Bug 1093414 (CVE-2019-3688)

Summary: VUL-0: CVE-2019-3688: squid: /usr/sbin/pinger packaged with wrong permission
Product: [SUSE Linux Enterprise Server] Beta SUSE Linux Enterprise Server 15
Reporter: Luiz Angelo Daros de Luca <luizluca>
Component: Other
Assignee: Security Team bot <security-team>
Status: CONFIRMED ---
QA Contact: E-mail List <qa-bugs>
Severity: Minor
Priority: P3 - Medium
CC: amajer, jsegitz, malte.kraus, matthias.gerstner, security-team, wolfgang.frisch
Version: RC 4
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/241628/
Whiteboard: CVSSv3:SUSE:CVE-2019-3688:5.1:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Luiz Angelo Daros de Luca 2018-05-15 20:51:47 UTC
I'm using SUSE Linux Enterprise Server 15 RC4 and squid-4.0.23-3.30.x86_64

Just after installation, RPM warns me that it fixed pinger permission:

setting /usr/sbin/pinger to squid:root 0750 "= cap_net_raw+ep". (wrong owner/group rootquid, missing capabilities)

I checked squid, /etc/permissions.* and squid.rpm and they do not match:

# rpm -q squid --dump | grep pinger
/usr/sbin/pinger 76488 1525295718 c83b442c035c575b7ea31212ec649b174cd417726c67f272fda0507ad50c50cf 0100750 root squid 0 0 0 X

# ls /usr/sbin/pinger -la
-rwxr-x--- 1 squid root 76488 mai  2 18:15 /usr/sbin/pinger

# grep pinger /etc/permissions.easy 
/usr/sbin/pinger                                        squid:root        0750

Someone is wrong here. If the right one is squid:root (I guess the correct one), it is a minor problem: chkstat is fixing it, and it is just an extra touched file in the FS. If it is the opposite, something might not work.
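A consistency check for the three views the reporter pasted (RPM payload metadata, live filesystem, permissions profile), as an added example that is not part of the bug report: it normalizes each view to "path owner group mode" and flags disagreement. The sample inputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): normalize the three views of
# /usr/sbin/pinger that the reporter pasted and flag any disagreement.
# Sample inputs are constructed from the lines quoted in the report.
RPM_DUMP='/usr/sbin/pinger 76488 1525295718 c83b442c035c575b7ea31212ec649b174cd417726c67f272fda0507ad50c50cf 0100750 root squid 0 0 0 X'
LS_LINE='-rwxr-x--- 1 squid root 76488 mai  2 18:15 /usr/sbin/pinger'
PERM_LINE='/usr/sbin/pinger squid:root 0750'

# Convert the 9 permission characters of an ls -l mode column (e.g. rwxr-x---)
# to a 4-digit octal mode. setuid/setgid/sticky are not handled (not set here).
sym_to_octal() {
  s=$1 n=0
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}          # peel off the first character
    n=$((n * 2))
    case $c in -) ;; *) n=$((n + 1)) ;; esac
  done
  printf '%04o' "$n"
}

# Each *_view prints "path owner group mode" so the views compare textually.
rpm_view() {   # rpm -q --dump: path size mtime digest mode owner group ...
  set -- $1
  printf '%s %s %s %s\n' "$1" "$6" "$7" "$(printf '%04o' $(($5 & 07777)))"
}
ls_view() {    # ls -l: mode links owner group size month day time path
  set -- $1
  printf '%s %s %s %s\n' "$9" "$3" "$4" "$(sym_to_octal "${1#?}")"
}
perm_view() {  # /etc/permissions.*: path owner:group mode
  set -- $1
  printf '%s %s %s %s\n' "$1" "${2%%:*}" "${2#*:}" "$3"
}

# Report whether two views agree; exit status 1 on a mismatch.
same_view() {
  if [ "$1" = "$2" ]; then
    echo "consistent: $1"
  else
    printf 'MISMATCH\n  %-18s %s\n  %-18s %s\n' "$3:" "$1" "$4:" "$2"
    return 1
  fi
}

# Demo on the constructed data: payload vs profile disagree, filesystem vs
# profile agree (chkstat already applied the profile at install time).
same_view "$(rpm_view "$RPM_DUMP")" "$(perm_view "$PERM_LINE")" "rpm payload" "permissions.easy" || true
same_view "$(ls_view "$LS_LINE")" "$(perm_view "$PERM_LINE")" "filesystem" "permissions.easy"
```

On a live host the same functions can be fed the output of the commands the reporter ran (`rpm -q squid --dump | grep pinger`, `ls -l /usr/sbin/pinger`, `grep pinger /etc/permissions.easy`).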
Comment 3 Johannes Segitz 2019-09-16 07:21:27 UTC
I assigned CVE-2019-3688 to this, please add this to the changelog when you change this
Comment 4 Alexandros Toptsoglou 2019-09-16 09:54:11 UTC
*** Bug 1149108 has been marked as a duplicate of this bug. ***
Comment 10 Swamp Workflow Management 2019-11-18 11:10:07 UTC
This is an autogenerated message for OBS integration:
This bug (1093414) was mentioned in
https://build.opensuse.org/request/show/749269 Factory / permissions
Comment 13 Swamp Workflow Management 2019-12-05 14:15:49 UTC
SUSE-SU-2019:3180-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1093414,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    permissions-2015.09.28.1626-17.20.1
SUSE OpenStack Cloud 8 (src):    permissions-2015.09.28.1626-17.20.1
SUSE OpenStack Cloud 7 (src):    permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    permissions-2015.09.28.1626-17.20.1
SUSE Enterprise Storage 5 (src):    permissions-2015.09.28.1626-17.20.1
SUSE CaaS Platform 3.0 (src):    permissions-2015.09.28.1626-17.20.1
HPE Helion Openstack 8 (src):    permissions-2015.09.28.1626-17.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-12-05 20:17:02 UTC
SUSE-SU-2019:3182-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1093414,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    permissions-20180125-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-12-05 20:18:01 UTC
SUSE-SU-2019:3183-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1047247,1093414,1097665,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    permissions-20170707-3.14.1
SUSE Linux Enterprise Server 12-SP4 (src):    permissions-20170707-3.14.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    permissions-20170707-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-12-11 14:14:24 UTC
openSUSE-SU-2019:2672-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1093414,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
openSUSE Leap 15.1 (src):    permissions-20181116-lp151.4.9.1
Comment 20 Swamp Workflow Management 2021-07-09 19:22:53 UTC
SUSE-SU-2021:2280-1: An update that solves three vulnerabilities and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1047247,1050467,1093414,1097665,1123886,1150734,1155939,1157198,1160594,1160764,1161779,1163922,1171883,1182899
CVE References: CVE-2019-3688,CVE-2019-3690,CVE-2020-8013
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    permissions-20170707-6.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 OBSbugzilla Bot 2021-11-17 15:40:18 UTC
This is an autogenerated message for OBS integration:
This bug (1093414) was mentioned in
https://build.opensuse.org/request/show/931965 15.3 / permissions
Comment 22 Swamp Workflow Management 2021-12-02 20:17:41 UTC
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    permissions-20200127-lp153.24.3.1