A CVE has been assigned for a very minor security issue in libcryptopp:
http://openwall.com/lists/oss-security/2017/06/06/2

The message above contains a link to the upstream ticket which has patches to fix this. For some reason, even after accounting for the different line endings, I can't get the patch to apply, even though it looks OK.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa
Pushed fixed version [1] with a patch from Gentoo to core/updates_testing for mga5.

[1] libcryptopp-5.6.3-1.4.mga5
Freeze push requested for Cauldron's libcryptopp-5.6.5-3.mga6.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Assigning to QA, but an advisory is still needed before it can be validated.
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated libcryptopp packages fix security vulnerability:

Crypto++'s Zinflate class, used by classes like Gunzip and Inflator, could perform an out-of-bounds read when decompressing data (CVE-2017-9434).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9434
http://openwall.com/lists/oss-security/2017/06/06/2
========================

Updated packages in core/updates_testing:
========================
libcryptopp6-5.6.3-1.4.mga5
libcryptopp-devel-5.6.3-1.4.mga5
libcryptopp-progs-5.6.3-1.4.mga5

from libcryptopp-5.6.3-1.4.mga5.src.rpm
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Testing M5_64

Updated to:
- lib64cryptopp6-5.6.3-1.4.mga5.x86_64
- libcryptopp-progs-5.6.3-1.4.mga5.x86_64

Testing as per https://bugs.mageia.org/show_bug.cgi?id=19937#c7
$ cryptest v > tmp/cryptest_v
$ less tmp/cryptest_v
looking especially for fail|FAIL|Fail other than "Failed tests = 0".
fail: none
FAIL: none
Fail and not 'Failed tests = 0': none

As normal, the self-tests end with:
CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading

Update deemed OK.
CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Run cryptest as above, no failure occurred.
OK.
CC: (none) => herman.viaene
Whiteboard: advisory MGA5-64-OK => MGA5-64-OK MGA5-32-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0175.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED