Bug 14199 - geary new security issue CVE-2014-5444
Summary: geary new security issue CVE-2014-5444
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/614053/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-30 21:14 CEST by David Walser
Modified: 2014-11-29 21:47 CET
CC: 5 users

See Also:
Source RPM: geary-0.4.3-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-09-30 21:14:56 CEST
OpenSuSE has issued an advisory on September 28:
http://lists.opensuse.org/opensuse-updates/2014-09/msg00035.html

The issue was fixed upstream in 0.6.3.

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-30 21:15:04 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-10-26 17:43:44 CET
According to the upstream bug, the version in Mageia 3 is definitely also affected.  Unfortunately, the patch to fix this is not backportable, so upgrading to 0.6.3 is the only fix.  While this works on Mageia 4, it doesn't on Mageia 3 because building geary 0.6.3 requires vala 0.22.1, and Mageia 3 has 0.18.1.

Can we update vala?
Comment 2 David Walser 2014-10-26 18:11:16 CET
On Mageia 3, I updated vala locally to 0.22.1 and tried to build geary, and get this error even though libgcr-devel is installed:

error: Package `gcr-3' not found in specified Vala API directories or GObject-Introspection GIR directories
Comment 3 David Walser 2014-11-27 16:10:58 CET
Dropping Mageia 3 from the whiteboard due to EOL:
http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated geary package fixes security vulnerability:

Geary before 0.6.3 does not present the user with a warning when a TLS
certificate error is detected, which makes it easier for remote attackers to
conduct man-in-the-middle attacks via a crafted certificate (CVE-2014-5444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5444
http://lists.opensuse.org/opensuse-updates/2014-09/msg00035.html
========================

Updated packages in core/updates_testing:
========================
geary-0.6.3-1.mga4

from geary-0.6.3-1.mga4.src.rpm

CC: (none) => olav
Assignee: olav => qa-bugs
Whiteboard: MGA3TOO => (none)
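
The advisory above describes a mail client that detects a TLS certificate error but never surfaces it, which is exactly what lets a crafted certificate succeed. As an added example (not Geary's own code, which is written in Vala, and not part of the Mageia package), the Go program below verifies a server certificate against a trusted root set, classifies the three failure modes a client has to show the user (untrusted issuer, wrong host name, expired certificate), and applies the policy the fix implies: a failed check blocks the connection unless the user explicitly accepts it after seeing the reason. The host names and the self-signed certificate are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertCheck is the result a mail client should carry from the TLS handshake
// to its UI: either the server is trusted, or a specific reason why not.
type CertCheck struct {
	Host    string
	Trusted bool
	Reason  string // human-readable cause when Trusted is false
}

// mintCert builds a self-signed certificate for host. It is a constructed test
// fixture standing in for whatever certificate an IMAP/SMTP server presented.
func mintCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServerCert verifies cert for host against the trusted roots at time now
// and classifies any failure. Whatever comes out of this step must reach the
// user; the bug in the advisory is that it did not.
func checkServerCert(cert *x509.Certificate, host string, roots *x509.CertPool, now time.Time) CertCheck {
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err == nil {
		return CertCheck{Host: host, Trusted: true}
	}
	var (
		unknownCA x509.UnknownAuthorityError
		hostErr   x509.HostnameError
		invalid   x509.CertificateInvalidError
	)
	switch {
	case errors.As(err, &unknownCA):
		return CertCheck{Host: host, Reason: "issuer is not trusted"}
	case errors.As(err, &hostErr):
		return CertCheck{Host: host, Reason: "certificate was issued for a different host"}
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return CertCheck{Host: host, Reason: "certificate is expired or not yet valid"}
	default:
		return CertCheck{Host: host, Reason: err.Error()}
	}
}

// mayProceed is the post-fix policy: a failed check blocks the connection
// unless the user, having been shown check.Reason, explicitly accepted it.
// The pre-0.6.3 behaviour described in the advisory amounts to answering
// true without the user ever seeing the reason.
func mayProceed(check CertCheck, userAccepted bool) bool {
	return check.Trusted || userAccepted
}

func main() {
	now := time.Now()
	host := "imap.example.test" // constructed host name
	good, err := mintCert(host, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(good)

	// Certificate that chains to nothing the client trusts: what a crafted
	// certificate from an interposed host looks like from the client side.
	fmt.Println(checkServerCert(good, host, x509.NewCertPool(), now))
	// Trusted certificate presented under the wrong host name.
	fmt.Println(checkServerCert(good, "smtp.example.test", trusted, now))
	// Legitimate case.
	fmt.Println(checkServerCert(good, host, trusted, now))
}
```

Run it with `go run`; the three printed checks show the untrusted-issuer case, the wrong-host case and the clean case. The classification matters because the text a user sees for "unknown issuer" (likely interception or a self-signed server) should differ from "expired" (likely an administrative lapse), and only a client that surfaces the distinction lets the user make a sound decision.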

Comment 4 Herman Viaene 2014-11-28 11:33:15 CET
Testing MGA4-64 on HP6555b
Installed geary without problems. Was able to connect to my gmail account. Sent an e-mail to other account and received reply back. Seems OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

Comment 5 olivier charles 2014-11-29 07:12:42 CET
Testing on Mageia4x32 real hardware

From geary-0.4.3-1.mga4.i586
to geary-0.6.3-1.mga4.i586

All OK

CC: (none) => olchal
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 6 Rémi Verschelde 2014-11-29 21:34:52 CET
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 7 Mageia Robot 2014-11-29 21:47:01 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0500.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

