multiple vulnerabilities found in OSSEC-HIDS
CVE-2020-8448 (https://nvd.nist.gov/vuln/detail/CVE-2020-8448): In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a denial of service (NULL pointer dereference) via crafted messages written directly to the analysisd UNIX domain socket by a local user.

CVE-2020-8447 (https://nvd.nist.gov/vuln/detail/CVE-2020-8447): In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of syscheck formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).

CVE-2020-8446 (https://nvd.nist.gov/vuln/detail/CVE-2020-8446): In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to path traversal (with write access) via crafted syscheck messages written directly to the analysisd UNIX domain socket by a local user.

CVE-2020-8445 (https://nvd.nist.gov/vuln/detail/CVE-2020-8445): In OSSEC-HIDS 2.7 through 3.5.0, the OS_CleanMSG function in ossec-analysisd doesn't remove or encode terminal control characters or newlines from processed log messages. In many cases, those characters are later logged. Because newlines (\n) are permitted in messages processed by ossec-analysisd, it may be possible to inject nested events into the ossec log. Use of terminal control characters may allow obfuscating events or executing commands when viewed through vulnerable terminal emulators. This may be an unauthenticated remote attack for certain types and origins of logged data.

CVE-2020-8444 (https://nvd.nist.gov/vuln/detail/CVE-2020-8444): In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of ossec-alert formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).

CVE-2020-8443 (https://nvd.nist.gov/vuln/detail/CVE-2020-8443): In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to an off-by-one heap-based buffer overflow during the cleaning of crafted syslog msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).

CVE-2020-8442 (https://nvd.nist.gov/vuln/detail/CVE-2020-8442): In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a heap-based buffer overflow in the rootcheck decoder component via an authenticated client.
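The mitigation implied by CVE-2020-8445 above is that every byte which could split a log line or drive a terminal must be encoded before the message is written out. The following is an added example written for this page, not OSSEC's OS_CleanMSG or its upstream fix; `log_sanitize` and `log_has_unsafe_bytes` are hypothetical helper names, and the sample message is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode bytes a log parser or terminal could misinterpret: LF/CR (one
 * message rendered as several events), other C0 controls such as ESC, DEL,
 * and backslash so the encoding stays unambiguous. Bytes >= 0x80 pass
 * through, so UTF-8 survives. Hypothetical helper, not OSSEC's OS_CleanMSG. */
char *log_sanitize(const char *msg)
{
    size_t len = strlen(msg);
    char *out = malloc(len * 4 + 1);   /* worst case: every byte -> "\xHH" */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)msg[i];
        if (c == '\\')      { *p++ = '\\'; *p++ = '\\'; }
        else if (c == '\n') { *p++ = '\\'; *p++ = 'n'; }
        else if (c == '\r') { *p++ = '\\'; *p++ = 'r'; }
        else if (c == '\t') { *p++ = '\\'; *p++ = 't'; }
        else if (c < 0x20 || c == 0x7f) p += snprintf(p, 5, "\\x%02X", (unsigned)c);
        else *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Check a collector can apply before writing: does the message still carry
 * raw control bytes that would split or corrupt a log line? */
int log_has_unsafe_bytes(const char *msg)
{
    for (const unsigned char *s = (const unsigned char *)msg; *s; s++)
        if (*s < 0x20 || *s == 0x7f)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: an auth line with an injected newline, a forged
     * second event, and a trailing ANSI clear-screen sequence (ESC [ 2 J). */
    const char *raw = "sshd: Failed password for root\n"
                      "ossec: alert: nothing to see here\x1b[2J";
    char *clean = log_sanitize(raw);
    printf("%s\n", clean ? clean : "(allocation failed)");
    free(clean);
    return 0;
}
```

After sanitizing, the forged second event and the escape sequence are visible as literal `\n` and `\x1B` text on a single log line instead of being interpreted.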
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=893c535777a2ae759e3065aafb25f5c9d77e3ad9

commit 893c535777a2ae759e3065aafb25f5c9d77e3ad9
Author:     Ralph Seichter <github@seichter.de>
AuthorDate: 2020-02-22 18:33:07 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-11 06:09:14 +0000

    net-analyzer/ossec-hids: GLEP 81, version bump

    Change ebuild for GLEP 81, bump to upstream release 3.6.0.

    Bug: https://bugs.gentoo.org/707826
    Closes: https://bugs.gentoo.org/707890
    Closes: https://bugs.gentoo.org/710508
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Ralph Seichter <gentoo@seichter.de>
    Closes: https://github.com/gentoo/gentoo/pull/14743
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-analyzer/ossec-hids/Manifest                   |  1 +
 net-analyzer/ossec-hids/files/makefile-3.6.0.patch | 28 +++++++++
 net-analyzer/ossec-hids/ossec-hids-3.6.0.ebuild    | 66 ++++++++++++++++++++++
 3 files changed, 95 insertions(+)
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
I have no objections against stabilizing the 3.6.0 ebuild.
Proxy Maintainers if you agree please call for stabilization.
Please stabilize net-analyzer/ossec-hids-3.6.0 so vulnerable ones can be dropped asap.
Please process https://github.com/gentoo/gentoo/pull/15030 before stabilizing. The PR adds a missing dependency to libevent that was first reported two hours ago; see https://bugs.gentoo.org/713692.
The libevent dependency has been added; my thanks to Whissi for the quick response. Stabilization can continue.
@amd64: ping
(In reply to Sam James from comment #9)
> @amd64: ping

ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db90a56583292311e28de8f65554a5ce1192ed9d

commit db90a56583292311e28de8f65554a5ce1192ed9d
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2020-07-17 06:10:01 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-17 06:10:01 +0000

    net-analyzer/ossec-hids: stabilize 3.6.0 on amd64, #707826

    Bug: https://bugs.gentoo.org/707826
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-analyzer/ossec-hids/ossec-hids-3.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
amd64 done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96587d39bdb2cdbd29a66ec50af93b2b82510f9e

commit 96587d39bdb2cdbd29a66ec50af93b2b82510f9e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:01:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:48 +0000

    net-analyzer/ossec-hids: security cleanup

    Bug: https://bugs.gentoo.org/707826
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/ossec-hids/Manifest                   |  3 -
 net-analyzer/ossec-hids/files/makefile-3.2.0.patch | 28 ---------
 net-analyzer/ossec-hids/files/makefile-3.3.0.patch | 28 ---------
 net-analyzer/ossec-hids/files/makefile.patch       | 28 ---------
 net-analyzer/ossec-hids/ossec-hids-3.1.0.ebuild    | 68 ----------------------
 net-analyzer/ossec-hids/ossec-hids-3.2.0-r1.ebuild | 64 --------------------
 net-analyzer/ossec-hids/ossec-hids-3.2.0.ebuild    | 63 --------------------
 net-analyzer/ossec-hids/ossec-hids-3.3.0.ebuild    | 67 ---------------------
 8 files changed, 349 deletions(-)
This issue was resolved and addressed in GLSA 202007-33 at https://security.gentoo.org/glsa/202007-33 by GLSA coordinator Sam James (sam_c).