Bug 728696 (CVE-2019-13033, CVE-2020-13882) - app-forensics/lynis: Multiple vulnerabilities (CVE-2019-13033, CVE-2020-13882)
Summary: app-forensics/lynis: Multiple vulnerabilities (CVE-2019-13033, CVE-2020-13882)
Status: RESOLVED FIXED
Alias: CVE-2019-13033, CVE-2020-13882
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~1 [noglsa]
Keywords:
Duplicates: 730754
Depends on:
Blocks:
 
Reported: 2020-06-18 20:42 UTC by John Helmert III (ajak)
Modified: 2020-07-12 18:26 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III (ajak) 2020-06-18 20:42:50 UTC
From https://cisofy.com/security/cve/cve-2019-13033/:

"Sander Bos discovered that the data upload routine in Lynis up to version 2.7.5 may leak information, which allows attackers to retrieve the license key by looking at the process listing.

When defined, the license key can be leaked during the period that a data upload occurs. A local user could monitor the process list to find the license key. The key is part of the parameters provided to cURL. This happens when --upload is used to upload data to a central system. The specific call happens in the include/data_upload script.

Although the license key alone does not grant access to system information on a central server, it may be used to upload falsified data, waste system resources, or use up all upload credits.

Affected versions are 2.0.0 up to 2.7.5."

From: https://cisofy.com/security/cve/cve-2020-13882/:

"The symlink detection routine in Lynis before 3.0.0 could be bypassed, which allows local users to manipulate the data in both the log and report. The data manipulation can be used to perform a Denial of Service, retrieve additional system information, or even achieve privilege escalation.

To exploit the vulnerability, an attacker needs access to the system, and must wait until another non-privileged user runs Lynis. If symlinks are not protected by the kernel (Linux: fs.protected_hardlinks or fs.protected_symlinks), a TOCTTOU race condition might grant access to the log and report file."

Maintainer(s): Please bump.
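The first advisory (CVE-2019-13033) turns on a general property of Unix process argument lists: whatever a program puts in argv is readable by every local user through `ps` or /proc/PID/cmdline. The script below is an added example, not part of this bug report and not Lynis's own include/data_upload code. It shows the leaky pattern (a secret as a cURL argument) beside one standard mitigation (feeding the secret to cURL as a config file on stdin via `--config -`, which is a documented cURL option). KEY is a constructed placeholder, the upload URL is hypothetical, and no network call is made: a `sh -c` loop stands in for the long-running cURL process and carries the same argument list, so the example runs offline.

```shell
#!/bin/sh
# Added example, not Lynis's own code: why a license key handed to cURL as an
# argument is readable by any local user, and one standard way to keep it out
# of argv. KEY is a constructed placeholder. No network call is made: a
# 'sh -c' loop stands in for the long-running cURL process and carries the
# same argument list, so the example runs offline.

KEY='lynis-example-key-0000'   # constructed placeholder, not a real key

# Full argument list of process $1, as any local user would see it.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Inspect the argv of background process $1, then stop it.
# Returns 0 if KEY was visible in the argument list, 1 otherwise.
inspect_and_stop() {
    sleep 1                               # let the child finish its exec()
    if argv_of "$1" | grep -q -- "$KEY"; then leaked=0; else leaked=1; fi
    kill "$1" 2>/dev/null
    wait "$1" 2>/dev/null || :
    return "$leaked"
}

# Vulnerable pattern: the key is an argv element of the child process.
# Stand-in for:  curl --data "licensekey=$KEY" https://upload.example/
leaky_upload() {
    sh -c 'while :; do sleep 1; done' upload --data "licensekey=$KEY" &
    inspect_and_stop $!
}

# Hardened pattern: the key travels in a cURL config read from stdin
# (curl --config -), so argv only ever holds "--config -".
# Stand-in for:  curl --config - https://upload.example/ <<EOF ... EOF
safe_upload() {
    sh -c 'cat >/dev/null; while :; do sleep 1; done' upload --config - <<EOF &
data = "licensekey=$KEY"
EOF
    inspect_and_stop $!
}

# Demo when run directly.
if leaky_upload; then
    echo "key as argument: visible in the process list to every local user"
fi
if safe_upload; then
    echo "unexpected: key visible in argv"
else
    echo "key via --config on stdin: absent from the process list"
fi
```

The same argument applies to any secret, not only license keys: environment variables are only marginally better (readable by the same user through /proc/PID/environ), while a config file with mode 0600 or a pipe to stdin keeps the value off the process list entirely.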
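The second advisory (CVE-2020-13882) is a classic check-then-use race: testing a path for a symlink and then opening it leaves a window in which an attacker can plant a link, so the write lands on a file of the attacker's choosing. The script below is an added example, not part of this bug report and not Lynis's own code. It runs the vulnerable writer and a hardened writer in a throwaway directory; a hook function stands in for the attacker winning the race, and "victim" is a hypothetical file the attacker wants overwritten. The hardened writer relies on `set -C` (POSIX noclobber), under which `>` creates the file with O_EXCL, so an existing path, symlink included, fails instead of being followed. Note that fs.protected_symlinks, mentioned in the advisory, only restricts links in world-writable sticky directories such as /tmp and never links owned by the same user as the writer, which is why the single-user demo succeeds regardless of that sysctl: the kernel setting is a backstop, not a substitute for safe file creation.

```shell
#!/bin/sh
# Added example, not Lynis's own code: the check-then-write pattern that a
# symlink race defeats, next to a writer that creates the file with O_EXCL
# and so never follows a link planted after the check. All paths live in a
# temporary directory created here; "victim" is a hypothetical file the
# attacker wants overwritten. ATTACK_DIR is a helper global for the demo.

# 0 if the kernel's symlink restriction (Linux fs.protected_symlinks) is on.
# It only covers world-writable sticky directories and cross-user links,
# so it does not interfere with the same-user scenario below.
kernel_protects_symlinks() {
    [ "$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)" = 1 ]
}

# The attacker's move: replace the report path with a link to the victim.
plant_symlink() {
    ln -sf "$ATTACK_DIR/victim" "$ATTACK_DIR/lynis-report.dat"
}

# Vulnerable writer: tests for a symlink, then opens the path. Whatever runs
# in between ($2, standing in for the attacker winning the race) decides
# where the write really lands.
vulnerable_write() {   # $1 = path, $2 = hook run between check and write
    if [ -L "$1" ]; then echo "refusing symlink $1" >&2; return 1; fi
    "${2:-:}"
    echo "report data" > "$1"
}

# Hardened writer: set -C (noclobber) makes '>' create with O_EXCL, so an
# existing path, symlink included, fails instead of being followed. There is
# no separate check to race against. Returns non-zero if creation failed.
safe_write() {          # $1 = path, $2 = hook, same meaning as above
    "${2:-:}"
    ( set -C; echo "report data" > "$1" ) 2>/dev/null
}

# Run one writer in a fresh directory and print what the victim file holds
# afterwards: "report data" means the planted link was followed.
run_scenario() {        # $1 = writer function
    ATTACK_DIR=$(mktemp -d)
    echo original > "$ATTACK_DIR/victim"
    "$1" "$ATTACK_DIR/lynis-report.dat" plant_symlink || :
    cat "$ATTACK_DIR/victim"
    rm -rf "$ATTACK_DIR"
}

run_vulnerable() { run_scenario vulnerable_write; }
run_safe()       { run_scenario safe_write; }

# Demo when run directly.
if kernel_protects_symlinks; then prot=on; else prot="off or unknown"; fi
echo "kernel symlink protection: $prot"
echo "check-then-write writer, victim now holds: $(run_vulnerable)"
echo "O_EXCL (noclobber) writer, victim now holds: $(run_safe)"
```

Creating the log and report under a directory the user owns with mode 0700, and opening them with O_EXCL (or `mktemp` for temporary files), removes the window entirely; checking for a symlink first only narrows it.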
Comment 1 Jeroen Roovers gentoo-dev 2020-07-05 18:55:10 UTC
*** Bug 730754 has been marked as a duplicate of this bug. ***
Comment 2 Jesús P Rey (Chuso) 2020-07-06 17:48:41 UTC
Hi,

I had opened #730754 with a pull request to bump version of app-forensics/lynis to the latest and request to be the maintainer, but it was closed as a duplicate of this one, so I guess I will have to post it here: 

https://github.com/gentoo/gentoo/pull/16591
Comment 3 John Helmert III (ajak) 2020-07-12 18:26:11 UTC
Tree is clean:

commit a51e4e08b3ed6503b7b9bed9eaa57ad8c07dfb10
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Sat Jul 11 10:55:14 2020 -0400

    app-forensics/lynis: Version bump, remove old

    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 rename app-forensics/lynis/{lynis-2.7.5.ebuild => lynis-3.0.0.ebuild} (95%)