Bug 10428 - libkdcraw new security issue CVE-2013-2126
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/553302/
Whiteboard: MGA2TOO
Keywords:
Depends on: 10600 10768
Blocks:
 
Reported: 2013-06-04 17:30 CEST by David Walser
Modified: 2013-09-01 17:27 CEST

See Also:
Source RPM: libkdcraw-4.10.2-1.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2013-06-04 17:30:14 CEST
A Debian developer noted that libkdcraw uses a bundled copy of libraw, which is affected by a double-free security issue, which we have fixed in our libraw package in Bug 10346:
http://openwall.com/lists/oss-security/2013/06/04/2

David Walser 2013-06-04 17:31:00 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=10346
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-06-18 18:46:35 CEST
Ubuntu has issued an advisory for this today (June 18):
http://www.ubuntu.com/usn/usn-1885-1/

URL: (none) => http://lwn.net/Vulnerabilities/553302/
CC: (none) => balcaen.john

Comment 2 David Walser 2013-07-11 17:46:29 CEST
openSUSE has issued an advisory for this today (July 11):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00032.html

John Balcaen 2013-07-11 22:35:30 CEST

Depends on: (none) => 10600

Comment 3 John Balcaen 2013-07-13 20:45:28 CEST
For the record, there's also CVE 2013-2127 (a buffer overflow).
The patch for this one is already added on svn.
The patch for the 2013-2126 is on the way (I'm currently waiting for KDE's team review).
One more thing: it's going to be pushed with the 4.10.5 release update.

Comment 4 David Walser 2013-07-13 20:52:03 CEST
For Mageia 3, yes 2127 is indeed relevant, and yes I know it'll be fixed with KDE.

For Mageia 2, only CVE-2013-2126 should be relevant.  What's the plan there?

Comment 5 John Balcaen 2013-07-13 21:19:50 CEST
(In reply to David Walser from comment #4)
> For Mageia 2, only CVE-2013-2126 should be relevant.  What's the plan there?
It's the same patch as mga3, so waiting also for KDE team review.
As soon as it's OK I'll push it on mga2 core/updates_testing & open a bug report for QA team.
Sorry, I forgot to mention it earlier :/

Comment 6 David Walser 2013-07-13 21:28:25 CEST
No problem, thanks.  You can use this bug for the mgaw update.

Comment 7 David Walser 2013-07-13 21:28:44 CEST
(In reply to David Walser from comment #6)
> No problem, thanks.  You can use this bug for the mgaw update.

mga2, whoops :o)

John Balcaen 2013-07-14 19:20:10 CEST

Depends on: (none) => 10768

Comment 8 John Balcaen 2013-07-14 19:21:08 CEST
OK from KDE team, update pushed for mga2 (#10768)

Comment 9 David Walser 2013-07-19 15:49:15 CEST
Should be fixed in libkdcraw-4.10.95-1.mga4 for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 10 Manuel Hiebel 2013-09-01 16:10:04 CEST
Looks like it could be assigned to QA?

Version: 3 => 2
Whiteboard: MGA2TOO => (none)

Comment 11 David Walser 2013-09-01 17:26:38 CEST
Now fixed for Mageia 2 and Mageia 3.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2013-09-01 17:27:09 CEST

Version: 2 => 3
Whiteboard: (none) => MGA2TOO

