Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 623150 (CVE-2017-7480) - <app-forensics/rkhunter-1.4.6: File download via http might lead to RCE
Summary: <app-forensics/rkhunter-1.4.6: File download via http might lead to RCE
Status: RESOLVED FIXED
Alias: CVE-2017-7480
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-30 09:32 UTC by Agostino Sarubbo
Modified: 2018-06-21 11:41 UTC (History)
7 users (show)

See Also:
Package list:
=app-forensics/rkhunter-1.4.6
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-30 09:32:43 UTC
From ${URL} :

It was found that rkhunter download various files such as mirrors.dat by default over http using no signature and just a version verification. An attacker can inject a file with MITM which is then run 
in bash. This could lead to remote code execution.

References:

http://seclists.org/oss-sec/2017/q2/643


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Pacho Ramos gentoo-dev 2018-02-06 19:46:06 UTC
CCing treecleaners as it seems upstream won't fix it ever
Comment 2 James Le Cuirot gentoo-dev 2018-03-17 20:47:07 UTC
Admittedly I don't use this on Gentoo, only CentOS, but isn't the fix really trivial? It downloads from SourceForge and the whole thing is one giant bash script. You could probably fix it with sed.
Comment 3 Larry the Git Cow gentoo-dev 2018-03-17 23:54:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61e995b755727e286d140d8d721340959c434b6c

commit 61e995b755727e286d140d8d721340959c434b6c
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-03-17 23:52:36 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-03-17 23:53:43 +0000

    app-forensics/rkhunter: version bump 1.4.6
    
    Also, add a patch to disable insecure file downloads.
    
    Bug: https://bugs.gentoo.org/623150
    Closes: https://bugs.gentoo.org/645454
    Closes: https://bugs.gentoo.org/648470
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-forensics/rkhunter/Manifest                    |  1 +
 .../rkhunter/files/rkhunter-1.4.6-conf.patch       | 38 +++++++++++++
 .../files/rkhunter-1.4.6-no-insecure-web.patch     | 46 ++++++++++++++++
 app-forensics/rkhunter/rkhunter-1.4.6.ebuild       | 63 ++++++++++++++++++++++
 4 files changed, 148 insertions(+)}
Comment 4 Michael Palimaka (kensington) gentoo-dev 2018-03-17 23:59:55 UTC
I added a downstream patch to simply remove two options that download files. I don't think this will represent any significant loss.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-18 00:02:54 UTC
(In reply to Michael Palimaka (kensington) from comment #4)
> I added a downstream patch to simply remove two options that download files.
> I don't think this will represent any significant loss.

Thanks Michael, please call for stabilization when ready.
Comment 6 yves.caniou 2018-03-18 08:47:47 UTC
Hi

I just read this:
"- app-forensics/rkhunter-1.4.2::gentoo (masked by: package.mask)
/usr/portage/profiles/package.mask:
# Pacho Ramos <pacho@gentoo.org> (17 Mar 2018)
# Security vulnerable, it seems it won't be fixed ever (#623150). Removal in
# a month.
"

From here,
	https://bugs.gentoo.org/623150
and the reference URL
	http://seclists.org/oss-sec/2017/q2/643
It talks about CVE-2017-7480 assigned by RH.
Leading to
	https://sourceforge.net/p/rkhunter/bugs/157/
where it says the bug is closed from 2017-07-31, Rkhunter-v1.4.4.

So why not having 1.4.4, or even 1.4.6 replace 1.4.2 in portage tree, instead of having it masked?
Comment 7 Michael Palimaka (kensington) gentoo-dev 2018-03-20 11:07:35 UTC
(In reply to yves.caniou from comment #6)
> Hi
> 
> I just read this:
> "- app-forensics/rkhunter-1.4.2::gentoo (masked by: package.mask)
> /usr/portage/profiles/package.mask:
> # Pacho Ramos <pacho@gentoo.org> (17 Mar 2018)
> # Security vulnerable, it seems it won't be fixed ever (#623150). Removal in
> # a month.
> "
> 
> From here,
> 	https://bugs.gentoo.org/623150
> and the reference URL
> 	http://seclists.org/oss-sec/2017/q2/643
> It talks about CVE-2017-7480 assigned by RH.
> Leading to
> 	https://sourceforge.net/p/rkhunter/bugs/157/
> where it says the bug is closed from 2017-07-31, Rkhunter-v1.4.4.
> 
> So why not having 1.4.4, or even 1.4.6 replace 1.4.2 in portage tree,
> instead of having it masked?

From the upstream changelog:
> - Tighten up the input verification check on the mirror file to
>   ensure that only URL's are used as a mirror. (CVE-2017-7480)

This is nice, but rkhunter still downloads insecurely.

In any case, please sync - I've already pushed a new version with this feature disabled and dropped the mask (see previous comments).
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 14:55:43 UTC
@arches, please stabilize.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-25 20:59:46 UTC
ppc stable
Comment 10 Larry the Git Cow gentoo-dev 2018-03-29 02:01:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ddda12a6ee55acaba7275ca3f8be7f8d08154a4

commit 6ddda12a6ee55acaba7275ca3f8be7f8d08154a4
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-29 01:15:44 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-29 01:15:44 +0000

    app-forensics/rkhunter: amd64 stable
    
    Bug: https://bugs.gentoo.org/623150
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 app-forensics/rkhunter/rkhunter-1.4.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-03-29 14:54:21 UTC
x86 stable
Comment 12 Tobias Klausmann gentoo-dev 2018-03-31 10:12:20 UTC
Stable on alpha.
Comment 13 Michael Palimaka (kensington) gentoo-dev 2018-05-26 10:22:55 UTC
Cleanup done.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-05-26 14:18:51 UTC
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2018-05-26 15:51:54 UTC
This issue was resolved and addressed in
 GLSA 201805-11 at https://security.gentoo.org/glsa/201805-11
by GLSA coordinator Christopher Diaz Riveros (chrisadr).
Comment 16 James Le Cuirot gentoo-dev 2018-05-26 16:17:02 UTC
I should have said so sooner but I don't think this was fixed in the right way. It deals with the issue but you could have simply changed the download URL to use https. Not grabbing the updates is bad for security too.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2018-05-26 17:41:57 UTC
This issue was resolved and addressed in
 GLSA 201805-11 at https://security.gentoo.org/glsa/201805-11
by GLSA coordinator Christopher Diaz Riveros (chrisadr).
Comment 18 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-05-26 17:46:13 UTC
Excuse the double message, it was for testing purposes...

(In reply to James Le Cuirot from comment #16)
> I should have said so sooner but I don't think this was fixed in the right
> way. It deals with the issue but you could have simply changed the download
> URL to use https. Not grabbing the updates is bad for security too.

While this is true, as the workaround from the GLSA states, users should not trust HTTP based sources, but they may want to migrate to more secure sources and because of that fix the real problem which is beyond the tool. 

thanks,
Comment 19 Michael Palimaka (kensington) gentoo-dev 2018-06-21 11:41:37 UTC
(In reply to James Le Cuirot from comment #16)
> I should have said so sooner but I don't think this was fixed in the right
> way. It deals with the issue but you could have simply changed the download
> URL to use https. Not grabbing the updates is bad for security too.

At the time I checked, https was not available and upstream wasn't actually making any changes in that updates file.