openSUSE has issued an advisory on July 29:
https://lists.opensuse.org/opensuse-updates/2017-07/msg00108.html

These CVEs were originally posted to oss-security last year:
http://openwall.com/lists/oss-security/2016/06/25/4
http://openwall.com/lists/oss-security/2016/12/15/5

I'm not 100% sure if they've all been fixed in 2.0.0 (in Mageia 6).
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Indeed these fixes weren't in 2.0.0. They were committed upstream later.

Advisory:
========================

Updated libical packages fix security vulnerabilities:

libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file (CVE-2016-5824).

The icaltime_from_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted string to the icalparser_parse_string function (CVE-2016-5827).

libical allows remote attackers to cause a denial of service (use-after-free) and possibly read heap memory via a crafted ics file (CVE-2016-9584).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5824
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9584
https://lists.opensuse.org/opensuse-updates/2017-07/msg00108.html
========================

Updated packages in core/updates_testing:
========================
libical1-1.0-4.1.mga5
libicalss1-1.0-4.1.mga5
libicalvcal1-1.0-4.1.mga5
libical-devel-1.0-4.1.mga5
libical2-2.0.0-2.1.mga6
libicalss2-2.0.0-2.1.mga6
libicalvcal2-2.0.0-2.1.mga6
libical-devel-2.0.0-2.1.mga6

from SRPMS:
libical-1.0-4.1.mga5.src.rpm
libical-2.0.0-2.1.mga6.src.rpm
Version: 5 => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => MGA5TOO
Keywords: (none) => advisory
CC: (none) => davidwhodgins
MGA5-32 on Dell Latitude D600 Xfce
No installation issues

# urpmq --whatrequires libical1
found a.o. orage

$ strace -o libical.txt orage
** Message: Orage **: 11:11:26 wakeup timer init 0
** Message: Orage **: 11:11:27 Wekkerlijst gemaakt voor hoofdbestand van Orage:
** Message: Orage **: 11:11:27 0 wekkers toegevoegd. 0 gebeurtenissen verwerkt.
** Message: Orage **: 11:11:27 Gevonden 0 wekkers, waarvan 0 actief (Gezocht 0 herhalende wekkers).
** Message: Orage **: 11:12:08 NEW appointment: 20180102
** Message: Orage **: 11:13:05 Added: O00.Orage-20180102T101305Z0-1000@mach6.hviaene.thuis
** Message: Orage **: 11:13:26 Archiveren niet ingeschakeld. Aan het afsluiten

I created an event in orage and found a call to libical and libicalss in the trace file.
OK for me.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
Testing M6/64

BEFORE update:
lib64ical2-2.0.0-2.mga6
lib64icalss2-2.0.0-2.mga6
lib64icalvcal2-2.0.0-2.mga6.x86_64

Tried orage, minimal usage worked:
open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libicalss.so.2", O_RDONLY|O_CLOEXEC) = 3

Tried Evolution, which worked for most things, calendar functions included; but not for e-mail.
$ strace evolution 2>&1 | grep libical
open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libicalvcal.so.2", O_RDONLY|O_CLOEXEC) = 17
Put this down to Evolution - it got its e-mail account knickers in a twist, even after uninstallation & re-installation.

AFTER update:
lib64ical2-2.0.0-2.1.mga6
lib64icalss2-2.0.0-2.1.mga6
lib64icalvcal2-2.0.0-2.1.mga6.x86_64

Orage worked OK (discovered how to add & play with an event).
Evolution calendar worked OK.
Tried AbiWord to insert a date in a document.
$ strace abiword 2>&1 | grep libical
open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3

Looks good for an OK. And in the circumstances, validation.
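A scripted version of the strace check used in the two test reports above, confirming that an application really loaded the libical objects from the updated package directory. This is an added example, not from the bug report; it assumes strace's open()/openat() output format, counts only successful opens, and uses a constructed sample trace.

```shell
#!/bin/sh
# Added example (not from the bug report): list the libical* objects an
# application actually loaded, from strace output of the kind quoted above.
# Only successful opens count; a failed lookup ("= -1 ENOENT ...") is not a
# loaded library, and newer strace/glibc shows openat() rather than open().

# Constructed sample trace, modelled on the lines quoted in the report.
SAMPLE_TRACE='open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libicalss.so.2", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libical.so.2", O_RDONLY|O_CLOEXEC) = 3'

# Print the unique paths of libical* objects whose open()/openat() succeeded
# (return value is a non-negative file descriptor).
loaded_libical_libs() {
    printf '%s\n' "$1" \
      | sed -n 's/^open\(at\)\{0,1\}([^"]*"\([^"]*libical[^"]*\)".*) = [0-9][0-9]*$/\2/p' \
      | LC_ALL=C sort -u
}

# Return 0 when every loaded libical object lives under the expected
# directory (/lib64 in the report), 1 when some other copy was picked up,
# and 2 when the run did not exercise libical at all.
libical_check() {
    libs=$(loaded_libical_libs "$1")
    [ -n "$libs" ] || return 2
    printf '%s\n' "$libs" | grep -qv "^$2/" && return 1
    return 0
}

# Typical use: strace -o libical.txt orage; libical_check "$(cat libical.txt)" /lib64
loaded_libical_libs "$SAMPLE_TRACE"
```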
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0021.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED