Bug 20809

Summary: libetpan new security issue CVE-2017-8825
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, lewyssmith, mageia, marja11, mhrambo3501, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: libetpan-1.7.2-1.mga6.src.rpm CVE: CVE-2017-8825
Status comment:

Description David Walser 2017-05-09 03:43:47 CEST 
A security issue fixed upstream in libetpan has been announced:
http://openwall.com/lists/oss-security/2017/05/08/6

The issue is fixed in 1.8.

The message above contains a link to the upstream commit that fixed the issue.

Mageia 5 is also affected.
David Walser 2017-05-09 03:43:54 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-05-09 07:41:53 CEST 
Fixed in cauldron

Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Version: Cauldron => 5

Nicolas Lécureuil 2017-05-09 07:42:01 CEST

CVE: (none) => CVE-2017-8825

Comment 2 Marja Van Waes 2017-05-09 11:49:51 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 3 Mike Rambo 2017-06-14 20:18:24 CEST 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libetpan package fixes security vulnerability:

It was discovered that libetpan, a C language mail access and handling library that is used in a number of MUAs, contained a NULL dereference vulnerability in the MIME handling code (CVE-2017-8825)

References:
http://openwall.com/lists/oss-security/2017/05/08/6
========================

Updated packages in core/updates_testing:
========================
lib64etpan17-1.6-1.1.mga5
lib64etpan-devel-1.6-1.1.mga5
libetpan-debuginfo-1.6-1.1.mga5

from libetpan-1.6-1.1.mga5.src.rpm

CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-06-18 08:05:34 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Herman Viaene 2017-06-19 13:48:02 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Claws mail is dependent on libetpan17.
Opened claw mail and sent message (including an attachment) and with
$ strace -o libetpan17 claws-mail 
found in the trace file
open("/lib/libetpan.so.17", O_RDONLY|O_CLOEXEC) = 3

So OK for me.

Whiteboard: advisory => advisory MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Lewis Smith 2017-06-27 20:33:52 CEST 
Testing M5_64

 $ urpmq -i lib64etpan17
The purpose of this mail library is to provide a portable, efficient
framework for different kinds of mail access.
 $ urpmq --whatrequires lib64etpan17
 claws-mail
I use Claws-mail routinely.

BEFORE the update: ib64etpan17-1.6-1.mga5

AFTER the update: lib64etpan17-1.6-1.1.mga5
 $ strace claws-mail 2>&1 | grep libetpan
open("/lib64/libetpan.so.17", O_RDONLY|O_CLOEXEC) = 3

Sent a few messages to myself at 2 addresses, with attachment. All looks OK.
Validating; already advisoried.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-28 12:12:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0191.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED