Bug 15038 - Update candidate: freeciv 2.4.4: bug fixes and fix for CVE-2014-5461
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/610398/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-13 22:20 CET by Rémi Verschelde
Modified: 2015-01-22 18:23 CET

See Also:
Source RPM: freeciv-2.4.1-1.mga4
CVE:
Status comment:


Description Rémi Verschelde 2015-01-13 22:20:23 CET
Freeciv 2.4.4 has been released with bug fixes and a security fix for CVE-2014-5461 in its embedded lua5.1 copy. Freeciv can actually be built against the system lua5.1 version (which has already been patched for the security flaw), but this was not done for Freeciv 2.4.1 in Mageia 4.

So since an update must be made, I also include the numerous bug fixes and minor new features of the 2.4.x stable branch.

Comment 1 Rémi Verschelde 2015-01-13 22:29:47 CET
Suggested advisory:
===================

Updated freeciv packages to latest bugfix version, also fixing security vulnerability

  Freeciv 2.4.1 in Mageia 4 was built against an embedded version of lua 5.1,
  vulnerable to the following security issue:

  A heap-based overflow vulnerability was found in the way Lua handles varargs
  functions with many fixed parameters called with few arguments, leading to
  application crashes or, potentially, arbitrary code execution (CVE-2014-5461,
  mga#14038).

  As of this update, Freeciv is now built against the patched system version
  of lua 5.1.

  This update also provides Freeciv 2.4.4, a maintenance release in the 2.4.x
  stable branch with numerous bug fixes and minor new features.
  See the referenced release notes for details.

References:
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
 - https://bugs.mageia.org/show_bug.cgi?id=14038
 - http://freeciv.wikia.com/wiki/NEWS-2.4.2
 - http://freeciv.wikia.com/wiki/NEWS-2.4.3
 - http://freeciv.wikia.com/wiki/NEWS-2.4.4


RPMS in core/updates_testing:
=============================
freeciv-client-2.4.4-1.mga4
freeciv-data-2.4.4-1.mga4.noarch
freeciv-server-2.4.4-1.mga4

from SRPM:
freeciv-2.4.4-1.mga4

CC: (none) => lists.jjorge
Source RPM: (none) => freeciv-2.4.1-1.mga4
Assignee: bugsquad => qa-bugs
Component: RPM Packages => Security

Comment 2 claire robinson 2015-01-20 17:54:18 CET
Lua was already updated and pushed so it's sufficient to test this game is still working with the update installed.

Whiteboard: (none) => has_procedure

Comment 3 William Kenney 2015-01-20 18:50:21 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
freeciv-server freeciv-client

default install of freeciv-server & freeciv-client

[root@localhost wilcal]# urpmi freeciv-client
Package freeciv-client-2.4.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi freeciv-server
Package freeciv-server-2.4.1-1.mga4.i586 is already installed

install creates Menu -> Games -> Freeciv & Freeciv server launch icons
Launching Freeciv I can play the game.
Launching Freeciv server then launching Freeciv I can connect to the
freeciv server at localhost:5556 and start a game.

install freeciv-server & freeciv-client from updates_testing

[root@localhost wilcal]# urpmi freeciv-client
Package freeciv-client-2.4.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi freeciv-server
Package freeciv-server-2.4.4-1.mga4.i586 is already installed

Launching Freeciv I can play the game.
Launching Freeciv server then launching Freeciv I can connect to the
freeciv server at localhost:5556 and start a game.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: has_procedure => has_procedure MGA4-32-OK
CC: (none) => wilcal.int

Comment 4 William Kenney 2015-01-20 19:05:01 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
freeciv-server freeciv-client

default install of freeciv-server & freeciv-client

[root@localhost wilcal]# urpmi freeciv-client
Package freeciv-client-2.4.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi freeciv-server
Package freeciv-server-2.4.1-1.mga4.x86_64 is already installed

install creates Menu -> Games -> Freeciv & Freeciv server launch icons
Launching Freeciv I can play the game.
Launching Freeciv server then launching Freeciv I can connect to the
freeciv server at localhost:5556 and start a game.

install freeciv-server & freeciv-client from updates_testing

[root@localhost wilcal]# urpmi freeciv-client
Package freeciv-client-2.4.4-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi freeciv-server
Package freeciv-server-2.4.4-1.mga4.x86_64 is already installed

Launching Freeciv I can play the game.
Launching Freeciv server then launching Freeciv I can connect to the
freeciv server at localhost:5556 and start a game.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 5 William Kenney 2015-01-20 19:06:01 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update

Comment 6 claire robinson 2015-01-20 19:17:39 CET
Advisory uploaded.

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

Comment 7 Mageia Robot 2015-01-21 18:15:57 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0034.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-22 18:23:00 CET

URL: (none) => http://lwn.net/Vulnerabilities/610398/

