Bug 12985

Summary: imapsync new security issue CVE-2013-4279
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: marc.lattemann, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/590190/
Whiteboard: MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Source RPM: imapsync-1.584-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-10 17:04:37 CET 
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html

It disables a feature where it phones home checking for newer versions available causing information leakage about the system on which it's being executed.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated imapsync package fixes security vulnerability:

Imapsync, by default, runs a "release check" when executed, which causes
imapsync to connect to http://imapsync.lamiral.info and send information
about the version of imapsync, the operating system and perl (CVE-2013-4279).

The imapsync package has been patched to disable this feature.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4279
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html
========================

Updated packages in core/updates_testing:
========================
imapsync-1.584-1.1.mga3
imapsync-1.584-1.1.mga4

from SRPMS:
imapsync-1.584-1.1.mga3.src.rpm
imapsync-1.584-1.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-10 17:04:43 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-03-10 18:02:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/590190/

Comment 1 Marc Lattemann 2014-03-10 20:11:05 CET 
after installation of imapsync and simple run of imapsync wihtout any options iftop shows:
MGA3_32bit => ks.lamiral.info 0b  0b 83b

after update iptop does not show this network connection anymore

successfully tested on mga3 32bit

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK

Comment 2 Marc Lattemann 2014-03-10 20:26:03 CET 
updates with same procedure successfully tested for 
mag3 64bit
mga4 32bit
mga4 64bit

after advisory from Comment #0 is uploaded updates can be moved to core_updates.

Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 3 claire robinson 2014-03-11 14:53:03 CET 
Well done Marc, you're back in the groove!

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2014-03-12 17:33:18 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0127.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED