree. It will be removed once
> =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.
> 
> [1] In theory net-libs/xrootd-ceph-4.10.0 should work with
> net-libs/xrootd-4.14.4 as long as they have both been built with the same
> g++ version, better to update them in sync though.

Excellent. Please use this bug for the stabilisation when you’re ready!
Comment 5 Sam James archtester gentoo-dev Security 2020-09-25 20:51:04 UTC
(In reply to Sam James from comment #4)
> (In reply to Marek Szuba from comment #3)
> > Following the bumps and the clean-up, 4.12.0 is now the only potentially
> > vulnerable version in the tree. It will be removed once
> > =net-libs/xrootd{,-ceph}-4.12.4 [1] have been stabilised.
> > 
> > [1] In theory net-libs/xrootd-ceph-4.10.0 should work with
> > net-libs/xrootd-4.14.4 as long as they have both been built with the same
> > g++ version, better to update them in sync though.
> 
> Excellent. Please use this bug for the stabilisation when you’re ready!

Ready?
Comment 6 Agostino Sarubbo gentoo-dev 2020-10-07 07:09:39 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-10-09 11:12:27 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 NATTkA bot gentoo-dev 2020-10-09 11:12:50 UTC Comment hidden (obsolete)
Comment 9 John Helmert III gentoo-dev Security 2020-12-27 07:25:46 UTC
Guess this was done some time ago:

commit 059cc5d6a7a5a6748dff01ce355c47dde1ccde69
Author: Marek Szuba <marecki@gentoo.org>
Date:   Fri Oct 16 12:49:59 2020 +0200

    net-libs/xrootd: remove old

    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 delete mode 100644 net-libs/xrootd/xrootd-4.12.0.ebuild


Still needs vote.
Comment 10 NATTkA bot gentoo-dev 2021-03-04 23:42:45 UTC
Unable to check for sanity:

> no match for package: net-libs/xrootd-4.12.4