Bug 18437 - libksba new security issues CVE-2016-4574 and CVE-2016-4579
Summary: libksba new security issues CVE-2016-4574 and CVE-2016-4579
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/687395/
Whiteboard: has_procedure advisory mga5-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-11 18:11 CEST by David Walser
Modified: 2016-05-18 22:15 CEST (History)

See Also:
Source RPM: libksba-1.3.3-1.mga5.src.rpm
CVE:
Status comment:
Description David Walser 2016-05-11 18:11:26 CEST
libksba 1.3.4 fixes a couple of security issues and a bug.  From the NEWS file:

Noteworthy changes in version 1.3.4 (2016-05-03) [C19/A11/R4]
------------------------------------------------

 * Fixed two OOB read access bugs which could be used to force a DoS.

 * Fixed a crash due to faulty curve OID lookup code.

 * Synced the list of supported curves with those of Libgcrypt.

 * New configure option --enable-build-timestamp; a build timestamp is
   not anymore used by default.

The two OOB read accesses have been assigned CVEs:
http://openwall.com/lists/oss-security/2016/05/10/4
http://openwall.com/lists/oss-security/2016/05/11/10

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libksba packages fix security vulnerabilities:

An out-of-bounds read access in _ksba_dn_to_str() in libksba 1.3.3, due to an
incomplete fix for CVE-2016-4356, could result in denial of service
(CVE-2016-4574).

In libksba 1.3.3, the returned length of the object from _ksba_ber_parse_tl()
(ti.length) was not always checked against the actual buffer length, thus
leading to a read access after the end of the buffer, which could result in
denial of service (CVE-2016-4579).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4579
http://openwall.com/lists/oss-security/2016/05/10/4
http://openwall.com/lists/oss-security/2016/05/11/10
========================

Updated packages in core/updates_testing:
========================
libksba8-1.3.4-1.mga5
libksba-devel-1.3.4-1.mga5

from libksba-1.3.4-1.mga5.src.rpm
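The length-versus-buffer check the advisory describes for CVE-2016-4579, as an added example in C that is not libksba's own code: a minimal definite-length BER tag/length parser (hypothetical names parse_tl, announced_len, checked_len, struct tl_info) where the unchecked variant trusts the announced length and the checked variant rejects a header whose length exceeds the bytes left in the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical header info, modelled loosely on the "ti.length" the advisory mentions. */
struct tl_info {
    unsigned int tag;     /* low tag number; single-byte tags only in this example */
    int constructed;      /* 1 if the constructed bit (0x20) is set */
    size_t length;        /* content length announced by the header */
    size_t nhdr;          /* header bytes consumed (tag + length octets) */
};

/* Parse a tag/length header from buf[0..buflen). Returns 0 on success, -1 if the
   header itself is malformed or truncated. Does NOT check that the announced
   content length fits in the buffer: that is exactly the missing check. */
int parse_tl(const unsigned char *buf, size_t buflen, struct tl_info *ti)
{
    size_t pos = 0;
    if (buflen < 2) return -1;
    ti->tag = buf[pos] & 0x1f;
    ti->constructed = (buf[pos] & 0x20) != 0;
    if (ti->tag == 0x1f) return -1;            /* multi-byte tag numbers not handled here */
    pos++;
    unsigned char c = buf[pos++];
    if (c < 0x80) {                            /* short form: length in one octet */
        ti->length = c;
    } else {                                   /* long form: c & 0x7f length octets follow */
        size_t n = c & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > buflen - pos) return -1;
        size_t len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        ti->length = len;
    }
    ti->nhdr = pos;
    return 0;
}

/* Unchecked: returns whatever length the header claims, or -1 if unparseable. */
long announced_len(const unsigned char *buf, size_t buflen)
{
    struct tl_info ti;
    return parse_tl(buf, buflen, &ti) == 0 ? (long)ti.length : -1;
}

/* Checked: additionally refuses a length that would make the caller read past
   the end of the buffer, which is the read-after-end the advisory describes. */
long checked_len(const unsigned char *buf, size_t buflen)
{
    struct tl_info ti;
    if (parse_tl(buf, buflen, &ti) != 0) return -1;
    if (ti.length > buflen - ti.nhdr) return -1;   /* announced length overruns buffer */
    return (long)ti.length;
}
```

With a constructed header such as 04 10 'a' 'b' 'c' (OCTET STRING claiming 16 bytes, 3 present), announced_len() happily returns 16 while checked_len() returns -1.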
Comment 1 David Walser 2016-05-11 18:12:01 CEST
Testing information for this package is in a previous update, Bug 14663.

(Test using gpg2).

Whiteboard: (none) => has_procedure

Comment 2 claire robinson 2016-05-12 12:05:05 CEST
Follow: https://bugs.mageia.org/show_bug.cgi?id=11306#c3 replacing gpg with gpg2 commands.
Comment 3 claire robinson 2016-05-12 13:34:19 CEST
Testing complete mga5 64

Used first half of the procedure, up to recreating the file.

Whiteboard: has_procedure => has_procedure mga5-64-ok

David Walser 2016-05-13 18:22:23 CEST

URL: (none) => http://lwn.net/Vulnerabilities/687395/

Comment 4 David Walser 2016-05-14 05:28:04 CEST
Tested using the same part of the procedure as Claire, Mageia 5 i586.

Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok

Comment 5 David Walser 2016-05-17 21:21:01 CEST
LWN reference for CVE-2016-4579:
http://lwn.net/Vulnerabilities/687714/
Comment 6 David Walser 2016-05-17 21:24:23 CEST
Fedora has issued an advisory for this on May 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RMTIMWWDRTHPLGRGF4GHZ3AHGJ5PX2CX/

Severity: normal => major

Comment 7 claire robinson 2016-05-18 18:12:59 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 claire robinson 2016-05-18 18:31:36 CEST
advisory uploaded

Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure advisory mga5-32-ok mga5-64-ok

Comment 9 Mageia Robot 2016-05-18 22:15:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0181.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

