Bug 19160

Summary: bsdiff new security issue CVE-2014-9862
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/696699/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: bsdiff-4.3-9.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-08-08 22:14:01 CEST 
openSUSE has issued an advisory on August 6:
https://lists.opensuse.org/opensuse-updates/2016-08/msg00026.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated bsdiff package fixes security vulnerability:

Integer signedness error in bspatch.c in bspatch in bsdiff allows remote
attackers to execute arbitrary code or cause a denial of service (heap-based
buffer overflow) via a crafted patch file (CVE-2014-9862).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
https://lists.opensuse.org/opensuse-updates/2016-08/msg00026.html
========================

Updated packages in core/updates_testing:
========================
bsdiff-4.3-9.1.mga5

from bsdiff-4.3-9.1.mga5.src.rpm
Comment 1 Herman Viaene 2016-08-11 14:22:06 CEST 
MGA5-32 on Acer D620 Xfce
No installation issues
Tested at CLI by:
$ cd /bin/
$ bsdiff 7z 7za ~/Documenten/bsdiff.txt
which produces a 161 byte file, and 
$ more ~/Documenten/bsdiff.txt
BSDIFF40+

CC: (none) => herman.viaene

Herman Viaene 2016-08-11 14:22:50 CEST

Whiteboard: (none) => MGA5-32-OK

Comment 2 Lewis Smith 2016-08-13 10:16:45 CEST 
Testing mga5 x64 real hardware.

Copied (for safety) /usr/bin/bsdiff, and another copy to play with. Used hexedit to corrupt that play copy.
 $ cp /usr/bin/bsdiff .
 $ cp /usr/bin/bsdiff ./bsdiffcorrupt
 $ hexedit bsdiffcorrupt

BEFORE the update: bsdiff-4.3-9.mga5
 $ bsdiff ./bsdiff ./bsdiffcorrupt ./beforepatch
where beforepatch is the pre-update binary patch file produced.

AFTER update: bsdiff-4.3-9.1.mga5
 $ bsdiff ./bsdiff ./bsdiffcorrupt ./afterpatch
where afterpatch is the post-update binary patch file produced.
 $ cmp beforepatch afterpatch
 $
i.e. the two binary patch files are identical, so the update is not damaging.
OK.
Validating the update, Advisory will be uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2016-08-13 10:26:08 CEST

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 3 Mageia Robot 2016-08-31 17:33:51 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0288.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED