Date: Wed, 23 May 2018 06:32:23 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - Procps-ng Audit Report

Hi all,

As a follow-up to our procps-ng advisory, below are the answers to some
frequently asked questions that you may find useful.

> - which is the first version with the fixes, does it include all of the
> fixes (and if not, what is it missing and are those missing fixes
> important to have?), and where to download it?

Procps-ng 3.3.15 has been released and includes most of our patches; it
is available at:

https://sourceforge.net/projects/procps-ng/

The patches that are missing from procps-ng 3.3.15 are:

- 7 low-priority patches (0120-0126), which have not yet been validated
  by upstream;

- most of our patches for top, which unfortunately have been reverted by
  top's author; for example:

  https://gitlab.com/procps-ng/procps/commit/c5026787156d23512487ad9bbf540be7e3ee8de1
  https://gitlab.com/procps-ng/procps/commit/c9dfcdebdc6b482ca2030c6ea3aa376c218232e9

> Can you let us know which patches the CVEs align with as it will
> make chasing all of this down a lot easier, thanks!

The patch for CVE-2018-1122 is:
0097-top-Do-not-default-to-the-cwd-in-configs_read.patch

The patch for CVE-2018-1123 is:
0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch

The patch for CVE-2018-1124 is:
0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch

The patch for CVE-2018-1125 is:
0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch

The patch for CVE-2018-1126 is:
0035-proc-alloc.-Use-size_t-not-unsigned-int.patch

The kernel patch for CVE-2018-1120 is:
https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830

There is currently no patch for CVE-2018-1121, because no satisfactory
solution (secure and efficient) has been found. Please feel free to
suggest ideas here!

> - which versions are vulnerable?

We did not try to track down the first vulnerable version, but we had a
quick look at procps 3.0.0 (from October 2002) and it was already
vulnerable to the 5 CVEs.

> - which version was audited?

We audited procps-ng 3.3.12 (the version used by many stable
distributions), but we probably ended up reading most of the master
branch too while writing the patches.

> what testing have you done?

Because procps-ng is a critical package, and because 126 patches
introduce significant changes, here is what we did to minimize the
risks:

- there were two of us performing the audit, and we decided to both
  write the most important patches, independently; the final patches
  are the result of this double work, which clearly avoided a few bugs;

- we ran procps-ng's test-suite ("make check") after each change;

- we manually ran some tests after each major change, to make sure that
  the code-path leading to the change is not broken, and to make sure
  that the change actually fixes the issue;

- we started sending our patches to upstream on March 30 (for reviewing
  and testing), long before we contacted linux-distros@;

- we contacted linux-distros@ on May 4, and were asked for an embargo
  extension (for more time to review and test the patches), so we set
  the Coordinated Release Date to May 17, 17:00 UTC (13 days -- almost
  the maximum embargo, but we wanted to avoid releasing on a Friday).

We are at your disposal for questions, comments, and further
discussions.

We thank Solar Designer and Kurt Seifried for their help!

With best regards,

-- 
the Qualys Security Advisory team