Bug 13827

Summary: gpgme new security issue CVE-2014-3564
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: markkuehn, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/607793/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK
Source RPM: gpgme-1.4.3-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-07-31 17:28:46 CEST 
Details of a vulnerability fixed upstream have been released today (July 31):
http://openwall.com/lists/oss-security/2014/07/31/5

The issue is fixed in version 1.5.1, just uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gpgme packages fix security vulnerability:

A heap-based buffer overflow in gpgme before 1.5.1 could allow a specially
crafted certificate to cause crashes or potentially cause arbitrary code
execution (CVE-2014-3564).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3564
https://bugzilla.redhat.com/show_bug.cgi?id=1113267
========================

Updated packages in core/updates_testing:
========================
libgpgme11-1.3.2-2.1.mga3
libgpgme-devel-1.3.2-2.1.mga3
libgpgme11-1.4.3-2.1.mga4
libgpgme-devel-1.4.3-2.1.mga4

from SRPMS:
gpgme-1.3.2-2.1.mga3.src.rpm
gpgme-1.4.3-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-31 17:28:52 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 RĂ©mi Verschelde 2014-08-01 15:52:41 CEST 
No PoC as far as I can tell, we should just test for obvious regressions.

CC: (none) => remi

Comment 2 Mark Kay 2014-08-05 09:35:59 CEST 
I can't for the life of me reproduce this bug as outlined here through Kmail: https://bugzilla.redhat.com/show_bug.cgi?id=1113267

Installed:
- lib64gpgme11-1.4.3-2.1.mga4.x86_64
- lib64gpgme-devel-1.4.3-2.1.mga4.x86_64

But overall, no regression in x86_64 version.

CC: (none) => markkuehn
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 3 David Walser 2014-08-06 21:46:26 CEST 
Ubuntu has issued an advisory for this today (August 6):
http://www.ubuntu.com/usn/usn-2307-1/

URL: (none) => http://lwn.net/Vulnerabilities/607793/

Comment 4 Dick Gevers 2014-08-14 21:35:31 CEST 
IMO if gpg agent works okay in signing/encrypting mail with your mail client, then gpgme ought to be okay.
Comment 5 claire robinson 2014-08-20 17:50:33 CEST 
Testing complete mga3 32 using python-gpgme
(urpmq --whatrequires libgpgme11)

Found a basic script here: 
http://stackoverflow.com/questions/9257450/how-to-sign-a-file-and-then-verify

Assuming you've previously created gpg keys.

$ cat gpgmetest.py 
import gpgme
from io import BytesIO

ctx = gpgme.Context()
plain = BytesIO("Hello")
sign = BytesIO("")

ctx.sign(plain, sign, gpgme.SIG_MODE_CLEAR)
print sign.getvalue()


$ python gpgmetest.py
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJT9MJYAAoJEAwPe11O4nSymR8H/jFazvLQoPyY9ruCYVS6oJvE

...etc

LrPFAAqlwYPPt93/i4+KtWlQkgSUqGtcsNw9gjbJep/d8t6Gc8CfhS7eedFNghw=
=Jm9S
-----END PGP SIGNATURE-----

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK

Comment 6 claire robinson 2014-08-20 18:02:20 CEST 
Checked patches applied with rpmdiff in madb.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2014-08-21 11:37:07 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0340.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED