A CVE has been requested for a security issue fixed upstream in remind:
http://openwall.com/lists/oss-security/2015/07/29/2

The issue is fixed in version 3.1.15. A patch to fix the issue is in the message above.

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Updates submitted to the build system.
Thanks Shlomi! This can be tested now. See the link in Comment 0 (and the links therein) for more details. Advisory to come later.

Updated packages in core/updates_testing:
========================
remind-03.01.13-2.1.mga4
remind-gui-03.01.13-2.1.mga4
remind-03.01.13-4.1.mga5
remind-gui-03.01.13-4.1.mga5

from SRPMS:
remind-03.01.13-2.1.mga4.src.rpm
remind-03.01.13-4.1.mga5.src.rpm
Assignee: shlomif => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
CC: (none) => shlomif
Version: Cauldron => 5
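The candidate builds above carry a backported fix, so their upstream version string (03.01.13) stays below the upstream fixed release (3.1.15). The following added example (not code from this bug report or from the remind project) shows why a version-only scanner would still flag the patched packages: it compares Mageia NEVR strings with a simplified rpm-style version comparison and checks the release tag against the patched builds listed in this report. The PATCHED table and the helper names are assumptions constructed for this example.

```python
import re

# Constructed from the package names listed in this bug report: the builds in
# core/updates_testing that carry the backported DumpSysVar() fix.
PATCHED = {"mga4": "03.01.13-2.1.mga4", "mga5": "03.01.13-4.1.mga5"}
UPSTREAM_FIXED = "3.1.15"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpm version comparison: split into digit and alpha runs,
    compare digit runs numerically (leading zeros ignored) and alpha runs
    lexically; a digit run sorts after an alpha run at the same position."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # The string with segments left over is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_vr(vr):
    """Split 'version-release' at the last dash, e.g. '03.01.13-2.1.mga4'."""
    version, _, release = vr.rpartition("-")
    return version, release


def vr_cmp(a, b):
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_vr, dist):
    """True when the installed Mageia build is at or above the patched one."""
    return vr_cmp(installed_vr, PATCHED[dist]) >= 0


def upstream_version_at_least(installed_vr, upstream):
    """Naive check a scanner might do: compare only the upstream version part."""
    return rpmvercmp(split_vr(installed_vr)[0], upstream) >= 0
```

Checking the build from updates_testing with is_patched() reports it as fixed, while upstream_version_at_least() on the same package still says it is below 3.1.15, which is the false positive a backported fix produces in version-only checks.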
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: remind remind-gui

default install of remind & remind-gui

Does not seem to come with a desktop icon.

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-2.mga4.i586 is already installed

I can create, modify and delete reminders in the calendar.

install remind & remind-gui from updates_testing

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-2.1.mga4.i586 is already installed

I can create, modify and delete reminders in the calendar.
I can create, modify and delete previously created reminders in the calendar.
CC: (none) => wilcal.int
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: remind remind-gui

default install of remind & remind-gui

Does not seem to come with a desktop icon.

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-2.mga4.x86_64 is already installed

I can create, modify and delete reminders in the calendar.

install remind & remind-gui from updates_testing

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-2.1.mga4.i586 is already installed

I can create, modify and delete reminders in the calendar.
I can create, modify and delete previously created reminders in the calendar.
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: remind remind-gui

default install of remind & remind-gui

Does not seem to come with a desktop icon.

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-4.mga5.i586 is already installed

I can create, modify and delete reminders in the calendar.

install remind & remind-gui from updates_testing

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-4.1.mga5.i586 is already installed

I can create, modify and delete reminders in the calendar.
I can create, modify and delete previously created reminders in the calendar.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: remind remind-gui

default install of remind & remind-gui

Does not seem to come with a desktop icon.

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-4.mga5.x86_64 is already installed

I can create, modify and delete reminders in the calendar.

install remind & remind-gui from updates_testing

[root@localhost wilcal]# urpmi remind
Package remind-03.01.13-4.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi remind-gui
Package remind-gui-03.01.13-4.1.mga5.x86_64 is already installed

I can create, modify and delete reminders in the calendar.
I can create, modify and delete previously created reminders in the calendar.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This update works fine. Testing complete for mga4 & mga5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates? Thanks.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Removing the validated_update keyword until an advisory is available.
Keywords: validated_update => (none)
CC: (none) => davidwhodgins
Still no response to the CVE request. Here's an advisory for now.

Advisory:
========================

Updated remind packages fix security vulnerability:

Buffer overflow in remind before 3.1.15 in the DumpSysVar() function in src/var.c.

References:
http://openwall.com/lists/oss-security/2015/07/29/2
http://lists.roaringpenguin.com/pipermail/remind-fans/2015/003172.html
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0299.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/653377/
CVE-2015-5957 finally assigned:
http://openwall.com/lists/oss-security/2015/08/07/1

Could someone update the advisory in SVN?

Advisory:
========================

Updated remind packages fix security vulnerability:

Buffer overflow in remind before 3.1.15 in the DumpSysVar() function in src/var.c (CVE-2015-5957).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5957
http://lists.roaringpenguin.com/pipermail/remind-fans/2015/003172.html
http://openwall.com/lists/oss-security/2015/08/07/1
Summary: remind new buffer overflow security issue fixed upstream in 3.1.15 => remind new buffer overflow security issue fixed upstream in 3.1.15 (CVE-2015-5957)
Advisory updated in SVN.