Bug 13786

Summary: eet new security issue CVE-2014-4611
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: oe, rverschelde, sysadmin-bugs, tremyfr
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/603972/
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK advisory
Source RPM: eet-1.7.10-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-07-22 17:33:34 CEST 
OpenSuSE has issued an advisory on July 21:
http://lists.opensuse.org/opensuse-updates/2014-07/msg00025.html

The issue is in LZ4 decompression.  The original advisory for this issue is here:
http://openwall.com/lists/oss-security/2014/06/26/25

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-22 17:33:41 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 trem 2014-07-24 18:49:16 CEST 
Thanks for reporting this issue.
I don't found the patch, do you know where I can found it please ?
Comment 3 Oden Eriksson 2014-07-31 13:14:27 CEST 
Fixed with eet-1.7.5-2.1.mga3, eet-1.7.10-1.1.mga4 & eet-1.7.10-2.mga5.

CC: (none) => oe

Comment 4 David Walser 2014-07-31 19:38:40 CEST 
Thanks Oden.  We actually didn't have eet in Cauldron anymore before this (I'm not sure why).  I guess it was still in SVN.  Hopefully trem will see this and if it was supposed to be dropped, do so properly.

Advisory:
========================

Updated eet packages fix security vulnerability:

Integer overflow in the LZ4 algorithm implementation on 32-bit platforms might
allow context-dependent attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via a crafted Literal
Run that would be improperly handled by programs not complying with an API
limitation (CVE-2014-4611).

The eet package bundles the LZ4 implementation and has been patched to correct
this flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4611
http://openwall.com/lists/oss-security/2014/06/26/25
http://lists.opensuse.org/opensuse-updates/2014-07/msg00025.html
========================

Updated packages in core/updates_testing:
========================
eet-1.7.5-2.1.mga3
libeet1-1.7.5-2.1.mga3
libeet-devel-1.7.5-2.1.mga3
eet-1.7.10-1.1.mga4
libeet1-1.7.10-1.1.mga4
libeet-devel-1.7.10-1.1.mga4

from SRPMS:
eet-1.7.5-2.1.mga3.src.rpm
eet-1.7.10-1.1.mga4.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/603972/
CC: (none) => tremyfr
Assignee: tremyfr => qa-bugs

Comment 5 David Walser 2014-08-01 15:44:36 CEST 
Validating this.  See the discussion in the QA meeting:
http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30

The advisory still needs to be uploaded.

Please push this to core/updates for Mageia 3 and Mageia 4.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Rémi Verschelde 2014-08-01 23:32:48 CEST 
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO advisory

Comment 7 Rémi Verschelde 2014-08-04 21:48:40 CEST 
Installs fine on Mageia 4 32bit, and the "eet" command produces some output. Good enough for an already validated update.

Whiteboard: MGA3TOO advisory => MGA3TOO MGA4-32-OK advisory

Comment 8 Rémi Verschelde 2014-08-05 19:58:39 CEST 
Made sure it installs in Mageia 3 32bit.

Whiteboard: MGA3TOO MGA4-32-OK advisory => MGA3TOO MGA3-32-OK MGA4-32-OK advisory

Comment 9 Mageia Robot 2014-08-06 12:31:59 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0321.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED