Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 670856 (CVE-2018-19044, CVE-2018-19045, CVE-2018-19046, CVE-2018-19115) - <sys-cluster/keepalived-2.0.10: multiple vulnerabilities (CVE-2018-{19044,19045,19046,19115})
Summary: <sys-cluster/keepalived-2.0.10: multiple vulnerabilities (CVE-2018-{19044,190...
Status: RESOLVED FIXED
Alias: CVE-2018-19044, CVE-2018-19045, CVE-2018-19046, CVE-2018-19115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on: 655300
Blocks:
  Show dependency tree
 
Reported: 2018-11-10 21:16 UTC by GLSAMaker/CVETool Bot
Modified: 2019-03-10 02:18 UTC (History)
2 users (show)

See Also:
Package list:
sys-cluster/keepalived-2.0.10-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-11-10 21:16:23 UTC
CVE-2018-19115 (https://nvd.nist.gov/vuln/detail/CVE-2018-19115):
  keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP
  status codes resulting in DoS or possibly unspecified other impact, because
  extract_status_code in lib/html.c has no validation of the status code and
  instead writes an unlimited amount of data to the heap.

CVE-2018-19046 (https://nvd.nist.gov/vuln/detail/CVE-2018-19046):
  keepalived 2.0.8 didn't check for existing plain files when writing data to
  a temporary file upon a call to PrintData or PrintStats. If a local attacker
  had previously created a file with the expected name (e.g.,
  /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the
  attacker and write access for the keepalived process, then this potentially
  leaked sensitive information.

CVE-2018-19045 (https://nvd.nist.gov/vuln/detail/CVE-2018-19045):
  keepalived 2.0.8 used mode 0666 when creating new temporary files upon a
  call to PrintData or PrintStats, potentially leaking sensitive information.

CVE-2018-19044 (https://nvd.nist.gov/vuln/detail/CVE-2018-19044):
  keepalived 2.0.8 didn't check for pathnames with symlinks when writing data
  to a temporary file upon a call to PrintData or PrintStats. This allowed
  local users to overwrite arbitrary files if fs.protected_symlinks is set to
  0, as demonstrated by a symlink from /tmp/keepalived.data or
  /tmp/keepalived.stats to /etc/passwd.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-11-10 21:18:29 UTC
@ maintainer(s): Can we stabilize =sys-cluster/keepalived-2.0.9?
Comment 2 Tomáš Mózes 2018-11-11 08:48:36 UTC
I'll try to give it some more testing next week and report back.
Comment 3 Tomáš Mózes 2018-11-14 05:23:48 UTC
Another security bump to 2.0.10: https://github.com/gentoo/gentoo/pull/10415

I've tested on one of our clusters, it works fine, but there are reports that keepalived segfaults when using snmp: https://github.com/acassen/keepalived/issues/1061

I would suggest waiting for an upstream patch and apply it for 2.0.10. Seems like there are no other open bugs for 2.x.
Comment 4 Larry the Git Cow gentoo-dev 2018-11-14 13:27:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4385f352e5ace4ce12b29e1378f8b70b3bde597f

commit 4385f352e5ace4ce12b29e1378f8b70b3bde597f
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2018-11-14 05:17:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-14 13:25:20 +0000

    sys-cluster/keepalived: bump to 2.0.10
    
    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/Manifest                 |  1 +
 sys-cluster/keepalived/keepalived-2.0.10.ebuild | 72 +++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-11-14 13:31:08 UTC
Adjusting summary, while CVE-2018-19046 was already addresses in 2.0.9 according to changelog, fix was incomplete. From 2.0.10 changelog:

