Bug 22914 - mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989)
Summary: mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-15 22:08 CEST by David Walser
Modified: 2018-05-24 18:31 CEST (History)
8 users (show)

See Also:
Source RPM: mbedtls-2.7.0-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 2.7.2


Attachments

Description David Walser 2018-04-15 22:08:26 CEST
Upstream has released new versions on March 21:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released

There were several security and other bugfixes.

We should update to 2.7.2, and stay on the 2.7.x branch, even in Cauldron, as it is now an LTS branch:
https://tls.mbed.org/tech-updates/blog/our-next-lts-branch-mbedtls-2.7
David Walser 2018-04-15 22:08:34 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-15 22:16:10 CEST
Assigning to all packagers collectively, because the registered maintainer for this package is currently unavailable.

CC: (none) => marja11, oe, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-04-21 23:46:46 CEST
openSUSE has issued an advisory today (April 21):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00051.html

Two of the security fixes have CVEs.

Summary: mbedtls new security issues fixed upstream in 2.7.2 => mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989)

David Walser 2018-05-04 08:29:25 CEST

Status comment: (none) => Fixed upstream in 2.7.2

Stig-Ørjan Smelror 2018-05-08 10:35:45 CEST

Assignee: pkg-bugs => smelror

Comment 3 David Walser 2018-05-08 15:53:46 CEST
mbedtls-2.7.3-1.mga7 pushed to Cauldron by Stig-Ørjan.

Sysadmins, please remove mbedtls from mga6 core/updates_testing.  The wrong version was pushed there.

CC: (none) => sysadmin-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 4 Stig-Ørjan Smelror 2018-05-08 23:35:53 CEST
Advisory
========

mbedtls has been updated to fix two security issues.

CVE-2018-9988: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
CVE-2018-9989: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2018-9988
https://nvd.nist.gov/vuln/detail/CVE-2018-9989
https://lists.opensuse.org/opensuse-updates/2018-04/msg00051.html

mbedtls-2.7.3-1.mga6
lib64mbedtls-devel-2.7.3-1.mga6
lib64mbedtls10-2.7.3-1.mga6
mbedtls-debuginfo-2.7.3-1.mga6

from mbedtls-2.7.3-1.mga6.src.rpm

Rebuilt for the new mbedtls.

core/updates_testing
shadowsocks-libev-3.1.0-1.2.mga6
bctoolbox-0.2.0-4.2.mga6
hiawatha-10.4-1.2.mga6

tainted/updates_testing
dolphin-emu-5.0-5.2.mga6

Assignee: smelror => qa-bugs

Comment 5 claire robinson 2018-05-19 03:52:21 CEST
dolphin-emu was previously in core, but not in core release. Seems it is also in tainted and perhaps wasn't pushed as a tainted update, or perhaps should not have been built in core when it was last updated.

$ depcheck dolphin-emu
Mageia release 6 (Official) for x86_64
------------------
Core 32bit Updates
dolphin-emu-5.0-5.1.mga6
------------------
Core Updates
dolphin-emu-5.0-5.1.mga6
------------------
Core Updates Testing
dolphin-emu-5.0-5.2.mga6
------------------
Tainted 32bit Release
dolphin-emu-5.0-5.mga6.tainted
------------------
Tainted Release
dolphin-emu-5.0-5.mga6.tainted
------------------
Tainted Updates Testing
dolphin-emu-5.0-5.2.mga6.tainted


Could this be checked please.
Thanks

Whiteboard: (none) => feedback

Comment 6 David Walser 2018-05-19 18:21:55 CEST
So that's an issue with the previous update, not this one.

Sysadmins, would it be possible to remove the previous update from core/updates after this one is pushed?

Whiteboard: feedback => (none)

Comment 7 Herman Viaene 2018-05-21 15:58:16 CEST
MGA6-32 on IBM Thinkpad R50e Xfce
Installation: strange, I do not see any bctoolbox at all in the repo, but I find two libbctoolbox packages of the version indicated in Comment 4.
Installed those with the rest of the packages and run the test as per bug 20561:
# mbedtls-selftest

  MD5 test #1: passed
  MD5 test #2: passed
.... and at the end:

  TIMING tests note: will take some time!
  TIMING test #1 (set_alarm / get_timer): passed
  TIMING test #2 (set/get_delay        ): passed
  TIMING test #3 (hardclock / get_timer): failed (ignored)

  Executed 23 test suites

  [ All tests PASS ]
If the bctoolbox issue can be resolved, then I'll agree to OK  this.

CC: (none) => herman.viaene

Comment 8 Len Lawrence 2018-05-21 16:37:14 CEST
@Herman, comment 7
$ sudo urpmi bctoolbox
Package lib64bctoolbox0-0.2.0-4.1.mga6.x86_64 is already installed

So it looks like it is just a library, a toolbox for programmers probably.
$ locate bctoolbox
/usr/lib64/libbctoolbox.so.0
/usr/share/doc/lib64bctoolbox0
/usr/share/doc/lib64bctoolbox0/COPYING

So my advice is go ahead and OK it.

CC: (none) => tarazed25

Comment 9 Herman Viaene 2018-05-21 16:51:16 CEST
The master has spoken.

Whiteboard: (none) => MGA6-32-OK

Comment 10 Lewis Smith 2018-05-21 21:34:30 CEST
Advisory done as per comment 4; but note that the bug RPMs page has dolphin-emu in both core & tainted. Comments 5 & 6 have a bearing.

SRPMs from 'core-updates_testing'
========================
bctoolbox-0.2.0-4.2.mga6.src.rpm
dolphin-emu-5.0-5.2.mga6.src.rpm
hiawatha-10.4-1.2.mga6.src.rpm
mbedtls-2.7.3-1.mga6.src.rpm
shadowsocks-libev-3.1.0-1.2.mga6.src.rpm

SRPMs from 'tainted-updates_testing'
========================
dolphin-emu-5.0-5.2.mga6.tainted.src.rpm

CC: (none) => lewyssmith
Keywords: (none) => advisory, validated_update

Comment 11 Thomas Backlund 2018-05-24 17:55:21 CEST
(In reply to David Walser from comment #6)
> So that's an issue with the previous update, not this one.
> 
> Sysadmins, would it be possible to remove the previous update from
> core/updates after this one is pushed?

I moved it to tainted/updates to keep the downgrade option available...

CC: (none) => tmb

Comment 12 Mageia Robot 2018-05-24 18:31:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0253.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.