It appears that krfb bundles libvncserver, which bundles liblzo, which has a security issue that we fixed in Bug 13655.

KDE has issued an advisory for this on August 3:
http://www.kde.org/info/security/advisory-20140803-1.txt

Fedora has issued an advisory for this on August 7:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136758.html

Mageia 3 is also affected.

The issue will be fixed in KDE 4.14, so Cauldron will be unaffected.

Even in Cauldron, krfb should be changed to use the system libraries if possible.
Whiteboard: (none) => MGA3TOO
CC: (none) => balcaen.john, mageia
(In reply to David Walser from comment #0)
> It appears that krfb bundles libvncserver, which bundles liblzo, which has a
> security issue that we fixed in Bug 13655.
>
> KDE has issued an advisory for this on August 3:
> http://www.kde.org/info/security/advisory-20140803-1.txt
>
> Fedora has issued an advisory for this on August 7:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-August/
> 136758.html

For Mageia 4, it will be fixed with the KDE update to 4.11.5 or 4.12.5, depending on the council decision.

> Mageia 3 is also affected.

OK, I will prepare an update.

> The issue will be fixed in KDE 4.14, so Cauldron will be unaffected.

The patch to update the embedded minilzo has already been applied in Cauldron since 4.13.97:

+ Revision: 663033
- Update to KDE SC 4.13.97 aka KDE SC 4.14 RC
- add security patch from KDE/4.14 to update embedded minilzo (CVE-2014-4607)

> Even in Cauldron, krfb should be changed to use the system libraries if
> possible.

Hmm, currently libvncserver is not fixed and still embeds a vulnerable minilzo.
Hardware: i586 => All
Depends on: (none) => 13221
Packages generated for Mageia 3 update:

kdenetwork4-4.10.5-1.2.mga3
kde4-filesharing-4.10.5-1.2.mga3
kdnssd-4.10.5-1.2.mga3
libkgetcore4-4.10.5-1.2.mga3
kget-4.10.5-1.2.mga3
kget-handbook-4.10.5-1.2.mga3
kopete-4.10.5-1.2.mga3
kopete-handbook-4.10.5-1.2.mga3
kopete-latex-4.10.5-1.2.mga3
libkopetecontactlist1-4.10.5-1.2.mga3
libkyahoo1-4.10.5-1.2.mga3
libkopete_videodevice4-4.10.5-1.2.mga3
libkopeteaddaccountwizard1-4.10.5-1.2.mga3
libkopete4-4.10.5-1.2.mga3
libkopeteprivacy1-4.10.5-1.2.mga3
libkopetechatwindow_shared1-4.10.5-1.2.mga3
libkrdccore4-4.10.5-1.2.mga3
libkopetestatusmenu1-4.10.5-1.2.mga3
libkopete_oscar4-4.10.5-1.2.mga3
liboscar1-4.10.5-1.2.mga3
libkopeteidentity1-4.10.5-1.2.mga3
libkrfbprivate4-4.10.5-1.2.mga3
kppp-4.10.5-1.2.mga3
kppp-handbook-4.10.5-1.2.mga3
kppp-provider-4.10.5-1.2.mga3
krdc-4.10.5-1.2.mga3
krdc-handbook-4.10.5-1.2.mga3
krfb-4.10.5-1.2.mga3
krfb-handbook-4.10.5-1.2.mga3
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3
kdenetwork4-devel-4.10.5-1.2.mga3

from kdenetwork4-4.10.5-1.2.mga3
(In reply to Luc Menut from comment #1)
> hum, currently, libvncserver is not fixed and still embeds a vulnerable
> minilzo.

Ugh, thanks for pointing this out. It looks like a lot of packages bundle minilzo. pterjan ran urpmf minilzo.c on the debug media in Cauldron and got:

bb blender distcc dump grub2 icecream italc krfb libvncserver mednafen x11vnc
(In reply to David Walser from comment #3)
> (In reply to Luc Menut from comment #1)
> > hum, currently, libvncserver is not fixed and still embeds a vulnerable
> > minilzo.
>
> Ugh, thanks for pointing this out. It looks like a lot of packages bundle
> minilzo. pterjan ran a urpmf minilzo.c on the debug media in Cauldron and
> got:
> bb blender distcc dump grub2 icecream italc krfb libvncserver mednafen x11vnc

Yep, many projects embed either lzo or minilzo, see http://seclists.org/oss-sec/2014/q2/676
Yikes, thanks again. It looks like the list I got from pterjan is pretty much complete, except for possibly busybox (bundles lzo and not minilzo as the oss-sec message said, at least in the version in Cauldron) and remmina (bundles libvncserver). Remmina is a weird one because it has BR: pkgconfig(libvncserver) as if it's trying to build against the system one, but none of its packages are linked to libvncserver, yet it didn't show up in the urpmf query.
Blocks: (none) => 13943
Patched kdenetwork4 uploaded for Mageia 3.

Advisory:
========================

Updated kdenetwork4 packages fix a security vulnerability in krfb:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. The krfb package is built with a bundled copy of libvncserver.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
http://www.kde.org/info/security/advisory-20140803-1.txt
========================

src.rpm:
kdenetwork4-4.10.5-1.2.mga3.src.rpm

packages for i586:
kde4-filesharing-4.10.5-1.2.mga3.i586.rpm
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3.i586.rpm
kdenetwork4-4.10.5-1.2.mga3.i586.rpm
kdenetwork4-devel-4.10.5-1.2.mga3.i586.rpm
kdnssd-4.10.5-1.2.mga3.i586.rpm
kget-4.10.5-1.2.mga3.i586.rpm
kget-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-4.10.5-1.2.mga3.i586.rpm
kopete-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-latex-4.10.5-1.2.mga3.i586.rpm
kppp-4.10.5-1.2.mga3.i586.rpm
kppp-handbook-4.10.5-1.2.mga3.noarch.rpm
kppp-provider-4.10.5-1.2.mga3.i586.rpm
krdc-4.10.5-1.2.mga3.i586.rpm
krdc-handbook-4.10.5-1.2.mga3.noarch.rpm
krfb-4.10.5-1.2.mga3.i586.rpm
krfb-handbook-4.10.5-1.2.mga3.noarch.rpm
libkgetcore4-4.10.5-1.2.mga3.i586.rpm
libkopete4-4.10.5-1.2.mga3.i586.rpm
libkopete_oscar4-4.10.5-1.2.mga3.i586.rpm
libkopete_videodevice4-4.10.5-1.2.mga3.i586.rpm
libkopeteaddaccountwizard1-4.10.5-1.2.mga3.i586.rpm
libkopetechatwindow_shared1-4.10.5-1.2.mga3.i586.rpm
libkopetecontactlist1-4.10.5-1.2.mga3.i586.rpm
libkopeteidentity1-4.10.5-1.2.mga3.i586.rpm
libkopeteprivacy1-4.10.5-1.2.mga3.i586.rpm
libkopetestatusmenu1-4.10.5-1.2.mga3.i586.rpm
libkrdccore4-4.10.5-1.2.mga3.i586.rpm
libkrfbprivate4-4.10.5-1.2.mga3.i586.rpm
libkyahoo1-4.10.5-1.2.mga3.i586.rpm
liboscar1-4.10.5-1.2.mga3.i586.rpm

packages for x86_64:
kde4-filesharing-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork4-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork4-devel-4.10.5-1.2.mga3.x86_64.rpm
kdnssd-4.10.5-1.2.mga3.x86_64.rpm
kget-4.10.5-1.2.mga3.x86_64.rpm
kget-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-4.10.5-1.2.mga3.x86_64.rpm
kopete-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-latex-4.10.5-1.2.mga3.x86_64.rpm
kppp-4.10.5-1.2.mga3.x86_64.rpm
kppp-handbook-4.10.5-1.2.mga3.noarch.rpm
kppp-provider-4.10.5-1.2.mga3.x86_64.rpm
krdc-4.10.5-1.2.mga3.x86_64.rpm
krdc-handbook-4.10.5-1.2.mga3.noarch.rpm
krfb-4.10.5-1.2.mga3.x86_64.rpm
krfb-handbook-4.10.5-1.2.mga3.noarch.rpm
lib64kgetcore4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete_oscar4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete_videodevice4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteaddaccountwizard1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetechatwindow_shared1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetecontactlist1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteidentity1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteprivacy1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetestatusmenu1-4.10.5-1.2.mga3.x86_64.rpm
lib64krdccore4-4.10.5-1.2.mga3.x86_64.rpm
lib64krfbprivate4-4.10.5-1.2.mga3.x86_64.rpm
lib64kyahoo1-4.10.5-1.2.mga3.x86_64.rpm
lib64oscar1-4.10.5-1.2.mga3.x86_64.rpm
Assignee: lmenut => qa-bugs
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: krfb krfb-handbook libkrfbprivate4

default install of krfb krfb-handbook libkrfbprivate4

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.10.5-1.1.mga3.i586 is already installed

Installs without reporting errors

install krfb krfb-handbook libkrfbprivate4 from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.2.mga3.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.10.5-1.2.mga3.i586 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: krfb krfb-handbook lib64krfbprivate4

default install of krfb

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.10.5-1.1.mga3.x86_64 is already installed

Installs without reporting errors

install krfb from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.2.mga3.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.10.5-1.2.mga3.x86_64 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: krfb krfb-handbook libkrfbprivate4

default install of krfb krfb-handbook libkrfbprivate4

[root@localhost wilcal]# urpmi krfb
Package krfb-4.11.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.11.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.11.4-1.mga4.i586 is already installed

Installs without reporting errors

install krfb krfb-handbook libkrfbprivate4 from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.12.5-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.12.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.12.5-1.mga4.i586 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: krfb krfb-handbook lib64krfbprivate4

default install of krfb

[root@localhost wilcal]# urpmi krfb
Package krfb-4.11.4-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.11.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.11.4-1.mga4.x86_64 is already installed

Installs without reporting errors

install krfb from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.12.5-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.12.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.12.5-1.mga4.x86_64 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
For me this update installs without errors.
Testing complete for mga3 32-bit & 64-bit.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates. Thanks
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
(In reply to William Kenney from comment #11)
> For me this update installs without errors
> Testing complete for mga3 32-bit & 64-bit
> Testing complete for mga4 32-bit & 64-bit
> Validating the update.
> Could someone from the sysadmin team push this to updates.
> Thanks

Fixed packages concern only Mga 3 for now (see list in comment #6). @sysadmin team, please push only mga3 packages.

For Mga 4, it will be fixed with the global KDE update to 4.11.5 or 4.12.5 depending on council decision (krfb-4.12.5-1.mga4 packages are not fixed for CVE-2014-4607).
CC: (none) => lmenut
Version: 4 => 3
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA4TOO MGA3-32-OK MGA3-64-OK
Advisory 13933.adv added to svn.
Whiteboard: MGA4TOO MGA3-32-OK MGA3-64-OK => MGA4TOO MGA3-32-OK MGA3-64-OK advisory
CC: (none) => davidwhodgins
Removing the MGA4TOO whiteboard entry, as this bug report is only for the Mageia 3 version, as per comment #6.
Whiteboard: MGA4TOO MGA3-32-OK MGA3-64-OK advisory => MGA3-32-OK MGA3-64-OK advisory
I cannot push this update due to the dep on #13221. My code refuses to issue an update advisory ID if there are open dependent bugs (nice test of this check!! :D). So, either the dep should be removed, or we will have to wait (or I could override my check...).
CC: (none) => mageia
13221 is for the mga4 update. Dep removed.
Depends on: 13221 => (none)
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0360.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED