Bug 22025

Summary: konversation new security issue CVE-2017-15923
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: geiger.david68210, herman.viaene, rverschelde, sysadmin-bugs, wilcal.int
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
Source RPM: konversation-1.7.2-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-11-14 23:04:57 CET 
Upstream has issued an advisory on November 11:
https://konversation.kde.org/

Debian has issued an advisory for this on November 13:
https://www.debian.org/security/2017/dsa-4033

The issue is fixed upstream in 1.7.3, already in Cauldron.

A patch for 1.5.x (Mageia 5) can be obtained from upstream's git or Debian.
David Walser 2017-11-14 23:05:08 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO

Comment 1 David GEIGER 2017-11-15 21:17:38 CET 
Done also for mga5 and mga6!
Comment 2 David Walser 2017-11-15 23:10:10 CET 
Advisory:
========================

Updated konversation package fixes security vulnerability:

Joseph Bisch discovered that Konversation could crash when parsing certain IRC
color formatting codes (CVE-2017-15923).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15923
https://konversation.kde.org/
https://www.debian.org/security/2017/dsa-4033
========================

Updated packages in core/updates_testing:
========================
konversation-1.5.1-1.1.mga5
konversation-1.7.3-1.mga6

from SRPMS:
konversation-1.5.1-1.1.mga5.src.rpm
konversation-1.7.3-1.mga6.src.rpm

Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde

Comment 3 Herman Viaene 2017-11-16 14:16:28 CET 
MGA5-32 on Asus A6000VM Xfce
No installation issues
Started konversation and connected to #mageia, posted and got a reply.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 4 Herman Viaene 2017-11-16 16:17:49 CET 
MGA6-32 on Asus A6000VM MATE
No installation issues
Connected to #mageia-qa, could post, got no answer. Presumed to be working.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 5 William Kenney 2017-11-16 19:49:53 CET 
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
konversation

default install of konversation

[root@localhost wilcal]# urpmi konversation
Package konversation-1.7.2-1.mga6.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.

install konversation from updates_testing

[root@localhost wilcal]# urpmi konversation
Package konversation-1.7.3-1.mga6.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.

CC: (none) => wilcal.int

William Kenney 2017-11-16 19:50:09 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK

Comment 6 William Kenney 2017-11-16 20:00:27 CET 
In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test:
konversation

default install of konversation

[root@localhost wilcal]# urpmi konversation
Package konversation-1.5.1-1.mga5.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.

install konversation from updates_testing

[root@localhost wilcal]# urpmi konversation
Package konversation-1.5.1-1.1.mga5.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.
William Kenney 2017-11-16 20:00:48 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

Comment 7 William Kenney 2017-11-16 20:01:47 CET 
This update works fine.
Testing complete for Mageia 5 & 6, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Lewis Smith 2017-11-19 11:01:55 CET

Keywords: (none) => advisory

Comment 8 Mageia Robot 2017-11-19 12:20:49 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0419.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED