Bug 19793

Summary: tre new security issues CVE-2015-3796 and CVE-2016-8859
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/704924/
Whiteboard: advisory MGA5-32-OK
Source RPM: tre-0.8.0-13.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-11-15 20:51:16 CET 
Fedora has issued an advisory on November 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RF7IRNEREOGUAKOAE2LLRIJ37TCLAL4/

LWN reference for the first CVE:
http://lwn.net/Vulnerabilities/706479/
David Walser 2016-11-15 20:51:23 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2016-11-16 15:50:12 CET 
fixed on cauldron

CC: (none) => mageia
Version: Cauldron => 5

David Walser 2016-11-16 15:53:06 CET

Whiteboard: MGA5TOO => (none)

Comment 2 Nicolas Lécureuil 2016-11-16 15:55:42 CET 
*** Bug 19676 has been marked as a duplicate of this bug. ***
Nicolas Lécureuil 2016-11-16 15:56:09 CET

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2016-11-16 16:43:20 CET 
Advisory:
========================

Updated tre packages fix security vulnerabilities:

The TRE library allows context-dependent attackers to execute arbitrary code or
cause a denial of service (memory corruption and application crash) via a
crafted regular expression (CVE-2015-3796).

A vulnerability has been found in the tre package that could allow an attacker
to perform controlled heap corruption (CVE-2016-8859).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8859
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RF7IRNEREOGUAKOAE2LLRIJ37TCLAL4/
========================

Updated packages in core/updates_testing:
========================
libtre5-0.8.0-12.1.mga5
agrep-0.8.0-12.1.mga5
libtre-devel-0.8.0-12.1.mga5

from tre-0.8.0-12.1.mga5.src.rpm
Dave Hodgins 2016-11-17 22:06:21 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 Herman Viaene 2016-11-18 14:06:26 CET 
MGA5-32 on Acer D620 Xfce
No installation issues
Tried "ps -ef | agrep -2 http"  versus "ps -ef | grep http". agrep generate noticeably more output.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Dave Hodgins 2016-11-21 21:59:23 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2016-11-21 23:18:58 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0395.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED