Bug 10896 - evolution-data-server new security issue CVE-2013-4166
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/561785/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update
Reported: 2013-08-01 21:01 CEST by David Walser
Modified: 2013-08-11 14:29 CEST

Source RPM: evolution-data-server-3.9.5-2.mga4.src.rpm

Attachments
Screenshot showing that it's failing to find the public key. (185.84 KB, image/png)
2013-08-11 05:16 CEST, Dave Hodgins

Description David Walser 2013-08-01 21:01:43 CEST
Ubuntu has issued an advisory on July 31:
http://www.ubuntu.com/usn/usn-1922-1/

Ubuntu has links to upstream patches for 3.8.x and 3.9.x and a patch for 3.6.x.

Mageia 2 and Mageia 3 are also affected.

Comment 1 David Walser 2013-08-02 14:37:16 CEST
This is fixed upstream in 3.9.5, which we have in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated evolution-data-server packages fix security vulnerability:

Yves-Alexis Perez discovered that Evolution Data Server did not properly
select GPG recipients. Under certain circumstances, this could result in
Evolution encrypting email to an unintended recipient (CVE-2013-4166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4166
http://www.ubuntu.com/usn/usn-1922-1/
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.4.4-1.1.mga2
libcamel33-3.4.4-1.1.mga2
libebook13-3.4.4-1.1.mga2
libecal11-3.4.4-1.1.mga2
libedata-book13-3.4.4-1.1.mga2
libedata-cal15-3.4.4-1.1.mga2
libedataserver16-3.4.4-1.1.mga2
libedataserverui1-3.4.4-1.1.mga2
libebackend2-3.4.4-1.1.mga2
libedataserver-devel-3.4.4-1.1.mga2
libevolution-data-server-gir1.2-3.4.4-1.1.mga2
evolution-data-server-3.6.3-1.1.mga3
libcamel1.2_40-3.6.3-1.1.mga3
libebook1.2_14-3.6.3-1.1.mga3
libecal1.2_15-3.6.3-1.1.mga3
libedata-book1.2_15-3.6.3-1.1.mga3
libedata-cal1.2_18-3.6.3-1.1.mga3
libedataserver1.2_17-3.6.3-1.1.mga3
libedataserverui3.0_4-3.6.3-1.1.mga3
libebackend1.2_5-3.6.3-1.1.mga3
libedataserver1.2-devel-3.6.3-1.1.mga3
libevolution-data-server-gir1.2-3.6.3-1.1.mga3

from SRPMS:
evolution-data-server-3.4.4-1.1.mga2.src.rpm
evolution-data-server-3.6.3-1.1.mga3.src.rpm
Comment 2 Dave Hodgins 2013-08-11 05:16:26 CEST
Created attachment 4260
Screenshot showing that it's failing to find the public key.

Unless I've made a typo that I'm just not seeing, this is not
working in my test on a Mageia 2 i586 vb guest (i2v).
Comment 3 Dave Hodgins 2013-08-11 05:19:13 CEST
Ignore comment 2. Finally noticed the typo. Missing e in homeip
Comment 4 Dave Hodgins 2013-08-11 05:38:22 CEST
As there is no indication of which circumstances cause the wrong key to
be selected, I'm just testing that it's working with gpg signed encrypted msgs.

Testing complete on Mageia 2 i586 and x86_64.
Comment 5 Dave Hodgins 2013-08-11 05:54:21 CEST
Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push 10896.adv to updates?
Comment 6 Thomas Backlund 2013-08-11 14:29:31 CEST
update pushed:
http://advisories.mageia.org/MGASA-2013-0245.html
