Bug 20378 - libice new security issue CVE-2017-2626
Summary: libice new security issue CVE-2017-2626
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Duplicates: 25731
Depends on:
Blocks:
 
Reported: 2017-03-01 12:20 CET by David Walser
Modified: 2019-11-24 01:14 CET (History)
5 users

See Also:
Source RPM: libice-1.0.9-4.mga6.src.rpm
CVE: CVE-2017-2626
Status comment:


Description David Walser 2017-03-01 12:20:51 CET
Upstream has issued an advisory on February 28:
http://openwall.com/lists/oss-security/2017/02/28/3
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/

More info available here:
http://openwall.com/lists/oss-security/2017/03/01/1

Mageia 5 is also affected.
David Walser 2017-03-01 12:21:02 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Thierry Vignaud 2017-03-01 14:23:33 CET
I added BR on libbsd-devel for cauldron:
http://svnweb.mageia.org/packages?view=revision&revision=1088368
Nicolas Lécureuil 2017-04-24 16:19:42 CEST

Version: Cauldron => 5
CC: (none) => mageia
CVE: (none) => CVE-2017-2626
Whiteboard: MGA5TOO => (none)

Comment 2 Nicolas Lécureuil 2017-08-11 12:33:33 CEST
pushed in updates_testing for mageia 5

src.rpm:    libice-1.0.9-3.1.mga5

Assignee: thierry.vignaud => qa-bugs

Comment 3 David Walser 2017-08-11 14:14:59 CEST
Advisory:
========================

Updated libice packages fix security vulnerability:

libICE depends on arc4random() to generate the session cookies, thereby using a
weak mechanism to generate entropy (CVE-2017-2626).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2625
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
========================

Updated packages in core/updates_testing:
========================
libice6-1.0.9-3.1.mga5
libice-devel-1.0.9-3.1.mga5

from libice-1.0.9-3.1.mga5.src.rpm
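The advisory above describes the weak-entropy failure behind CVE-2017-2626. The following is an added example (not libICE's code and not part of this bug report): a hypothetical ICE-style 16-byte session cookie generator that draws from the kernel CSPRNG via getrandom(2), falls back to /dev/urandom, and fails closed instead of ever using rand(). It assumes a Linux system with glibc's sys/random.h.

```c
// Added example, not libICE code: generate an ICE-style 16-byte session
// cookie from the kernel CSPRNG. Assumes Linux with getrandom(2); falls back
// to /dev/urandom and otherwise fails closed (never rand()/time seeding).
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

#define ICE_COOKIE_LEN 16

/* Fill buf with len CSPRNG bytes. Returns 0 on success, -1 on failure. */
static int csprng_fill(unsigned char *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            break;                      /* e.g. ENOSYS on old kernels */
        }
        got += (size_t)n;
    }
    if (got == len) return 0;
    FILE *f = fopen("/dev/urandom", "rb");  /* fallback: refill from scratch */
    if (!f) return -1;
    got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Generate a session cookie; returns -1 and zeroes the buffer on failure. */
int ice_make_cookie(unsigned char cookie[ICE_COOKIE_LEN]) {
    if (csprng_fill(cookie, ICE_COOKIE_LEN) != 0) {
        memset(cookie, 0, ICE_COOKIE_LEN);
        return -1;
    }
    return 0;
}

/* Sanity check: 1 if every byte is identical (a degenerate cookie), else 0. */
int ice_cookie_looks_degenerate(const unsigned char cookie[ICE_COOKIE_LEN]) {
    for (size_t i = 1; i < ICE_COOKIE_LEN; i++)
        if (cookie[i] != cookie[0]) return 0;
    return 1;
}
```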
Comment 4 Herman Viaene 2017-08-25 14:38:13 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Loads of progs have a dependency on libice6. Traced a simple case: open some txt file with pluma.
Found call to libICE.so.6 in the trace, so OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 Lewis Smith 2017-08-25 21:23:23 CEST
@David
About to do the advisory, I noticed that the CVE-ID is not consistent. Neither 2625 nor 2626 go anywhere, both are RESERVED.
Ah. The reference includes (among others) both, but libICE is equated to 2626.
All that for the record. Advisory done with 2626.
And because this is M5 only, validating also.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-08-25 22:36:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0307.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2017-08-25 23:00:57 CEST
Lewis, there are no inconsistencies, as I consistently used 2626 here, which is the correct CVE for libice. Note that most CVEs say RESERVED because no description has been posted, but it also means that it *has* been assigned for something.
Comment 8 David Walser 2017-08-25 23:03:11 CEST
Ahh nevermind, I see it.
Comment 9 David Walser 2019-11-24 01:14:59 CET
*** Bug 25731 has been marked as a duplicate of this bug. ***

CC: (none) => zombie.ryushu

