Bug 11100 - libdigidoc new security issue CVE-2013-5648
Summary: libdigidoc new security issue CVE-2013-5648
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565579/
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-08-28 19:22 CEST by Sander Lepik
Modified: 2013-09-04 02:39 CEST (History)
3 users (show)

See Also:
Source RPM: libdigidoc
CVE:
Status comment:


Attachments
File for testing that the qdigidoc client still works. (8.07 KB, application/x-ddoc)
2013-08-28 19:24 CEST, Sander Lepik
Details

Description Sander Lepik 2013-08-28 19:22:22 CEST
Details will follow.

Reproducible: 

Steps to Reproduce:
Comment 1 Sander Lepik 2013-08-28 19:24:32 CEST
Created attachment 4294 [details]
File for testing that the qdigidoc client still works.
Comment 2 Sander Lepik 2013-08-28 20:56:32 CEST
I have uploaded patched packages for Mageia 2 and 3.

As there is no POC we can only test that the qdigidoc client is still opening ddoc files after updating.

How to test:
1. Install qdigidoc.
2. Open file in comment #1 and check that the signature is valid.
3. Update libdigidoc.
4. Repeat second step.

Suggested advisory:
========================

Updated libdigidoc packages fix security vulnerability:

Fixed one critical bug in the DDOC parsing routines. By persuading a victim to open a specially-crafted DDOC file, a remote attacker could exploit this vulnerability to overwrite arbitrary files on the system with the privileges of the victim.

References:
http://www.id.ee/?lang=en&id=34283#3_7_2
========================

Updated packages in core/updates_testing:
========================
mga2:
lib64digidoc-devel-2.7.1.59-1.1.mga2.x86_64.rpm
lib64digidoc2-2.7.1.59-1.1.mga2.x86_64.rpm
libdigidoc2-2.7.1.59-1.1.mga2.i586.rpm
libdigidoc-devel-2.7.1.59-1.1.mga2.i586.rpm

Source RPM:
libdigidoc-2.7.1.59-1.1.mga2.src.rpm

mga3:
lib64digidoc2-3.6.0.0-3.1.mga3.x86_64.rpm
lib64digidoc-devel-3.6.0.0-3.1.mga3.x86_64.rpm
libdigidoc-3.6.0.0-3.1.mga3.x86_64.rpm
libdigidoc2-3.6.0.0-3.1.mga3.i586.rpm
libdigidoc-devel-3.6.0.0-3.1.mga3.i586.rpm
libdigidoc-3.6.0.0-3.1.mga3.i586.rpm

Source RPM: 
libdigidoc-3.6.0.0-3.1.mga3.src.rpm

Assignee: mageia => qa-bugs
Whiteboard: (none) => MGA2TOO has_procedure

Comment 3 claire robinson 2013-08-28 22:39:10 CEST
Thanks Sander

Testing complete mga2 32. Just started digidoc client and chose to 'View signed document content' then checked the content & signature etc for obvious errors.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-32-ok

Comment 4 David Walser 2013-08-28 22:58:39 CEST
CVE request here:
http://openwall.com/lists/oss-security/2013/08/28/11

CC: (none) => luigiwalser

Comment 5 claire robinson 2013-08-28 23:18:06 CEST
Advisory 11100.adv uploaded but will need updating when a CVE is issued.
Comment 6 claire robinson 2013-08-29 09:53:02 CEST
Testing complete mga3 64

Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga3-64-ok

Comment 7 claire robinson 2013-08-29 10:01:10 CEST
Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga3-64-ok mga3-32-ok

Comment 8 claire robinson 2013-08-29 10:10:33 CEST
Testing complete mga2 64

Validating. Advisory is uploaded but will need to be updated when a CVE is issued.

Could sysadmin please push from 2 & 3 core/updates_testing to updates.

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga3-64-ok mga3-32-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 9 David Walser 2013-08-29 14:00:49 CEST
CVE-2013-5648 has been assigned:
http://openwall.com/lists/oss-security/2013/08/29/2

Suggested advisory:
========================

Updated libdigidoc packages fix security vulnerability:

Fixed one critical bug in the DDOC parsing routines. By persuading a victim to
open a specially-crafted DDOC file, a remote attacker could exploit this
vulnerability to overwrite arbitrary files on the system with the privileges
of the victim (CVE-2013-5648).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5648
http://www.id.ee/?lang=en&id=34283#3_7_2

Summary: Security vulnerability in libdigidoc => libdigidoc new security issue CVE-2013-5648

Comment 10 claire robinson 2013-08-29 14:12:25 CEST
Advisory updated, thanks.
Comment 11 Thomas Backlund 2013-08-30 19:45:16 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0268.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-09-04 02:39:00 CEST

URL: http://www.id.ee/?lang=en&id=34283#3_7_2 => http://lwn.net/Vulnerabilities/565579/


Note You need to log in before you can comment on or make changes to this bug.