Re: Qualys Security Advisory - Procps-ng Audit Report

[Qualys Security Advisory <qsa () qualys com>]

Hi all,

As a follow-up to our procps-ng advisory, below are the answers to some
frequently asked questions that you may find useful.

> - which is the first version with the fixes, does it include all of the
> fixes (and if not, what is it missing and are those missing fixes
> important to have?), and where to download it?

Procps-ng 3.3.15 has been released and includes most of our patches; it
is available at:

https://sourceforge.net/projects/procps-ng/

The patches that are missing from procps-ng 3.3.15 are:

- 7 low-priority patches (0120-0126), which have not yet been validated
  by upstream;

- most of our patches for top, which unfortunately have been reverted by
  top's author; for example:

https://gitlab.com/procps-ng/procps/commit/c5026787156d23512487ad9bbf540be7e3ee8de1
https://gitlab.com/procps-ng/procps/commit/c9dfcdebdc6b482ca2030c6ea3aa376c218232e9

> Can you let us know which patches the CVEs align with as it will
> make chasing all of this down a lot easier, thanks!

The patch for CVE-2018-1122 is:
0097-top-Do-not-default-to-the-cwd-in-configs_read.patch

The patch for CVE-2018-1123 is:
0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch

The patch for CVE-2018-1124 is:
0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch

The patch for CVE-2018-1125 is:
0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch

The patch for CVE-2018-1126 is:
0035-proc-alloc.-Use-size_t-not-unsigned-int.patch

The kernel patch for CVE-2018-1120 is:
https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830

There is currently no patch for CVE-2018-1121, because no satisfactory
solution (secure and efficient) has been found. Please feel free to
suggest ideas here!

> - which versions are vulnerable?

We did not try to track down the first vulnerable version, but we had a
quick look at procps 3.0.0 (from October 2002) and it was already
vulnerable to the 5 CVEs.

> - which version was audited?

We audited procps-ng 3.3.12 (the version used by many stable
distributions), but we probably ended up reading most of the master
branch too while writing the patches.

> what testing have you done?

Because procps-ng is a critical package, and because 126 patches
introduce significant changes, here is what we did to minimize the
risks:

- we were two to perform the audit, and we decided to both write the
  most important patches, independently; the final patches are the
  result of this double-work, which clearly avoided a few bugs;

- we ran procps-ng's test-suite ("make check") after each change;

- we manually ran some tests after each major change, to make sure that
  the code-path leading to the change is not broken, and to make sure
  that the change actually fixes the issue;

- we started sending our patches to upstream on March 30 (for reviewing
  and testing), long before we contacted linux-distros@;

- we contacted linux-distros@ on May 4, and were asked for an embargo
  extension (for more time to review and test the patches), so we set
  the Coordinated Release Date to May 17, 17:00 UTC (13 days -- almost
  the maximum embargo, but we wanted to avoid releasing on a Friday).

We are at your disposal for questions, comments, and further
discussions. We thank Solar Designer and Kurt Seifried for their help!
With best regards,

-- 
the Qualys Security Advisory team