Bug 7354

Summary: gnome-keyring new security issue CVE-2012-3466
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: ed_rus099, olav, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/514953/
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: gnome-keyring-3.4.1-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-09-04 23:36:38 CEST 
Version 3.4.1, which we have in Mageia 2, is affected.

I don't know if Mageia 1 or Cauldron are affected.

More info here:
http://bugs.debian.org/683655
David Walser 2012-09-04 23:36:58 CEST

CC: (none) => olav
Assignee: bugsquad => olav

Comment 1 David Walser 2012-09-05 21:18:07 CEST 
http://bugzilla.gnome.org/show_bug.cgi?id=681081

Upstream bug.

URL: http://bugzilla.gnome.org/show_bug.cgi?id=681081 => (none)

Comment 2 David Walser 2012-09-05 21:21:20 CEST 
Fedora has issued an advisory on August 21:
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/085969.html

Patches added here:
http://pkgs.fedoraproject.org/cgit/gnome-keyring.git/commit/?h=f17&id=807308f73a241ecf14acfe8082bdb3150922d0c7

Looks like Cauldron should not be affected.

URL: (none) => http://lwn.net/Vulnerabilities/514953/

Comment 3 David Walser 2012-09-05 21:27:29 CEST 
The first Fedora patch says regression 3.3.x, so maybe doesn't affect Mageia 1, but the second patch there does apply to the code in Mageia 1.
Comment 4 David Walser 2012-09-05 21:31:24 CEST 
From the upstream bug, sounds like Mageia 1 shouldn't be affected.
Comment 5 David Walser 2012-09-05 21:51:29 CEST 
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated gnome-keyring package fixes security vulnerability:

gnome-keyring seems to obey the configuration asking it to stop caching
passphrases, but after a while it doesn't cache nor does it ask for the
passphrase (CVE-2012-3466).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3466
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/085969.html
========================

Updated packages in core/updates_testing:
========================
gnome-keyring-3.4.1-1.1.mga2

from gnome-keyring-3.4.1-1.1.mga2.src.rpm

Assignee: olav => qa-bugs

Comment 6 Eduard Beliaev 2012-09-08 23:13:11 CEST 
No problems with Mageia 2 x86_64.

CC: (none) => ed_rus099
Whiteboard: (none) => MGA2-64-OK

Comment 7 Eduard Beliaev 2012-09-09 00:05:02 CEST 
Works ok on Mageia 2 i568/x86.

Could sysadmin please push from core/updates_testing to core/updates.

See comment 5 for srpm and advisory.

Thank you.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-64-OK => MGA2-64-OK MGA2-32-OK

Comment 8 Thomas Backlund 2012-09-09 13:41:10 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0262

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED