Bug 13933 - krfb new security issue CVE-2014-4607
Summary: krfb new security issue CVE-2014-4607
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/604237/
Whiteboard: MGA3-32-OK MGA3-64-OK advisory
Keywords: validated_update
Depends on:
Blocks: 13943
Reported: 2014-08-18 21:49 CEST by David Walser
Modified: 2014-08-27 10:22 CEST

See Also:
Source RPM: kdenetwork4-4.10.5-1.1.mga3.src.rpm, krfb-4.11.4-1.mga4.src.rpm
CVE:
Status comment:
Description David Walser 2014-08-18 21:49:53 CEST
It appears that krfb bundles libvncserver, which bundles liblzo, which has a security issue that we fixed in Bug 13655.

KDE has issued an advisory for this on August 3:
http://www.kde.org/info/security/advisory-20140803-1.txt

Fedora has issued an advisory for this in August 7:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136758.html

Mageia 3 is also affected.

The issue will be fixed in KDE 4.14, so Cauldron will be unaffected.

Even in Cauldron, krfb should be changed to use the system libraries if possible.

David Walser 2014-08-18 21:50:09 CEST

Whiteboard: (none) => MGA3TOO
CC: (none) => balcaen.john, mageia

Comment 1 Luc Menut 2014-08-19 01:16:29 CEST
(In reply to David Walser from comment #0)
> It appears that krfb bundles libvncserver, which bundles liblzo, which has a
> security issue that we fixed in Bug 13655.
> 
> KDE has issued an advisory for this on August 3:
> http://www.kde.org/info/security/advisory-20140803-1.txt
> 
> Fedora has issued an advisory for this in August 7:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136758.html

For Mageia 4, it will be fixed with the KDE update to 4.11.5 or 4.12.5 depending on council decision.

> 
> Mageia 3 is also affected.

OK, I will prepare an update.

> 
> The issue will be fixed in KDE 4.14, so Cauldron will be unaffected.

patch to update embedded minilzo already applied in Cauldron since 4.13.97
+ Revision: 663033
- Update to KDE SC 4.13.97 aka KDE SC 4.14 RC
- add security patch from KDE/4.14 to update embedded minilzo (CVE-2014-4607)

> 
> Even in Cauldron, krfb should be changed to use the system libraries if
> possible.

hum, currently, libvncserver is not fixed and still embeds a vulnerable minilzo.

Hardware: i586 => All
Depends on: (none) => 13221

Comment 2 David Walser 2014-08-19 17:10:44 CEST
Packages generated for Mageia 3 update:
kdenetwork4-4.10.5-1.2.mga3
kde4-filesharing-4.10.5-1.2.mga3
kdnssd-4.10.5-1.2.mga3
libkgetcore4-4.10.5-1.2.mga3
kget-4.10.5-1.2.mga3
kget-handbook-4.10.5-1.2.mga3
kopete-4.10.5-1.2.mga3
kopete-handbook-4.10.5-1.2.mga3
kopete-latex-4.10.5-1.2.mga3
libkopetecontactlist1-4.10.5-1.2.mga3
libkyahoo1-4.10.5-1.2.mga3
libkopete_videodevice4-4.10.5-1.2.mga3
libkopeteaddaccountwizard1-4.10.5-1.2.mga3
libkopete4-4.10.5-1.2.mga3
libkopeteprivacy1-4.10.5-1.2.mga3
libkopetechatwindow_shared1-4.10.5-1.2.mga3
libkrdccore4-4.10.5-1.2.mga3
libkopetestatusmenu1-4.10.5-1.2.mga3
libkopete_oscar4-4.10.5-1.2.mga3
liboscar1-4.10.5-1.2.mga3
libkopeteidentity1-4.10.5-1.2.mga3
libkrfbprivate4-4.10.5-1.2.mga3
kppp-4.10.5-1.2.mga3
kppp-handbook-4.10.5-1.2.mga3
kppp-provider-4.10.5-1.2.mga3
krdc-4.10.5-1.2.mga3
krdc-handbook-4.10.5-1.2.mga3
krfb-4.10.5-1.2.mga3
krfb-handbook-4.10.5-1.2.mga3
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3
kdenetwork4-devel-4.10.5-1.2.mga3

from kdenetwork4-4.10.5-1.2.mga3
Comment 3 David Walser 2014-08-19 17:12:19 CEST
(In reply to Luc Menut from comment #1)
> hum, currently, libvncserver is not fixed and still embeds a vulnerable
> minilzo.

Ugh, thanks for pointing this out.  It looks like a lot of packages bundle minilzo.  pterjan ran a urpmf minilzo.c on the debug media in Cauldron and got:
bb blender distcc dump grub2 icecream italc krfb libvncserver mednafen x11vnc
Comment 4 Luc Menut 2014-08-19 17:24:21 CEST
(In reply to David Walser from comment #3)
> (In reply to Luc Menut from comment #1)
> > hum, currently, libvncserver is not fixed and still embeds a vulnerable
> > minilzo.
> 
> Ugh, thanks for pointing this out.  It looks like a lot of packages bundle
> minilzo.  pterjan ran a urpmf minilzo.c on the debug media in Cauldron and
> got:
> bb blender distcc dump grub2 icecream italc krfb libvncserver mednafen x11vnc

yep, many projects embed either lzo or minilzo, see
http://seclists.org/oss-sec/2014/q2/676
Comment 5 David Walser 2014-08-19 17:38:32 CEST
Yikes, thanks again.  It looks like the list I got from pterjan is pretty much complete, except for possibly busybox (bundles lzo and not minilzo as the oss-sec message said, at least in the version in Cauldron) and remmina (bundles libvncserver).  Remmina is a weird one because it has BR: pkgconfig(libvncserver) as if it's trying to build against the system one, but none of its packages are linked to libvncserver, yet it didn't show up in the urpmf query.
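
The urpmf minilzo.c query above finds bundled copies by filename on the debug media. As an added example (not part of this report and not a Mageia tool), the shell scan below does the same job on unpacked source trees by content instead: it looks for the LZO version macro (LZO_VERSION in lzoconf.h, MINILZO_VERSION in minilzo.h, both written as BCD hex such as 0x2060 for 2.06; those macro names are an assumption taken from the lzo headers, so check them against your copy), decodes the version, and flags any copy older than 2.07, the first release carrying the fix. Searching by content also catches a renamed or relocated copy that a filename match would miss. The tree it scans is constructed inline for the demonstration and only stands in for a krfb checkout bundling libvncserver's minilzo; it is not the projects' real source layout.

```shell
#!/bin/sh
# Added example: find bundled LZO/minilzo copies in source trees by their
# version macro and report whether each predates the 2.07 fix.
# Assumption: lzoconf.h carries "#define LZO_VERSION 0xMmmp" and minilzo.h
# carries "#define MINILZO_VERSION 0xMmmp" (e.g. 0x2060 == 2.06).

FIXED_VERSION=207   # lzo 2.07, in the "M.mm -> Mmm" integer form used below

# lzo_version_in FILE -> prints "M.mm" decoded from the first (MINI)LZO_VERSION
# macro in FILE; returns 1 (prints nothing) if the file has no such macro
lzo_version_in() {
    hex=$(grep -E '^[[:space:]]*#[[:space:]]*define[[:space:]]+(MINI)?LZO_VERSION[[:space:]]+0x[0-9A-Fa-f]{4}' "$1" 2>/dev/null \
        | head -n 1 | sed -E 's/.*0x([0-9A-Fa-f]{4}).*/\1/')
    if [ -z "$hex" ]; then return 1; fi
    # first hex digit is the major version, the next two the minor: 2060 -> 2.06
    printf '%s.%s\n' "$(printf '%s' "$hex" | cut -c1)" "$(printf '%s' "$hex" | cut -c2-3)"
}

# scan_tree DIR -> one line per file carrying an LZO version macro, sorted:
#   STATUS VERSION PATH      (STATUS is VULNERABLE or FIXED)
scan_tree() {
    grep -rlE '^[[:space:]]*#[[:space:]]*define[[:space:]]+(MINI)?LZO_VERSION[[:space:]]+0x' "$1" 2>/dev/null \
    | sort | while IFS= read -r f; do
        v=$(lzo_version_in "$f") || continue
        n=$(printf '%s' "$v" | tr -d '.')          # "2.06" -> 206
        if [ "$n" -lt "$FIXED_VERSION" ]; then st=VULNERABLE; else st=FIXED; fi
        printf '%s %s %s\n' "$st" "$v" "$f"
    done
}

# make_sample_tree -> prints the path of a constructed tree: a krfb checkout
# bundling libvncserver, which bundles minilzo 2.06; a clean lzo 2.07 checkout;
# and a copy hidden under an unrelated filename.  All files are fabricated
# stand-ins for the demonstration, not the projects' real sources.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/krfb/libvncserver/common" "$d/lzo-2.07/include/lzo" "$d/someapp/third_party"
    printf '#define MINILZO_VERSION 0x2060\n' > "$d/krfb/libvncserver/common/minilzo.h"
    printf '#define LZO_VERSION 0x2070\n#define LZO_VERSION_STRING "2.07"\n' \
        > "$d/lzo-2.07/include/lzo/lzoconf.h"
    printf '/* renamed copy: a filename match would miss it */\n#define MINILZO_VERSION 0x2050\n' \
        > "$d/someapp/third_party/compress.h"
    printf 'int main(void) { return 0; }\n' > "$d/krfb/main.c"   # no macro: ignored
    printf '%s\n' "$d"
}

# Demonstration: scan the constructed tree, then clean up
tree=$(make_sample_tree)
scan_tree "$tree"
rm -rf "$tree"
```

For a built package rather than a source tree, the remmina puzzle from comment #5 (BuildRequires on pkgconfig(libvncserver) but nothing linked against it) is settled by readelf -d on the binary: if libvncserver does not appear among its NEEDED entries, the package compiled in its own copy, and the scan above on its source tree is where to look for the minilzo inside it.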
David Walser 2014-08-19 18:44:50 CEST

Blocks: (none) => 13943

Comment 6 Luc Menut 2014-08-19 21:51:01 CEST
Patched kdenetwork4 uploaded for Mageia 3.

Advisory:
========================

Updated kdenetwork4 packages fix a security vulnerability in krfb:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a
part of liblzo containing the vulnerable code.  The krfb package is built
with a bundled copy of libvncserver.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
http://www.kde.org/info/security/advisory-20140803-1.txt
========================

src.rpm:
kdenetwork4-4.10.5-1.2.mga3.src.rpm

packages for i586:
kde4-filesharing-4.10.5-1.2.mga3.i586.rpm
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3.i586.rpm
kdenetwork4-4.10.5-1.2.mga3.i586.rpm
kdenetwork4-devel-4.10.5-1.2.mga3.i586.rpm
kdnssd-4.10.5-1.2.mga3.i586.rpm
kget-4.10.5-1.2.mga3.i586.rpm
kget-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-4.10.5-1.2.mga3.i586.rpm
kopete-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-latex-4.10.5-1.2.mga3.i586.rpm
kppp-4.10.5-1.2.mga3.i586.rpm
kppp-handbook-4.10.5-1.2.mga3.noarch.rpm
kppp-provider-4.10.5-1.2.mga3.i586.rpm
krdc-4.10.5-1.2.mga3.i586.rpm
krdc-handbook-4.10.5-1.2.mga3.noarch.rpm
krfb-4.10.5-1.2.mga3.i586.rpm
krfb-handbook-4.10.5-1.2.mga3.noarch.rpm
libkgetcore4-4.10.5-1.2.mga3.i586.rpm
libkopete4-4.10.5-1.2.mga3.i586.rpm
libkopete_oscar4-4.10.5-1.2.mga3.i586.rpm
libkopete_videodevice4-4.10.5-1.2.mga3.i586.rpm
libkopeteaddaccountwizard1-4.10.5-1.2.mga3.i586.rpm
libkopetechatwindow_shared1-4.10.5-1.2.mga3.i586.rpm
libkopetecontactlist1-4.10.5-1.2.mga3.i586.rpm
libkopeteidentity1-4.10.5-1.2.mga3.i586.rpm
libkopeteprivacy1-4.10.5-1.2.mga3.i586.rpm
libkopetestatusmenu1-4.10.5-1.2.mga3.i586.rpm
libkrdccore4-4.10.5-1.2.mga3.i586.rpm
libkrfbprivate4-4.10.5-1.2.mga3.i586.rpm
libkyahoo1-4.10.5-1.2.mga3.i586.rpm
liboscar1-4.10.5-1.2.mga3.i586.rpm

packages for x86_64:
kde4-filesharing-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork-strigi-analyzers-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork4-4.10.5-1.2.mga3.x86_64.rpm
kdenetwork4-devel-4.10.5-1.2.mga3.x86_64.rpm
kdnssd-4.10.5-1.2.mga3.x86_64.rpm
kget-4.10.5-1.2.mga3.x86_64.rpm
kget-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-4.10.5-1.2.mga3.x86_64.rpm
kopete-handbook-4.10.5-1.2.mga3.noarch.rpm
kopete-latex-4.10.5-1.2.mga3.x86_64.rpm
kppp-4.10.5-1.2.mga3.x86_64.rpm
kppp-handbook-4.10.5-1.2.mga3.noarch.rpm
kppp-provider-4.10.5-1.2.mga3.x86_64.rpm
krdc-4.10.5-1.2.mga3.x86_64.rpm
krdc-handbook-4.10.5-1.2.mga3.noarch.rpm
krfb-4.10.5-1.2.mga3.x86_64.rpm
krfb-handbook-4.10.5-1.2.mga3.noarch.rpm
lib64kgetcore4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete_oscar4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopete_videodevice4-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteaddaccountwizard1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetechatwindow_shared1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetecontactlist1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteidentity1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopeteprivacy1-4.10.5-1.2.mga3.x86_64.rpm
lib64kopetestatusmenu1-4.10.5-1.2.mga3.x86_64.rpm
lib64krdccore4-4.10.5-1.2.mga3.x86_64.rpm
lib64krfbprivate4-4.10.5-1.2.mga3.x86_64.rpm
lib64kyahoo1-4.10.5-1.2.mga3.x86_64.rpm
lib64oscar1-4.10.5-1.2.mga3.x86_64.rpm

Assignee: lmenut => qa-bugs

Comment 7 William Kenney 2014-08-23 19:28:26 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
krfb krfb-handbook libkrfbprivate4

default install of krfb krfb-handbook libkrfbprivate4

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.10.5-1.1.mga3.i586 is already installed

Installs without reporting errors

install krfb krfb-handbook libkrfbprivate4 from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.2.mga3.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.10.5-1.2.mga3.i586 is already installed

Installs without reporting errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 8 William Kenney 2014-08-23 19:28:43 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
krfb krfb-handbook lib64krfbprivate4

default install of krfb

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.10.5-1.1.mga3.x86_64 is already installed

Installs without reporting errors

install krfb from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.10.5-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.10.5-1.2.mga3.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.10.5-1.2.mga3.x86_64 is already installed

Installs without reporting errors
Comment 9 William Kenney 2014-08-23 19:29:06 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
krfb krfb-handbook libkrfbprivate4

default install of krfb krfb-handbook libkrfbprivate4

[root@localhost wilcal]# urpmi krfb
Package krfb-4.11.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.11.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.11.4-1.mga4.i586 is already installed

Installs without reporting errors

install krfb krfb-handbook libkrfbprivate4 from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.12.5-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.12.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libkrfbprivate4
Package libkrfbprivate4-4.12.5-1.mga4.i586 is already installed

Installs without reporting errors
Comment 10 William Kenney 2014-08-23 19:29:37 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
krfb krfb-handbook lib64krfbprivate4

default install of krfb

[root@localhost wilcal]# urpmi krfb
Package krfb-4.11.4-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.11.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.11.4-1.mga4.x86_64 is already installed

Installs without reporting errors

install krfb from updates_testing

[root@localhost wilcal]# urpmi krfb
Package krfb-4.12.5-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi krfb-handbook
Package krfb-handbook-4.12.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64krfbprivate4
Package lib64krfbprivate4-4.12.5-1.mga4.x86_64 is already installed

Installs without reporting errors
Comment 11 William Kenney 2014-08-23 19:35:38 CEST
For me this update installs without errors
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 12 Luc Menut 2014-08-23 19:51:36 CEST
(In reply to William Kenney from comment #11)
> For me this update installs without errors
> Testing complete for mga3 32-bit & 64-bit
> Testing complete for mga4 32-bit & 64-bit
> Validating the update.
> Could someone from the sysadmin team push this to updates.
> Thanks

Fixed packages concern only Mga 3 for now (see list in comment #6).
@sysadmin team, please push only mga3 packages.

For Mga 4, it will be fixed with the global KDE update to 4.11.5 or 4.12.5 depending on council decision (krfb-4.12.5-1.mga4 packages are not fixed for CVE-2014-4607).

CC: (none) => lmenut
Version: 4 => 3
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK
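
The validation in comment #11 checked that the packages install, and the correction in comment #12 shows why that alone is not enough: krfb-4.12.5-1.mga4 is newer than the fixed Mageia 3 build and still does not contain the fix. As an added example, not from this report or from Mageia's QA tooling, the shell script below encodes that rule. It parses an installed NVR as urpmi prints it, looks up the fixed VERSION-RELEASE for that package in that distribution release (only the Mageia 3 build 4.10.5-1.2.mga3 from comment #6 is known on this page), and compares the two. Anything in a release with no fixed build listed is reported as not fixed whatever its version number says. The NVRs it checks are the ones printed in comments #7 to #10; the comparison routine (segment by segment, numeric when both sides are numbers, lexical otherwise) is a simplification of rpmvercmp and an assumption of this example, not rpm's own code.

```shell
#!/bin/sh
# Added example: decide from an installed package's NVR whether it carries the
# CVE-2014-4607 fix tracked in this bug.  Fixed builds come from comment #6;
# vercmp is a simplified stand-in for rpmvercmp (assumption of this example).

# fixed_vr NAME DIST -> prints the fixed VERSION-RELEASE for NAME in that
# distribution release, or nothing when no fixed build is known
fixed_vr() {
    if [ "$2" = mga3 ]; then
        case "$1" in
            kdenetwork4|krfb|krfb-handbook|libkrfbprivate4|lib64krfbprivate4)
                printf '%s\n' '4.10.5-1.2.mga3' ;;
        esac
    fi
    # mga4: no fixed build on this page (krfb-4.12.5-1.mga4 is NOT fixed)
    return 0
}

# vercmp A B -> prints -1, 0 or 1.  Segments are split on '.', '-' and '_';
# each pair is compared with expr (numeric if both are integers, lexical
# otherwise); a missing segment sorts lowest.
vercmp() {
    a=$(printf '%s' "$1" | tr '._-' '   ')
    b=$(printf '%s' "$2" | tr '._-' '   ')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        case "$a" in *' '*) a=${a#* } ;; *) a='' ;; esac
        case "$b" in *' '*) b=${b#* } ;; *) b='' ;; esac
        if [ "$x" = "$y" ]; then continue; fi
        if [ -z "$x" ]; then printf '%s\n' "-1"; return 0; fi
        if [ -z "$y" ]; then printf '%s\n' "1"; return 0; fi
        if [ "$(expr "$x" '<' "$y" || true)" = 1 ]; then printf '%s\n' "-1"; else printf '%s\n' "1"; fi
        return 0
    done
    printf '%s\n' "0"
}

# nvr_fields NVR -> prints "NAME VERSION RELEASE DIST"; a trailing .i586,
# .x86_64 or .noarch arch suffix (as urpmi prints it) is dropped first
nvr_fields() {
    s=$1
    case "$s" in *.i586|*.x86_64|*.noarch) s=${s%.*} ;; esac
    rel=${s##*-}            # 1.2.mga3
    rest=${s%-*}            # krfb-4.10.5
    ver=${rest##*-}         # 4.10.5
    name=${rest%-*}         # krfb
    dist=${rel##*.}         # mga3
    printf '%s %s %s %s\n' "$name" "$ver" "$rel" "$dist"
}

# fix_status NVR -> prints FIXED, VULNERABLE or NOT-FIXED-IN-RELEASE
fix_status() {
    set -- $(nvr_fields "$1")
    want=$(fixed_vr "$1" "$4")
    if [ -z "$want" ]; then printf '%s\n' NOT-FIXED-IN-RELEASE; return 0; fi
    if [ "$(vercmp "$2-$3" "$want")" -ge 0 ]; then
        printf '%s\n' FIXED
    else
        printf '%s\n' VULNERABLE
    fi
}

# Demonstration on the NVRs that appear in the QA comments (constructed list)
for nvr in krfb-4.10.5-1.1.mga3.i586 krfb-4.10.5-1.2.mga3.i586 \
           lib64krfbprivate4-4.10.5-1.2.mga3.x86_64 \
           krfb-4.11.4-1.mga4.i586 krfb-4.12.5-1.mga4.x86_64; do
    printf '%-42s %s\n' "$nvr" "$(fix_status "$nvr")"
done
```

The table in fixed_vr is the part to maintain: when the Mageia 4 KDE update lands, its VERSION-RELEASE goes in under mga4, and until then the script keeps answering NOT-FIXED-IN-RELEASE for every mga4 build, which is the answer comment #12 gives.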

Luc Menut 2014-08-23 19:52:24 CEST

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA4TOO MGA3-32-OK MGA3-64-OK

Comment 13 Dave Hodgins 2014-08-26 09:38:58 CEST
Advisory 13933.adv added to svn.

Whiteboard: MGA4TOO MGA3-32-OK MGA3-64-OK => MGA4TOO MGA3-32-OK MGA3-64-OK advisory
CC: (none) => davidwhodgins

Comment 14 Dave Hodgins 2014-08-26 09:49:48 CEST
Removing the MGA4TOO whiteboard entry, as this bug report is only for the
Mageia 3 version, as per comment #6.

Whiteboard: MGA4TOO MGA3-32-OK MGA3-64-OK advisory => MGA3-32-OK MGA3-64-OK advisory

Comment 15 Colin Guthrie 2014-08-27 00:49:38 CEST
I cannot push this update due to the dep on #13221

My code refuses to issue an update advisory ID if there are open, dependent bugs (nice test of this check!! :D)

So, either the dep should be removed, or we will have to wait (or I could override my check...)

CC: (none) => mageia

Comment 16 David Walser 2014-08-27 00:57:45 CEST
13221 is for the mga4 update.  Dep removed.

Depends on: 13221 => (none)

Comment 17 Mageia Robot 2014-08-27 10:22:03 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0360.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED