Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0536: tripwire: format string bug | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Tomas Crhak <tcrhak> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2004-0536: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | patchinfo-box.tripwire, patchinfo.tripwire | | |

Description
Thomas Biege
2004-06-04 16:17:09 UTC
Created attachment 20708
patchinfo-box.tripwire

Created attachment 20709
patchinfo.tripwire

Tomas, what about an update?

Tomas, are you on vacation?

I have submitted fixed packages for 8.2, 9.0, SLES9 and STABLE on Friday and I'll submit the others today and patchinfos as soon as the packages are checked in and rebuilt.

Please don't delay the patchinfo submission until the packages are checked in because I will only check in the packages when there is a patchinfo file...

I have checked releases prior to 8.2. We have Tripwire-1.2 there, a very old version, which is not affected. So I have submitted the box patchinfo only.

Reopened by thomas@suse.de at Tue Jun 22 20:48:39 2004

will be reassigned for tracking...

packages approved

A customer reported that the old SEGV problem appears again. When creating policy files by using twadmin a segfault is triggered.

```
unlink("tripwire-report-vZE5KC.txt") = 0
access("/var/lib/tripwire/report/serv4-20040629-092911.twr", F_OK) = -1 ENOENT (No such file or directory)
lstat64("/var/lib/tripwire/report/serv4-20040629-092911.twr", 0xbfffd4a0) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE@euro/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de@euro/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de/LC_MESSAGES/libc.mo", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=90059, ...}) = 0
old_mmap(NULL, 90059, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40203000
close(3) = 0
open("/usr/lib/gconv/ISO8859-1.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\6\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=6052, ...}) = 0
old_mmap(NULL, 8860, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4007f000
old_mmap(0x40081000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x40081000
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
write(2, "Software interrupt forced exit: "..., 51Software interrupt forced exit: Segmentation Fault
) = 51
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
getpid() = 25833
kill(25833, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
write(2, " Abort\n", 7 Abort
) = 7
munmap(0x4007e000, 4096) = 0
munmap(0x4007d000, 4096) = 0
exit_group(8) = ?
```

Reopened by thomas@suse.de at Tue Jun 29 18:12:11 2004

reopen

Are you sure you have reopened the very bug? Tripwire used to segfault on non-i386 archs - see bug 51050. I have tested tripwire from stable (=sles9) and twadmin did not segfault.

Is the arch used in comment #12 a non-i386 arch? I remember we solved the bug by compiling/linking tripwire with another binutils (???) package. Maybe this was missing here... I dunno. To be honest I have nothing against dropping this package as long as we ship AIDE or alike.

That was bug 48440. See also comment #10 of that bug for comparison of AIDE and tripwire. I do not understand, what does the customer judge from this is 'the old SEGV problem' and not just another SEGV problem. Please, open a new bug and reclose this one as there seems to be no relation between the format string bug and the segfault.

Add comment #15 and comment #16: I have tested on an i386 arch. I do not know, which arch does comment #12 come from. The information would come in handy.

If the customer is still using 8.2, you may be right it is the binutils problem, since IIRC we have never fixed binutils in 8.2. In bug 48440 Rudi built a package for the customer with binutils from stable (which I do not know what it was those days) and we need to do the same and we will need to do that whenever tripwire is rebuilt for 8.2 until 8.2 is dead or its binutils fixed (which is dangerous) - but I can not do that. Ask Rudi, pls.

ok

CVE-2004-0536: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)