Bug 11029

Summary: jackit security vulnerability CVE-2019-13351
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: alzim, andrey.bondrov, denis.silakov, e.malashin, m.novosyolov, mc2374, pastordidi, v.potapov
Version: All
Flags: v.potapov: qa_verified+, m.novosyolov: published+
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Platform: 2016.1
ROSA Vulnerability identifier: CVE-2019-13351
RPM Package: jack-1.9.10-4.src.rpm
ISO-related:
Bad POT generating:
Upstream:
Attachments:
  Report from abi-compliance-checker: libjack from 1.9.10 to 1.9.16
  Report from abi-compliance-checker: libjackserver from 1.9.10 to 1.9.16
  Report from abi-compliance-checker: libjacknet from 1.9.10 to 1.9.16

Description Zombie Ryushu 2020-12-07 17:21:11 MSK
posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.
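
The bug class described above, as an added example that is not part of the bug report and not JACK's code: a single-threaded replay of the damaging interleaving, next to the usual hardening (invalidate the stored descriptor on first close). The struct conn wrapper and all function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical connection wrapper; not JACK's JackSocket code. */
struct conn { int fd; };

/* Unguarded: closes whatever number is stored, even if already closed. */
static void close_unguarded(struct conn *c) { close(c->fd); }

/* Guarded: invalidates the stored number, so a second call is a no-op. */
static void close_guarded(struct conn *c)
{
    if (c->fd >= 0) {
        close(c->fd);
        c->fd = -1;
    }
}

/* Replays the race in one thread, in the order that does damage.
 * Returns 1 if the unrelated descriptor survived, 0 if the second
 * close destroyed it, -1 on setup failure. */
static int bystander_survives(void (*closer)(struct conn *))
{
    struct conn c = { socket(AF_UNIX, SOCK_STREAM, 0) };
    if (c.fd < 0)
        return -1;
    closer(&c);                    /* 1: failed-connect path closes the socket */
    /* 2: "another thread" opens a file; POSIX hands out the lowest free
     * number, which is the one just released */
    int other = open("/dev/null", O_WRONLY);
    if (other < 0)
        return -1;
    closer(&c);                    /* 3: cleanup path closes again */
    int alive = fcntl(other, F_GETFD) != -1;
    if (alive)
        close(other);
    return alive;
}

int main(void)
{
    printf("unguarded: bystander survives = %d\n", bystander_survives(close_unguarded));
    printf("guarded:   bystander survives = %d\n", bystander_survives(close_guarded));
    return 0;
}
```

In a real multithreaded process step 2 happens only when another thread's open lands between the two closes, which is why the report describes the outcome as timing dependent.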
Comment 1 Giovanni Mariani 2020-12-15 14:38:16 MSK
Created attachment 5430
Report from abi-compliance-checker: libjack from 1.9.10 to 1.9.16
Comment 2 Giovanni Mariani 2020-12-15 14:38:52 MSK
Created attachment 5431
Report from abi-compliance-checker: libjackserver from 1.9.10 to 1.9.16
Comment 3 Giovanni Mariani 2020-12-15 14:39:27 MSK
Created attachment 5432
Report from abi-compliance-checker: libjacknet from 1.9.10 to 1.9.16
Comment 4 Giovanni Mariani 2020-12-15 14:45:28 MSK
Advisory:
Update jack to the latest 1.9.16 release to have the fix for CVE-2019-13351.
The same change was pushed to the 2019.1 branch.

Of the 3 libraries provided by jack, only libjack.so and libjacknet.so are "safe", according to abi-compliance-checker (see attached reports); however libjackserver.so is not directly used by any other package in 2016.1 (at least according to "urpmq --whatrequires")...
Bottom line: no need to rebuild the depending packages.

Package for Rosa 2016.1 / Main:
https://abf.rosalinux.ru/build_lists/3611267
https://abf.rosalinux.ru/build_lists/3611268
Comment 5 e.malashin@rosalinux.ru 2020-12-22 17:14:09 MSK
**************************************
The update is sent to expanded testing
Comment 6 Vladimir Potapov 2020-12-29 04:03:58 MSK
jack-1.9.16-1
https://abf.rosalinux.ru/build_lists/3611267
https://abf.rosalinux.ru/build_lists/3611268
******************************** Advisory ****************************
Update jack to the latest 1.9.16 release to have the fix for CVE-2019-13351.
**********************************************************************
QA Verified