Bug 736094 (CVE-2020-15106, CVE-2020-15112, CVE-2020-15113, CVE-2020-15114, CVE-2020-15115, CVE-2020-15136) - <dev-db/etcd-{3.3.23, 3.4.10}: Multiple vulnerabilities (CVE-2020-{15112,15113,15114,15115,15136})
Summary: <dev-db/etcd-{3.3.23, 3.4.10}: Multiple vulnerabilities (CVE-2020-{15112,1511...
Status: RESOLVED FIXED
Alias: CVE-2020-15106, CVE-2020-15112, CVE-2020-15113, CVE-2020-15114, CVE-2020-15115, CVE-2020-15136
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-06 02:39 UTC by John Helmert III
Modified: 2021-11-19 12:51 UTC

See Also:
Package list:
=dev-db/etcd-3.3.23
Runtime testing required: ---
nattka: sanity-check+
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 02:39:38 UTC
CVE-2020-15112 (https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93):

In the ReadAll method in wal/wal.go, it is possible to have an entry index greater than the number of entries. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

CVE-2020-15113 (https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92):

etcd creates certain directory paths (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using os.MkdirAll. This function does not perform any permission checks when a given directory path exists already.
Patched versions according to advisories are 3.4.10 and 3.3.23. Maintainer, please bump
Comment 1 Larry the Git Cow gentoo-dev 2020-08-06 07:01:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2040677801db87d8f1e546fef6f99d9d08f6a063

commit 2040677801db87d8f1e546fef6f99d9d08f6a063
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-08-06 07:00:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-08-06 07:01:34 +0000

    dev-db/etcd: Bump to version 3.4.10
    
    Bug: https://bugs.gentoo.org/736094
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-db/etcd/Manifest           |  1 +
 dev-db/etcd/etcd-3.4.10.ebuild | 80 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b63d5c005243af05c3080feb36ce154d5843724b

commit b63d5c005243af05c3080feb36ce154d5843724b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-08-06 06:13:56 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-08-06 07:01:34 +0000

    dev-db/etcd: Bump to version 3.3.23
    
    Bug: https://bugs.gentoo.org/736094
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-db/etcd/Manifest           |  1 +
 dev-db/etcd/etcd-3.3.23.ebuild | 87 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 19:33:25 UTC
Thanks Zac. It appears we have two supported branches in-tree now, can you add slots to differentiate them?
Comment 3 Zac Medico gentoo-dev 2020-08-06 20:38:32 UTC
(In reply to John Helmert III (ajak) from comment #2)
> Thanks Zac. It appears we have two supported branches in-tree now, can you
> add slots to differentiate them?

I wouldn't recommend co-installation of multiple etcd versions. The 3.3 branch is there just in case someone is not prepared to upgrade to 3.4 for some reason.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 01:18:51 UTC
A few more, no whiteboard change, same versions affected.

CVE-2020-15114 (https://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224):

The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.

CVE-2020-15115 (https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh):

etcd does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users’ passwords with little computational effort.

CVE-2020-15136 (https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q):

When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. The auditors have noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.
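The CVE-2020-15114 entry above describes a gateway that can be pointed at its own listen address and then loops on itself until it exhausts file descriptors. The following is an added example written for this bug page, not etcd's gateway code and not the upstream fix; it shows the kind of endpoint validation that catches that configuration before any connection is opened. The function names, the treatment of an unspecified listen address (0.0.0.0 or ::) as matching every local interface, and the decision not to resolve hostnames other than the literal "localhost" are all assumptions of the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitEndpoint strips an optional http:// or https:// scheme and returns host and port.
func splitEndpoint(ep string) (host, port string, err error) {
	ep = strings.TrimPrefix(strings.TrimPrefix(ep, "https://"), "http://")
	return net.SplitHostPort(ep)
}

// localAddrs returns the IPs bound to this machine's interfaces. It is consulted
// when the gateway listens on an unspecified address, which answers on all of them.
func localAddrs() map[string]bool {
	out := map[string]bool{}
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		return out
	}
	for _, a := range addrs {
		if ipn, ok := a.(*net.IPNet); ok {
			out[ipn.IP.String()] = true
		}
	}
	return out
}

// IsSelfEndpoint reports whether endpoint would connect back to a gateway
// listening on listenAddr. Only the literal "localhost" is mapped to loopback;
// other hostnames are not resolved, so the check stays offline and deterministic
// (a stricter deployment would resolve them as well).
func IsSelfEndpoint(listenAddr, endpoint string) (bool, error) {
	lh, lp, err := net.SplitHostPort(listenAddr)
	if err != nil {
		return false, fmt.Errorf("listen address %q: %w", listenAddr, err)
	}
	eh, ep, err := splitEndpoint(endpoint)
	if err != nil {
		return false, fmt.Errorf("endpoint %q: %w", endpoint, err)
	}
	if lp != ep {
		return false, nil // different port: cannot be the gateway's own listener
	}
	if strings.EqualFold(lh, eh) {
		return true, nil
	}
	if strings.EqualFold(eh, "localhost") {
		eh = "127.0.0.1"
	}
	if strings.EqualFold(lh, "localhost") {
		lh = "127.0.0.1"
	}
	lip, eip := net.ParseIP(lh), net.ParseIP(eh)
	if lip == nil || eip == nil {
		return false, nil // unresolved hostname: not provably the gateway itself
	}
	if eip.IsUnspecified() {
		eip = net.IPv4(127, 0, 0, 1) // connecting to 0.0.0.0 reaches the local host
	}
	if lip.IsUnspecified() {
		// Listening on every interface: any loopback or local address on this port is us.
		return eip.IsLoopback() || localAddrs()[eip.String()], nil
	}
	return lip.Equal(eip), nil
}

// ValidateEndpoints rejects the endpoint list if any entry points back at the gateway.
func ValidateEndpoints(listenAddr string, endpoints []string) error {
	for _, ep := range endpoints {
		self, err := IsSelfEndpoint(listenAddr, ep)
		if err != nil {
			return err
		}
		if self {
			return fmt.Errorf("endpoint %q is the gateway's own listen address %q", ep, listenAddr)
		}
	}
	return nil
}

func main() {
	// Constructed addresses; 203.0.113.0/24 is the documentation range, so it is never local.
	listen := "0.0.0.0:23790"
	fmt.Println(ValidateEndpoints(listen, []string{"203.0.113.10:2379", "203.0.113.11:2379"}))
	fmt.Println(ValidateEndpoints(listen, []string{"203.0.113.10:2379", "http://localhost:23790"}))
}
```

A port comparison alone is not enough, since a gateway on 0.0.0.0 is reachable through every interface address; that is why the unspecified case consults the interface list. Rejecting the configuration at startup also produces a clear log line for operators, which is easier to act on than a later file-descriptor exhaustion.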
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 08:32:31 UTC
Ready to stable?
Comment 6 Zac Medico gentoo-dev 2020-08-11 16:37:45 UTC
Yes, please stabilize.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 17:49:14 UTC
Thanks!
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 03:56:41 UTC
amd64 done

all arches done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 04:04:00 UTC
Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2020-08-15 04:09:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b091a013ac656766c08cd4d30654b3daab4b4f6

commit 7b091a013ac656766c08cd4d30654b3daab4b4f6
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-08-15 04:08:21 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-08-15 04:09:27 +0000

    dev-db/etcd: Remove vulnerable #736094
    
    Bug: https://bugs.gentoo.org/736094
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-db/etcd/Manifest           |  8 ----
 dev-db/etcd/etcd-3.3.17.ebuild | 78 --------------------------------------
 dev-db/etcd/etcd-3.3.18.ebuild | 78 --------------------------------------
 dev-db/etcd/etcd-3.3.19.ebuild | 78 --------------------------------------
 dev-db/etcd/etcd-3.3.20.ebuild | 78 --------------------------------------
 dev-db/etcd/etcd-3.4.3.ebuild  | 86 ------------------------------------------
 dev-db/etcd/etcd-3.4.4.ebuild  | 73 -----------------------------------
 dev-db/etcd/etcd-3.4.5.ebuild  | 73 -----------------------------------
 dev-db/etcd/etcd-3.4.7.ebuild  | 73 -----------------------------------
 9 files changed, 625 deletions(-)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 04:12:11 UTC
GLSA vote: no.

Closing, thanks all!
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-19 12:51:09 UTC
CVE-2020-15106:

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
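The CVE-2020-15106 text above comes down to a length field that is trusted before anything is allocated. The following is an added example written for this bug page, not etcd's WAL decoder and not the upstream fix; it puts the unchecked pattern beside a bounded one on a simplified frame format (an 8-byte little-endian length followed by the payload). The frame layout, the MaxRecordSize limit and all function names are assumptions of the example, and the sample frames are constructed inline.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MaxRecordSize bounds how much a single frame may claim. This is a constructed
// limit for the example; a real decoder would derive it from the segment size.
const MaxRecordSize = 1 << 20

var ErrRecordTooLarge = errors.New("wal: record length exceeds limit")

// EncodeRecord writes a frame as an 8-byte little-endian length followed by the payload.
func EncodeRecord(w io.Writer, payload []byte) error {
	var hdr [8]byte
	binary.LittleEndian.PutUint64(hdr[:], uint64(len(payload)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err := w.Write(payload)
	return err
}

// DecodeRecordUnchecked trusts the length field: a corrupted or forged length
// goes straight to make, which panics on absurd sizes and otherwise tries to
// allocate whatever the file claims. This is the CVE-2020-15106 pattern.
func DecodeRecordUnchecked(r io.Reader) ([]byte, error) {
	var hdr [8]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.LittleEndian.Uint64(hdr[:])
	buf := make([]byte, n) // panics with "makeslice: len out of range" for huge n
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// DecodeRecord validates the length against MaxRecordSize before allocating and
// reports a truncated body as an error, so bad on-disk data cannot take the
// process (and with it the Raft participant) down.
func DecodeRecord(r io.Reader) ([]byte, error) {
	var hdr [8]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.LittleEndian.Uint64(hdr[:])
	if n > MaxRecordSize {
		return nil, fmt.Errorf("%w: %d > %d", ErrRecordTooLarge, n, MaxRecordSize)
	}
	buf := make([]byte, int(n))
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("wal: truncated record (want %d bytes): %w", n, err)
	}
	return buf, nil
}

// FrameWithClaimedLength builds a constructed test frame whose header claims
// `claimed` bytes but which carries only the given payload.
func FrameWithClaimedLength(claimed uint64, payload []byte) []byte {
	var hdr [8]byte
	binary.LittleEndian.PutUint64(hdr[:], claimed)
	return append(hdr[:], payload...)
}

func main() {
	var buf bytes.Buffer
	_ = EncodeRecord(&buf, []byte("constructed raft entry"))
	rec, err := DecodeRecord(&buf)
	fmt.Printf("valid frame: %q err=%v\n", rec, err)

	oversize := FrameWithClaimedLength(1<<62, []byte("tiny"))
	_, err = DecodeRecord(bytes.NewReader(oversize))
	fmt.Println("oversize frame:", err)
}
```

The bound has to be checked before the allocation, not after: the unchecked variant never reaches a point where it could return an error. A decoder that also carries a checksum per record (as real WAL formats do) should still apply the length bound first, because the checksum cannot be verified until the body has been read into memory.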