Bug 14663

Summary: libksba new security issue CVE-2014-9087
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: ottoleipala1, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/623292/
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
Source RPM: libksba-1.3.1-2.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2014-11-26 14:42:14 CET
A CVE has been assigned for an issue fixed in libksba 1.3.2:
http://openwall.com/lists/oss-security/2014/11/26/3

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 3 and Mageia 4.

libksba is used through gnupg2, so that's what you need to use to test this.  We have a gnupg test procedure; you just need to use "gpg2" instead of "gpg" as the command to test gnupg2:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

This probably isn't the most serious issue in the world, but the testing procedure is quick and easy, so if we're able to get it tested today, then great.

Advisory:
========================

Updated libksba packages fix security vulnerability:

By using special crafted S/MIME messages or ECC based OpenPGP data, it is
possible to create a buffer overflow, which could lead to a denial of service
(CVE-2014-9087).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9087
http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
http://openwall.com/lists/oss-security/2014/11/26/3
========================

Updated packages in core/updates_testing:
========================
libksba8-1.3.2-1.mga3
libksba-devel-1.3.2-1.mga3
libksba8-1.3.2-1.mga4
libksba-devel-1.3.2-1.mga4

from SRPMS:
libksba-1.3.2-1.mga3.src.rpm
libksba-1.3.2-1.mga4.src.rpm

David Walser 2014-11-26 14:42:23 CET

Whiteboard: (none) => MGA3TOO has_procedure
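The encryption/decryption procedure the description points to (bug 11306, comment 3) is not reproduced on this page. The script below is an added example, not part of this bug report and not code from the Mageia or GnuPG projects: a symmetric encrypt/decrypt round-trip with gpg2 inside a throwaway GNUPGHOME, so the check never touches the tester's own keyring. It assumes a GnuPG 2.x binary is installed (default "gpg2"; another binary name can be passed as the first argument, an assumption of this example). One caveat worth knowing: GnuPG 2.1 and later only honour --passphrase-fd in batch mode together with --pinentry-mode loopback, an option the 2.0.x series does not know, so the script picks based on the version string it sees.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia/GnuPG projects):
# symmetric encrypt/decrypt round-trip with gpg2 in an isolated GNUPGHOME.
# Prints OK or FAIL and returns 0 or 1 accordingly.
# Assumption: a GnuPG 2.x binary is on PATH; defaults to "gpg2", override
# by passing a different binary name as the first argument.

gpg2_roundtrip_test() {
    gpg_bin=${1:-gpg2}
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"   # mktemp already uses 0700; gpg warns on permissive homedirs

    # Constructed plaintext and passphrase, used only inside this script.
    printf 'round-trip test for the libksba update\n' > "$tmp/plain.txt"
    passphrase='constructed-test-passphrase'

    # GnuPG 2.1+ needs --pinentry-mode loopback for --passphrase-fd to work in
    # batch mode; GnuPG 2.0.x (and 1.x) rejects that option, so select by version.
    loopback=''
    case "$("$gpg_bin" --version 2>/dev/null | sed -n '1s/.* //p')" in
        1.*|2.0.*) loopback='' ;;
        *)         loopback='--pinentry-mode loopback' ;;
    esac

    # Encrypt.  $loopback is deliberately unquoted so it splits into two words.
    enc_rc=0
    printf '%s\n' "$passphrase" | GNUPGHOME="$tmp" "$gpg_bin" --batch --yes --quiet \
        $loopback --passphrase-fd 0 --symmetric --cipher-algo AES256 \
        --output "$tmp/plain.txt.gpg" "$tmp/plain.txt" 2>"$tmp/enc.err" || enc_rc=$?

    # Decrypt into a separate file, same passphrase on fd 0.
    dec_rc=1
    if [ "$enc_rc" -eq 0 ]; then
        dec_rc=0
        printf '%s\n' "$passphrase" | GNUPGHOME="$tmp" "$gpg_bin" --batch --yes --quiet \
            $loopback --passphrase-fd 0 --decrypt \
            --output "$tmp/plain.out" "$tmp/plain.txt.gpg" 2>"$tmp/dec.err" || dec_rc=$?
    fi

    # The round-trip passes only if both steps succeeded and the bytes match.
    if [ "$enc_rc" -eq 0 ] && [ "$dec_rc" -eq 0 ] && cmp -s "$tmp/plain.txt" "$tmp/plain.out"; then
        result=OK
    else
        result=FAIL
        cat "$tmp/enc.err" "$tmp/dec.err" >&2 2>/dev/null || true
    fi

    # Stop the agent GnuPG 2.1+ starts for this homedir (no-op on 2.0), clean up.
    GNUPGHOME="$tmp" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmp"
    echo "$result"
    [ "$result" = OK ]
}

# Usage:  sh this_script.sh run [gpg-binary]
if [ "$1" = run ]; then
    gpg2_roundtrip_test "$2"
fi
```

Because the homedir is created with mktemp and removed afterwards, the check can be repeated on each architecture after the updated libksba8 package is installed without leaving keyring state behind; a FAIL prints gpg's own stderr so the failing step can be read directly.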

Comment 1 David Walser 2014-11-26 15:54:31 CET
Tested successfully on Mageia 3 i586 and Mageia 4 i586 using the encryption/decryption test with gpg2.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 2 Otto Leipälä 2014-11-26 16:57:05 CET
Mageia 4 testing done on x64; validated update.

Keywords: (none) => validated_update
CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK

Comment 3 Otto Leipälä 2014-11-26 16:58:16 CET
Sysadmins push to updates.

Comment 4 David Walser 2014-11-26 17:14:20 CET
Fixing the corrupted whiteboard tag.  Thanks for testing.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK

Comment 5 Rémi Verschelde 2014-11-26 17:19:18 CET
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK advisory

Otto Leipälä 2014-11-26 17:22:46 CET

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK advisory => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Otto Leipälä 2014-11-26 17:23:22 CET

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Comment 6 Mageia Robot 2014-11-26 18:30:37 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0498.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-28 18:21:02 CET

URL: (none) => http://lwn.net/Vulnerabilities/623292/