Bug 15853 - virtuoso-opensource multiple security issues fixed upstream in 7.2.0
Summary: virtuoso-opensource multiple security issues fixed upstream in 7.2.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/650633/
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA5...
Keywords: validated_update
Depends on:
Blocks: 14674
Reported: 2015-05-05 18:40 CEST by David Walser
Modified: 2015-07-09 19:04 CEST (History)
CC: 5 users

See Also:
Source RPM: virtuoso-opensource-6.1.6-7.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-05-05 18:40:37 CEST
Florian Weimer from RedHat pointed out that multiple security issues were fixed upstream in virtuoso-opensource in the last couple years:
http://openwall.com/lists/oss-security/2015/05/05/12

These are all fixed in the newest release 7.2.0.

It looks like we could fix these by updating to 6.1.8 and adding commits 4ae3693 and 58568be.

David Walser 2015-05-05 18:40:51 CEST

CC: (none) => lmenut
Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Luc Menut 2015-06-18 22:51:34 CEST
Hum, we should be careful with this update.
Most distributions still use virtuoso-opensource 6.1.6 because 6.1.7 has a regression which breaks things in KDE. I don't know if this was fixed in 6.1.8 or not.
But Fedora and openSUSE still use virtuoso-opensource 6.1.6, and they haven't pushed a security fix for now.

https://mail.kde.org/pipermail/release-team/2013-August/007313.html
-------- Forwarded message --------
Subject: Regression with Virtuoso 6.1.7
Date: Thu, 29 Aug 2013 20:33:28 +0530
From: Vishesh Handa <me@vhanda.in>
Reply-To: KDE release coordination <release-team@kde.org>
To: KDE release coordination <release-team@kde.org>, kde-packagers@kde.org

Hey guys

Please do not ship virtuoso 6.1.7 with KDE 4.11. It contains a
regression which breaks ratings and maybe many more things. I'm in
contact with the virtuoso team, and hopefully they will fix it soon.

Fixing this from our end would require a big change in Soprano and
many parts of Nepomuk. This is not something we want to do.

@Release team:

Do you think I should explicitly block 6.1.7 on a Nepomuk level? I
would just need to revert 0e01d5b5 from nepomuk-core.

-- 
Vishesh Handa
Comment 2 David Walser 2015-06-18 22:53:58 CEST
Yes, we know.  I already knew about the regression in 6.1.7 and talked to Nicolas about this on IRC.  This is why we didn't push this update at the time I filed this.  We'll have to test it carefully.
Comment 3 Sander Lepik 2015-06-27 20:20:18 CEST
Ping..

CC: (none) => mageia

Comment 4 David Walser 2015-07-04 21:53:35 CEST
Sounds like 6.1.8 should be safe:
https://mail.kde.org/pipermail/nepomuk/2013-December/004854.html

7.1.0 is not, though; it drops support for i586. Frugalware had skipped 6.1.7 like everyone else, but did go back to 6.1.8 after trying 7.x:
http://www4.frugalware.org/pub/linux/distributions/frugalware/frugalware-2.0/source/apps/virtuoso/Changelog

I've checked the update into SVN for Mageia 4, Mageia 5, and Cauldron, but not pushed to the build system yet.

I was going to try to run the nepomuk-core test suite like the upstream mailing list reference I posted said, but I can't figure out how to run it.
Comment 5 David Walser 2015-07-05 01:01:25 CEST
I figured out how to run the nepomuk-core test suite.

Check out nepomuk-core from SVN:
mgarepo co -d 4 nepomuk-core

Build it locally:
cd nepomuk-core
bm -ls
(as root) urpmi SRPMS/nepomuk-core-4.12.5-1.mga4.src.rpm
bm -l

Run test suite:
cd BUILD/nepomuk-core-4.12.5
cd build/autotests; ctest -VV

With virtuoso-opensource 6.1.6:

100% tests passed, 0 tests failed out of 10

Total Test time (real) = 417.31 sec

With virtuoso-opensource 6.1.8:

100% tests passed, 0 tests failed out of 10

Total Test time (real) = 484.30 sec
Comment 6 David Walser 2015-07-05 02:12:18 CEST
Correction to the test procedure.  Had to have virtuoso-opensource, nepomuk-core, and x11-server-xvfb installed.

Run test suite:
cd BUILD/nepomuk-core-4.12.5
cd build/autotests
cd lib/tools
source runNepomukTest.sh (this killed my shell)
(new shell session)
cd nepomuk-core/BUILD/nepomuk-core-4.12.5/build/autotests
ctest -VV
Comment 7 David Walser 2015-07-05 02:23:59 CEST
On Mageia 5, it's 4.14.3 instead of 4.12.5.

With virtuoso-opensource 6.1.6:

100% tests passed, 0 tests failed out of 10

Total Test time (real) = 460.72 sec

With virtuoso-opensource 6.1.8:

100% tests passed, 0 tests failed out of 10

Total Test time (real) = 471.97 sec
Comment 8 David Walser 2015-07-05 02:44:08 CEST
Just in case there's any concern over the times, I ran it again on mga4:

100% tests passed, 0 tests failed out of 10

Total Test time (real) = 431.43 sec

Also, I don't know if the runNepomukTest.sh was needed, and I had also done source nepomuk-sandbox-begin.sh in that same directory, and don't know if that was needed.

I guess I fiddled a bit, but I got it to run and have run several successful tests on Mageia 4 and Mageia 5 i586.

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK
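
The before/after comparison in comments 5 to 8 (run the nepomuk-core autotests once with virtuoso-opensource 6.1.6 and once with 6.1.8, then compare the ctest summaries) is done by eye above. The script below is an added example, not the reporter's procedure or anything from the nepomuk-core or Mageia repositories: it parses the `N% tests passed, M tests failed out of T` summary and the `The following tests FAILED:` list that ctest prints, and reports only tests that fail with the candidate package but passed with the baseline. It assumes the two runs were captured with something like `ctest -VV 2>&1 | tee ctest-6.1.6.log` from the autotests build directory; the log excerpts embedded in it are constructed sample data, and the test names in them (`querytest`, `resourcetest`) are placeholders rather than real nepomuk-core tests.

```shell
#!/bin/sh
# Added example (not the reporter's script): compare two ctest runs of the
# nepomuk-core autotests, one with the current virtuoso-opensource package
# and one with the update, and flag any test that newly fails.
#
# Assumed capture step (not run here), from the autotests build directory:
#   ctest -VV 2>&1 | tee ctest-6.1.6.log   # before installing the update
#   ctest -VV 2>&1 | tee ctest-6.1.8.log   # after installing the update
#
# The log excerpts below are constructed sample data in the format ctest
# prints; the test names in them are placeholders, not nepomuk-core tests.

# parse_ctest_summary LOG -> "<passed> <failed> <total>", taken from the line
# "100% tests passed, 0 tests failed out of 10". Returns 2 if there is none.
parse_ctest_summary() {
    pcs_line=$(grep -E '^[0-9]+% tests passed, [0-9]+ tests? failed out of [0-9]+' "$1" | tail -n 1)
    if [ -z "$pcs_line" ]; then
        echo "no ctest summary in $1 (did ctest run at all?)" >&2
        return 2
    fi
    pcs_failed=$(printf '%s\n' "$pcs_line" | sed -E 's/.*, ([0-9]+) tests? failed out of [0-9]+.*/\1/')
    pcs_total=$(printf '%s\n' "$pcs_line" | sed -E 's/.*out of ([0-9]+).*/\1/')
    echo "$((pcs_total - pcs_failed)) $pcs_failed $pcs_total"
}

# failed_tests LOG -> names of failed tests, one per line. ctest lists them
# after the summary as "<tab>  3 - querytest (Failed)".
failed_tests() {
    sed -n '/^The following tests FAILED:/,$p' "$1" \
        | grep -E '^[[:space:]]*[0-9]+ - ' \
        | sed -E 's/^[[:space:]]*[0-9]+ - ([^ ]+).*/\1/'
}

# compare_runs BASELINE_LOG CANDIDATE_LOG -> 0 when the candidate run has the
# same number of tests and no failure the baseline did not already have;
# 1 on a regression (names go to stderr); 2 if a log has no summary.
compare_runs() {
    cr_base=$(parse_ctest_summary "$1") || return 2
    cr_cand=$(parse_ctest_summary "$2") || return 2
    cr_base_total=${cr_base##* }
    cr_cand_total=${cr_cand##* }
    if [ "$cr_base_total" != "$cr_cand_total" ]; then
        echo "test count changed: $cr_base_total -> $cr_cand_total" >&2
        return 1
    fi
    cr_regressions=""
    for cr_t in $(failed_tests "$2"); do
        # a test that already failed with the old package is not a regression
        if ! failed_tests "$1" | grep -qxF "$cr_t"; then
            cr_regressions="$cr_regressions $cr_t"
        fi
    done
    if [ -n "$cr_regressions" ]; then
        echo "regressions with the candidate package:$cr_regressions" >&2
        return 1
    fi
    echo "no regression: $cr_cand_total tests, none newly failing"
}

# --- constructed sample logs (placeholder content) ----------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
BASE_LOG=$DEMO_DIR/ctest-6.1.6.log
GOOD_LOG=$DEMO_DIR/ctest-6.1.8.log
BAD_LOG=$DEMO_DIR/ctest-regressed.log

printf '%s\n' 'Test project /tmp/nepomuk-core/build' '' \
    '100% tests passed, 0 tests failed out of 10' '' \
    'Total Test time (real) = 417.31 sec' > "$BASE_LOG"
printf '%s\n' 'Test project /tmp/nepomuk-core/build' '' \
    '100% tests passed, 0 tests failed out of 10' '' \
    'Total Test time (real) = 484.30 sec' > "$GOOD_LOG"
printf '%s\n' 'Test project /tmp/nepomuk-core/build' '' \
    '80% tests passed, 2 tests failed out of 10' '' \
    'Total Test time (real) = 390.12 sec' '' \
    'The following tests FAILED:' > "$BAD_LOG"
printf '\t  3 - querytest (Failed)\n\t  7 - resourcetest (Failed)\nErrors while running CTest\n' >> "$BAD_LOG"

compare_runs "$BASE_LOG" "$GOOD_LOG"         # no regression
compare_runs "$BASE_LOG" "$BAD_LOG" || true  # reports querytest resourcetest
```

The script deliberately ignores the `Total Test time` line: the runs above differ by a minute or so between 6.1.6 and 6.1.8, and the rerun in comment 8 shows that spread is noise on this suite, so pass/fail per test is the only signal worth gating on.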

Comment 9 David Walser 2015-07-05 02:55:09 CEST
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

I have run successful tests, see the previous comments for how.

Advisory:
========================

Updated virtuoso-opensource packages fix security vulnerabilities:

The virtuoso-opensource package has been updated to version 6.1.8 and two
additional upstream patches from versions 7.1.0 and 7.2.0 with additional
fixes for unspecified security issues have been added.

References:
http://openwall.com/lists/oss-security/2015/05/05/12
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews2013
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews
========================

Updated packages in core/updates_testing:
========================
virtuoso-opensource-6.1.8-1.mga4
virtuoso-opensource-applications-6.1.8-1.mga4
virtuoso-opensource-jars-6.1.8-1.mga4
virtuoso-opensource-6.1.8-1.mga5
virtuoso-opensource-applications-6.1.8-1.mga5
virtuoso-opensource-jars-6.1.8-1.mga5

from SRPMS:
virtuoso-opensource-6.1.8-1.mga4.src.rpm
virtuoso-opensource-6.1.8-1.mga5.src.rpm

CC: (none) => mageia
Assignee: mageia => qa-bugs

Comment 10 Dave Hodgins 2015-07-05 03:54:47 CEST
Advisory committed to svn, and update validated.

Someone from the sysadmin team please push 15853.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK => MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 11 Mageia Robot 2015-07-09 00:03:44 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0269.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-07-09 19:04:31 CEST

URL: (none) => http://lwn.net/Vulnerabilities/650633/

