Bug 13786 - eet new security issue CVE-2014-4611
Summary: eet new security issue CVE-2014-4611
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603972/
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-07-22 17:33 CEST by David Walser
Modified: 2014-08-06 12:31 CEST (History)
4 users (show)

See Also:
Source RPM: eet-1.7.10-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-07-22 17:33:34 CEST
OpenSuSE has issued an advisory on July 21:
http://lists.opensuse.org/opensuse-updates/2014-07/msg00025.html

The issue is in LZ4 decompression.  The original advisory for this issue is here:
http://openwall.com/lists/oss-security/2014/06/26/25

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-22 17:33:41 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 trem 2014-07-24 18:49:16 CEST
Thanks for reporting this issue.
I don't found the patch, do you know where I can found it please ?
Comment 3 Oden Eriksson 2014-07-31 13:14:27 CEST
Fixed with eet-1.7.5-2.1.mga3, eet-1.7.10-1.1.mga4 & eet-1.7.10-2.mga5.

CC: (none) => oe

Comment 4 David Walser 2014-07-31 19:38:40 CEST
Thanks Oden.  We actually didn't have eet in Cauldron anymore before this (I'm not sure why).  I guess it was still in SVN.  Hopefully trem will see this and if it was supposed to be dropped, do so properly.

Advisory:
========================

Updated eet packages fix security vulnerability:

Integer overflow in the LZ4 algorithm implementation on 32-bit platforms might
allow context-dependent attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via a crafted Literal
Run that would be improperly handled by programs not complying with an API
limitation (CVE-2014-4611).

The eet package bundles the LZ4 implementation and has been patched to correct
this flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4611
http://openwall.com/lists/oss-security/2014/06/26/25
http://lists.opensuse.org/opensuse-updates/2014-07/msg00025.html
========================

Updated packages in core/updates_testing:
========================
eet-1.7.5-2.1.mga3
libeet1-1.7.5-2.1.mga3
libeet-devel-1.7.5-2.1.mga3
eet-1.7.10-1.1.mga4
libeet1-1.7.10-1.1.mga4
libeet-devel-1.7.10-1.1.mga4

from SRPMS:
eet-1.7.5-2.1.mga3.src.rpm
eet-1.7.10-1.1.mga4.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/603972/
CC: (none) => tremyfr
Assignee: tremyfr => qa-bugs

Comment 5 David Walser 2014-08-01 15:44:36 CEST
Validating this.  See the discussion in the QA meeting:
http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30

The advisory still needs to be uploaded.

Please push this to core/updates for Mageia 3 and Mageia 4.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Rémi Verschelde 2014-08-01 23:32:48 CEST
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO advisory

Comment 7 Rémi Verschelde 2014-08-04 21:48:40 CEST
Installs fine on Mageia 4 32bit, and the "eet" command produces some output. Good enough for an already validated update.

Whiteboard: MGA3TOO advisory => MGA3TOO MGA4-32-OK advisory

Comment 8 Rémi Verschelde 2014-08-05 19:58:39 CEST
Made sure it installs in Mageia 3 32bit.

Whiteboard: MGA3TOO MGA4-32-OK advisory => MGA3TOO MGA3-32-OK MGA4-32-OK advisory

Comment 9 Mageia Robot 2014-08-06 12:31:59 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0321.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.