Bug 20378

Summary: libice new security issue CVE-2017-2626
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, sysadmin-bugs, zombie.ryushu
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory
Source RPM: libice-1.0.9-4.mga6.src.rpm CVE: CVE-2017-2626
Status comment:

Description David Walser 2017-03-01 12:20:51 CET 
Upstream has issued an advisory on February 28:
http://openwall.com/lists/oss-security/2017/02/28/3
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/

More info available here:
http://openwall.com/lists/oss-security/2017/03/01/1

Mageia 5 is also affected.
David Walser 2017-03-01 12:21:02 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Thierry Vignaud 2017-03-01 14:23:33 CET 
I added BR on libbsd-devel for cauldron:
http://svnweb.mageia.org/packages?view=revision&revision=1088368
Nicolas Lécureuil 2017-04-24 16:19:42 CEST

Version: Cauldron => 5
CC: (none) => mageia
CVE: (none) => CVE-2017-2626
Whiteboard: MGA5TOO => (none)

Comment 2 Nicolas Lécureuil 2017-08-11 12:33:33 CEST 
pushed in updates_testing for mageia 5

src.rpm:    libice-1.0.9-3.1.mga5

Assignee: thierry.vignaud => qa-bugs

Comment 3 David Walser 2017-08-11 14:14:59 CEST 
Advisory:
========================

Updated libice packages fix security vulnerability:

libICE depends on arc4random() to generate the session cookies, thereby using a
weak mechanism to generate entropy (CVE-2017-2626).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2625
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
========================

Updated packages in core/updates_testing:
========================
libice6-1.0.9-3.1.mga5
libice-devel-1.0.9-3.1.mga5

from libice-1.0.9-3.1.mga5.src.rpm
Comment 4 Herman Viaene 2017-08-25 14:38:13 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Loads of progs have a dependency on libice6. Traced a simple case: open some txt file with pluma.
Found call to libICE.so.6 in the trace, so OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 Lewis Smith 2017-08-25 21:23:23 CEST 
@David
Aout to do the advisory, I noticed that the CVE-ID is not consistent. Neither 2625 nor 2626 go anywhere, both are RESERVED.
Ah.The reference includes (among others) both, but libICE is equated to 2626.
All that for the record. Advisory done with 2626.
And because this is M5 only, validating also.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-08-25 22:36:40 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0307.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2017-08-25 23:00:57 CEST 
Lewis, there are no inconsistencies, as I consistently used 2626 here, which is the correct CVE for libice.  Note that most CVEs say RESERVED because no description has been posted, but it also means that it *has* been assigned for something.
Comment 8 David Walser 2017-08-25 23:03:11 CEST 
Ahh nevermind, I see it.
Comment 9 David Walser 2019-11-24 01:14:59 CET 
*** Bug 25731 has been marked as a duplicate of this bug. ***

CC: (none) => zombie.ryushu