| Summary: | coreutils new security issues CVE-2013-0221, CVE-2013-0222, CVE-2013-0223 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | cmrisolde, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/535735/ | ||
| Whiteboard: | has_procedure mga2-32-OK mga2-64-OK | ||
| Source RPM: | coreutils | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-02-01 19:49:13 CET
David Walser
2013-02-01 19:49:20 CET
Whiteboard: (none) => MGA2TOO
David Walser
2013-02-01 20:38:44 CET
CC: (none) => tmb
David Walser
2013-02-01 21:43:44 CET
URL: (none) => http://lwn.net/Vulnerabilities/535735/

It appears the master branch in Fedora git had the exact same i18n patch we do in Cauldron. The updated one for version 8.20 is here:
http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch

Fedora 17 has the same coreutils version we do, 8.15. Their i18n patch there was almost exactly the same as ours, but not quite exactly. Here's the updated one for 8.15:
http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch?h=f17&id=7491020ff9f0c45480b5b365823a58c869df7552

I have committed them to SVN for Mageia 2 and Cauldron, but I'll wait for Thomas to give the go-ahead to push them to the build system.

Looks ok, go ahead and push them...

Thanks Thomas!

Fixed packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated coreutils packages fix security vulnerabilities:

It was reported that the sort command suffered from a segfault when processing input streams that contained extremely long strings when used with the -d and -M switches (CVE-2013-0221).

It was reported that the uniq command suffered from a segfault when processing input streams that contained extremely long strings (CVE-2013-0222).

It was reported that the join command suffered from a segfault when processing input streams that contained extremely long strings when used with the -i switch (CVE-2013-0223).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0223
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097837.html
========================

Updated packages in core/updates_testing:
========================
coreutils-8.15-1.2.mga2
coreutils-doc-8.15-1.2.mga2

from coreutils-8.15-1.2.mga2.src.rpm

Version: Cauldron => 2

PoCs:
CVE-2013-0221 https://bugzilla.novell.com/show_bug.cgi?id=798538
CVE-2013-0222 https://bugzilla.novell.com/show_bug.cgi?id=796243
CVE-2013-0223 https://bugzilla.novell.com/show_bug.cgi?id=798541

Whiteboard: (none) => has_procedure

Tested i586 in VM.
CVE-2013-0221: unable to reproduce bug
CVE-2013-0222 and CVE-2013-0223: bugs reproduced; bugs gone after update.
Carolyn

CC: (none) => isolde

Could you add the relevant whiteboard keyword please Carolyn.
https://wiki.mageia.org/en/QA_process_for_validating_updates
Thank you :)

Carolyn Rowse
2013-02-10 16:19:23 CET
Whiteboard: has_procedure => has_procedure mga2-32-OK

Now testing 64-bit.
Carolyn

Testing complete on 64-bit. All bugs verified before update. All bugs gone after update.

Update validated.
See comment 3 for advisory and SRPM.
Could sysadmin please push from core/updates_testing to core/updates.
Thank you.
Carolyn

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0048

Status: NEW => RESOLVED