Bug 707826 (CVE-2020-8442, CVE-2020-8443, CVE-2020-8444, CVE-2020-8445, CVE-2020-8446, CVE-2020-8447, CVE-2020-8448) - <net-analyzer/ossec-hids-3.6.0: multiple vulnerabilities (CVE-2020-{8442,8443,8444,8445,8446,8447,8448})
Status: RESOLVED FIXED
Alias: CVE-2020-8442, CVE-2020-8443, CVE-2020-8444, CVE-2020-8445, CVE-2020-8446, CVE-2020-8447, CVE-2020-8448
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/ossec/ossec-hids/i...
Whiteboard: B1 [glsa+ cve]
Reported: 2020-02-01 23:50 UTC by filip ambroz
Modified: 2020-07-27 00:32 UTC

Package list:
=net-analyzer/ossec-hids-3.6.0 amd64
Runtime testing required: ---
stable-bot: sanity-check+


Description filip ambroz 2020-02-01 23:50:20 UTC
Multiple vulnerabilities found in OSSEC-HIDS.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-03-02 06:49:27 UTC
CVE-2020-8448 (https://nvd.nist.gov/vuln/detail/CVE-2020-8448):
  In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log
  analysis (ossec-analysisd) is vulnerable to a denial of service (NULL
  pointer dereference) via crafted messages written directly to the analysisd
  UNIX domain socket by a local user.

CVE-2020-8447 (https://nvd.nist.gov/vuln/detail/CVE-2020-8447):
  In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log
  analysis (ossec-analysisd) is vulnerable to a use-after-free during
  processing of syscheck formatted msgs (received from authenticated remote
  agents and delivered to the analysisd processing queue by ossec-remoted).

CVE-2020-8446 (https://nvd.nist.gov/vuln/detail/CVE-2020-8446):
  In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log
  analysis (ossec-analysisd) is vulnerable to path traversal (with write
  access) via crafted syscheck messages written directly to the analysisd UNIX
  domain socket by a local user.

CVE-2020-8445 (https://nvd.nist.gov/vuln/detail/CVE-2020-8445):
  In OSSEC-HIDS 2.7 through 3.5.0, the OS_CleanMSG function in ossec-analysisd
  doesn't remove or encode terminal control characters or newlines from
  processed log messages. In many cases, those characters are later logged.
  Because newlines (\n) are permitted in messages processed by
  ossec-analysisd, it may be possible to inject nested events into the ossec
  log. Use of terminal control characters may allow obfuscating events or
  executing commands when viewed through vulnerable terminal emulators. This
  may be an unauthenticated remote attack for certain types and origins of
  logged data.

CVE-2020-8444 (https://nvd.nist.gov/vuln/detail/CVE-2020-8444):
  In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log
  analysis (ossec-analysisd) is vulnerable to a use-after-free during
  processing of ossec-alert formatted msgs (received from authenticated remote
  agents and delivered to the analysisd processing queue by ossec-remoted).

CVE-2020-8443 (https://nvd.nist.gov/vuln/detail/CVE-2020-8443):
  In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log
  analysis (ossec-analysisd) is vulnerable to an off-by-one heap-based buffer
  overflow during the cleaning of crafted syslog msgs (received from
  authenticated remote agents and delivered to the analysisd processing queue
  by ossec-remoted).

CVE-2020-8442 (https://nvd.nist.gov/vuln/detail/CVE-2020-8442):
  In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log
  analysis (ossec-analysisd) is vulnerable to a heap-based buffer overflow in
  the rootcheck decoder component via an authenticated client.
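
The CVE-2020-8445 entry in comment 1 describes log messages reaching the log with newlines and terminal control characters intact. The following is an added example, not OSSEC code and not the upstream fix, of encoding such bytes before a message is written; `log_escape` is a hypothetical helper and the sample message is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OSSEC's OS_CleanMSG and not the upstream fix.
 * Copies msg into out so that every byte outside printable ASCII is encoded:
 * one input message can never become two log lines or reach the terminal
 * as a control sequence. Returns the number of bytes written (without NUL). */
size_t log_escape(const char *msg, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        char enc[4];
        size_t n = 0;

        if (*p == '\\') {                 /* escape the escape character */
            enc[n++] = '\\'; enc[n++] = '\\';
        } else if (*p == '\n') {
            enc[n++] = '\\'; enc[n++] = 'n';
        } else if (*p < 0x20 || *p > 0x7e) { /* ESC, CR, DEL, 8-bit bytes */
            enc[n++] = '\\'; enc[n++] = 'x';
            enc[n++] = hex[*p >> 4]; enc[n++] = hex[*p & 0x0f];
        } else {
            enc[n++] = (char)*p;
        }
        if (n >= outsz - o)               /* always keep one byte for the NUL */
            break;                        /* and never emit half an escape */
        memcpy(out + o, enc, n);
        o += n;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a login line carrying a forged second event
     * and an ANSI clear-screen sequence. */
    const char *msg = "Failed login for bob\n** Alert 1: forged\x1b[2J";
    char line[128];

    log_escape(msg, line, sizeof line);
    puts(line);
    return 0;
}
```

Escaping the backslash itself keeps the encoding unambiguous, so a literal `\n` typed into a message cannot be confused with an encoded newline when the log is reviewed.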
Comment 2 Larry the Git Cow gentoo-dev 2020-03-11 06:09:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=893c535777a2ae759e3065aafb25f5c9d77e3ad9

commit 893c535777a2ae759e3065aafb25f5c9d77e3ad9
Author:     Ralph Seichter <github@seichter.de>
AuthorDate: 2020-02-22 18:33:07 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-11 06:09:14 +0000

    net-analyzer/ossec-hids: GLEP 81, version bump
    
    Change ebuild for GLEP 81, bump to upstream release 3.6.0.
    
    Bug: https://bugs.gentoo.org/707826
    Closes: https://bugs.gentoo.org/707890
    Closes: https://bugs.gentoo.org/710508
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Ralph Seichter <gentoo@seichter.de>
    Closes: https://github.com/gentoo/gentoo/pull/14743
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-analyzer/ossec-hids/Manifest                   |  1 +
 net-analyzer/ossec-hids/files/makefile-3.6.0.patch | 28 +++++++++
 net-analyzer/ossec-hids/ossec-hids-3.6.0.ebuild    | 66 ++++++++++++++++++++++
 3 files changed, 95 insertions(+)
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2020-03-15 05:29:33 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Ralph Seichter 2020-03-15 07:17:22 UTC
I have no objections against stabilizing the 3.6.0 ebuild.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-03-18 04:34:55 UTC
Proxy Maintainers, if you agree, please call for stabilization.
Comment 6 Joonas Niilola gentoo-dev 2020-03-18 05:37:36 UTC
Please stabilize net-analyzer/ossec-hids-3.6.0 so vulnerable ones can be dropped ASAP.
Comment 7 Ralph Seichter 2020-03-20 22:40:42 UTC
Please process https://github.com/gentoo/gentoo/pull/15030 before stabilizing. The PR adds a missing dependency to libevent that was first reported two hours ago; see https://bugs.gentoo.org/713692 .
Comment 8 Ralph Seichter 2020-03-21 06:22:32 UTC
The libevent dependency has been added; my thanks to Whissi for the quick response. Stabilization can continue.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 11:56:51 UTC
@amd64: ping
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:03:40 UTC
(In reply to Sam James from comment #9)
> @amd64: ping

ping
Comment 11 Larry the Git Cow gentoo-dev 2020-07-17 06:10:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db90a56583292311e28de8f65554a5ce1192ed9d

commit db90a56583292311e28de8f65554a5ce1192ed9d
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2020-07-17 06:10:01 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-17 06:10:01 +0000

    net-analyzer/ossec-hids: stabilize 3.6.0 on amd64, #707826
    
    Bug: https://bugs.gentoo.org/707826
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-analyzer/ossec-hids/ossec-hids-3.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Joonas Niilola gentoo-dev 2020-07-17 06:10:51 UTC
amd64 done.
Comment 13 Larry the Git Cow gentoo-dev 2020-07-18 00:00:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96587d39bdb2cdbd29a66ec50af93b2b82510f9e

commit 96587d39bdb2cdbd29a66ec50af93b2b82510f9e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:01:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:48 +0000

    net-analyzer/ossec-hids: security cleanup
    
    Bug: https://bugs.gentoo.org/707826
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/ossec-hids/Manifest                   |  3 -
 net-analyzer/ossec-hids/files/makefile-3.2.0.patch | 28 ---------
 net-analyzer/ossec-hids/files/makefile-3.3.0.patch | 28 ---------
 net-analyzer/ossec-hids/files/makefile.patch       | 28 ---------
 net-analyzer/ossec-hids/ossec-hids-3.1.0.ebuild    | 68 ----------------------
 net-analyzer/ossec-hids/ossec-hids-3.2.0-r1.ebuild | 64 --------------------
 net-analyzer/ossec-hids/ossec-hids-3.2.0.ebuild    | 63 --------------------
 net-analyzer/ossec-hids/ossec-hids-3.3.0.ebuild    | 67 ---------------------
 8 files changed, 349 deletions(-)
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:32:34 UTC
This issue was resolved and addressed in
 GLSA 202007-33 at https://security.gentoo.org/glsa/202007-33
by GLSA coordinator Sam James (sam_c).