> This should fully resolve CVE-2018-19046.
Comment 6 Tomáš Mózes 2018-11-14 14:03:23 UTC
Upstream added those fixes for snmp crashes, if we can wait until tomorrow, i'll test them and create a pr for a new revision.
Comment 7 Rolf Eike Beer 2018-11-14 22:01:11 UTC
sparc done
Comment 8 Tomáš Mózes 2018-11-15 10:01:26 UTC
SNMP crash fix during shutdown: https://github.com/gentoo/gentoo/pull/10422
Comment 9 Larry the Git Cow gentoo-dev 2018-11-15 13:49:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb99b23e3f30a44d4880944ff42731297a0c5e3e

commit bb99b23e3f30a44d4880944ff42731297a0c5e3e
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2018-11-15 09:58:16 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-11-15 13:49:01 +0000

    sys-cluster/keepalived: fix crash during shutdown
    
    Bug: https://bugs.gentoo.org/670856
    Bug: https://github.com/acassen/keepalived/issues/1061
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/10422
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 .../files/keepalived-2.0.10-snmp-crash-fix.patch   | 122 +++++++++++++++++++++
 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild |  76 +++++++++++++
 2 files changed, 198 insertions(+)
Comment 10 Tomáš Mózes 2018-11-15 14:20:01 UTC
I know 2.0.10 was stabilized on sparc yesterday, but please stabilize 2.0.10-r1 instead. Then we'll clean all versions <2.0.10-r1. Thanks.
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-11-15 15:08:06 UTC
We will move keywords.
Comment 12 Larry the Git Cow gentoo-dev 2018-11-15 15:49:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efc2e9877ba742c36e2ff5da6f23db956dfad930

commit efc2e9877ba742c36e2ff5da6f23db956dfad930
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-15 15:49:48 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-15 15:49:48 +0000

    sys-cluster/keepalived: move keywords
    
    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild |  2 +-
 sys-cluster/keepalived/keepalived-2.0.10.ebuild    | 72 ----------------------
 2 files changed, 1 insertion(+), 73 deletions(-)
Comment 13 Thomas Deutschmann gentoo-dev Security 2018-11-15 15:50:55 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2018-11-16 16:16:53 UTC
I'm still hitting the sandbox issue described in bug 655300
Comment 15 Agostino Sarubbo gentoo-dev 2018-11-22 11:34:32 UTC
amd64 stable
Comment 16 Sergei Trofimovich gentoo-dev 2018-11-24 11:10:10 UTC
ia64 stable
Comment 17 Larry the Git Cow gentoo-dev 2018-11-28 21:22:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=824dd937195207bd78b66ed8143bb8441fa4ef36

commit 824dd937195207bd78b66ed8143bb8441fa4ef36
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 21:21:38 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 21:21:38 +0000

    sys-cluster/keepalived-2.0.10-r1: alpha stable
    
    Bug: http://bugs.gentoo.org/670856
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 18 Tobias Klausmann gentoo-dev 2018-11-28 21:23:31 UTC
Stable on alpha.
Comment 19 Sergei Trofimovich gentoo-dev 2018-12-26 14:03:25 UTC
ppc stable
Comment 20 Sergei Trofimovich gentoo-dev 2018-12-26 20:13:44 UTC
ppc64 stable
Comment 21 Larry the Git Cow gentoo-dev 2019-01-07 16:53:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78694bbb35225a0e2e39d686456563d492bfe81c

commit 78694bbb35225a0e2e39d686456563d492bfe81c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-01-07 16:49:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-01-07 16:52:52 +0000

    sys-cluster/keepalived: security cleanup
    
    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.54, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/Manifest                |  2 -
 sys-cluster/keepalived/files/keepalived.confd  |  6 ---
 sys-cluster/keepalived/files/keepalived.init   | 33 ------------
 sys-cluster/keepalived/keepalived-1.4.3.ebuild | 69 --------------------------
 sys-cluster/keepalived/keepalived-1.4.5.ebuild | 69 --------------------------
 5 files changed, 179 deletions(-)
Comment 22 Thomas Deutschmann gentoo-dev Security 2019-01-07 16:54:17 UTC
New GLSA request filed.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 02:18:04 UTC
This issue was resolved and addressed in
 GLSA 201903-01 at https://security.gentoo.org/glsa/201903-01
by GLSA coordinator Aaron Bauman (b-man).