libksba 1.3.5 has some security hardening, described in the quoted part at the bottom of this message: http://openwall.com/lists/oss-security/2016/08/22/7
to address the issues described in this message: http://openwall.com/lists/oss-security/2016/08/20/3

Fedora has issued an advisory for this on September 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KUORSGVTYHQQKX2AYN7ASGUMPKFCV3HJ/

I fixed this in Cauldron already on August 22, but we should update Mageia 5 too.
Assigning to all packagers collectively, since there is no registered maintainer for this package
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Updated package uploaded for Mageia 5.

Testing information for this package is in a previous update, Bug 14663. (Test using gpg2).

Advisory:
========================

Updated libksba packages fix security vulnerabilities:

It was found that an unproportionate amount of memory is allocated when parsing crafted certificates in libksba, which may lead to DoS. Moreover in libksba 1.3.4, allocated memory is uninitialized and could potentially contain sensitive data left in freed memory block.

References:
http://openwall.com/lists/oss-security/2016/08/20/3
http://openwall.com/lists/oss-security/2016/08/22/7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KUORSGVTYHQQKX2AYN7ASGUMPKFCV3HJ/
========================

Updated packages in core/updates_testing:
========================
libksba8-1.3.5-1.mga5
libksba-devel-1.3.5-1.mga5

from libksba-1.3.5-1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => has_procedure
MGA5-32 on AcerD620 Xfce
No installation issues.
Tested following bug11306 up to the deletion of the newly generated key. All successful.
Remark: I got warnings
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
but those did not stop the test.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Testing Mageia5 x64 real hardware.
Updated from installed lib64ksba8-1.3.4-1.mga5 to lib64ksba8-1.3.5-1.mga5 no probs.

Using procedure given in https://bugs.mageia.org/show_bug.cgi?id=11306#c3 adapted for gpg2 & summarised below for up-to-date-ness.
I must have a key of some sort already in place (for Advisories), so when the first passphrase/password was asked for (dialogue box), I was unsure whether it wanted a new one or the existing one. I gave the existing one.
For simplicity, better to give a real/user name as a *single string* to save quoting it in later commands.

Generate a key:
$ gpg2 --gen-key
[Lots of output & questions, where I accepted defaults where offered:]
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) [Enter]
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) [Enter]
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Lewis Smith
Email address: lewyssmith@rubbish.fr
Comment: Bug 19288
You selected this USER-ID:
    "Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
[Enigmatic dialogue, gave existing password]
[Same errors, ignored, noted in Comment 3]
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
We need to generate a lot of random bytes.
etc etc
[Long wait]
gpg: /home/lewis/.gnupg/trustdb.gpg: trustdb created
gpg: key 588DB37C marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/588DB37C 2016-09-16
      Key fingerprint = 0365 C16A 2FD1 F16F 471E  5925 1B18 24BC 588D B37C
uid       [ultimate] Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>
sub   2048R/500F5FEA 2016-09-16

Show it is there:
$ gpg2 --list-keys
/home/lewis/.gnupg/pubring.gpg
------------------------------
pub   2048R/588DB37C 2016-09-16
uid       [ultimate] Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>
sub   2048R/500F5FEA 2016-09-16

Create a test file:
$ echo "pgp2/lib64ksba8 test" > pgp2.txt
$ cat pgp2.txt
pgp2/lib64ksba8 test

Encrypt it:
$ gpg2 -e -r 'Lewis Smith' pgp2.txt
$ ls pgp2*
pgp2.txt  pgp2.txt.gpg

Then remove the original to allow for its subsequent decryption:
$ rm pgp2.txt

Decrypt the encrypted file:
$ gpg2 pgp2.txt.gpg
You need a passphrase to unlock the secret key for
user: "Lewis Smith (Bug 19288) <lewyssmith@free.fr>"
2048-bit RSA key, ID 500F5FEA, created 2016-09-16 (main key ID 588DB37C)
[Passphrase/password dialogue]
[Same errors, ignored, noted in Comment 3]
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
gpg: encrypted with 2048-bit RSA key, ID 500F5FEA, created 2016-09-16
      "Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>"

Check the result:
$ ls pgp2*
pgp2.txt  pgp2.txt.gpg
$ cat pgp2.txt
pgp2/lib64ksba8 test

Delete the keys:
$ gpg2 --delete-secret-keys 'Lewis Smith'
..
sec  2048R/588DB37C 2016-09-16 Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

$ gpg2 --delete-key 'Lewis Smith'
..
pub  2048R/588DB37C 2016-09-16 Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>
Delete this key from the keyring? (y/N) y

$ gpg2 --list-keys
gpg: checking the trustdb
gpg: no ultimately trusted keys found

This all seems OK.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
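A scripted, non-interactive form of the gpg2 round-trip check used in the test above, added here as an example; it is not from the bug report or the Mageia QA procedure. It assumes GnuPG 2.1 or later (for the %no-protection batch directive), runs in a throw-away GNUPGHOME so the tester's own keyring, trustdb and passphrase dialogue are never involved, and addresses the key by fingerprint so no name quoting is needed. The test identity, file names and plaintext are constructed.

```shell
#!/bin/sh
# Non-interactive libksba/gpg2 round-trip test (added example, not from the report).
# Assumes GnuPG 2.1+ (%no-protection). Prints ok, fail, or skipped (no gpg found).

gpg_roundtrip() {
    gpgbin=$(command -v gpg2 || command -v gpg || true)
    if [ -z "$gpgbin" ]; then
        echo skipped           # no GnuPG on this machine; nothing to exercise
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    export GNUPGHOME="$tmp"    # throw-away keyring: ~/.gnupg is never touched
    # Batch parameters: same key type/size as the manual test, a constructed
    # identity, and no passphrase so no pinentry dialogue can appear.
    cat > "$tmp/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Libksba Test
Name-Comment: constructed for the update test
Name-Email: libksba-test@example.invalid
Expire-Date: 0
%commit
EOF
    if ! "$gpgbin" --batch --quiet --gen-key "$tmp/params" 2>/dev/null; then
        rm -rf "$tmp"; echo fail; return 0
    fi
    # Primary-key fingerprint is the first "fpr" record in colon output.
    fpr=$("$gpgbin" --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    echo "pgp2/lib64ksba8 test" > "$tmp/plain.txt"
    "$gpgbin" --batch --quiet --yes --trust-model always -r "$fpr" \
        -o "$tmp/plain.txt.gpg" -e "$tmp/plain.txt"
    "$gpgbin" --batch --quiet --yes -o "$tmp/roundtrip.txt" -d "$tmp/plain.txt.gpg" 2>/dev/null
    result=fail
    if [ "$(cat "$tmp/roundtrip.txt" 2>/dev/null)" = "$(cat "$tmp/plain.txt")" ]; then
        result=ok
    fi
    # Clean up: delete both keys, stop the per-GNUPGHOME agent, drop the home.
    "$gpgbin" --batch --yes --delete-secret-and-public-keys "$fpr" 2>/dev/null || true
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "$result"
}
```

Run `gpg_roundtrip` after sourcing the file; "ok" means the updated library encrypted and decrypted the constructed file without altering it.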
Update validated, advisory uploaded (which lacks CVEs).
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0310.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED