Bug 22025 - konversation new security issue CVE-2017-15923
Summary: konversation new security issue CVE-2017-15923
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32...
Keywords: advisory, validated_update
Reported: 2017-11-14 23:04 CET by David Walser
Modified: 2017-11-19 12:20 CET

Source RPM: konversation-1.7.2-1.mga6.src.rpm

Description David Walser 2017-11-14 23:04:57 CET
Upstream has issued an advisory on November 11:
https://konversation.kde.org/

Debian has issued an advisory for this on November 13:
https://www.debian.org/security/2017/dsa-4033

The issue is fixed upstream in 1.7.3, already in Cauldron.

A patch for 1.5.x (Mageia 5) can be obtained from upstream's git or Debian.

David Walser 2017-11-14 23:05:08 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO

Comment 1 David GEIGER 2017-11-15 21:17:38 CET
Done also for mga5 and mga6!

Comment 2 David Walser 2017-11-15 23:10:10 CET
Advisory:
========================

Updated konversation package fixes security vulnerability:

Joseph Bisch discovered that Konversation could crash when parsing certain IRC
color formatting codes (CVE-2017-15923).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15923
https://konversation.kde.org/
https://www.debian.org/security/2017/dsa-4033
========================

Updated packages in core/updates_testing:
========================
konversation-1.5.1-1.1.mga5
konversation-1.7.3-1.mga6

from SRPMS:
konversation-1.5.1-1.1.mga5.src.rpm
konversation-1.7.3-1.mga6.src.rpm

Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde

Comment 3 Herman Viaene 2017-11-16 14:16:28 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
Started konversation and connected to #mageia, posted and got a reply.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 4 Herman Viaene 2017-11-16 16:17:49 CET
MGA6-32 on Asus A6000VM MATE
No installation issues
Connected to #mageia-qa, could post, got no answer. Presumed to be working.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 5 William Kenney 2017-11-16 19:49:53 CET
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
konversation

default install of konversation

[root@localhost wilcal]# urpmi konversation
Package konversation-1.7.2-1.mga6.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.

install konversation from updates_testing

[root@localhost wilcal]# urpmi konversation
Package konversation-1.7.3-1.mga6.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.

CC: (none) => wilcal.int

William Kenney 2017-11-16 19:50:09 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK

Comment 6 William Kenney 2017-11-16 20:00:27 CET
In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test:
konversation

default install of konversation

[root@localhost wilcal]# urpmi konversation
Package konversation-1.5.1-1.mga5.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.

install konversation from updates_testing

[root@localhost wilcal]# urpmi konversation
Package konversation-1.5.1-1.1.mga5.x86_64 is already installed

Konversation opens and I can get to #mageia, #mageia-qa & #mageia-meeting
and post a message to all of them.

William Kenney 2017-11-16 20:00:48 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

Comment 7 William Kenney 2017-11-16 20:01:47 CET
This update works fine.
Testing complete for Mageia 5 & 6, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Lewis Smith 2017-11-19 11:01:55 CET

Keywords: (none) => advisory

Comment 8 Mageia Robot 2017-11-19 12:20:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0419.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

