| Summary: | kwalletd new security issue CVE-2013-7252 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lmenut, mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/629676/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | kdebase4-runtime-4.12.5-1.2.mga4 | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 14851 | ||
Description
David Walser
2015-01-09 15:52:27 CET

David Walser
2015-01-09 15:52:41 CET
CC: (none) => mageia

David Walser
2015-01-12 19:38:05 CET
Blocks: (none) => 14674

This kwalletd vulnerability is fixed in Cauldron with:
- kdebase4-runtime 4.14.3-3 (KDE SC 4.14),
- kwallet 5.5.0-2 (KF5).

Source RPM: kwallet => kdebase4-runtime-4.12.5-1.2.mga4

Fedora has issued an advisory for this on January 12:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148090.html

URL: (none) => http://lwn.net/Vulnerabilities/629676/

src.rpm:
kdebase4-runtime-4.12.5-1.3.mga4.src.rpm

packages i586:
kdebase4-runtime-4.12.5-1.3.mga4.i586.rpm
kdebase4-runtime-devel-4.12.5-1.3.mga4.i586.rpm
kdebase4-runtime-handbook-4.12.5-1.3.mga4.noarch.rpm
kwallet-daemon-4.12.5-1.3.mga4.i586.rpm
libkwalletbackend4-4.12.5-1.3.mga4.i586.rpm
libmolletnetwork4-4.12.5-1.3.mga4.i586.rpm
nepomuk-4.12.5-1.3.mga4.i586.rpm

packages x86_64:
kdebase4-runtime-4.12.5-1.3.mga4.x86_64.rpm
kdebase4-runtime-devel-4.12.5-1.3.mga4.x86_64.rpm
kdebase4-runtime-handbook-4.12.5-1.3.mga4.noarch.rpm
kwallet-daemon-4.12.5-1.3.mga4.x86_64.rpm
lib64kwalletbackend4-4.12.5-1.3.mga4.x86_64.rpm
lib64molletnetwork4-4.12.5-1.3.mga4.x86_64.rpm
nepomuk-4.12.5-1.3.mga4.x86_64.rpm

I will write the advisory later (too late this evening), but testing by QA can start.

Summary: kwallet new security issue CVE-2013-7252 => kwalletd new security issue CVE-2013-7252

Luc Menut
2015-01-23 00:01:48 CET
Blocks: (none) => 14851

Still need an advisory please, Luc or David.

Advisory:
========================

Updated kdebase4-runtime packages fix security vulnerability:

kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack (CVE-2013-7252).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7252
https://www.kde.org/info/security/advisory-20150109-1.txt
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148090.html

Testing complete mga4 64

Ensured nepomuk was enabled in kde settings (search settings) and kwallet subsystem in kde wallet manager settings. Used konqueror to store a login/password and verified it was stored in kwallet. Deleted the wallet, as it was only used for testing.

Whiteboard: (none) => has_procedure mga4-64-ok

This update has some additional fixes, so I propose to add to the advisory:

This update also fixes some additional issues:
- encoding in KDEsuDialog (mga#14851)
- kio_sftp can corrupt files when reading (bko#342391)
- use euro currency for Lithuania
- save the default file manager, email client and browser in mimeapps.list [Default Applications] for a better interoperability with most of GTK applications (mga#4461)

and for references:
https://bugs.mageia.org/show_bug.cgi?id=14851
https://bugs.kde.org/show_bug.cgi?id=342391
https://bugs.mageia.org/show_bug.cgi?id=4461

Thanks Luc.

Advisory:
========================

Updated kdebase4-runtime packages fix security vulnerability:

kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack (CVE-2013-7252).

This update also fixes some additional issues:
- encoding in KDEsuDialog (mga#14851)
- kio_sftp can corrupt files when reading (bko#342391)
- use euro currency for Lithuania
- save the default file manager, email client and browser in mimeapps.list [Default Applications] for a better interoperability with most of GTK applications (mga#4461)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7252
https://www.kde.org/info/security/advisory-20150109-1.txt
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148090.html
https://bugs.kde.org/show_bug.cgi?id=342391
https://bugs.mageia.org/show_bug.cgi?id=14851
https://bugs.mageia.org/show_bug.cgi?id=4461
https://bugs.mageia.org/show_bug.cgi?id=14997

Testing completed mga4 32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Validating. Advisory uploaded. Please push to 4 updates. Thanks.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0044.html

Status: NEW => RESOLVED

This may have caused a regression with weather plasmoids. They appear unable to connect. Previously we've had an issue with plasmoids expecting networkmanager. Is it possible we've lost a patch?

yawp is still working fine for me on two machines and a VM with this update. Have you rebooted since installing it?

yes
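The advisory above states the weakness in one sentence: with ECB, every 8-byte plaintext block is encrypted on its own, so two wallet entries that share a block (the same password stored for two accounts, for example) produce the same ciphertext block, and anyone who learns one entry learns every other place that block occurs; CBC chains each block with the previous ciphertext block and removes that leak. The example below demonstrates this on a constructed wallet-style store. It is an added illustration, not code from KDE, kwalletd or the Mageia packages: the block cipher is a stand-in 16-round Feistel network keyed through SHA-256 with Blowfish's 8-byte block size (not Blowfish itself, and not a cipher to deploy), the records, key and zero IV are constructed so the run is deterministic, and `duplicate_blocks`, `compare_modes` and the other names are this example's own.

```python
"""ECB vs CBC on a wallet-style password store (added example, not KDE code).

The block cipher is a 16-round Feistel network keyed through SHA-256 with an
8-byte block, chosen only to mirror Blowfish's block size so that the mode
behaviour is the same; it is NOT Blowfish and not for real use.
"""
import hashlib

BLOCK = 8      # bytes; the same block size as Blowfish
ROUNDS = 16


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: SHA-256 truncated to half a block (stand-in for Blowfish's F)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    """Run the Feistel rounds in the given order; decryption is the same walk in reverse."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left          # undo the final swap


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7-style: always add 1..BLOCK bytes
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(key, b) for b in _blocks(_pad(data)))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return _unpad(b"".join(decrypt_block(key, b) for b in _blocks(data)))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: XOR each block with the previous ciphertext block before encrypting, hiding repeats."""
    out, prev = [], iv
    for b in _blocks(_pad(data)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(data):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return _unpad(b"".join(out))


def duplicate_blocks(ciphertext: bytes) -> dict:
    """Map every ciphertext block that occurs more than once to the block indices where it occurs.
    This is all the codebook attacker needs: a known block reveals every other entry sharing it."""
    seen = {}
    for i, b in enumerate(_blocks(ciphertext)):
        seen.setdefault(b, []).append(i)
    return {b: idx for b, idx in seen.items() if len(idx) > 1}


# Constructed sample store: fixed-width (user, password) records; alice and bob share a password.
RECORDS = [(b"alice", b"hunter2"), (b"bob", b"hunter2"), (b"carol", b"s3cret!")]


def build_store(records=RECORDS) -> bytes:
    return b"".join(u.ljust(BLOCK, b"\0") + p.ljust(BLOCK, b"\0") for u, p in records)


KEY = hashlib.sha256(b"constructed wallet password").digest()   # stand-in for the wallet key
IV = bytes(BLOCK)    # fixed only to keep this example deterministic; real CBC needs a fresh random IV


def compare_modes():
    """Return (ECB duplicate map, CBC duplicate map) for the same store under the same key."""
    store = build_store()
    return duplicate_blocks(ecb_encrypt(KEY, store)), duplicate_blocks(cbc_encrypt(KEY, IV, store))


if __name__ == "__main__":
    ecb_dups, cbc_dups = compare_modes()
    print("ECB repeated block positions:", list(ecb_dups.values()))   # [[1, 3]]: bob's password == alice's
    print("CBC repeated block positions:", list(cbc_dups.values()))   # []
```

Block 1 is alice's password and block 3 is bob's; under ECB they come out identical, so an attacker who knows (or can guess and verify) one of them has also broken the other without touching the key, which is the codebook attack the advisory refers to. Under CBC the same two plaintext blocks are XORed with different preceding ciphertext blocks and no longer match. Note that CBC only fixes this specific leak; it does not by itself authenticate the store, and a real implementation must also use a random IV per encryption rather than the fixed one used here for determinism.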