Bug 656022 (CVE-2018-1120, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126) - <sys-process/procps-3.3.15: multiple vulnerabilities (qualys audit)
Summary: <sys-process/procps-3.3.15: multiple vulnerabilities (qualys audit)
Status: RESOLVED FIXED
Alias: CVE-2018-1120, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-18 14:10 UTC by Agostino Sarubbo
Modified: 2018-10-15 16:11 UTC

See Also:
Package list:
sys-process/procps-3.3.15-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2018-05-18 14:10:10 UTC
See ${URL}



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2018-05-20 18:49:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c28eb1ec656863308d99790290560cdf2d15fd02

commit c28eb1ec656863308d99790290560cdf2d15fd02
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-05-20 18:48:50 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-05-20 18:49:10 +0000

    sys-process/procps: Security bump to version 3.3.15
    
    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.38, Repoman-2.3.9

 sys-process/procps/Manifest             |  1 +
 sys-process/procps/procps-3.3.15.ebuild | 81 +++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
Comment 2 Jory A. Pratt gentoo-dev 2018-05-20 23:03:46 UTC
(In reply to Larry the Git Cow from comment #1)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=c28eb1ec656863308d99790290560cdf2d15fd02
> 
> commit c28eb1ec656863308d99790290560cdf2d15fd02
> Author:     Lars Wendler <polynomial-c@gentoo.org>
> AuthorDate: 2018-05-20 18:48:50 +0000
> Commit:     Lars Wendler <polynomial-c@gentoo.org>
> CommitDate: 2018-05-20 18:49:10 +0000
> 
>     sys-process/procps: Security bump to version 3.3.15
>     
>     Bug: https://bugs.gentoo.org/656022
>     Package-Manager: Portage-2.3.38, Repoman-2.3.9
> 
>  sys-process/procps/Manifest             |  1 +
>  sys-process/procps/procps-3.3.15.ebuild | 81
> +++++++++++++++++++++++++++++++++
>  2 files changed, 82 insertions(+)

ebuild cannot apply patches properly, please revisit.

>>> Preparing source in /var/tmp/tmpfs/portage/sys-process/procps-3.3.15/work/procps-ng-3.3.15 ...
 * Applying procps-3.3.8-kill-neg-pid.patch ...
2 out of 2 hunks FAILED -- saving rejects to file skill.c.rej            [ !! ]
Comment 3 Larry the Git Cow gentoo-dev 2018-05-23 18:37:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fbfaa56c2cefa7f97153efe097a003a9132ab05

commit 6fbfaa56c2cefa7f97153efe097a003a9132ab05
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-23 16:30:36 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-23 18:37:29 +0000

    sys-process/procps: stable 3.3.15-r1 for sparc
    
    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 sys-process/procps/procps-3.3.15-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Larry the Git Cow gentoo-dev 2018-05-23 19:03:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90ff196c2b7b43b0ca9f1f43713cd90aff01573a

commit 90ff196c2b7b43b0ca9f1f43713cd90aff01573a
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-23 19:03:42 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-23 19:03:48 +0000

    sys-process/procps: stable 3.3.15-r1 for ia64, bug #656022
    
    Bug: https://bugs.gentoo.org/656022
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 sys-process/procps/procps-3.3.15-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Matt Turner gentoo-dev 2018-05-25 03:46:56 UTC
ppc64 stable
Comment 6 Matt Turner gentoo-dev 2018-05-25 04:13:44 UTC
ppc stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-05-26 00:01:55 UTC
x86 stable
Comment 8 Mart Raudsepp gentoo-dev 2018-05-26 10:08:41 UTC
arm64 stable
Comment 9 Markus Meier gentoo-dev 2018-05-29 04:41:54 UTC
arm stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-05-29 09:56:03 UTC
alpha stable/old killed
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-05-29 13:22:51 UTC
GLSA Request filed
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2018-05-30 14:05:14 UTC
This issue was resolved and addressed in
 GLSA 201805-14 at https://security.gentoo.org/glsa/201805-14
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Oleh 2018-10-14 12:44:42 UTC
This GLSA is wrongly handled in that it has *incorrect* CVE numbers, which is confusing for users. Please read the upstream 3.3.15 release notes.
The Qualys analysis also clearly states which CVEs have patches.
https://gitlab.com/procps-ng/procps/tags/v3.3.15

The CVEs fixed by version 3.3.15-r1 are:

CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126

From Qualys audit:


The kernel patch for CVE-2018-1120 is:
https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830

There is currently no patch for CVE-2018-1121, because no satisfactory
solution (secure and efficient) has been found. Please feel free to
suggest ideas here!
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-10-15 16:04:18 UTC
Hi Oleg,

(In reply to Oleg from comment #13)
> this is wrongly handled GLSA by terms that it has *incorrect* CVE's numbers
> that is confusing for users. Please, read upstream 3.3.15 release notes. 
> Qualys analysis also clearly states what CVE's has the patches.
> https://gitlab.com/procps-ng/procps/tags/v3.3.15
> 
> The CVE fixed by version 3.3.15-r1 are:
> 
> CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126
> 
> From Qualys audit:
> 
> 
> The kernel patch for CVE-2018-1120 is:
> https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
> 
> There is currently no patch for CVE-2018-1121, because no satisfactory
> solution (secure and efficient) has been found. Please feel free to
> suggest ideas here!


Thanks for spotting this issue, we are fixing the CVEs listed in said GLSA and will create a separate report to handle CVE-2018-1121.

Thank you,