Bug 20561

Summary: mbedtls new security issue CVE-2017-2784
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: mbedtls-1.3.18-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2017-03-23 14:58:43 CET
Upstream has issued an advisory on March 10:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01

The issue (and others) is fixed in 1.3.19:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released

openSUSE has issued an advisory for this on March 22:
https://lists.opensuse.org/opensuse-updates/2017-03/msg00072.html

Updates for Mageia 5 and Cauldron checked into SVN.  Freeze push requested.

Eventual advisory for this update below.

Advisory:
========================

Updated mbedtls packages fix security vulnerabilities:

In mbedTLS before 1.3.19, if a malicious peer supplies a certificate with a
specially crafted secp224k1 public key, then an attacker can cause the server
or client to attempt to free a block of memory held on the stack. Depending on the
platform, this could result in a Denial of Service (client crash) or potentially
could be exploited to allow remote code execution with the same privileges as
the host application (CVE-2017-2784).

The mbedtls package has been updated to version 1.3.19, fixing this issue as
well as other security issues and bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2784
https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
https://lists.opensuse.org/opensuse-updates/2017-03/msg00072.html
========================

Updated packages in core/updates_testing:
========================
mbedtls-1.3.19-1.mga5
libmbedtls9-1.3.19-1.mga5
libmbedtls-devel-1.3.19-1.mga5

from mbedtls-1.3.19-1.mga5.src.rpm
Comment 1 David Walser 2017-03-23 14:59:05 CET
The previous update was simply tested by running the mbedtls-selftest command.

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2017-03-24 00:15:08 CET
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory, packages, and testing information in Comment 0 and Comment 1.

Assignee: bugsquad => qa-bugs

Dave Hodgins 2017-03-25 00:43:06 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 3 Len Lawrence 2017-03-27 17:52:52 CEST
The preupdate packages were already installed.
Ran the mbedtls-selftest command and all tests were passed.
Installed the updates on x86_64 and ran the test command again.

Tail end of output:

  DHM parameter load: passed

  ENTROPY test: passed

  PBKDF2 (SHA1) #0: passed
  PBKDF2 (SHA1) #1: passed
  PBKDF2 (SHA1) #2: passed
  PBKDF2 (SHA1) #3: passed
  PBKDF2 (SHA1) #4: passed
  PBKDF2 (SHA1) #5: passed

  PBKDF2 (SHA1) #0: passed
  PBKDF2 (SHA1) #1: passed
  PBKDF2 (SHA1) #2: passed
  PBKDF2 (SHA1) #3: passed
  PBKDF2 (SHA1) #4: passed
  PBKDF2 (SHA1) #5: passed

  TIMING tests note: will take some time!
  TIMING test #1 (m_sleep   / get_timer): passed
  TIMING test #2 (set_alarm / get_timer): passed
  TIMING test #3 (hardclock / get_timer): passed
  TIMING test #4 (net_usleep/ get_timer): passed

  [ All tests passed ]

CC: (none) => tarazed25

Len Lawrence 2017-03-27 17:53:08 CEST

Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
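The QA procedure used in this ticket is to install the updated packages and run mbedtls-selftest, then read the tail of its output by eye. The script below is an added example (not part of the bug report or of the mbedtls project) that automates both halves of that check: it confirms the installed mbedtls version is at least the fixed 1.3.19 named in the advisory, and it parses self-test output for the closing "[ All tests passed ]" line while rejecting any line reporting a failed test. The two sample outputs are constructed (the failing one only mimics the shape of a failure, not the exact text mbedtls prints), and the live check assumes the rpm and mbedtls-selftest commands are present as on a Mageia 5 system.

```shell
#!/bin/sh
# Added example: automate the QA check from this ticket (not the page's own code).

# Return 0 when the installed version in $1 (e.g. "1.3.19-1.mga5") is at least
# the minimum fixed upstream version in $2. The RPM release suffix is stripped
# and sort -V gives a natural version ordering, so 1.3.20 also counts as fixed.
version_fixed() {
    installed="${1%%-*}"
    required="$2"
    lowest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | head -n 1)
    [ "$lowest" = "$required" ]
}

# Return 0 when the self-test output in $1 contains the success summary line
# quoted in Comment 3 and no line marking an individual test as failed.
selftest_passed() {
    output="$1"
    printf '%s\n' "$output" | grep -q '^ *\[ All tests passed \]' || return 1
    ! printf '%s\n' "$output" | grep -q ': failed'
}

# Constructed sample outputs, shaped like the tail quoted in Comment 3.
# The failing sample is an assumption about the shape of a failure report.
SAMPLE_OK='  TIMING test #4 (net_usleep/ get_timer): passed

  [ All tests passed ]'

SAMPLE_BAD='  PBKDF2 (SHA1) #0: failed

  [ 1 tests FAIL ]'

# Live check on a real system. Assumes rpm and mbedtls-selftest are installed.
check_system() {
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' mbedtls) || return 1
    version_fixed "$ver" 1.3.19 || {
        echo "mbedtls $ver is older than the fixed version 1.3.19"
        return 1
    }
    out=$(mbedtls-selftest 2>&1) || return 1
    selftest_passed "$out"
}

# Run "sh verify-mbedtls.sh --live" on the system under test; without the
# flag the script only exercises the parser on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    check_system && echo "mbedtls update verified"
else
    selftest_passed "$SAMPLE_OK" && echo "sample OK output: accepted"
    selftest_passed "$SAMPLE_BAD" || echo "sample failing output: rejected"
fi
```

Because the release suffix is dropped before comparing, a rebuilt 1.3.19-2 package is still treated as fixed; the check is about the upstream version carrying the fix, not the packaging revision.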

Comment 4 Len Lawrence 2017-03-27 18:08:36 CEST
Installed missing pre-update packages on i586 in virtualbox and ran the selftest.  All OK.

Installed the update and ran the mbedtls-selftest command again.  All tests passed.

OK for both architectures.  Can be validated.
Len Lawrence 2017-03-27 18:09:21 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-03-27 23:28:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0094.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED