Bug 11100 - libdigidoc new security issue CVE-2013-5648
: libdigidoc new security issue CVE-2013-5648
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/565579/
: MGA2TOO has_procedure mga2-64-ok mga2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-08-28 19:22 CEST by Sander Lepik
Modified: 2013-09-04 02:39 CEST (History)
3 users (show)

See Also:
Source RPM: libdigidoc
CVE:


Attachments
File for testing that the qdigidoc client still works. (8.07 KB, application/x-ddoc)
2013-08-28 19:24 CEST, Sander Lepik
Details

Description Sander Lepik 2013-08-28 19:22:22 CEST
Details will follow.

Reproducible: 

Steps to Reproduce:
Comment 1 Sander Lepik 2013-08-28 19:24:32 CEST
Created attachment 4294 [details]
File for testing that the qdigidoc client still works.
Comment 2 Sander Lepik 2013-08-28 20:56:32 CEST
I have uploaded patched packages for Mageia 2 and 3.

As there is no POC we can only test that the qdigidoc client is still opening ddoc files after updating.

How to test:
1. Install qdigidoc.
2. Open file in comment #1 and check that the signature is valid.
3. Update libdigidoc.
4. Repeat second step.

Suggested advisory:
========================

Updated libdigidoc packages fix security vulnerability:

Fixed one critical bug in the DDOC parsing routines. By persuading a victim to open a specially-crafted DDOC file, a remote attacker could exploit this vulnerability to overwrite arbitrary files on the system with the privileges of the victim.

References:
http://www.id.ee/?lang=en&id=34283#3_7_2
========================

Updated packages in core/updates_testing:
========================
mga2:
lib64digidoc-devel-2.7.1.59-1.1.mga2.x86_64.rpm
lib64digidoc2-2.7.1.59-1.1.mga2.x86_64.rpm
libdigidoc2-2.7.1.59-1.1.mga2.i586.rpm
libdigidoc-devel-2.7.1.59-1.1.mga2.i586.rpm

Source RPM:
libdigidoc-2.7.1.59-1.1.mga2.src.rpm

mga3:
lib64digidoc2-3.6.0.0-3.1.mga3.x86_64.rpm
lib64digidoc-devel-3.6.0.0-3.1.mga3.x86_64.rpm
libdigidoc-3.6.0.0-3.1.mga3.x86_64.rpm
libdigidoc2-3.6.0.0-3.1.mga3.i586.rpm
libdigidoc-devel-3.6.0.0-3.1.mga3.i586.rpm
libdigidoc-3.6.0.0-3.1.mga3.i586.rpm

Source RPM: 
libdigidoc-3.6.0.0-3.1.mga3.src.rpm
Comment 3 claire robinson 2013-08-28 22:39:10 CEST
Thanks Sander

Testing complete mga2 32. Just started digidoc client and chose to 'View signed document content' then checked the content & signature etc for obvious errors.
Comment 4 David Walser 2013-08-28 22:58:39 CEST
CVE request here:
http://openwall.com/lists/oss-security/2013/08/28/11
Comment 5 claire robinson 2013-08-28 23:18:06 CEST
Advisory 11100.adv uploaded but will need updating when a CVE is issued.
Comment 6 claire robinson 2013-08-29 09:53:02 CEST
Testing complete mga3 64
Comment 7 claire robinson 2013-08-29 10:01:10 CEST
Testing complete mga3 32
Comment 8 claire robinson 2013-08-29 10:10:33 CEST
Testing complete mga2 64

Validating. Advisory is uploaded but will need to be updated when a CVE is issued.

Could sysadmin please push from 2 & 3 core/updates_testing to updates.

Thanks!
Comment 9 David Walser 2013-08-29 14:00:49 CEST
CVE-2013-5648 has been assigned:
http://openwall.com/lists/oss-security/2013/08/29/2

Suggested advisory:
========================

Updated libdigidoc packages fix security vulnerability:

Fixed one critical bug in the DDOC parsing routines. By persuading a victim to
open a specially-crafted DDOC file, a remote attacker could exploit this
vulnerability to overwrite arbitrary files on the system with the privileges
of the victim (CVE-2013-5648).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5648
http://www.id.ee/?lang=en&id=34283#3_7_2
Comment 10 claire robinson 2013-08-29 14:12:25 CEST
Advisory updated, thanks.
Comment 11 Thomas Backlund 2013-08-30 19:45:16 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0268.html

Note You need to log in before you can comment on or make changes to this bug.