| Summary: | krfb new security issue CVE-2014-4607 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | balcaen.john, davidwhodgins, lmenut, mageia, mageia, sysadmin-bugs, wilcal.int |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/604237/ | ||
| Whiteboard: | MGA3-32-OK MGA3-64-OK advisory | ||
| Source RPM: | kdenetwork4-4.10.5-1.1.mga3.src.rpm, krfb-4.11.4-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 13943 | ||

Description
David Walser
2014-08-18 21:49:53 CEST

David Walser
2014-08-18 21:50:09 CEST
Whiteboard: (none) => MGA3TOO

Luc Menut
(In reply to David Walser from comment #0)
> It appears that krfb bundles libvncserver, which bundles liblzo, which has a
> security issue that we fixed in Bug 13655.
>
> KDE has issued an advisory for this on August 3:
> http://www.kde.org/info/security/advisory-20140803-1.txt
>
> Fedora has issued an advisory for this on August 7:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136758.html

For Mageia 4, it will be fixed with the KDE update to 4.11.5 or 4.12.5, depending on the council decision.

> Mageia 3 is also affected.

OK, I will prepare an update.

> The issue will be fixed in KDE 4.14, so Cauldron will be unaffected.

The patch to update the embedded minilzo has already been applied in Cauldron since 4.13.97:
+ Revision: 663033
- Update to KDE SC 4.13.97 aka KDE SC 4.14 RC
- add security patch from KDE/4.14 to update embedded minilzo (CVE-2014-4607)

> Even in Cauldron, krfb should be changed to use the system libraries if
> possible.

Hum, currently, libvncserver is not fixed and still embeds a vulnerable minilzo.

Hardware: i586 => All

Packages generated for Mageia 3 update:
kdenetwork4-4.10.5-1.2.mga3
kde4-filesharing-4.10.5-1.2.mga3
kdnssd-4.10.5-1.2.mga3
libkgetcore4-4.10.5-1.2.mga3
kget-4.10.5-1.2.mga3
kget-handbook-4.10.5-1.2.mga3
kopete-4.10.5-1.2.mga3
kopete-handbook-4.10.5-1.2.mga3
kopete-latex-4.10.5-1.2.mga3
libkopetecontactlist1-4.10.5-1.2.mga3
libkyahoo1-4.10.5-1.2.mga3
libkopete_videodevice4-4.10.5-1.2.mga3
libkopeteaddaccountwizard1-4.10.5-1.2.mga3
libkopete4-4.10.5-1.2.mga3
libkopeteprivacy1-4.10.5-1.2.mga3
libkopetechatwindow_shared1-4.10.5-1.2.mga3
libkrdccore4-4.10.5-1.2.mga3
libkopetestatusmenu1-4.10.5-1.2.mga3
libkopete_oscar4-4.10.5-1.2.mga3
liboscar1-4.10.5-1.2.mga3
libkopeteidentity1-4.10.5-1.2.mga3
libkrfbprivate4-4.10.5-1.2.mga3
kppp-4.10.5-1.2.mga3
kppp-handbook-4.10.5-1.2.mga3
kppp-provider-4.10.5-1.2.mga3
krdc-4.10.5-1.2.mga3
krdc-handbook-4.10.5-1.2.mga3
krfb-4.10.5-1.2.mga3
krfb-handbook-4.10.5-1.2.mga3
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3
kdenetwork4-devel-4.10.5-1.2.mga3
from kdenetwork4-4.10.5-1.2.mga3

David Walser
(In reply to Luc Menut from comment #1)
> hum, currently, libvncserver is not fixed and still embeds a vulnerable
> minilzo.

Ugh, thanks for pointing this out. It looks like a lot of packages bundle minilzo. pterjan ran a urpmf minilzo.c on the debug media in Cauldron and got:
bb blender distcc dump grub2 icecream italc krfb libvncserver mednafen x11vnc

(In reply to David Walser from comment #3)
> (In reply to Luc Menut from comment #1)
> > hum, currently, libvncserver is not fixed and still embeds a vulnerable
> > minilzo.
>
> Ugh, thanks for pointing this out. It looks like a lot of packages bundle
> minilzo. pterjan ran a urpmf minilzo.c on the debug media in Cauldron and
> got:
> bb blender distcc dump grub2 icecream italc krfb libvncserver mednafen x11vnc

Yep, many projects embed either lzo or minilzo, see http://seclists.org/oss-sec/2014/q2/676

Yikes, thanks again.

It looks like the list I got from pterjan is pretty much complete, except for possibly busybox (bundles lzo and not minilzo as the oss-sec message said, at least in the version in Cauldron) and remmina (bundles libvncserver). Remmina is a weird one because it has BR: pkgconfig(libvncserver) as if it's trying to build against the system one, but none of its packages are linked to libvncserver, yet it didn't show up in the urpmf query.
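The thread above hunts for bundled minilzo copies with a urpmf query over the debug media. As an added example that is not part of this bug report and not Mageia, KDE or upstream lzo code, the script below runs the equivalent check over an unpacked source tree: it locates minilzo.h, minilzo.c and lzoconf.h, reads the LZO_VERSION or MINILZO_VERSION macro that upstream lzo defines in 0xMMmm form, and flags every copy older than 2.07, the first release with the CVE-2014-4607 fix. The sample tree it builds is constructed for the demo; its directory layout and file contents are assumptions, not the real krfb or libvncserver sources.

```shell
#!/bin/sh
# Find bundled copies of LZO/miniLZO in a source tree and flag versions
# older than 2.07, the release that fixed CVE-2014-4607.
# Added example for this bug thread; not code from Mageia, KDE or upstream lzo.

# Upstream lzo encodes its version as 0xMMmm in LZO_VERSION (lzoconf.h) and
# MINILZO_VERSION (minilzo.h); 2.07 is 0x2070.
FIXED_LZO_VERSION=$((0x2070))

# Emit "<path> <hexversion>" for every file that #defines one of the two
# version macros. Only the first definition per file is reported.
find_bundled_lzo() {
    find "$1" -type f \( -name minilzo.h -o -name minilzo.c -o -name lzoconf.h \) |
    while IFS= read -r f; do
        v=$(sed -n 's/^#define[[:space:]]\{1,\}\(MINI\)\{0,1\}LZO_VERSION[[:space:]]\{1,\}\(0x[0-9A-Fa-f]\{1,\}\).*/\2/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s %s\n' "$f" "$v"
        fi
    done
}

# Print a verdict per bundled copy on stderr and the number of vulnerable
# copies on stdout, so callers can capture the count.
# Usage: count_vulnerable_lzo <srcdir>
# Paths containing whitespace are not handled (read splits on it).
count_vulnerable_lzo() {
    find_bundled_lzo "$1" | {
        n=0
        while read -r f v; do
            if [ "$((v))" -lt "$FIXED_LZO_VERSION" ]; then
                printf '%s: lzo %s < 2.07, vulnerable to CVE-2014-4607\n' "$f" "$v" >&2
                n=$((n + 1))
            else
                printf '%s: lzo %s, fixed\n' "$f" "$v" >&2
            fi
        done
        echo "$n"
    }
}

# Constructed sample tree (assumed layout, not real package sources): a
# krfb-style bundled libvncserver carrying minilzo 2.06, and another project
# that already ships lzo 2.08. Prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/krfb/libvncserver/common" "$root/other/src"
    printf '#define MINILZO_VERSION         0x2060\n' \
        > "$root/krfb/libvncserver/common/minilzo.h"
    printf '#define LZO_VERSION             0x2080\n#define LZO_VERSION_STRING      "2.08"\n' \
        > "$root/other/src/lzoconf.h"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
count_vulnerable_lzo "$sample"   # lists both copies on stderr, prints 1
rm -rf "$sample"
```

The scanner only establishes that a bundled copy carries a pre-2.07 version macro; whether the decompression path is reachable from attacker-controlled input (as it is for an RFB server like krfb) still has to be judged per package. On a Mageia system the corresponding query against built packages is the urpmf minilzo.c over the debug media that the thread describes.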
David Walser
2014-08-19 18:44:50 CEST
Blocks: (none) => 13943

Patched kdenetwork4 uploaded for Mageia 3.

Advisory:
========================

Updated kdenetwork4 packages fix a security vulnerability in krfb:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly execute code in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607). The libvncserver library is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. The krfb package is built with a bundled copy of libvncserver.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
http://www.kde.org/info/security/advisory-20140803-1.txt
========================

src.rpm:
kdenetwork4-4.10.5-1.2.mga3.src.rpm

packages for i586:
kde4-filesharing-4.10.5-1.2.mga3.i586.rpm
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3.i586.rpm
kdenetwork4-4.10.5-1.2.mga3.i586.rpm
kdenetwork4-devel-4.10.5-1.2.mga3.i586.rpm
kdnssd-4.10.5-1.2.mga3.i586.rpm
kget-4.10.5-1.2.mga3.i586.rpm
kget-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-4.10.5-1.2.mga3.i586.rpm
kopete-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-latex-4.10.5-1.2.mga3.i586.rpm
kppp-4.10.5-1.2.mga3.i586.rpm
kppp-handbook-4.10.5-1.2.mga3.noarch.rpm
kppp-provider-4.10.5-1.2.mga3.i586.rpm
krdc-4.10.5-1.2.mga3.i586.rpm
krdc-handbook-4.10.5-1.2.mga3.noarch.rpm
krfb-4.10.5-1.2.mga3.i586.rpm
krfb-handbook-4.10.5-1.2.mga3.noarch.rpm
libkgetcore4-4.10.5-1.2.mga3.i586.rpm
libkopete4-4.10.5-1.2.mga3.i586.rpm
libkopete_oscar4-4.10.5-1.2.mga3.i586.rpm
libkopete_videodevice4-4.10.5-1.2.mga3.i586.rpm
libkopeteaddaccountwizard1-4.10.5-1.2.mga3.i586.rpm
libkopetechatwindow_shared1-4.10.5-1.2.mga3.i586.rpm
libkopetecontactlist1-4.10.5-1.2.mga3.i586.rpm
libkopeteidentity1-4.10.5-1.2.mga3.i586.rpm
libkopeteprivacy1-4.10.5-1.2.mga3.i586.rpm
libkopetestatusmenu1-4.10.5-1.2.mga3.i586.rpm
libkrdccore4-4.10.5-1.2.mga3.i586.rpm
libkrfbprivate4-4.10.5-1.2.mga3.i586.rpm
libkyahoo1-4.10.5-1.2.mga3.i586.rpm
liboscar1-4.10.5-1.2.mga3.i586.rpm

packages for x86_64:
kde4-filesharing-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork4-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork4-devel-4.10.5-1.2.mga3.x86_64.rpm
kdnssd-4.10.5-1.2.mga3.x86_64.rpm
kget-4.10.5-1.2.mga3.x86_64.rpm
kget-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-4.10.5-1.2.mga3.x86_64.rpm
kopete-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-latex-4.10.5-1.2.mga3.x86_64.rpm
kppp-4.10.5-1.2.mga3.x86_64.rpm
kppp-handbook-4.10.5-1.2.mga3.noarch.rpm
kppp-provider-4.10.5-1.2.mga3.x86_64.rpm
krdc-4.10.5-1.2.mga3.x86_64.rpm
krdc-handbook-4.10.5-1.2.mga3.noarch.rpm
krfb-4.10.5-1.2.mga3.x86_64.rpm
krfb-handbook-4.10.5-1.2.mga3.noarch.rpm
lib64kgetcore4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete_oscar4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete_videodevice4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteaddaccountwizard1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetechatwindow_shared1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetecontactlist1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteidentity1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteprivacy1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetestatusmenu1-4.10.5-1.2.mga3.x86_64.rpm
lib64krdccore4-4.10.5-1.2.mga3.x86_64.rpm
lib64krfbprivate4-4.10.5-1.2.mga3.x86_64.rpm
lib64kyahoo1-4.10.5-1.2.mga3.x86_64.rpm
lib64oscar1-4.10.5-1.2.mga3.x86_64.rpm

Assignee: lmenut => qa-bugs

William Kenney
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: krfb krfb-handbook libkrfbprivate4

default install of krfb krfb-handbook libkrfbprivate4

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.10.5-1.1.mga3.i586 is already installed

Installs without reporting errors

install krfb krfb-handbook libkrfbprivate4 from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.2.mga3.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.10.5-1.2.mga3.i586 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

In VirtualBox, M3, KDE, 64-bit

Package(s) under test: krfb krfb-handbook lib64krfbprivate4

default install of krfb

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.10.5-1.1.mga3.x86_64 is already installed

Installs without reporting errors

install krfb from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.2.mga3.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.10.5-1.2.mga3.x86_64 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: krfb krfb-handbook libkrfbprivate4

default install of krfb krfb-handbook libkrfbprivate4

[root@localhost wilcal]# urpmi krfb
Package krfb-4.11.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.11.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.11.4-1.mga4.i586 is already installed

Installs without reporting errors

install krfb krfb-handbook libkrfbprivate4 from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.12.5-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.12.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.12.5-1.mga4.i586 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 64-bit

Package(s) under test: krfb krfb-handbook lib64krfbprivate4

default install of krfb

[root@localhost wilcal]# urpmi krfb
Package krfb-4.11.4-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.11.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.11.4-1.mga4.x86_64 is already installed

Installs without reporting errors

install krfb from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.12.5-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.12.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.12.5-1.mga4.x86_64 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

William Kenney
For me this update installs without errors
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

CC: (none) => sysadmin-bugs

(In reply to William Kenney from comment #11)
> For me this update installs without errors
> Testing complete for mga3 32-bit & 64-bit
> Testing complete for mga4 32-bit & 64-bit
> Validating the update.
> Could someone from the sysadmin team push this to updates.
> Thanks

Fixed packages concern only Mga 3 for now (see list in comment #6).
@sysadmin team, please push only mga3 packages.

For Mga 4, it will be fixed with the global KDE update to 4.11.5 or 4.12.5, depending on the council decision (krfb-4.12.5-1.mga4 packages are not fixed for CVE-2014-4607).

CC: (none) => lmenut
Luc Menut
2014-08-23 19:52:24 CEST
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA4TOO MGA3-32-OK MGA3-64-OK

Advisory 13933.adv added to svn.

Whiteboard: MGA4TOO MGA3-32-OK MGA3-64-OK => MGA4TOO MGA3-32-OK MGA3-64-OK advisory

Removing the MGA4TOO whiteboard entry, as this bug report is only for the Mageia 3 version, as per comment #6.

Whiteboard: MGA4TOO MGA3-32-OK MGA3-64-OK advisory => MGA3-32-OK MGA3-64-OK advisory

I cannot push this update due to the dep on #13221.
My code refuses to issue an update advisory ID if there are open, dependent bugs (nice test of this check!! :D)
So, either the dep should be removed, or we will have to wait (or I could override my check...)

CC: (none) => mageia

13221 is for the mga4 update. Dep removed.

Depends on: 13221 => (none)

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0360.html

Status: NEW => RESOLVED