Bug 7002

Psi is also affected by this vulnerability.

Fedora has issued an advisory on November 27:
http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070582.html

from http://lwn.net/Vulnerabilities/470760/

I have patched Psi in SVN, but it does not build in Cauldron.

John, could you have a look at this?

CC: (none) => qa-bugs
Assignee: qa-bugs => balcaen.john
Summary: arora missing update for security issue CVE-2011-3367 => arora and psi missing update for security issue CVE-2011-3367

I'm not using cauldron anymore so i can test.
From the build log you should probably rebuild QCA2 first using the new qt4 macros & add 2 patchs on the spec :

cat qca-2.0.3-fix-mkspec-install.patch (fix mkspec install) 
Index: CMakeLists.txt
===================================================================
--- a/CMakeLists.txt
+++ b/CMakeLists.txt    2012-08-10 22:09:35.968210189 -0300
@@ -140,7 +140,7 @@
 endif(NOT WIN32)

 configure_file("crypto.prf.cmake" "${CMAKE_BINARY_DIR}/crypto.prf" @ONLY)
-install(FILES "${CMAKE_BINARY_DIR}/crypto.prf" DESTINATION ${CMAKE_INSTALL_PREFIX}/mkspecs/features)
+install(FILES "${CMAKE_BINARY_DIR}/crypto.prf" DESTINATION "${QT_MKSPECS_DIR}/features" )

 install(FILES man/qcatool2.1 DESTINATION ${CMAKE_INSTALL_PREFIX}/share/man/man1)

cat qca-2.0.3-gcc.patch ( fix gcc4.7 & it's from fedora)
--- ./src/botantools/botan/botan/secmem.h.orig  2012-01-07 20:09:35.427999593 +0100
+++ ./src/botantools/botan/botan/secmem.h       2012-01-07 20:09:52.540001422 +0100
@@ -214,11 +214,11 @@

       SecureVector(u32bit n = 0) { MemoryRegion<T>::init(true, n); }
       SecureVector(const T in[], u32bit n)
-         { MemoryRegion<T>::init(true); set(in, n); }
+         { MemoryRegion<T>::init(true); this->set(in, n); }
       SecureVector(const MemoryRegion<T>& in)
-         { MemoryRegion<T>::init(true); set(in); }
+         { MemoryRegion<T>::init(true); this->set(in); }
       SecureVector(const MemoryRegion<T>& in1, const MemoryRegion<T>& in2)
-         { MemoryRegion<T>::init(true); set(in1); append(in2); }
+         { MemoryRegion<T>::init(true); this->set(in1); append(in2); }
    };

 /*************************************************

& the spec should be changed like this :

Index: SPECS/qca2.spec
===================================================================
--- SPECS/qca2.spec     (révision 280484)
+++ SPECS/qca2.spec     (copie de travail)
@@ -2,21 +2,22 @@
 %{?_without_sys_rootcerts: %{expand: %%global build_sys_rootcerts 0}}
 
 %define name_orig      qca
-%define qtcryptodir    %{qt4plugins}/crypto
+%define qtcryptodir    %{_qt4_plugindir}/crypto
 
 %define source_ver     %{version}
 
 Name: qca2
 Version: 2.0.3
-Release: %mkrel 2
+Release: %mkrel 3
 License: LGPL
 Summary: Straightforward and cross-platform crypto API for Qt
 Group: System/Libraries
 URL: http://delta.affinix.com/qca
 # From kde support module
 Source: %{name_orig}-%{source_ver}.tar.xz
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
-BuildRequires: qt4-devel >= 2:4.5
+Patch100: qca-2.0.3-fix-mkspec-install.patch
+Patch101: qca-2.0.3-gcc.patch
+BuildRequires: pkgconfig(QtCore) <= 5.0.0
 %if %{build_sys_rootcerts}
 BuildRequires: rootcerts
 %endif
@@ -24,6 +25,7 @@
 BuildRequires: libgcrypt-devel
 BuildRequires: libsasl-devel
 BuildRequires: nss-devel
+BuildRequires: gnupg2
 Obsoletes: qca >= 2.0
 
 %description
@@ -42,7 +44,7 @@
 %defattr(0644,root,root,0755)
 %doc README COPYING INSTALL TODO
 %defattr(0755,root,root,0755)
-%{qt4dir}/bin/qcatool2
+%{_bindir}/qcatool2
 %_mandir/man1/*
 
 #------------------------------------------------------------------------------
@@ -59,10 +61,10 @@
 
 %files -n %{name}-root-certificates
 %defattr(0644,root,root,0755)
-%dir %{qt4dir}/share/qca
-%dir %{qt4dir}/share/qca/certs
-%doc %{qt4dir}/share/qca/certs/README
-%{qt4dir}/share/qca/certs/rootcerts.pem
+%dir %{_qt4_prefix}/share/qca
+%dir %{_qt4_prefix}/share/qca/certs
+%doc %{_qt4_prefix}/share/qca/certs/README
+%{_qt4_prefix}/share/qca/certs/rootcerts.pem
 %endif
 
 #------------------------------------------------------------------------------
@@ -89,7 +91,7 @@
 %doc README COPYING INSTALL TODO
 %dir %{qtcryptodir}
 %defattr(0755,root,root,0755)
-%{qt4lib}/libqca.so.%{lib_major}*
+%{_qt4_libdir}/libqca.so.%{lib_major}*
 
 #------------------------------------------------------------------------------
 
@@ -110,10 +112,10 @@
 %files -n %{libdev}
 %defattr(0644,root,root,0755)
 %{_libdir}/pkgconfig/qca2.pc
-%{qt4dir}/mkspecs/features/crypto.prf
-%dir %{qt4include}/QtCrypto
-%{qt4include}/QtCrypto/*
-%{qt4lib}/libqca.so
+%{_qt4_prefix}/mkspecs/features/crypto.prf
+%dir %{_qt4_includedir}/QtCrypto
+%{_qt4_includedir}/QtCrypto/*
+%{_qt4_libdir}/libqca.so
 
 #------------------------------------------------------------------------------
 
@@ -132,7 +134,7 @@
 
 %files plugin-gnupg
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-gnupg.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-gnupg.*
 
 #------------------------------------------------------------------------------
 
@@ -153,7 +155,7 @@
 
 %files plugin-openssl
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-ossl.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-ossl.*
 
 #------------------------------------------------------------------------------
 
@@ -174,7 +176,7 @@
 
 %files plugin-pkcs11
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-pkcs11.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-pkcs11.*
 
 #------------------------------------------------------------------------------
 
@@ -194,7 +196,7 @@
 
 %files plugin-cyrus-sasl
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-cyrus-sasl.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-cyrus-sasl.*
 
 #------------------------------------------------------------------------------
 
@@ -213,7 +215,7 @@
 
 %files plugin-logger
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-logger.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-logger.*
 
 #------------------------------------------------------------------------------
 
@@ -232,7 +234,7 @@

 %files plugin-gcrypt
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-gcrypt.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-gcrypt.*

 #------------------------------------------------------------------------------

@@ -251,7 +253,7 @@

 %files plugin-nss
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-nss.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-nss.*

 #------------------------------------------------------------------------------

@@ -270,29 +272,21 @@

 %files plugin-softstore
 %defattr(0644,root,root,0755)
-%attr(0755,root,root) %{qt4plugins}/crypto/libqca-softstore.*
+%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-softstore.*

 #------------------------------------------------------------------------------

 %prep
 %setup -q -n %{name_orig}-%{source_ver}
+%apply_patches

-
 %build

-%cmake_qt4 \
-       -DCMAKE_INSTALL_PREFIX=%{qt4dir} \
-       -DLIB_INSTALL_DIR=%_libdir \
-       -DPKGCONFIG_INSTALL_PREFIX=%_libdir/pkgconfig
+%cmake_qt4
+
 %make


 %install
 %makeinstall_std -C build

-# Make directory for plugins
-install -d -m 755 %{buildroot}/%{qtcryptodir}
-
-mkdir -p %{buildroot}%{_mandir}
-mv %{buildroot}%qt4dir/share/man/man1 %{buildroot}%{_mandir}


With this psi should be able to detect qca.
So far i don't have time to test psi build, probably next week.

CC: (none) => balcaen.john
Assignee: balcaen.john => bugsquad

 cat psi-0.14-fix-gcc4.7.patch
--- iris/src/irisnet/corelib/netinterface_unix.cpp.orig 2012-01-07 19:46:39.493999646 +0100
+++ iris/src/irisnet/corelib/netinterface_unix.cpp      2012-01-07 19:46:57.251002321 +0100
@@ -33,6 +33,7 @@
 #include <net/route.h>
 #include <netinet/in.h>
 #include <errno.h>
+#include <unistd.h>

 // for solaris
 #ifndef SIOCGIFCONF

Should do the trick for psi (again from fedora to fix gcc4.7 build)

Thanks John!

Fixed qca2 package uploaded for Mageia 2 and Cauldron.

Patched psi package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated arora and psi packages fix security vulnerability:

Arora, possibly 0.11 and other versions, does not use a certain font
when rendering certificate fields in a security dialog, which allows
remote attackers to spoof the common name (CN) of a certificate via
rich text (CVE-2011-3367).

Psi is also affected by this vulnerability and has been patched as well.

Finally, qca2 in Mageia 2 has been fixed so that Psi will build with it.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3367
http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070892.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070582.html
========================

Updated packages in core/updates_testing:
========================
arora-0.11.0-2.1.mga1
psi-0.14-8.1.mga1
psi-iconsets-0.14-8.1.mga1
psi-smileysets-0.14-8.1.mga1
psi-lang-pack-pl-0.14-8.1.mga1
psi-lang-pack-fr-0.14-8.1.mga1
psi-lang-pack-cs-0.14-8.1.mga1
psi-lang-pack-ru-0.14-8.1.mga1
psi-lang-pack-de-0.14-8.1.mga1
psi-lang-pack-es-0.14-8.1.mga1
psi-lang-pack-mk-0.14-8.1.mga1
psi-lang-pack-it-0.14-8.1.mga1
psi-lang-pack-zh-0.14-8.1.mga1
psi-lang-pack-pt_br-0.14-8.1.mga1
psi-lang-pack-sl-0.14-8.1.mga1
psi-lang-pack-en-0.14-8.1.mga1
psi-lang-pack-be-0.14-8.1.mga1
psi-lang-pack-ur_PK-0.14-8.1.mga1
psi-lang-pack-ja-0.14-8.1.mga1
psi-lang-pack-sv-0.14-8.1.mga1
arora-0.11.0-5.1.mga2
psi-0.14-9.1.mga2
psi-iconsets-0.14-9.1.mga2
psi-smileysets-0.14-9.1.mga2
psi-lang-pack-pl-0.14-9.1.mga2
psi-lang-pack-fr-0.14-9.1.mga2
psi-lang-pack-cs-0.14-9.1.mga2
psi-lang-pack-ru-0.14-9.1.mga2
psi-lang-pack-de-0.14-9.1.mga2
psi-lang-pack-es-0.14-9.1.mga2
psi-lang-pack-mk-0.14-9.1.mga2
psi-lang-pack-it-0.14-9.1.mga2
psi-lang-pack-zh-0.14-9.1.mga2
psi-lang-pack-pt_br-0.14-9.1.mga2
psi-lang-pack-sl-0.14-9.1.mga2
psi-lang-pack-en-0.14-9.1.mga2
psi-lang-pack-be-0.14-9.1.mga2
psi-lang-pack-ur_PK-0.14-9.1.mga2
psi-lang-pack-ja-0.14-9.1.mga2
psi-lang-pack-sv-0.14-9.1.mga2
qca2-2.0.3-2.1.mga2
libqca2-2.0.3-2.1.mga2
libqca-devel-2.0.3-2.1.mga2
qca2-plugin-gnupg-2.0.3-2.1.mga2
qca2-plugin-openssl-2.0.3-2.1.mga2
qca2-plugin-pkcs11-2.0.3-2.1.mga2
qca2-plugin-cyrus-sasl-2.0.3-2.1.mga2
qca2-plugin-logger-2.0.3-2.1.mga2
qca2-plugin-gcrypt-2.0.3-2.1.mga2
qca2-plugin-nss-2.0.3-2.1.mga2
qca2-plugin-softstore-2.0.3-2.1.mga2

from SRPMS:
arora-0.11.0-2.1.mga1.src.rpm
psi-0.14-8.1.mga1.src.rpm
arora-0.11.0-5.1.mga2.src.rpm
psi-0.14-9.1.mga2.src.rpm
qca2-2.0.3-2.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Testing complete on Mageia 1 i586.

No poc, that I could find.

jabber.org is not working, so I created a new account at jabber.me
for testing psi, and was able to join a chat room.

For arora, it isn't working with icedtea-web, but I've confirmed
this is not a regression.  Other standard browser testing, including
flash is working.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK has_procedure

I'll be testing Mageia 1 x86-64, and then Mageia 2 shortly.

Testing complete on Mageia 1 x86-64.  Testing Mageia 2 shortly.

Whiteboard: MGA1TOO MGA1-32-OK has_procedure => MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpms
arora-0.11.0-5.1.mga2.src.rpm
psi-0.14-9.1.mga2.src.rpm
qca2-2.0.3-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
arora-0.11.0-2.1.mga1.src.rpm
psi-0.14-8.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated arora and psi packages fix security vulnerability:

Arora, possibly 0.11 and other versions, does not use a certain font
when rendering certificate fields in a security dialog, which allows
remote attackers to spoof the common name (CN) of a certificate via
rich text (CVE-2011-3367).

Psi is also affected by this vulnerability and has been patched as well.

Finally, qca2 in Mageia 2 has been fixed so that Psi will build with it.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3367
http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070892.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070582.html

https://bugs.mageia.org/show_bug.cgi?id=7002

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK => MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK MGA2-32-OK MGA2-64-OK

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0220

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED