Bug 11010

Summary: libimobiledevice new security issue CVE-2013-2142
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: fundawang, geiger.david68210, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/563532/
Whiteboard: mga3-64-ok mga3-32-ok
Source RPM: libimobiledevice-1.1.4-4.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-08-15 17:38:02 CEST 
Ubuntu has issued an advisory on August 14:
http://www.ubuntu.com/usn/usn-1927-1/

Patches checked into SVN for Mageia 3 and Cauldron.

Mageia 2 is not affected.

In Cauldron, it currently will not build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130815153246.luigiwalser.valstar.22801/log/libimobiledevice-1.1.5-2.mga4/build.0.20130815153302.log

Reproducible: 

Steps to Reproduce:
David Walser 2013-08-15 17:38:18 CEST

CC: (none) => fundawang
Version: 3 => Cauldron
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-08-15 18:12:01 CEST 
Fixed in Cauldron in libimobiledevice-1.1.5-2.mga4 by Funda.  Thanks Funda!

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated libimobiledevice packages fix security vulnerability:

Paul Collins discovered that libimobiledevice incorrectly handled temporary
files. A local attacker could possibly use this issue to overwrite
arbitrary files and access device keys. In the default Ubuntu installation,
this issue should be mitigated by the Yama link restrictions (CVE-2013-2142).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2142
http://www.ubuntu.com/usn/usn-1927-1/
========================

Updated packages in core/updates_testing:
========================
libimobiledevice-1.1.4-4.1.mga3
libimobiledevice3-1.1.4-4.1.mga3
libimobiledevice-devel-1.1.4-4.1.mga3
python-imobiledevice-1.1.4-4.1.mga3

from libimobiledevice-1.1.4-4.1.mga3.src.rpm

Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 2 claire robinson 2013-08-15 18:18:18 CEST 
You need an iphone or ipod touch to test this properly I think.

Anybody have one?
Comment 3 David GEIGER 2013-08-17 08:58:02 CEST 
Testing complete mga3_64, with my iPhone 4 Ok for me nothing to report.
Simple test by connecting my iBidule.

CC: (none) => geiger.david68210
Whiteboard: (none) => mga3-64-ok mga3-32-ok

Comment 4 David GEIGER 2013-08-17 08:58:14 CEST 
Testing complete mga3_32, with my iPhone 4 Ok for me nothing to report too.
Simple test by connecting my iBidule.
Comment 5 claire robinson 2013-08-17 09:54:38 CEST 
Thanks David. Advisory from comment 1 uploaded.

Validating

Could sysadmin please push from 3 core updates testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2013-08-17 10:47:48 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0251.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED