Bug 14663 - libksba new security issue CVE-2014-9087
Summary: libksba new security issue CVE-2014-9087
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/623292/
Whiteboard: MGA3TOO has_procedure advisory MGA4-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-26 14:42 CET by David Walser
Modified: 2014-11-28 18:21 CET (History)

See Also:
Source RPM: libksba-1.3.1-2.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2014-11-26 14:42:14 CET
A CVE has been assigned for an issue fixed in libksba 1.3.2:
http://openwall.com/lists/oss-security/2014/11/26/3

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 3 and Mageia 4.

libksba is used through gnupg2, so that's what you need to use to test this.  We have a gnupg test procedure; you just need to use "gpg2" instead of "gpg" as the command to test gnupg2:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

This probably isn't the most serious issue in the world, but the testing procedure is quick and easy, so if we're able to get it tested today, then great.

Advisory:
========================

Updated libksba packages fix security vulnerability:

By using special crafted S/MIME messages or ECC based OpenPGP data, it is
possible to create a buffer overflow, which could lead to a denial of service
(CVE-2014-9087).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9087
http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
http://openwall.com/lists/oss-security/2014/11/26/3
========================

Updated packages in core/updates_testing:
========================
libksba8-1.3.2-1.mga3
libksba-devel-1.3.2-1.mga3
libksba8-1.3.2-1.mga4
libksba-devel-1.3.2-1.mga4

from SRPMS:
libksba-1.3.2-1.mga3.src.rpm
libksba-1.3.2-1.mga4.src.rpm

David Walser 2014-11-26 14:42:23 CET

Whiteboard: (none) => MGA3TOO has_procedure

Comment 1 David Walser 2014-11-26 15:54:31 CET
Tested successfully Mageia 3 i586 and Mageia 4 i586 using the encryption/decryption test with gpg2.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 2 Otto Leipälä 2014-11-26 16:57:05 CET
Mageia 4 testing done x64 validated update.

Keywords: (none) => validated_update
CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK

Comment 3 Otto Leipälä 2014-11-26 16:58:16 CET
Sysadmins push to updates.

Comment 4 David Walser 2014-11-26 17:14:20 CET
Fixing the corrupted whiteboard tag.  Thanks for testing.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK

Comment 5 Rémi Verschelde 2014-11-26 17:19:18 CET
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK advisory

Otto Leipälä 2014-11-26 17:22:46 CET

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK advisory => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Otto Leipälä 2014-11-26 17:23:22 CET

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Comment 6 Mageia Robot 2014-11-26 18:30:37 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0498.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-28 18:21:02 CET

URL: (none) => http://lwn.net/Vulnerabilities/623292/
