Bug 10896

Summary: evolution-data-server new security issue CVE-2013-4166
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, olav, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/561785/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: evolution-data-server-3.9.5-2.mga4.src.rpm CVE:
Status comment:
Attachments: Screenshot showing that it's failing to find the public key.

Description David Walser 2013-08-01 21:01:43 CEST 
Ubuntu has issued an advisory on July 31:
http://www.ubuntu.com/usn/usn-1922-1/

Ubuntu has links to upstream patches for 3.8.x and 3.9.x and a patch for 3.6.x.

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-08-01 21:01:51 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-08-02 14:37:16 CEST 
This is fixed upstream in 3.9.5, which we have in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated evolution-data-server packages fix security vulnerability:

Yves-Alexis Perez discovered that Evolution Data Server did not properly
select GPG recipients. Under certain circumstances, this could result in
Evolution encrypting email to an unintended recipient (CVE-2013-4166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4166
http://www.ubuntu.com/usn/usn-1922-1/
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.4.4-1.1.mga2
libcamel33-3.4.4-1.1.mga2
libebook13-3.4.4-1.1.mga2
libecal11-3.4.4-1.1.mga2
libedata-book13-3.4.4-1.1.mga2
libedata-cal15-3.4.4-1.1.mga2
libedataserver16-3.4.4-1.1.mga2
libedataserverui1-3.4.4-1.1.mga2
libebackend2-3.4.4-1.1.mga2
libedataserver-devel-3.4.4-1.1.mga2
libevolution-data-server-gir1.2-3.4.4-1.1.mga2
evolution-data-server-3.6.3-1.1.mga3
libcamel1.2_40-3.6.3-1.1.mga3
libebook1.2_14-3.6.3-1.1.mga3
libecal1.2_15-3.6.3-1.1.mga3
libedata-book1.2_15-3.6.3-1.1.mga3
libedata-cal1.2_18-3.6.3-1.1.mga3
libedataserver1.2_17-3.6.3-1.1.mga3
libedataserverui3.0_4-3.6.3-1.1.mga3
libebackend1.2_5-3.6.3-1.1.mga3
libedataserver1.2-devel-3.6.3-1.1.mga3
libevolution-data-server-gir1.2-3.6.3-1.1.mga3

from SRPMS:
evolution-data-server-3.4.4-1.1.mga2.src.rpm
evolution-data-server-3.6.3-1.1.mga3.src.rpm

CC: (none) => olav
Version: Cauldron => 3
Assignee: olav => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 2 Dave Hodgins 2013-08-11 05:16:26 CEST 
Created attachment 4260 [details]
Screenshot showing that it's failing to find the public key.

Unless I've made a typo, that I'm just not seeing, this is not
working in my test on a Mageia 2 i586 vb guest (i2v).

CC: (none) => davidwhodgins

Dave Hodgins 2013-08-11 05:17:10 CEST

Whiteboard: MGA2TOO => MGA2TOO feedback

Comment 3 Dave Hodgins 2013-08-11 05:19:13 CEST 
Ignore comment 2. Finally noticed the typo. Missing e in homeip

Whiteboard: MGA2TOO feedback => MGA2TOO

Comment 4 Dave Hodgins 2013-08-11 05:38:22 CEST 
As there is no indication what certain circumstances cause the wrong key to
be selected, just testing that it's working with gpg signed encrypted msgs.

Testing complete on Mageia 2 i586 and x86_64.

Whiteboard: MGA2TOO => MGA2TOO MGA2-64-OK MGA2-32-OK

Comment 5 Dave Hodgins 2013-08-11 05:54:21 CEST 
Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push 10896.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2013-08-11 14:29:31 CEST 
update pushed:
http://advisories.mageia.org/MGASA-2013-0245.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED