From d84a6099498bb732472e5f2f356e4d7a4bb2d79f Mon Sep 17 00:00:00 2001 From: David Beveridge Date: May 01 2018 22:38:06 +0000 Subject: Fix TALOS-2017-0501, CVE-2017-14474 - CVE-2017-14481 Multiple exploitable remote command injection vulnerabilities exist in the MySQL Master-Master Replication Manager (MMM) mmm_agentd daemon 2.2.1. mmm_agentd commonly runs with root privileges and does not require authentication by default. A specially crafted MMM protocol message can cause a shell command injection resulting in arbitrary command execution with the privileges of the mmm_agentd process. An attacker that can initiate a TCP session with mmm_agentd can trigger these vulnerabilities.
---
diff --git a/mysql-mmm-fix-cve-remote-command-injection.patch b/mysql-mmm-fix-cve-remote-command-injection.patch
new file mode 100644
index 0000000..315fb13
--- /dev/null
+++ b/mysql-mmm-fix-cve-remote-command-injection.patch
@@ -0,0 +1,87 @@
+diff --git a/lib/Agent/Helpers.pm b/lib/Agent/Helpers.pm
+index 24caae8..c0155e4 100644
+--- a/lib/Agent/Helpers.pm
++++ b/lib/Agent/Helpers.pm
+@@ -168,6 +168,10 @@ sub _execute($$$) {
+ my $config_file = $main::agent->config_file;
+ $params = '' unless defined($params);
+
++ if ($params !~ /^[\w\. \:\-]*$/) {
++ _exit_error("ERROR: Invalid Parameter");
++ }
++
+ DEBUG "Executing $path $config_file $params";
+ my $res = `$path $config_file $params 2>&1`;
+
+diff --git a/lib/Agent/Helpers/Network.pm b/lib/Agent/Helpers/Network.pm
+index 8ef4468..b0d5a8b 100644
+--- a/lib/Agent/Helpers/Network.pm
++++ b/lib/Agent/Helpers/Network.pm
+@@ -33,6 +33,10 @@ sub check_ip($$) {
+ my $if = shift;
+ my $ip = shift;
+
++ if ($ip !~ /^[\d\.]*$/) {
++ _exit_error("ERROR: Invalid IP Address");
++ }
++
+ my $output;
+ if ($OSNAME eq 'linux') {
+ $output = `/sbin/ip addr show dev $if`;
+@@ -65,6 +69,10 @@ sub add_ip($$) {
+ my $if = shift;
+ my $ip = shift;
+
++ if ($ip !~ /^[\d\.]*$/) {
++ _exit_error("ERROR: Invalid IP Address");
++ }
++
+ my $output;
+ if ($OSNAME eq 'linux') {
+ $output = `/sbin/ip addr add $ip/32 dev $if`;
+@@ -101,6 +109,10 @@ sub clear_ip($$) {
+ my $if = shift;
+ my $ip = shift;
+
++ if ($ip !~ /^[\d\.]*$/) {
++ _exit_error("ERROR: Invalid IP Address");
++ }
++
+ my $output;
+ if ($OSNAME eq 'linux') {
+ $output = `/sbin/ip addr del $ip/32 dev $if`;
+@@ -130,6 +142,9 @@ sub send_arp($$) {
+ my $if = shift;
+ my $ip = shift;
+
++ if ($ip !~ /^[\d\.]*$/) {
++ _exit_error("ERROR: Invalid IP Address");
++ }
+
+ if ($OSNAME eq 'linux' || $OSNAME eq 'freebsd') {
+ my $mac = '';
+diff --git a/lib/Common/Role.pm b/lib/Common/Role.pm
+index 7cd4dc9..211ab5f 100644
+--- a/lib/Common/Role.pm
++++ b/lib/Common/Role.pm
+@@ -59,7 +59,7 @@ sub from_string($$) {
+ my $class = shift;
+ my $string = shift;
+
+- if (my ($name, $ip) = $string =~ /(.*)\((.*)\)/) {
++ if (my ($name, $ip) = $string =~ /^([\w_\.\-]+)\(([\d\.]+)\)$/) {
+ return $class->new(name =>
$name, ip => $ip);
+ }
+ return undef;
+diff --git a/lib/Common/Socket.pm b/lib/Common/Socket.pm
+index 6adecd1..38e1f7b 100644
+--- a/lib/Common/Socket.pm
++++ b/lib/Common/Socket.pm
+@@ -80,6 +80,7 @@ sub create_sender($$$) {
+ SSL_cert_file => $main::config->{'socket'}->{cert_file},
+ SSL_key_file => $main::config->{'socket'}->{key_file},
+ SSL_ca_file => $main::config->{'socket'}->{ca_file},
++ SSL_verify_mode => 0x03 # SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+ );
+ }
+
diff --git a/mysql-mmm.spec b/mysql-mmm.spec
index d1bb309..800cb35 100644
--- a/mysql-mmm.spec
+++ b/mysql-mmm.spec
@@ -2,7 +2,7 @@ Name: mysql-mmm Version: 2.2.1 -Release: 19%{?dist} +Release: 20%{?dist} Summary: Multi-Master Replication Manager for MySQL License: GPLv2 URL: http://mysql-mmm.org
@@ -27,6 +27,7 @@ Provides: mysql-master-master = %{version}-%{release} Patch0: mysql-mmm-2.1.0-paths.patch Patch1: mysql-mmm-fix-bug-with-newer-net-arp.patch +Patch2: mysql-mmm-fix-cve-remote-command-injection.patch %description MMM (MySQL Master-Master Replication Manager) is a set of flexible scripts
@@ -94,6 +95,7 @@ EOF %patch0 -p1 %patch1 -p1 +%patch2 -p1 find . -type f -name "*.orig" -print0 | xargs -0r rm %build
@@ -178,6 +180,10 @@ make install DESTDIR=%{buildroot} %changelog +* Wed May 02 2018 David Beveridge 2.2.1-20 +- Patch for mmm_agentd Remote Command Injection Vulnerabilities +- TALOS-2017-0501, CVE-2017-14474 - CVE-2017-14481 + * Thu Feb 08 2018 Fedora Release Engineering - 2.2.1-19 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
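Review bot: The check added to `_execute` in lib/Agent/Helpers.pm filters `$params`, but the command is still a string run by a shell through backticks, and the pattern lets spaces and `-` through, so a peer can still hand the helper extra words or option-like arguments. Running the helper with a forking open and list-form `exec` removes the shell altogether (sketch below, assuming `$path` is a single executable path). The `^…$` anchors also accept a trailing newline; `\A…\z` is stricter, and that applies equally to the `$ip` checks in lib/Agent/Helpers/Network.pm and the new `from_string` pattern in lib/Common/Role.pm. `_exit_error` is not defined in the visible lines, so confirm it resolves in each package that now calls it. `_execute` starts and ends outside the hunk.

```perl
# … unchanged: $config_file lookup and $params default …
if ($params !~ /\A[\w. :-]*\z/) {
    _exit_error("ERROR: Invalid Parameter");
}

DEBUG "Executing $path $config_file $params";
# Forking open + list-form exec: no shell ever parses $params.
my $pid = open(my $helper, '-|');
die "Cannot fork helper: $!" unless defined $pid;
if ($pid == 0) {
    open(STDERR, '>&', \*STDOUT);    # same effect as the old 2>&1
    exec { $path } $path, $config_file, split(' ', $params);
    exit 127;                        # only reached if exec failed
}
my $res = do { local $/; <$helper> };
close($helper);                      # sets $? as the backticks did
```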
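Review bot: `$if` is still interpolated unchecked into the backtick commands of check_ip, add_ip and clear_ip in lib/Agent/Helpers/Network.pm (`/sbin/ip addr show dev $if` and the add/del forms), while only `$ip` is validated. If the interface name can ever come from a peer message rather than local configuration it needs its own guard, for example `_exit_error("ERROR: Invalid Interface") if $if !~ /\A[\w.:-]+\z/;`. The `$ip` pattern `/^[\d\.]*$/` also accepts the empty string and values such as `....`, so add_ip can still build `ip addr add /32 dev …`; `/\A\d{1,3}(?:\.\d{1,3}){3}\z/` would require a dotted quad. The same block is pasted into four functions (send_arp included), so a single shared validator sub would keep the copies from drifting. All four functions continue outside their hunks.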
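Review bot: The `SSL_verify_mode` line in lib/Common/Socket.pm is added only to `create_sender`, the connecting side, where the fail-if-no-peer-cert bit has no effect, since OpenSSL honours it on server sockets only. Whether mmm_agentd rejects a client that presents no certificate depends on the listening socket, which this diff does not show, so confirm the listener sets the same mode. The new entry also lacks a trailing comma, unlike the three entries before it, and a later addition to the list would then be a syntax error. With peer verification on, the certificate is checked against `SSL_ca_file` but is not tied to the peer's name unless `SSL_verifycn_scheme` and `SSL_verifycn_name` are set as well. This only applies when SSL is enabled in the configuration, and the surrounding function runs outside the hunk.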