Bug 22848

Summary: links new security issue CVE-2017-11114
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, nicolas.salguero, smelror, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Source RPM: links-2.14-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-03-31 22:02:38 CEST 
openSUSE has issued an advisory on March 30:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00115.html

The issue is fixed upstream in 2.15.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-31 22:02:46 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2018-03-31 22:22:40 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-05-01 05:59:24 CEST 
Updated by Nicolas.  Thanks!

Advisory:
========================

Updated links packages fix security vulnerability:

Buffer over-read vulnerability in case of corrupted UTF-8 data (CVE-2017-11114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11114
https://lists.opensuse.org/opensuse-updates/2018-03/msg00115.html
========================

Updated packages in core/updates_testing:
========================
links-2.15-1.mga5
links-graphic-2.15-1.mga5
links-common-2.15-1.mga5
links-2.15-1.mga6
links-graphic-2.15-1.mga6
links-common-2.15-1.mga6

from SRPMS:
links-2.15-1.mga5.src.rpm
links-2.15-1.mga6.src.rpm

Version: Cauldron => 6
CC: (none) => nicolas.salguero
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs

Comment 3 PC LX 2018-05-02 15:22:54 CEST 
Installed OK but is crashing in the quick tests I did.

How to trigger the crash:
1. Execute "gdb links"
2. Run links with "run https://youtube.com/"
3. Change pages several times.
4. Press ESC to show menu.
5. Exit links.

$ uname -a
Linux marte 4.14.38-desktop-1.mga6 #1 SMP Mon Apr 30 13:15:08 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep links-.*2.15 | sort
links-2.15-1.mga6
links-common-2.15-1.mga6
links-debuginfo-2.15-1.mga6
$ gdb links
<SNIP>
(gdb) run https://youtube.com/
<SNIP>
INTERNAL ERROR at error.c:515: mem_free(NULL)

Forcing core dump

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6afe818 in __GI_raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:55
55        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007ffff6afe818 in __GI_raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x000000000041956a in force_dump () at error.c:149
#2  int_error (m=m@entry=0x485bb3 "mem_free(NULL)") at error.c:229
#3  0x000000000041976d in mem_free (p=<optimized out>) at error.c:515
#4  0x0000000000414584 in free_cookie (c=c@entry=0x7be540) at cookies.c:31
#5  0x0000000000414d83 in free_cookies () at cookies.c:225
#6  0x00000000004044eb in terminate_all_subsystems () at main.c:563
#7  main (argc=<optimized out>, argv=<optimized out>) at main.c:738
(gdb)

CC: (none) => mageia

Comment 4 David Walser 2018-05-02 15:42:09 CEST 
Browsing mirrors.mageia.org and a mirror with it worked fine.  I was able to load youtube.com but when I exited it did say Segmentation fault.  Mageia 5 x86_64.
Comment 5 Nicolas Salguero 2018-05-03 13:22:02 CEST 
Advisory:
========================

Updated links packages fix security vulnerability:

Buffer over-read vulnerability in case of corrupted UTF-8 data (CVE-2017-11114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11114
https://lists.opensuse.org/opensuse-updates/2018-03/msg00115.html
========================

Updated packages in core/updates_testing:
========================
links-2.15-2.mga5
links-graphic-2.15-2.mga5
links-common-2.15-2.mga5
links-2.15-2.mga6
links-graphic-2.15-2.mga6
links-common-2.15-2.mga6

from SRPMS:
links-2.15-2.mga5.src.rpm
links-2.15-2.mga6.src.rpm

Status: NEW => ASSIGNED

Comment 6 Nicolas Salguero 2018-05-03 13:33:32 CEST 
Sorry, I made a mistake in the patch links-2.15-fix-segfault-on-loading-cookies.patch.

Advisory:
========================

Updated links packages fix security vulnerability:

Buffer over-read vulnerability in case of corrupted UTF-8 data (CVE-2017-11114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11114
https://lists.opensuse.org/opensuse-updates/2018-03/msg00115.html
========================

Updated packages in core/updates_testing:
========================
links-2.15-3.mga5
links-graphic-2.15-3.mga5
links-common-2.15-3.mga5
links-2.15-3.mga6
links-graphic-2.15-3.mga6
links-common-2.15-3.mga6

from SRPMS:
links-2.15-3.mga5.src.rpm
links-2.15-3.mga6.src.rpm
Comment 7 David Walser 2018-05-03 15:27:58 CEST 
Looks good on Mageia 5 x86_64.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 8 PC LX 2018-05-03 18:25:49 CEST 
After the last update the segfault is resolved. No issue found. Seems OK for Mageia 6 x86_64.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Lewis Smith 2018-05-04 10:27:21 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-05-04 19:30:22 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0217.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED