Bug 10428

Summary: libkdcraw new security issue CVE-2013-2126
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: balcaen.john
Version: 3
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/553302/
See Also: https://bugs.mageia.org/show_bug.cgi?id=10346
Whiteboard: MGA2TOO
Source RPM: libkdcraw-4.10.2-1.mga3.src.rpm
CVE:
Status comment:
Bug Depends on: 10600, 10768
Bug Blocks:

Description David Walser 2013-06-04 17:30:14 CEST
A Debian developer noted that libkdcraw uses a bundled copy of libraw, which is affected by a double-free security issue, which we have fixed in our libraw package in Bug 10346:
http://openwall.com/lists/oss-security/2013/06/04/2

David Walser 2013-06-04 17:31:00 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=10346
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-06-18 18:46:35 CEST
Ubuntu has issued an advisory for this today (June 18):
http://www.ubuntu.com/usn/usn-1885-1/

URL: (none) => http://lwn.net/Vulnerabilities/553302/
CC: (none) => balcaen.john

Comment 2 David Walser 2013-07-11 17:46:29 CEST
openSUSE has issued an advisory for this today (July 11):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00032.html

John Balcaen 2013-07-11 22:35:30 CEST

Depends on: (none) => 10600

Comment 3 John Balcaen 2013-07-13 20:45:28 CEST
For the record, there's also CVE 2013-2127 (a buffer overflow).
The patch for this one is already added on svn.
The patch for the 2013-2126 is on the way (I'm currently waiting for KDE's team review).
One more thing: it's going to be pushed with the 4.10.5 release update.

Comment 4 David Walser 2013-07-13 20:52:03 CEST
For Mageia 3, yes 2127 is indeed relevant, and yes I know it'll be fixed with KDE.

For Mageia 2, only CVE-2013-2126 should be relevant.  What's the plan there?

Comment 5 John Balcaen 2013-07-13 21:19:50 CEST
(In reply to David Walser from comment #4)
> For Mageia 2, only CVE-2013-2126 should be relevant.  What's the plan there?
It's the same patch as mga3 so waiting also for KDE team review.
As soon as it's OK I'll push it on mga2 core/updates_testing & open a bug report for QA team.
Sorry, I forgot to mention it earlier :/

Comment 6 David Walser 2013-07-13 21:28:25 CEST
No problem, thanks.  You can use this bug for the mgaw update.

Comment 7 David Walser 2013-07-13 21:28:44 CEST
(In reply to David Walser from comment #6)
> No problem, thanks.  You can use this bug for the mgaw update.

mga2, whoops :o)

John Balcaen 2013-07-14 19:20:10 CEST

Depends on: (none) => 10768

Comment 8 John Balcaen 2013-07-14 19:21:08 CEST
OK from KDE team, update pushed for mga2 (#10768)

Comment 9 David Walser 2013-07-19 15:49:15 CEST
Should be fixed in libkdcraw-4.10.95-1.mga4 for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 10 Manuel Hiebel 2013-09-01 16:10:04 CEST
Looks like it could be assigned to QA?

Version: 3 => 2
Whiteboard: MGA2TOO => (none)

Comment 11 David Walser 2013-09-01 17:26:38 CEST
Now fixed for Mageia 2 and Mageia 3.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2013-09-01 17:27:09 CEST

Version: 2 => 3
Whiteboard: (none) => MGA2TOO