Bug 25653

Summary: freetds new security issue CVE-2019-13508
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: freetds-1.00.83-2.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-11-03 03:07:11 CET
Ubuntu has issued an advisory on October 30:
https://usn.ubuntu.com/4173-1/

Mageia 7 is also affected.
David Walser 2019-11-03 03:07:19 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2019-11-03 05:18:46 CET
This is already fixed upstream in 1.1.16 release from Cauldron:

"FreeTDS through 1.1.11 has a Buffer Overflow."

Source RPM: freetds-1.1.16-1.mga8.src.rpm => freetds-1.00.83-2.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => geiger.david68210

Comment 2 David GEIGER 2019-11-03 05:21:16 CET
And now mga7 fixed.

Comment 3 David Walser 2019-11-03 06:04:07 CET
Advisory:
========================

Updated freetds packages fix security vulnerability:

Felix Wilhelm discovered that FreeTDS incorrectly handled certain types after a
protocol downgrade. A remote attacker could use this issue to cause FreeTDS to
crash, resulting in a denial of service, or possibly execute arbitrary code
(CVE-2019-13508).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13508
https://usn.ubuntu.com/4173-1/
========================

Updated packages in core/updates_testing:
========================
libfreetds0-1.00.83-2.1.mga7
libfreetds0-unixodbc-1.00.83-2.1.mga7
libfreetds-devel-1.00.83-2.1.mga7
freetds-doc-1.00.83-2.1.mga7

from freetds-1.00.83-2.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Herman Viaene 2019-11-05 10:24:42 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
I read from www.freetds.org "FreeTDS is a set of libraries for Unix and Linux that allows your programs to natively talk to Microsoft SQL Server and Sybase databases".
I don't have these databases available, but found some sample at https://www.freetds.org/userguide/perl.htm
Installed package perl-DBD-Sybase and used the sample program there, giving
$ perl freetdstest.pl
Unable for connect to server OpenClient message: LAYER = (0) ORIGIN = (0) SEVERITY = (78) NUMBER = (44)
Server JDBC, database 
Message String: Server name not found in configuration files.
OpenClient message: LAYER = (0) ORIGIN = (0) SEVERITY = (78) NUMBER = (45)
Server JDBC, database 
Message String: Unknown host machine name.
OpenClient message: LAYER = (0) ORIGIN = (0) SEVERITY = (78) NUMBER = (41)
Server JDBC, database 
Message String: Unable to connect: Adaptive Server is unavailable or does not exist

Meaning probably that Sybase's public JDBC server isn't there anymore, but anyway, the feedback seems sensible enough.
OK'ing unless someone has a better idea to test.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-11-07 16:23:02 CET
I'm going to go with it, Herman. Validating. Advisory in Comment 3.

Keywords: (none) => validated_backport
CC: (none) => andrewsfarm

Thomas Backlund 2019-11-07 21:48:50 CET

Keywords: validated_backport => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 6 Mageia Robot 2019-11-08 00:38:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0319.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2019-12-23 19:36:27 CET
It looks like the Ubuntu comment (Comment 1) was incorrect and the fix was actually included in 1.1.11. Just noting that.