| Summary: | libgadu new security issue CVE-2013-4488 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | fundawang, n54, stormi-mageia, sysadmin-bugs, warrendiogenese, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/578238/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK | | |
| Source RPM: | libgadu-1.11.2-6.mga4.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2013-12-30 18:31:02 CET
David Walser
2013-12-30 18:31:09 CET
Whiteboard: (none) => MGA3TOO
David Walser
2014-02-05 19:09:01 CET
CC: (none) => fundawang, n54
David Walser
2014-02-05 19:09:13 CET
Whiteboard: MGA3TOO => MGA4TOO, MGA3TOO

1.12.0 final is now out and it doesn't change the library major, so that's good. It has a build-time test suite (make check) which fails when built with gnutls support (which we do) on the "connect" test saying buffer overflow detected.

libgadu-1.12.0-1.mga5 uploaded for Cauldron (without make check) by diogenese. The make check has been added in SVN, we'll see if it builds on the build system when it's pushed again...

CC: (none) => warrendiogenese

Updated packages uploaded for Mageia 3 and Mageia 4.

The RedHat bug mentions OpenSSL, but Fedora's package is built with gnutls, not OpenSSL, same as ours. Looking at the code commits they linked, it doesn't look like the issue is only when using OpenSSL.

Advisory:
========================

Updated libgadu packages fix security vulnerability:

Libgadu before 1.12.0 was found to not be performing SSL certificate validation (CVE-2013-4488).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4488
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125143.html
========================

Updated packages in core/updates_testing:
========================
libgadu3-1.12.0-1.mga3
libgadu-devel-1.12.0-1.mga3
libgadu3-1.12.0-1.mga4
libgadu-devel-1.12.0-1.mga4

from SRPMS:
libgadu-1.12.0-1.mga3.src.rpm
libgadu-1.12.0-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12709

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Testing MGA4 64
Just testing that the lib installs and is correctly loaded by the ekg2 client.
# urpmi lib64gadu3 --search-media "Updates Testing"
# urpmi ekg2
then
$ strace -o strace.out ekg2 # then type "quit" and then press enter
$ grep libgadu strace.out
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
Testing complete.

CC: (none) => stormi

In VirtualBox, M3, KDE, 32-bit
Package(s) under test:
libgadu3 ekg2
default install of libgadu3 & ekg2
[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.11.4-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.i586 is already installed
[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
install libgadu3 from updates_testing
[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.12.0-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.i586 is already installed
[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

In VirtualBox, M3, KDE, 64-bit
Package(s) under test:
lib64gadu3 ekg2
default install of lib64gadu3 & ekg2
[root@localhost wilcal]# urpmi lib64gadu3
Package lib64gadu3-1.11.4-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.x86_64 is already installed
[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
install lib64gadu3 from updates_testing
[root@localhost wilcal]# urpmi lib64gadu3
Package lib64gadu3-1.12.0-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-8.mga3.x86_64 is already installed
[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney
2014-09-10 19:27:00 CEST
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK

In VirtualBox, M4, KDE, 32-bit
Package(s) under test:
libgadu3 ekg2
default install of libgadu3 & ekg2
[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.11.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-10.mga4.i586 is already installed
[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
install libgadu3 from updates_testing
[root@localhost wilcal]# urpmi libgadu3
Package libgadu3-1.12.0-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi ekg2
Package ekg2-0.3.1-10.mga4.i586 is already installed
[wilcal@localhost ~]$ strace -o strace.out ekg2
EKG2 launches
Quit EKG2
[wilcal@localhost ~]$ grep libgadu strace.out
open("/lib/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push this to updates.

Thanks

Keywords: (none) => validated_update

Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0375.html

Status: NEW => RESOLVED
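
The load check used in the test reports above, written as a script; this is an added example and not part of the original bug thread. It reads a strace log, keeps only the successful opens of libgadu (a plain grep also matches failed search-path probes), and compares them with an expected library directory. The function names, the sample trace and the /lib64 default are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and the sample trace are constructed here.

# Constructed strace output: one failed search-path probe, an unrelated
# library, then the successful open of libgadu.
sample_trace() {
cat <<'EOF'
open("/usr/lib64/tls/libgadu.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 6
EOF
}

# Read strace output on stdin and print the path of every libgadu shared
# object whose open()/openat() returned a file descriptor. An optional
# leading PID column (strace -f) is tolerated.
loaded_libgadu() {
    sed -n -E 's/^([0-9]+ +)?(open|openat)\((AT_FDCWD, )?"([^"]*libgadu\.so[^"]*)".*\) = [0-9]+$/\4/p'
}

# check_libgadu TRACE_FILE LIBDIR
# Returns 0 and prints the loaded path(s) if libgadu was loaded and only
# from LIBDIR; 1 if it was never loaded; 2 if it came from elsewhere.
check_libgadu() {
    paths=$(loaded_libgadu < "$1")
    if [ -z "$paths" ]; then
        echo "libgadu was not loaded" >&2
        return 1
    fi
    for p in $paths; do
        case "$p" in
            "$2"/libgadu.so*) ;;
            *) echo "unexpected location: $p" >&2; return 2 ;;
        esac
    done
    echo "$paths"
}

# Usage: sh check.sh strace.out /lib64
if [ -n "${1:-}" ]; then
    check_libgadu "$1" "${2:-/lib64}"
fi
```

The path alone does not show which build is installed; `rpm -qf` on the printed path reports the owning package and version. This confirms the load only and does not exercise the certificate validation that CVE-2013-4488 concerns.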