12985 – imapsync new security issue CVE-2013-4279

Bug 12985 - imapsync new security issue CVE-2013-4279

Summary: imapsync new security issue CVE-2013-4279

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/590190/
Whiteboard:	MGA3TOO has_procedure advisory MGA3-3...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2014-03-10 17:04 CET by David Walser
Modified:	2014-03-12 17:33 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	imapsync-1.584-1.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-03-10 17:04:37 CET

Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html

It disables a feature where it phones home checking for newer versions available causing information leakage about the system on which it's being executed.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated imapsync package fixes security vulnerability:

Imapsync, by default, runs a "release check" when executed, which causes
imapsync to connect to http://imapsync.lamiral.info and send information
about the version of imapsync, the operating system and perl (CVE-2013-4279).

The imapsync package has been patched to disable this feature.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4279
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html
========================

Updated packages in core/updates_testing:
========================
imapsync-1.584-1.1.mga3
imapsync-1.584-1.1.mga4

from SRPMS:
imapsync-1.584-1.1.mga3.src.rpm
imapsync-1.584-1.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:

David Walser 2014-03-10 17:04:43 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-03-10 18:02:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/590190/

Comment 1 Marc Lattemann 2014-03-10 20:11:05 CET

after installation of imapsync and simple run of imapsync wihtout any options iftop shows:
MGA3_32bit => ks.lamiral.info 0b  0b 83b

after update iptop does not show this network connection anymore

successfully tested on mga3 32bit

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK

Comment 2 Marc Lattemann 2014-03-10 20:26:03 CET

updates with same procedure successfully tested for 
mag3 64bit
mga4 32bit
mga4 64bit

after advisory from Comment #0 is uploaded updates can be moved to core_updates.

Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 3 claire robinson 2014-03-11 14:53:03 CET

Well done Marc, you're back in the groove!

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2014-03-12 17:33:18 CET

Update pushed:
http://advisories.mageia.org/MGASA-2014-0127.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.