Bug 29416

Summary: libesmtp new security issue CVE-2019-19977
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libesmtp-1.0.6-12.mga8.src.rpm CVE: CVE-2019-19977
Status comment:

Description David Walser 2021-08-26 18:31:35 CEST 
SUSE has issued an advisory on August 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009358.html

Mageia 8 is also affected.
David Walser 2021-08-26 18:32:07 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-08-26 20:49:10 CEST 
'libesmtp' has no registered nor evident maintainer, so having to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-09-03 19:34:38 CEST 
openSUSE has issued an advisory for this today (September 3):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TGZ4L5IPYNOJTWC7WZTAMPSFHIGKXQAE/

Status comment: (none) => Patch available from openSUSE

Comment 3 Nicolas Salguero 2021-09-06 09:43:38 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libESMTP through 1.0.6 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as demonstrated by a stack-based buffer over-read. (CVE-2019-19977)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19977
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009358.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TGZ4L5IPYNOJTWC7WZTAMPSFHIGKXQAE/
========================

Updated packages in core/updates_testing:
========================
lib(64)esmtp6-1.0.6-12.1.mga8
lib(64)esmtp-devel-1.0.6-12.1.mga8

from SRPM:
libesmtp-1.0.6-12.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-19977
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Patch available from openSUSE => (none)
Version: Cauldron => 8

Comment 4 Herman Viaene 2021-09-30 15:08:24 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
No previous updates or wiki entry, so
# urpmq --whatrequires lib64esmtp6
lib64esmtp-devel
lib64esmtp-devel
lib64esmtp6
pacemaker
syslog-ng-smtp
[root@mach5 ~]# urpmq --whatrequires-recursive lib64esmtp6
crmsh
crmsh-test
drbd-utils-pacemaker
lib64esmtp-devel
lib64esmtp-devel
lib64esmtp6
lib64pacemaker-devel
pacemaker
syslog-ng-smtp

Pacemaker has to do with clusters of computers and crmsh is just a CLI to pacemaker, and syslog-ng-smtp has to do with sending log messages from an smtp server. All out f my league........

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2021-11-05 15:05:44 CET 
Same here, Herman. I'm going to pass it on based on your clean install.

Validating. Advisory in Comment 3.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-11-07 22:41:29 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2021-11-10 23:54:36 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0503.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED