Bug 13278

Summary: [CVE 21] multipath-tools 0.8.9 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+, y.tumanov: secteam_verified+, a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2022-41973, CVE-2022-41974,
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:00:51 MSK
Please patch CVEs for package multipath-tools version 0.8.9
  
INFO (CVEs are): multipath-tools 0.8.9
 cves found
CVE-2022-41973
Desc: multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41973
Severity: HIGH
CVE-2022-41974
Desc: multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41974
Severity: HIGH
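
The ADD-versus-OR flaw described for CVE-2022-41974 above, as an added example that is not part of the original report and is not multipath-tools code: the keyword codes, function names and the two sample commands are constructed for illustration. `fingerprint_strict` goes beyond the page's description and is shown as one additional hardening.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed keyword codes (one bit each); not multipath-tools' real table. */
enum { KW_SHOW = 1u << 0, KW_REMOVE = 1u << 1, KW_MAP = 1u << 8 };

/* Flawed form: arithmetic ADD lets a repeated keyword carry into another bit. */
uint32_t fingerprint_add(const uint32_t *kw, size_t n)
{
    uint32_t fp = 0;
    for (size_t i = 0; i < n; i++)
        fp += kw[i];
    return fp;
}

/* Corrected form: bitwise OR is idempotent, so repetition changes nothing. */
uint32_t fingerprint_or(const uint32_t *kw, size_t n)
{
    uint32_t fp = 0;
    for (size_t i = 0; i < n; i++)
        fp |= kw[i];
    return fp;
}

/* Stricter form (an assumption, not described on the page): reject any
 * repeated keyword outright. Returns 0 on success, -1 on a duplicate. */
int fingerprint_strict(const uint32_t *kw, size_t n, uint32_t *out)
{
    uint32_t fp = 0;
    for (size_t i = 0; i < n; i++) {
        if (fp & kw[i])
            return -1;
        fp |= kw[i];
    }
    *out = fp;
    return 0;
}

/* Constructed inputs: "show show map" and "remove map". */
static const uint32_t CMD_REPEATED[] = { KW_SHOW, KW_SHOW, KW_MAP };
static const uint32_t CMD_REMOVE[]   = { KW_REMOVE, KW_MAP };

int main(void)
{
    printf("ADD: %u vs %u\n", (unsigned)fingerprint_add(CMD_REPEATED, 3), (unsigned)fingerprint_add(CMD_REMOVE, 2));
    printf("OR:  %u vs %u\n", (unsigned)fingerprint_or(CMD_REPEATED, 3), (unsigned)fingerprint_or(CMD_REMOVE, 2));
    return 0;
}
```

With ADD the two different commands produce the same fingerprint; with OR they stay distinct, and the strict variant refuses the repeated keyword.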
Comment 1 ilfat 2023-05-25 14:34:02 MSK
********** QA ADVISORY **********

CVE-2022-41973 fixed with patch
CVE-2022-41974 fixed with patches

https://abf.io/build_lists/4444303 x86_64
https://abf.io/build_lists/4444304 aarch64
https://abf.io/build_lists/4444305 i686
Comment 2 Dmitry Postnikov 2023-05-30 14:13:38 MSK
***************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-06-06 10:24:33 MSK
multipath-tools-0.8.9-3
https://abf.io/build_lists/4444303 x86_64
https://abf.io/build_lists/4444304 aarch64
https://abf.io/build_lists/4444305 i686
*************************** Advisory **********************
CVE-2022-41973 fixed with patch
CVE-2022-41974 fixed with patches
***********************************************************
QA Verified
Comment 4 Yury 2023-07-05 11:14:59 MSK
Secteam Approved
Comment 5 Yury 2023-10-31 13:04:44 MSK
At the path https://abf.io/build_lists/4444303

I get a 404 error.
Please rebuild.
Comment 6 Vladimir Potapov 2023-10-31 15:21:11 MSK

*** This bug has been marked as a duplicate of bug 13461 ***
Comment 7 Yury 2023-11-08 18:13:48 MSK
(In reply to Vladimir Potapov from comment #6)
> 
> *** This bug has been marked as a duplicate of bug 13461 ***

So is it a dup or not?

There is no build list at the ABF path.
Comment 8 Yury 2023-11-08 18:17:20 MSK
secteam_verified