Bug 21397

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Indeed these fixes weren't in 2.0.0.  They were committed upstream later.

Advisory:
========================

Updated libical packages fix security vulnerabilities:

libical 1.0 allows remote attackers to cause a denial of service
(use-after-free) via a crafted ics file (CVE-2016-5824).

The icaltime_from_string function in libical 0.47 and 1.0 allows remote
attackers to cause a denial of service (out-of-bounds heap read) via a crafted
string to the icalparser_parse_string function (CVE-2016-5827).

libical allows remote attackers to cause a denial of service (use-after-free)
and possibly read heap memory via a crafted ics file (CVE-2016-9584).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5824
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9584
https://lists.opensuse.org/opensuse-updates/2017-07/msg00108.html
========================

Updated packages in core/updates_testing:
========================
libical1-1.0-4.1.mga5
libicalss1-1.0-4.1.mga5
libicalvcal1-1.0-4.1.mga5
libical-devel-1.0-4.1.mga5
libical2-2.0.0-2.1.mga6
libicalss2-2.0.0-2.1.mga6
libicalvcal2-2.0.0-2.1.mga6
libical-devel-2.0.0-2.1.mga6

from SRPMS:
libical-1.0-4.1.mga5.src.rpm
libical-2.0.0-2.1.mga6.src.rpm

Version: 5 => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => MGA5TOO

MGA5-32 on Dell Latitude D600 Xfce
No installation issues
# urpmq --whatrequires libical1
found a.o. orage
$ strace -o libical.txt orage 
** Message: Orage **: 11:11:26  wakeup timer init 0
** Message: Orage **: 11:11:27  Wekkerlijst gemaakt voor hoofdbestand van Orage:
** Message: Orage **: 11:11:27  	0 wekkers toegevoegd. 0 gebeurtenissen verwerkt.
** Message: Orage **: 11:11:27  	Gevonden 0 wekkers, waarvan 0 actief (Gezocht 0 herhalende wekkers).
** Message: Orage **: 11:12:08  NEW appointment: 20180102
** Message: Orage **: 11:13:05  Added: O00.Orage-20180102T101305Z0-1000@mach6.hviaene.thuis
** Message: Orage **: 11:13:26  Archiveren niet ingeschakeld. Aan het afsluiten
I created an event in orage and found a call to libical and libicalss in the trace file.
OK for me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Testing M6/64

BEFORE update:
 lib64ical2-2.0.0-2.mga6
 lib64icalss2-2.0.0-2.mga6
 lib64icalvcal2-2.0.0-2.mga6.x86_64

Tried orage, minimal usage worked:
open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libicalss.so.2", O_RDONLY|O_CLOEXEC) = 3

Tried Evolution, which worked for most things, calendar functions included; but not for e-mail.
 $ strace evolution 2>&1 | grep libical
open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libicalvcal.so.2", O_RDONLY|O_CLOEXEC) = 17
Put this down to Evolution - it got its e-mail account knickers in a twist, even after un installation & re-installation

AFTER update:
 lib64ical2-2.0.0-2.1.mga6
 lib64icalss2-2.0.0-2.1.mga6
 lib64icalvcal2-2.0.0-2.1.mga6.x86_64

Orage worked OK (discovered how to add & play with an event).
Evolution calendar worked OK.
Tried AbiWord to insert a date in a document.
 $ strace abiword 2>&1 | grep libical
 open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3

Looks good for an OK. And in the circumstances, validation.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0021.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED