Bug 11010 - libimobiledevice new security issue CVE-2013-2142
: libimobiledevice new security issue CVE-2013-2142
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/563532/
: mga3-64-ok mga3-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-08-15 17:38 CEST by David Walser
Modified: 2013-08-17 10:47 CEST (History)
4 users (show)

See Also:
Source RPM: libimobiledevice-1.1.4-4.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-08-15 17:38:02 CEST
Ubuntu has issued an advisory on August 14:
http://www.ubuntu.com/usn/usn-1927-1/

Patches checked into SVN for Mageia 3 and Cauldron.

Mageia 2 is not affected.

In Cauldron, it currently will not build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130815153246.luigiwalser.valstar.22801/log/libimobiledevice-1.1.5-2.mga4/build.0.20130815153302.log

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-08-15 18:12:01 CEST
Fixed in Cauldron in libimobiledevice-1.1.5-2.mga4 by Funda.  Thanks Funda!

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated libimobiledevice packages fix security vulnerability:

Paul Collins discovered that libimobiledevice incorrectly handled temporary
files. A local attacker could possibly use this issue to overwrite
arbitrary files and access device keys. In the default Ubuntu installation,
this issue should be mitigated by the Yama link restrictions (CVE-2013-2142).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2142
http://www.ubuntu.com/usn/usn-1927-1/
========================

Updated packages in core/updates_testing:
========================
libimobiledevice-1.1.4-4.1.mga3
libimobiledevice3-1.1.4-4.1.mga3
libimobiledevice-devel-1.1.4-4.1.mga3
python-imobiledevice-1.1.4-4.1.mga3

from libimobiledevice-1.1.4-4.1.mga3.src.rpm
Comment 2 claire robinson 2013-08-15 18:18:18 CEST
You need an iphone or ipod touch to test this properly I think.

Anybody have one?
Comment 3 David GEIGER 2013-08-17 08:58:02 CEST
Testing complete mga3_64, with my iPhone 4 Ok for me nothing to report.
Simple test by connecting my iBidule.
Comment 4 David GEIGER 2013-08-17 08:58:14 CEST
Testing complete mga3_32, with my iPhone 4 Ok for me nothing to report too.
Simple test by connecting my iBidule.
Comment 5 claire robinson 2013-08-17 09:54:38 CEST
Thanks David. Advisory from comment 1 uploaded.

Validating

Could sysadmin please push from 3 core updates testing to updates

Thanks!
Comment 6 Thomas Backlund 2013-08-17 10:47:48 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0251.html

Note You need to log in before you can comment on or make changes to this bug.