Bug 22914 - mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989)
Summary: mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-20...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK
Depends on:
Reported: 2018-04-15 22:08 CEST by David Walser
Modified: 2018-05-21 16:51 CEST (History)
6 users

See Also:
Source RPM: mbedtls-2.7.0-1.mga6.src.rpm
Status comment: Fixed upstream in 2.7.2


Description David Walser 2018-04-15 22:08:26 CEST
Upstream has released new versions on March 21:

There were several security and other bugfixes.

We should update to 2.7.2, and stay on the 2.7.x branch, even in Cauldron, as it is now an LTS branch:
David Walser 2018-04-15 22:08:34 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-15 22:16:10 CEST
Assigning to all packagers collectively, because the registered maintainer for this package is currently unavailable.

CC: (none) => marja11, oe, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-04-21 23:46:46 CEST
openSUSE has issued an advisory today (April 21):

Two of the security fixes have CVEs.

Summary: mbedtls new security issues fixed upstream in 2.7.2 => mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989)

David Walser 2018-05-04 08:29:25 CEST

Status comment: (none) => Fixed upstream in 2.7.2

Stig-Ørjan Smelror 2018-05-08 10:35:45 CEST

Assignee: pkg-bugs => smelror

Comment 3 David Walser 2018-05-08 15:53:46 CEST
mbedtls-2.7.3-1.mga7 pushed to Cauldron by Stig-Ørjan.

Sysadmins, please remove mbedtls from mga6 core/updates_testing.  The wrong version was pushed there.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => sysadmin-bugs

Comment 4 Stig-Ørjan Smelror 2018-05-08 23:35:53 CEST

mbedtls has been updated to fix two security issues.

CVE-2018-9988: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
CVE-2018-9989: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
from mbedtls-2.7.3-1.mga6.src.rpm

Rebuilt for the new mbedtls.
Assignee: smelror => qa-bugs
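Both CVEs listed in comment 4 are the same bug class: a length-prefixed field in a handshake message is shorter than it claims, and the parser reads past the end of the buffer. The following is an added illustration constructed for this page, not mbed TLS code or anything from the Mageia package; it parses the psk_identity_hint field of a TLS-PSK ServerKeyExchange with remaining-length checks so that truncated or over-claiming input is rejected before any byte is read. The function names, error codes and sample messages are assumptions made for the example.

```c
/* Added example, not mbed TLS source: a bounds-checked parser for the
 * psk_identity_hint vector of a TLS-PSK ServerKeyExchange (2-byte length
 * then that many bytes). Function and sample names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PARSE_OK            0
#define PARSE_ERR_TRUNCATED (-1)
#define PARSE_ERR_TOO_LONG  (-2)
/* Read one opaque<0..2^16-1> field at *p without reading past end. Both
 * checks compare bytes remaining, so a cut-off length field or a declared
 * length larger than the input is rejected before any byte is touched. */
static int parse_opaque16(const uint8_t **p, const uint8_t *end,
                          const uint8_t **out, size_t *out_len)
{
    size_t len;
    if ((size_t)(end - *p) < 2)          /* length field itself cut off */
        return PARSE_ERR_TRUNCATED;
    len = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    if ((size_t)(end - *p) < len)        /* body shorter than declared */
        return PARSE_ERR_TRUNCATED;
    *out = *p;
    *out_len = len;
    *p += len;
    return PARSE_OK;
}

/* Copy the hint into a NUL-terminated caller buffer; *consumed receives
 * the message bytes used, so the caller can keep parsing after the hint. */
int parse_server_psk_hint(const uint8_t *buf, size_t buf_len,
                          char *hint, size_t hint_cap, size_t *consumed)
{
    const uint8_t *p = buf, *end = buf + buf_len, *h;
    size_t hlen;
    int rc = parse_opaque16(&p, end, &h, &hlen);
    if (rc != PARSE_OK)
        return rc;
    if (hlen >= hint_cap)                /* leave room for the NUL */
        return PARSE_ERR_TOO_LONG;
    memcpy(hint, h, hlen);
    hint[hlen] = '\0';
    *consumed = (size_t)(p - buf);
    return PARSE_OK;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_OK[]        = {0x00, 0x04, 'h', 'i', 'n', 't'};
const uint8_t SAMPLE_SHORT[]     = {0x00};                 /* length cut off */
const uint8_t SAMPLE_OVERCLAIM[] = {0x00, 0x10, 'a', 'b'}; /* says 16, has 2 */
```

The two rejected samples are the shapes of invalid input the advisories describe: a message that ends inside the length field, and one whose declared length runs past the end of the message.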

Comment 5 claire robinson 2018-05-19 03:52:21 CEST
dolphin-emu was previously in core, but not in core release. Seems it is also in tainted and perhaps wasn't pushed as a tainted update, or perhaps should not have been built in core when it was last updated.

$ depcheck dolphin-emu
Mageia release 6 (Official) for x86_64
Core 32bit Updates
Core Updates
Core Updates Testing
Tainted 32bit Release
Tainted Release
Tainted Updates Testing

Could this be checked, please?

Whiteboard: (none) => feedback

Comment 6 David Walser 2018-05-19 18:21:55 CEST
So that's an issue with the previous update, not this one.

Sysadmins, would it be possible to remove the previous update from core/updates after this one is pushed?

Whiteboard: feedback => (none)

Comment 7 Herman Viaene 2018-05-21 15:58:16 CEST
MGA6-32 on IBM Thinkpad R50e Xfce
Installation: strange, I do not see any bctoolbox at all in the repo, but I find two libbctoolbox packages of the version indicated in Comment 4.
Installed those with the rest of the packages and ran the test as per bug 20561:
# mbedtls-selftest

  MD5 test #1: passed
  MD5 test #2: passed
.... and at the end:

  TIMING tests note: will take some time!
  TIMING test #1 (set_alarm / get_timer): passed
  TIMING test #2 (set/get_delay        ): passed
  TIMING test #3 (hardclock / get_timer): failed (ignored)

  Executed 23 test suites

  [ All tests PASS ]
If the bctoolbox issue can be resolved, then I'll agree to OK this.

CC: (none) => herman.viaene

Comment 8 Len Lawrence 2018-05-21 16:37:14 CEST
@Herman, comment 7
$ sudo urpmi bctoolbox
Package lib64bctoolbox0-0.2.0-4.1.mga6.x86_64 is already installed

So it looks like it is just a library, a toolbox for programmers probably.
$ locate bctoolbox

So my advice is go ahead and OK it.

CC: (none) => tarazed25

Comment 9 Herman Viaene 2018-05-21 16:51:16 CEST
The master has spoken.

Whiteboard: (none) => MGA6-32-OK
