| Summary: | libdigidoc new security issue CVE-2013-5648 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Sander Lepik <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | luigiwalser, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/565579/ | | |
| Whiteboard: | MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok | | |
| Source RPM: | libdigidoc | CVE: | |
| Status comment: | | | |
| Attachments: | File for testing that the qdigidoc client still works. | | |

Description
Sander Lepik
2013-08-28 19:22:22 CEST
Created attachment 4294 [details]
File for testing that the qdigidoc client still works.
I have uploaded patched packages for Mageia 2 and 3. As there is no POC we can only test that the qdigidoc client is still opening ddoc files after updating.

How to test:
1. Install qdigidoc.
2. Open file in comment #1 and check that the signature is valid.
3. Update libdigidoc.
4. Repeat second step.

Suggested advisory:
========================

Updated libdigidoc packages fix security vulnerability:

Fixed one critical bug in the DDOC parsing routines. By persuading a victim to open a specially-crafted DDOC file, a remote attacker could exploit this vulnerability to overwrite arbitrary files on the system with the privileges of the victim.

References:
http://www.id.ee/?lang=en&id=34283#3_7_2
========================

Updated packages in core/updates_testing:
========================
mga2:
lib64digidoc-devel-2.7.1.59-1.1.mga2.x86_64.rpm
lib64digidoc2-2.7.1.59-1.1.mga2.x86_64.rpm
libdigidoc2-2.7.1.59-1.1.mga2.i586.rpm
libdigidoc-devel-2.7.1.59-1.1.mga2.i586.rpm

Source RPM:
libdigidoc-2.7.1.59-1.1.mga2.src.rpm

mga3:
lib64digidoc2-3.6.0.0-3.1.mga3.x86_64.rpm
lib64digidoc-devel-3.6.0.0-3.1.mga3.x86_64.rpm
libdigidoc-3.6.0.0-3.1.mga3.x86_64.rpm
libdigidoc2-3.6.0.0-3.1.mga3.i586.rpm
libdigidoc-devel-3.6.0.0-3.1.mga3.i586.rpm
libdigidoc-3.6.0.0-3.1.mga3.i586.rpm

Source RPM:
libdigidoc-3.6.0.0-3.1.mga3.src.rpm

Assignee: mageia => qa-bugs

Thanks Sander

Testing complete mga2 32.

Just started digidoc client and chose to 'View signed document content' then checked the content & signature etc for obvious errors.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-32-ok

Advisory 11100.adv uploaded but will need updating when a CVE is issued.

Testing complete mga3 64

Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga3-64-ok

Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga3-64-ok mga3-32-ok

Testing complete mga2 64

Validating.

Advisory is uploaded but will need to be updated when a CVE is issued.

Could sysadmin please push from 2 & 3 core/updates_testing to updates.

Thanks!

Keywords: (none) => validated_update

CVE-2013-5648 has been assigned:
http://openwall.com/lists/oss-security/2013/08/29/2

Suggested advisory:
========================

Updated libdigidoc packages fix security vulnerability:

Fixed one critical bug in the DDOC parsing routines. By persuading a victim to open a specially-crafted DDOC file, a remote attacker could exploit this vulnerability to overwrite arbitrary files on the system with the privileges of the victim (CVE-2013-5648).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5648
http://www.id.ee/?lang=en&id=34283#3_7_2

Summary: Security vulnerability in libdigidoc => libdigidoc new security issue CVE-2013-5648

Advisory updated, thanks.

Update pushed:
http://advisories.mageia.org/MGASA-2013-0268.html

Status: NEW => RESOLVED

David Walser
2013-09-04 02:39:00 CEST
URL: http://www.id.ee/?lang=en&id=34283#3_7_2 => http://lwn.net/Vulnerabilities/565579/