| Summary: | menu-cache new security issue CVE-2017-8933 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, lewyssmith, nicolas.salguero, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | advisory mga5-32-ok MGA5-64-OK | ||
| Source RPM: | menu-cache-1.0.0-5.mga5.src.rpm | CVE: | CVE-2017-8933 |
| Status comment: | |||
|
Description
David Walser
2017-05-16 00:11:48 CEST
David Walser
2017-05-16 00:13:59 CEST
Whiteboard:
(none) =>
MGA5TOO Regarding Cauldron, menu-cache-1.0.2-3.mga6 and pcmanfm-1.2.5-2.mga6 already contain the fix. Suggested advisory: ======================== The updated packages fix a security vulnerability: Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability). (CVE-2017-8933) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8933 http://openwall.com/lists/oss-security/2017/05/15/3 ======================== Updated packages in core/updates_testing: ======================== menu-cache-1.0.0-5.1.mga5 lib(64)menu-cache3-1.0.0-5.1.mga5 lib(64)menu-cache-devel-1.0.0-5.1.mga5 pcmanfm-1.2.3-2.3.mga5 from SRPMS: menu-cache-1.0.0-5.1.mga5.src.rpm pcmanfm-1.2.3-2.3.mga5.src.rpm Whiteboard:
MGA5TOO =>
(none) Oops, I did not saw bug 20864 so I added pcmanfm-1.2.3-2.2.mga5.src.rpm to this one. Suggested advisory: ======================== The updated packages fix a security vulnerability: Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability). (CVE-2017-8933) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8933 http://openwall.com/lists/oss-security/2017/05/15/3 ======================== Updated packages in core/updates_testing: ======================== menu-cache-1.0.0-5.1.mga5 lib(64)menu-cache3-1.0.0-5.1.mga5 lib(64)menu-cache-devel-1.0.0-5.1.mga5 from SRPMS: menu-cache-1.0.0-5.1.mga5.src.rpm CC:
(none) =>
nicolas.salguero
Nicolas Salguero
2017-05-16 10:33:42 CEST
Source RPM:
menu-cache-1.0.0-5.mga5.src.rpm, pcmanfm-1.2.3-2.2.mga5.src.rpm =>
menu-cache-1.0.0-5.mga5.src.rpm
Dave Hodgins
2017-05-21 02:59:24 CEST
Whiteboard:
(none) =>
advisory $ uname -a Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 18:41:19 UTC 2017 i686 i686 i686 GNU/Linux The following 3 packages are going to be installed: - libmenu-cache-devel-1.0.0-5.1.mga5.i586 - libmenu-cache3-1.0.0-5.1.mga5.i586 - menu-cache-1.0.0-5.1.mga5.i586 6.1KB of additional disk space will be used. 68KB of packages will be retrieved. Is it ok to continue? --- running LXDE --- Installed menu-cache and rebooted. going through menu and applications things are working as expected. CC:
(none) =>
brtians1 Testing M5_64, LXDE
Updated menu-cache to:
lib64menu-cache3-1.0.0-5.1.mga5
menu-cache-1.0.0-5.1.mga5
Re-booted after the update, and tried every first & last menu & sub-menu ('more') item. All OK. Could see no way to use strace to see whether these two libraries are called during menu manipulations, so OKing the update.
Validating; advisory in place.Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0155.html Status:
ASSIGNED =>
RESOLVED |