Bug 21802 - weechat new security issue CVE-2017-14727
Summary: weechat new security issue CVE-2017-14727
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2017-10-02 23:43 CEST by David Walser
Modified: 2017-10-18 22:20 CEST (History)
7 users (show)

See Also:
Source RPM: weechat-1.9-3.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-10-02 23:43:14 CEST
openSUSE has issued an advisory on September 30:
https://lists.opensuse.org/opensuse-updates/2017-09/msg00123.html

The issue was fixed upstream in 1.9.1 and in a commit linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1060140

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-10-02 23:43:23 CEST

CC: (none) => jani.valimaa
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Mike Rambo 2017-10-06 15:45:11 CEST
Upgraded cauldron to 1.9.1. Added upstream patch to mga6 to fix the CVE. Working on modifying the patch for mga5 (or finding another distro who has already done so).

Assignee: pkg-bugs => mrambo
CC: (none) => mrambo

Comment 2 Mike Rambo 2017-10-06 17:02:57 CEST
Updated package uploaded for cauldron. Patched package uploaded for Mageia 6 and 5.

Advisory:
========================

Patched weechat package fixes security vulnerabilities:

It was discovered that logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash via strftime date/time specifiers, because a buffer is not initialized (CVE-2017-14727).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14727
https://security-tracker.debian.org/tracker/CVE-2017-14727
========================

Updated packages in core/updates_testing:
========================
weechat-1.7.1-1.1.mga6
weechat-aspell-1.7.1-1.1.mga6
weechat-charset-1.7.1-1.1.mga6
weechat-devel-1.7.1-1.1.mga6
weechat-guile-1.7.1-1.1.mga6
weechat-lua-1.7.1-1.1.mga6
weechat-perl-1.7.1-1.1.mga6
weechat-python-1.7.1-1.1.mga6
weechat-ruby-1.7.1-1.1.mga6
weechat-tcl-1.7.1-1.1.mga6

weechat-0.4.1-7.2.mga5
weechat-aspell-0.4.1-7.2.mga5
weechat-charset-0.4.1-7.2.mga5
weechat-devel-0.4.1-7.2.mga5
weechat-guile-0.4.1-7.2.mga5
weechat-lua-0.4.1-7.2.mga5
weechat-perl-0.4.1-7.2.mga5
weechat-python-0.4.1-7.2.mga5
weechat-ruby-0.4.1-7.2.mga5
weechat-tcl-0.4.1-7.2.mga5

from:
weechat-1.7.1-1.1.mga6.src.rpm
weechat-0.4.1-7.2.mga5.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=20756#c7

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Keywords: (none) => has_procedure
Assignee: mrambo => qa-bugs
Version: Cauldron => 6

Comment 3 PC LX 2017-10-07 17:07:34 CEST
Installed and tested without issues.

Tests included connecting to a server, joining a chat room, reading and posting messages and transfer files.

I don't usually use weechat, so can't say if all is working as expected, but all I tried seemed to work correctly.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.89-desktop-1.mga5 #1 SMP Wed Sep 27 16:25:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q weechat
weechat-0.4.1-7.2.mga5

CC: (none) => mageia

PC LX 2017-10-07 17:07:40 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 4 Len Lawrence 2017-10-08 19:29:36 CEST
Testing on mga6 for x86_64.

Needed a refresher on this one.  Installed everything in the list and familiarized myself with the interface and as before joined the Mageia QA channel without a password.    Nobody talking, waited a while and left.

Installed the updates and invoked weechat again.
Modified some of the default irc settings after consulting /help and /set irc.*.
Set an alias for chat.freenode.net and connected to freenode then
/join #mageia-qa.
Posted a couple of messages and left the chatroom.

We should really check out the scripting facilities but I suspect that might require too much involvement.

It all looks perfectly OK.

CC: (none) => tarazed25

Len Lawrence 2017-10-08 19:29:53 CEST

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 5 Lewis Smith 2017-10-09 20:16:57 CEST
Advisory from comments 2 + 0.
Validating as it has a good test for each of Mageia 5 & 6.

CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 6 Dave Hodgins 2017-10-14 01:12:20 CEST
Closing as Mageia robot failed to do so due to lack of permissions, which has
now been fixed.

Resolution: (none) => FIXED
CC: (none) => davidwhodgins
Status: NEW => RESOLVED

Comment 7 Mageia Robot 2017-10-18 22:20:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0369.html

Note You need to log in before you can comment on or make changes to this bug.