Gentoo has issued an advisory on September 19:
http://www.gentoo.org/security/en/glsa/glsa-201409-07.xml
According to Gentoo it was fixed upstream in 0.2.6, so only Mageia 3 is affected.
According to the Gentoo bug, it actually wasn't yet fixed upstream in 0.2.6, they had backported an additional patch: https://bugs.gentoo.org/show_bug.cgi?id=455324 So Mageia 4 would also be affected.
Version: 3 => 4
Whiteboard: (none) => MGA3TOO
The patch Gentoo added only fixes CVE-2013-7401:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-proxy/c-icap/files/c-icap-0.2.6-fix-icap-parsing.patch?revision=1.1&view=markup
CVE-2013-7402 is only fixed in 0.3.x, in these commits:
http://sourceforge.net/p/c-icap/code/1018/
http://sourceforge.net/p/c-icap/code/1021/
See this bug report for CVE-2013-7402:
http://sourceforge.net/p/c-icap/bugs/59/
I guess it could be updated to 0.3.x in Mageia 3 and Mageia 4 (and c-icap-modules-extra would need to be as well I would imagine). If so, even Cauldron should be updated to the newest 0.3.4, as it contains a crasher fix:
http://sourceforge.net/p/c-icap/news/
Here's an osvdb advisory for CVE-2013-7401 and more info including a PoC:
http://www.osvdb.org/show/osvdb/89304
http://osvdb.org/ref/89/c-icap.txt
Debian has issued an advisory for this on December 13:
https://www.debian.org/security/2014/dsa-3101
Now I see that the two upstream commits that I linked in Comment 2 apply cleanly to 0.2.6 and fix both CVEs. I guess I should have figured that out earlier...
Patched package uploaded for Mageia 4.
Removing Mageia 3 from the whiteboard due to EOL.
This package has been removed from Cauldron due to lack of response from the maintainer.
Advisory:
========================
Updated c-icap packages fix security vulnerabilities:
Several vulnerabilities were found in c-icap, which could allow a remote attacker to cause c-icap to crash, or have other, unspecified impacts (CVE-2013-7401, CVE-2013-7402).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7402
http://www.gentoo.org/security/en/glsa/glsa-201409-07.xml
https://www.debian.org/security/2014/dsa-3101
========================
Updated packages in core/updates_testing:
========================
libc-icap0-0.2.6-2.2.mga4
libc-icap-devel-0.2.6-2.2.mga4
c-icap-server-0.2.6-2.2.mga4
c-icap-client-0.2.6-2.2.mga4
c-icap-modules-0.2.6-2.2.mga4
from c-icap-0.2.6-2.2.mga4.src.rpm
CC: (none) => luis.daniel.lucio
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA3TOO => (none)
Testing on Mageia 4x64 real hardware.
From current packages :
---------------------
- c-icap-client-0.2.6-2.mga4.x86_64
- c-icap-modules-0.2.6-2.mga4.x86_64
- c-icap-modules-extra-0.2.5-2.mga4.x86_64
- c-icap-server-0.2.6-2.mga4.x86_64
- lib64c-icap0-0.2.6-2.mga4.x86_64
Following instructions found here :
http://sourceforge.net/p/c-icap/wiki/c-icapInstall/
# systemctl start icapd
# systemctl status icapd
icapd.service - ICAP Server
   Loaded: loaded (/usr/lib/systemd/system/icapd.service; enabled)
   Active: active (running)
$ c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344
OPTIONS:
    Allow 204: Yes
    Preview: 1024
    Keep alive: Yes
ICAP HEADERS:
    ICAP/1.0 200 OK:
    Methods:RESPMOD, REQMOD
    Service:C-ICAP/0.2.6 server - Echo demo service
    ISTag:CI0001-XXXXXXXXX
    Transfer-Preview:*
    Options-TTL:3600
    Date:Sun, 14 Dec 2014 21:23:12 GMT
    Preview:1024
    Allow:204
    X-Include:X-Authenticated-User, X-Authenticated-Groups
    Encapsulated:null-body=0
$ c-icap-client -req http://www.mageia.org/fr/
ICAP server:localhost, ip:127.0.0.1, port:1344
No modification needed (Allow 204 response)
$ c-icap-client -i localhost -s "info?view=text" -req "a_url"
ICAP server:localhost, ip:127.0.0.1, port:1344
which shows server statistics changing each time I access the server through the client.
Stopped and disabled icapd.service.
Updated to testing packages :
---------------------------
- c-icap-client-0.2.6-2.2.mga4.x86_64
- c-icap-modules-0.2.6-2.2.mga4.x86_64
- c-icap-server-0.2.6-2.2.mga4.x86_64
- lib64c-icap0-0.2.6-2.2.mga4.x86_64
Followed same procedure. c-icap-server functional, c-icap-client can access the server.
All OK.
CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK
Testing on Mageia4x32, using same procedure as in comment 4.
From current packages :
---------------------
- c-icap-client-0.2.6-2.mga4.i586
- c-icap-modules-0.2.6-2.mga4.i586
- c-icap-modules-extra-0.2.5-2.mga4.i586
- c-icap-server-0.2.6-2.mga4.i586
- libc-icap0-0.2.6-2.mga4.i586
To updated testing packages :
---------------------------
- c-icap-client-0.2.6-2.2.mga4.i586
- c-icap-modules-0.2.6-2.2.mga4.i586
- c-icap-server-0.2.6-2.2.mga4.i586
- libc-icap0-0.2.6-2.2.mga4.i586
Which gave same satisfactory results. Giving the OK.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0530.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED