Bug 13545

Summary: kdelibs4 new security issue CVE-2014-3494
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: balcaen.john, lmenut
Version: 4   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/604032/
Whiteboard:
Source RPM: kdelibs4-4.13.2-1.mga5.src.rpm
CVE:
Status comment:
Bug Depends on: 13221    
Bug Blocks:    

Description David Walser 2014-06-18 22:14:29 CEST
KDE has issued an advisory today (June 18):
http://openwall.com/lists/oss-security/2014/06/18/16

The issue is fixed upstream in 4.13.3, and the commit is linked in the message above.

Mageia 4 is also affected; Mageia 3 is not.

David Walser 2014-06-18 22:14:46 CEST

CC: (none) => balcaen.john, lmenut
Whiteboard: (none) => MGA4TOO

Comment 1 Luc Menut 2014-06-26 22:02:39 CEST
Upstream patch applied in kdelibs4-4.13.2-2 for Cauldron.

Hardware: i586 => All
Blocks: (none) => 13221

Comment 2 David Walser 2014-06-26 22:18:52 CEST
Thanks Luc!  Setting version to 4 now that kdelibs4-4.13.2-2.mga5 is built.

We can use Bug 13221 for submitting the update to QA (along with the rest of KDE), so I'll switch that one to be the blocker.

Depends on: (none) => 13221
Blocks: 13221 => (none)

David Walser 2014-06-26 22:18:59 CEST

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 3 David Walser 2014-07-01 18:52:10 CEST
Fedora has issued an advisory for this on June 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/134961.html

For reference, here's the upstream URL for their advisory:
http://www.kde.org/info/security/advisory-20140618-1.txt

URL: (none) => http://lwn.net/Vulnerabilities/604032/

Comment 4 Luc Menut 2014-10-29 13:29:03 CET
Fixed in KDE 4.12.5

Status: NEW => RESOLVED
Resolution: (none) => FIXED