Bug 20809 - libetpan new security issue CVE-2017-8825
Summary: libetpan new security issue CVE-2017-8825
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-09 03:43 CEST by David Walser
Modified: 2017-06-28 12:12 CEST

See Also:
Source RPM: libetpan-1.7.2-1.mga6.src.rpm
CVE: CVE-2017-8825
Status comment:



Description David Walser 2017-05-09 03:43:47 CEST
A security issue fixed upstream in libetpan has been announced:
http://openwall.com/lists/oss-security/2017/05/08/6

The issue is fixed in 1.8.

The message above contains a link to the upstream commit that fixed the issue.

Mageia 5 is also affected.

David Walser 2017-05-09 03:43:54 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-05-09 07:41:53 CEST
Fixed in cauldron

Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Version: Cauldron => 5

Nicolas Lécureuil 2017-05-09 07:42:01 CEST

CVE: (none) => CVE-2017-8825

Comment 2 Marja Van Waes 2017-05-09 11:49:51 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 3 Mike Rambo 2017-06-14 20:18:24 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libetpan package fixes security vulnerability:

It was discovered that libetpan, a C language mail access and handling library that is used in a number of MUAs, contained a NULL dereference vulnerability in the MIME handling code (CVE-2017-8825).

References:
http://openwall.com/lists/oss-security/2017/05/08/6
========================

Updated packages in core/updates_testing:
========================
lib64etpan17-1.6-1.1.mga5
lib64etpan-devel-1.6-1.1.mga5
libetpan-debuginfo-1.6-1.1.mga5

from libetpan-1.6-1.1.mga5.src.rpm

CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-06-18 08:05:34 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Herman Viaene 2017-06-19 13:48:02 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Claws mail is dependent on libetpan17.
Opened Claws Mail and sent a message (including an attachment) and with
$ strace -o libetpan17 claws-mail 
found in the trace file
open("/lib/libetpan.so.17", O_RDONLY|O_CLOEXEC) = 3

So OK for me.

Whiteboard: advisory => advisory MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Lewis Smith 2017-06-27 20:33:52 CEST
Testing M5_64

 $ urpmq -i lib64etpan17
The purpose of this mail library is to provide a portable, efficient
framework for different kinds of mail access.
 $ urpmq --whatrequires lib64etpan17
 claws-mail
I use Claws-mail routinely.

BEFORE the update: lib64etpan17-1.6-1.mga5

AFTER the update: lib64etpan17-1.6-1.1.mga5
 $ strace claws-mail 2>&1 | grep libetpan
open("/lib64/libetpan.so.17", O_RDONLY|O_CLOEXEC) = 3

Sent a few messages to myself at 2 addresses, with attachment. All looks OK.
Validating; already advisoried.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-28 12:12:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0191.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

