Bug #1849205 “CVE-2019-0160: OVMF: overflows with long file nam...” : Bugs : StarlingX

Bruce Jones (brucej) on 2019-10-21

tags:

added: stx.security

Bruce Jones (brucej) on 2019-10-21

Changed in starlingx:
importance:	Undecided → High
tags:	added: stx.3.0

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2019-10-21:

#1

This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.

summary:	- Fix CVE-2019-0160 + CVE-2019-0160: OVMF: overflows with long file names and invalid UDF + media
tags:	added: stx.2.0

Ghada Khalil (gkhalil) on 2019-10-21

Changed in starlingx:
status:	New → Triaged

Cindy Xie (xxie1) on 2019-10-22

Changed in starlingx:
assignee:	nobody → Cindy Xie (xxie1)

Revision history for this message

Lin Shuicheng (shuicheng) wrote on 2019-10-24:

#2

Here is the link from Redhat:
https://access.redhat.com/errata/RHSA-2019:2125

Below rpm need be upgraded to fix the issue:
./rpms_centos3rdparties.lst:94:OVMF-20150414-2.gitc9e5618.el7.noarch.rpm

upgraded to:
OVMF-20180508-6.gitee3198e672e2.el7.noarch.rpm

Robin Lu (robinlu) on 2019-11-18

Changed in starlingx:
assignee:	Cindy Xie (xxie1) → Robin Lu (robinlu)

Ghada Khalil (gkhalil) on 2019-11-22

information type:

Private Security → Public Security

OpenStack Infra (hudson-openstack) on 2019-11-25

Changed in starlingx:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-06: Fix merged to tools (master)

#3

Reviewed: https://review.opendev.org/693759
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=1d33f5ae60201a6d1baba026a6503ea43843b3ab
Submitter: Zuul
Branch: master

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

Tests:
simplex, duplex, multi-node

Closes-Bug: 1849205

Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
Signed-off-by: Robin Lu <email address hidden>

Changed in starlingx:
status:	In Progress → Fix Released

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2019-12-06:

#4

@Robin, please cherrypick this change to r/stx.3.0

Revision history for this message

Lin Shuicheng (shuicheng) wrote on 2019-12-09:

#5

For stx.3.0, this change could be cherry-picked without issue.

For stx.2.0, we need make sure below PR get merge first,
https://github.com/starlingx-staging/stx-nova/pull/27

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-09: Fix proposed to tools (r/stx.3.0)

#6

Fix proposed to branch: r/stx.3.0
Review: https://review.opendev.org/697941

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-09: Fix merged to tools (r/stx.3.0)

#7

Reviewed: https://review.opendev.org/697941
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=57777d5ce20e24600138cc5cf3d6f44317622be8
Submitter: Zuul
Branch: r/stx.3.0

commit 57777d5ce20e24600138cc5cf3d6f44317622be8
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

Tests:
simplex, duplex, multi-node

Closes-Bug: 1849205

    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <email address hidden>
    (cherry picked from commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab)

Ghada Khalil (gkhalil) on 2019-12-09

tags:

added: in-r-stx30

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-11: Fix proposed to tools (f/centos8)

#8

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/698553

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-12: Fix merged to tools (f/centos8)

#9

Download full text (8.7 KiB)

Reviewed: https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch: f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <email address hidden>
Date: Wed Nov 27 17:39:51 2019 -0600

Add feature to check if a CVE has an open launchpad

This change enables the capability to track if a CVE to be fixed already
has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/

    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.

Story:2006971

Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
Signed-off-by: VictorRodriguez <email address hidden>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

Tests:
simplex, duplex, multi-node

Closes-Bug: 1849205

Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
Signed-off-by: Robin Lu <email address hidden>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 15:51:29 2019 -0500

Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

See the announcement link:

https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

for more details.

    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <email address hidden>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

Update sudo srpm for CVE bug

To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

Closes-Bug: 1852825

Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
Signed-off-by: Robin Lu <email address hidden>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

Uprev ruby and associated gems to subminor ver 36

All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

along with numerous other issues.

See the announcement link:

https://lists.centos.org/pipermail/centos-cr-announce/2019-Augu...

Reviewed:  https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch:    f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <vm.rod25@gmail.com>
Date:   Wed Nov 27 17:39:51 2019 -0600

Add feature to check if a CVE has an open launchpad
    
    This change enables the capability to track if a CVE to be fixed already
    has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/
    
    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.
    
    Story:2006971
    
    Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
    Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <bin1.lu@intel.com>
Date:   Mon Nov 11 16:47:49 2019 +0800

Update OVMF rpm, due to CVE bug.
    
    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html
    
    Tests:
    simplex, duplex, multi-node
    
    Closes-Bug: 1849205
    
    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <bin1.lu@intel.com>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Mon Nov 25 15:51:29 2019 -0500

Uprev ntp to version 4.2.6p5-29.el7
    
    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html
    
    for more details.
    
    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <bin1.lu@intel.com>
Date:   Fri Nov 22 16:08:13 2019 +0800

Update sudo srpm for CVE bug
    
    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html
    
    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists
    
    Closes-Bug: 1852825
    
    Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
    Signed-off-by: Robin Lu <bin1.lu@intel.com>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Fri Nov 22 16:35:45 2019 -0500

Uprev ruby and associated gems to subminor ver 36
    
    All affected packages are moved forward to their -36 version.
    
    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)
    
    along with numerous other issues.
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006124.html
    
    for more details.
    
    Note that rubygem-json is moved back to version 1.7.7-36 as it
    should never have been moved to 2.0.2-2 in the first place. That
    appears to have occurred accidentally, taking the package from
    opstools instead of os when moving to CentOS 7.6.
    
    Change-Id: I732a0ddba6e2aa5ebda0e10f6e633f60c162890c
    Closes-Bug: 1849195
    Closes-Bug: 1849203
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit badc87aec310748399164c4f4d610ad4b39c8056
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Fri Nov 22 11:55:56 2019 -0500

Uprev wget to version 1.14-18.el7_6.1
    
    This solves:
    wget: do_conversion() heap-based buffer overflow
    vulnerability (CVE-2019-5953)
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-announce/2019-May/023316.html
    
    for more details.
    
    Change-Id: I0e1c47f95b0cb643703d71367d1e9aa10870859b
    Closes-Bug: 1849210
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 855ef14c832c88ee41d4cae05fdd0f6bbf8e38c7
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Thu Nov 21 18:44:38 2019 -0500

Uprev elfutils to version 0.176-2.el7
    
    This solves:
    elfutils: Double-free due to double decompression of sections in
    crafted ELF causes crash (CVE-2018-16402)
    
    along with quite a few other issues.
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/005856.html
    
    for more details.
    
    Change-Id: Ia328b6043c1815a023ab45ea6f8142dcef91864b
    Closes-Bug: 1849201
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 647676c202022175a331c29a79dba20ef88e9f74
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Thu Nov 21 18:23:21 2019 -0500

Uprev polkit to version 0.112-22.el7
    
    This solves:
    polkit: Improper handling of user with uid > INT_MAX leading
    to authentication bypass (CVE-2018-19788)
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006051.html
    
    for more details.
    
    Change-Id: I6eb69cd129b2b6d0e115f65b42f997d2b3f69d9a
    Closes-Bug: 1849202
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit e4ea643e3cfbf3303e49b36915d3eb87b7fb4033
Author: blu <bin1.lu@intel.com>
Date:   Thu Nov 7 14:32:01 2019 +0800

Update libX11 related rpms, due to CVE bugs
    
    CVE bugs: CVE-2018-14599, CVE-2018-14600
    
    Extra CVE bugs: CVE-2018-14598, CVE-2018-15853, CVE-2018-15854,
    CVE-2018-15855, CVE-2018-15856, CVE-2018-15857, CVE-2018-15859,
    CVE-2018-15861, CVE-2018-15862, CVE-2018-15863, CVE-2018-15864
    These extra CVE bugs are fixed together. Although libxkbcommon
    has a low score, we are including it here anyway just to stay
    consistent with RedHat's bundling decision.
    
    The updated rpms are selected from the link provided by RedHat.
    (https://access.redhat.com/errata/RHSA-2019:2079)
    
    Tests:
    simplex, duplex, multi-node
    
    Closes-Bug: 1849198
    Closes-Bug: 1849199
    
    Change-Id: I184ff40d855c60d4824e28f2fe701230191d62b0
    Signed-off-by: Robin Lu <bin1.lu@intel.com>

commit 391b7d5e3485d9bc04e642889da7fc1166dbfdec
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Thu Nov 21 14:29:44 2019 -0500

Uprev systemd to version 219-67.el7
    
    This solves:
    systemd: line splitting via fgets() allows for state injection
    during daemon-reexec (CVE-2018-15686)
    
    along with some other less critical issues.  See the security
    announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006149.html
    
    for more details.
    
    Change-Id: Ia0fcc7184efea5b31408d7514921b58377beb329
    Partial-Bug: 1849200
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit e47f347e9fd9be6707ed35b812f45f2138bb622b
Author: Angie Wang <angie.wang@windriver.com>
Date:   Tue Nov 19 13:46:43 2019 -0500

Upgrade botocore package
    
    Upgrade botocore package from 1.6.0 to 1.12.75.
    The new version fixed the ipv6 proxy management issue.
    
    Change-Id: Ib82df18ed9ea72fcff9f029289dac2491fe80e81
    Partial-Bug: 1853024
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit b1660fe4a352e1c5ee190e5dc62f4a95c9089b30
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Fri Nov 15 16:21:52 2019 -0500

i40e Driver Upgrade in support of N3000 on-board NICs
    
    Uprev i40e to version 2.10.19.30
    i40evf gets replaced by iavf version 3.7.61.20
    
    The iavf driver supports both fortville and columbiaville,
    so they decided to rename from i40evf to something more generic.
    
    The Intel FPGA Programmable Acceleration Card N3000 contains
    dual Intel XL710 NICs and an FPGA for acceleration purposes.
    This driver upgrade is required to support those NICs.
    
    Story: 2006740
    Task: 37542
    Change-Id: I53c731c1b519b1412acda5f5e2ee7dc33729d40d
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit bc125699793b97e7dd14d05b2b6b620fed03d5f1
Author: zhipengl <zhipengs.liu@intel.com>
Date:   Tue Oct 8 18:40:33 2019 +0800

Update download list for openstack-helm upgrade
    
    Uprade openstack-helm to
    Commit-id:82c72367c85ca94270f702661c7b984899c1ae38
    Upgrade openstack-helm-infra to
    Commit-id:c9d6676bf9a5aceb311dc31dadd07cba6a3d6392
    
    Story: 2006544
    Task: 36623
    
    Change-Id: I991512ef3b0bd9869aa795e4a50a41d5ca187148
    Signed-off-by: zhipengl <zhipengs.liu@intel.com>

tags:

added: in-f-centos8

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2019-12-16:

#10

@Robin, please cherry-pick/port the equivalent change to the r/stx.2.0 branch.

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2019-12-16:

#11

As per Shuicheng's comment above, the following pull request needs to merge for stx.2.0 as well:
https://github.com/starlingx-staging/stx-nova/pull/27

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-06: Fix proposed to tools (r/stx.2.0)

#12

Fix proposed to branch: r/stx.2.0
Review: https://review.opendev.org/701143

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-14: Fix merged to tools (r/stx.2.0)

#13

Reviewed: https://review.opendev.org/701143
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=bdd5176bbe4eb405dd700e69dfcd641923255f48
Submitter: Zuul
Branch: r/stx.2.0

commit bdd5176bbe4eb405dd700e69dfcd641923255f48
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

Tests:
simplex, duplex, multi-node

Closes-Bug: 1849205

    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <email address hidden>
    (cherry picked from commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab)

StarlingX

CVE-2019-0160: OVMF: overflows with long file names and invalid UDF media

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Remote bug watches