Bug 21922

Summary: exiv2 new security issues CVE-2017-11591 CVE-2017-11683 CVE-2017-14859 CVE-2017-1486[25]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Mike Rambo <mhrambo3501>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, mhrambo3501
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=21158
Whiteboard: MGA6TOO, MGA5TOO
Source RPM: exiv2-0.26-2.mga6.src.rpm CVE:
Status comment:
Bug Depends on: 21158    
Bug Blocks:    

Description David Walser 2017-10-23 16:22:12 CEST 
openSUSE has issued an advisory on October 21:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00070.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-10-23 16:22:17 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-10-24 10:24:30 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => pterjan
CC: (none) => marja11

David Walser 2017-10-25 17:21:38 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21158

Comment 2 Mike Rambo 2017-10-26 16:39:07 CEST 
It looks like suse has a typo in one of their patch CVE numbers. The patch which claims to cover CVE-2017-1486[529] actually covers 1486[429]. There is a ticket on CVE-2017-14865 (and five others) still open upstream. But I found a more comprehensive patch set upstream anyway.

https://github.com/Exiv2/exiv2/pull/120 backports fixes for 15 CVE's to 0.26 (CVE-2017-11337, CVE-2017-11338, CVE-2017-11339, CVE-2017-11340, CVE-2017-11553, CVE-2017-11591, CVE-2017-11592, CVE-2017-11683, CVE-2017-12955, CVE-2017-12956, CVE-2017-12957, CVE-2017-14859, CVE-2017-14860, CVE-2017-14862, CVE-2017-14864) and some research found that the same patch fixed CVE-2017-11336 and CVE-2017-14857 also.

Patched package uploaded for cauldron. Mageia 6 will be forthcoming as will Mageia 5 if the patch applies.

CC: (none) => mrambo
Assignee: pterjan => mrambo

Mike Rambo 2017-10-26 18:53:42 CEST

Depends on: (none) => 21158

Comment 3 Lewis Smith 2017-10-27 14:52:07 CEST 
https://bugs.mageia.org/show_bug.cgi?id=21158#c9
Bug 21158 fixes all the CVEs cited above except 14869 (perhaps it does).
Can this bug be closed in consequence?
Comment 4 David Walser 2017-10-27 14:55:49 CEST 
(In reply to Lewis Smith from comment #3)
> https://bugs.mageia.org/show_bug.cgi?id=21158#c9
> Bug 21158 fixes all the CVEs cited above except 14869 (perhaps it does).
> Can this bug be closed in consequence?

Once the update for Bug 21158 is pushed.
Comment 5 David Walser 2017-10-30 21:22:48 CET 
Fixed in:
https://advisories.mageia.org/MGASA-2017-0391.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED