CVEs have been requested for two upstream advisories affecting workspace: http://openwall.com/lists/oss-security/2015/01/16/15 Upstream commits for plasma-workspace are linked in that message. No fix for kdebase4-workspace is listed. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
CVE-2015-1307 and CVE-2015-1308: http://openwall.com/lists/oss-security/2015/01/22/6
Summary: kdebase4-workspace and plasma-workspace new security issues fixed upstream => kdebase4-workspace and plasma-workspace new security issues CVE-2015-130[78]
Blocks: (none) => 14674
upstream references: https://www.kde.org/info/security/advisory-20150122-1.txt https://www.kde.org/info/security/advisory-20150122-2.txt (In reply to David Walser from comment #0) > > No fix for kdebase4-workspace is listed. yep, it seems that KDE doesn't plan to fix this issue in kde-workspace 4.11. They only suggest to use the "Screen locker type" "Screen saver". This is the one that we use by default in Mageia. "On kde-workspace using the "Screen locker type" "Screen saver" instead of the default "Simple locker" can circumvent the problem." see "Why screen lockers on X11 cannot be secure" - Martin GräÃlin http://blog.martin-graesslin.com/blog/2015/01/why-screen-lockers-on-x11-cannot-be-secure or on planet KDE https://planetkde.org/
CC: (none) => lmenutHardware: i586 => AllAssignee: lmenut => mageiaSource RPM: kdebase4-workspace-4.11.14-4.mga5.src.rpm, plasma-workspace-5.1.2-8.mga5.src.rpm => plasma-workspace-5.1.2-8.mga5.src.rpmWhiteboard: MGA4TOO => (none)
Just to point out something unrelated in the build log for this package: -- The following OPTIONAL packages have not been found: * Prison (required version >= 1.2.0) , Prison library , <http://projects.kde.org/prison> Needed to create mobile barcodes from clipboard data (no stable release currently) As it says, there's no stable release of 1.2.0 upstream currently, but omdv does have a snapshot of it packaged (nobody else does yet). You might want to consider doing the same and rebuilding this package (as well as kdebase4-workspace and kdepimlibs4), but I'll leave that up to you.
I added the upstream patches to plasma-workspace. They depend on KWayland, and specifically version 5.2.0, because that's the first version that builds the wayland-server library. It's just commented out in one of the CMakeLists in kwayland 5.1.2. I uncommented it and built it so that plasma-workspace could build. It was then missing some of the kwayland-server API that it needed, so I tried to add those pieces, but there keep being more API pieces missing. Ultimately, we need to update Plasma 5 to 5.2.0 for mga5 to fix this.
(In reply to David Walser from comment #4) > I added the upstream patches to plasma-workspace. They depend on KWayland, > and specifically version 5.2.0, because that's the first version that builds > the wayland-server library. It's just commented out in one of the > CMakeLists in kwayland 5.1.2. I uncommented it and built it so that > plasma-workspace could build. It was then missing some of the > kwayland-server API that it needed, so I tried to add those pieces, but > there keep being more API pieces missing. > > Ultimately, we need to update Plasma 5 to 5.2.0 for mga5 to fix this. yep, we need to update Plasma 5 to 5.2.0 to fix CVE-2015-1308. I've just pushed plasma-workspace-5.1.2-9.mga5 with only the fix for CVE-2015-1307, it's better than nothing.
Summary: kdebase4-workspace and plasma-workspace new security issues CVE-2015-130[78] => plasma-workspace new security issues CVE-2015-130[78]
OpenSuSE has issued an advisory for the Qt 5.4.1, KF5 5.7.0, and Plasma 5.2.1 update today (March 13): http://lists.opensuse.org/opensuse-updates/2015-03/msg00040.html
Minor security issue fixed in Qt5 5.4.1, FYI: https://bugzilla.redhat.com/show_bug.cgi?id=1204795
(In reply to David Walser from comment #7) > Minor security issue fixed in Qt5 5.4.1, FYI: > https://bugzilla.redhat.com/show_bug.cgi?id=1204795 LWN reference: http://lwn.net/Vulnerabilities/639231/
OpenSuSE update to KF5 5.8.0 and Plasma 5.2.2 for OpenSuSE 13.2: http://lists.opensuse.org/opensuse-updates/2015-04/msg00022.html
(In reply to David Walser from comment #8) > (In reply to David Walser from comment #7) > > Minor security issue fixed in Qt5 5.4.1, FYI: > > https://bugzilla.redhat.com/show_bug.cgi?id=1204795 > > LWN reference: > http://lwn.net/Vulnerabilities/639231/ That bug is actually in qtwebkit. I've filed Bug 15749 for it. There's also more security issues in qtbase5 itself (and qt4) which have been recently announced, which I've filed as Bug 15750. These will be fixed in 4.8.7 and 5.4.2.
Whiteboard: (none) => MGA5TOO
I'm guessing that this is now fixed for cauldron, but is there any progress on mga5?
CC: (none) => mageia
(In reply to Sander Lepik from comment #11) > I'm guessing that this is now fixed for cauldron, but is there any progress > on mga5? The updates are still in progress in Cauldron, although these particular issues are fixed there now, yes. It'll probably be a while before Nicolas is ready to update KF5 and Plasma 5 in Mageia 5. However, I don't know why the Qt5 5.4.2 update hasn't been built yet.
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
So as of now, the planned update would be Qt5 5.4.2, KF5 5.13.0, and Plasma 5.4.0. Is there any progress on any of this?
KDE has issued an advisory today (February 9): https://www.kde.org/info/security/advisory-20160209-1.txt CVE-2016-2312 has been assigned: http://openwall.com/lists/oss-security/2016/02/09/5 This will be addressed in Cauldron when we update to 5.5.5. This will need to be addressed when we (finally) do the Mageia 5 update as well.
Summary: plasma-workspace new security issues CVE-2015-130[78] => plasma-workspace new security issues CVE-2015-130[78] and CVE-2016-2312
(In reply to David Walser from comment #14) > KDE has issued an advisory today (February 9): > https://www.kde.org/info/security/advisory-20160209-1.txt > > CVE-2016-2312 has been assigned: > http://openwall.com/lists/oss-security/2016/02/09/5 LWN reference: http://lwn.net/Vulnerabilities/675045/
(In reply to David Walser from comment #15) > (In reply to David Walser from comment #14) > > KDE has issued an advisory today (February 9): > > https://www.kde.org/info/security/advisory-20160209-1.txt > > > > CVE-2016-2312 has been assigned: > > http://openwall.com/lists/oss-security/2016/02/09/5 > > LWN reference: > http://lwn.net/Vulnerabilities/675045/ Fedora has issued an advisory for this on February 21: https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177557.html
OpenSuSE has issued advisories for Qt5 5.5.1 and KF5 5.19.0 today (March 1): http://lists.opensuse.org/opensuse-updates/2016-03/msg00000.html http://lists.opensuse.org/opensuse-updates/2016-03/msg00001.html Fixes include ones for security issues. LWN references: http://lwn.net/Vulnerabilities/678161/ http://lwn.net/Vulnerabilities/678163/ Also, Plasma 5.5.5 is now available, fixing CVE-2016-2312: https://www.kde.org/announcements/plasma-5.5.5.php
Given the complexity of the KF5/Plasma5 ecosystem, I'm not sure that we will realistically be able to provide a more recent version in Mageia 5 to fix those security vulnerabilities. It's already quite difficult to get right in Cauldron itself. Eventually it's Nicolas' call, but I'd be tempted to say that this issue will end up as WONTFIX (on the other hand security bugs in Qt5 should be fixed).
Honestly, it would be great if we could actually do this update, and do it before Mageia 6, and give people another platform on which to test Plasma before we release Mageia 6. There's already a KF5 update in updates_testing, so it just needs to be updated again, and then Plasma would be the last piece.
i finish the bug plasma5 part in cauldron and i look to this. I will look which plasma release i can update to in mga5
CVE request for KArchive issue fixed in KF5 5.24.0: http://openwall.com/lists/oss-security/2016/07/16/2
(In reply to David Walser from comment #21) > CVE request for KArchive issue fixed in KF5 5.24.0: > http://openwall.com/lists/oss-security/2016/07/16/2 CVE-2016-6232: http://openwall.com/lists/oss-security/2016/07/16/3
(In reply to David Walser from comment #22) > (In reply to David Walser from comment #21) > > CVE request for KArchive issue fixed in KF5 5.24.0: > > http://openwall.com/lists/oss-security/2016/07/16/2 > > CVE-2016-6232: > http://openwall.com/lists/oss-security/2016/07/16/3 http://lwn.net/Vulnerabilities/695323/
Given that KF5 5.25.0 just now bumped the Qt5 requirement to 5.5, I guess that means that KF5 5.24.0 should be buildable on Mageia 5.
CC: lmenut => (none)
KDE has issued an advisory on February 28: https://www.kde.org/info/security/advisory-20170228-1.txt The issue is fixed in kio 5.32. Moving it here from Bug 20403.
We weren't able to fix any of this for Mageia 5. Bummer.
Status: NEW => RESOLVEDResolution: (none) => OLD