Bug 20561 - mbedtls new security issue CVE-2017-2784
Summary: mbedtls new security issue CVE-2017-2784
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2017-03-23 14:58 CET by David Walser
Modified: 2017-03-27 23:28 CEST (History)
3 users (show)

See Also:
Source RPM: mbedtls-1.3.18-1.mga5.src.rpm
Status comment:


Description David Walser 2017-03-23 14:58:43 CET
Upstream has issued an advisory on March 10:

The issue (and others) is fixed in 1.3.19:

openSUSE has issued an advisory for this on March 22:

Updates for Mageia 5 and Cauldron checked into SVN.  Freeze push requested.

Eventual advisory for this update below.


Updated mbedtls packages fix security vulnerabilities:

In mbedTLS before 1.3.19, if a malicious peer supplies a certificate with a
specially crafted secp224k1 public key, then an attacker can cause the server
or client to attempt to free block of memory held on stack. Depending on the
platform, this could result in a Denial of Service (client crash) or potentially
could be exploited to allow remote code execution with the same privileges as
the host application (CVE-2017-2784).

The mbedtls package has been updated to version 1.3.19, fixing this issue as
well as other security issues and bugs.


Updated packages in core/updates_testing:

from mbedtls-1.3.19-1.mga5.src.rpm
Comment 1 David Walser 2017-03-23 14:59:05 CET
The previous update was simply tested by running the mbedtls-selftest command.

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2017-03-24 00:15:08 CET
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory, packages, and testing information in Comment 0 and Comment 1.

Assignee: bugsquad => qa-bugs

Dave Hodgins 2017-03-25 00:43:06 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 3 Len Lawrence 2017-03-27 17:52:52 CEST
The preupdate packages were already installed.
Ran the mbedtls-selftest command and all tests were passed.
Installed the updates on x86_64 and ran the test command again.

Tailend of output:

  DHM parameter load: passed

  ENTROPY test: passed

  PBKDF2 (SHA1) #0: passed
  PBKDF2 (SHA1) #1: passed
  PBKDF2 (SHA1) #2: passed
  PBKDF2 (SHA1) #3: passed
  PBKDF2 (SHA1) #4: passed
  PBKDF2 (SHA1) #5: passed

  PBKDF2 (SHA1) #0: passed
  PBKDF2 (SHA1) #1: passed
  PBKDF2 (SHA1) #2: passed
  PBKDF2 (SHA1) #3: passed
  PBKDF2 (SHA1) #4: passed
  PBKDF2 (SHA1) #5: passed

  TIMING tests note: will take some time!
  TIMING test #1 (m_sleep   / get_timer): passed
  TIMING test #2 (set_alarm / get_timer): passed
  TIMING test #3 (hardclock / get_timer): passed
  TIMING test #4 (net_usleep/ get_timer): passed

  [ All tests passed ]

CC: (none) => tarazed25

Len Lawrence 2017-03-27 17:53:08 CEST

Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK

Comment 4 Len Lawrence 2017-03-27 18:08:36 CEST
Installed missing pre-update packages on i586 in virtualbox and ran the selftest.  All OK.

Installed the update and ran the mbedtls-selftest command again.  All tests passed.

OK for both architectures.  Can be validated.
Len Lawrence 2017-03-27 18:09:21 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-03-27 23:28:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.