Bug 25653 - freetds new security issue CVE-2019-13508
Summary: freetds new security issue CVE-2019-13508
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-03 03:07 CET by David Walser
Modified: 2019-12-23 19:36 CET (History)

See Also:
Source RPM: freetds-1.00.83-2.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-11-03 03:07:11 CET
Ubuntu has issued an advisory on October 30:
https://usn.ubuntu.com/4173-1/

Mageia 7 is also affected.
David Walser 2019-11-03 03:07:19 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2019-11-03 05:18:46 CET
This is already fixed upstream in 1.1.16 release from Cauldron:

"FreeTDS through 1.1.11 has a Buffer Overflow."

Source RPM: freetds-1.1.16-1.mga8.src.rpm => freetds-1.00.83-2.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => geiger.david68210

Comment 2 David GEIGER 2019-11-03 05:21:16 CET
And now mga7 fixed.
Comment 3 David Walser 2019-11-03 06:04:07 CET
Advisory:
========================

Updated freetds packages fix security vulnerability:

Felix Wilhelm discovered that FreeTDS incorrectly handled certain types after a
protocol downgrade. A remote attacker could use this issue to cause FreeTDS to
crash, resulting in a denial of service, or possibly execute arbitrary code
(CVE-2019-13508).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13508
https://usn.ubuntu.com/4173-1/
========================

Updated packages in core/updates_testing:
========================
libfreetds0-1.00.83-2.1.mga7
libfreetds0-unixodbc-1.00.83-2.1.mga7
libfreetds-devel-1.00.83-2.1.mga7
freetds-doc-1.00.83-2.1.mga7

from freetds-1.00.83-2.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
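
The package list above is what a host should have after applying the update; the only reliable way to decide whether an installed FreeTDS RPM is patched is an rpm-style EVR comparison against the fixed version, not a comparison of the upstream version number (Mageia 7 stays on 1.00.83 and carries the fix as a backport, while upstream fixed it in the 1.1.x line, see Comment 7). The script below is an added example and not a Mageia tool or part of the freetds package: it reimplements the rpmvercmp() ordering rules in Python, compares constructed `rpm -qa` lines (assumed to be in the default name-version-release.arch format) against the advisory's fixed EVR, and shows where a naive upstream-version check gives the wrong answer.

```python
"""Check installed FreeTDS RPMs against the fixed EVR from the advisory.
Added example (not a Mageia tool); the rpm -qa lines below are constructed."""
import re

# Fixed EVR for Mageia 7 from the advisory, and the upstream fix from Comment 7.
FIXED_MGA7_EVR = "1.00.83-2.1.mga7"
FIXED_UPSTREAM_VERSION = "1.1.11"

# Constructed sample of `rpm -qa 'freetds*' 'libfreetds*'` on a host where one
# library package was missed.  Default query format with arch is assumed.
SAMPLE_RPM_QA = """\
libfreetds0-1.00.83-2.mga7.x86_64
libfreetds0-unixodbc-1.00.83-2.1.mga7.x86_64
libfreetds-devel-1.00.83-2.1.mga7.x86_64
freetds-doc-1.00.83-2.1.mga7.noarch
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with rpm's rules; -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (not alphanumeric, '~' or '^') are skipped on both sides.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # '~' sorts before everything (1.0~rc1 < 1.0)
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # '^' sorts after end of string, before the rest
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        # Take a run of digits or a run of letters from each side.
        isnum = ca.isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        if mb is None:  # segment types differ: numeric beats alphabetic
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has more segments is newer


def parse_evr(evr: str):
    """Split [epoch:]version[-release]; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def upstream_version_is_fixed(version: str) -> bool:
    """Naive check a scanner might do; wrong for distro backports like 1.00.83-2.1.mga7."""
    return rpmvercmp(version, FIXED_UPSTREAM_VERSION) >= 0


def audit(rpm_qa_output: str, fixed_evr: str = FIXED_MGA7_EVR) -> dict:
    """Map each installed package name to 'fixed' or 'vulnerable'."""
    result = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        nevr, _, _arch = line.strip().rpartition(".")  # drop .x86_64 / .noarch
        name, version, release = nevr.rsplit("-", 2)  # name itself may contain '-'
        ok = evr_cmp(f"{version}-{release}", fixed_evr) >= 0
        result[name] = "fixed" if ok else "vulnerable"
    return result


if __name__ == "__main__":
    for name, status in audit(SAMPLE_RPM_QA).items():
        print(f"{name:24s} {status}")
```

On the constructed sample, libfreetds0 is reported vulnerable (still 2.mga7) and the other three fixed, while upstream_version_is_fixed("1.00.83") is False for every one of them: a scanner that keys only on the upstream version would flag the fully patched host.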

Comment 4 Herman Viaene 2019-11-05 10:24:42 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
I read from www.freetds.org "FreeTDS is a set of libraries for Unix and Linux that allows your programs to natively talk to Microsoft SQL Server and Sybase databases".
I don't have these databases available, but found some sample at https://www.freetds.org/userguide/perl.htm
Installed package perl-DBD-Sybase and used the sample program there, giving
$ perl freetdstest.pl 
Unable for connect to server OpenClient message: LAYER = (0) ORIGIN = (0) SEVERITY = (78) NUMBER = (44)
Server JDBC, database 
Message String: Server name not found in configuration files.
OpenClient message: LAYER = (0) ORIGIN = (0) SEVERITY = (78) NUMBER = (45)
Server JDBC, database 
Message String: Unknown host machine name.
OpenClient message: LAYER = (0) ORIGIN = (0) SEVERITY = (78) NUMBER = (41)
Server JDBC, database 
Message String: Unable to connect: Adaptive Server is unavailable or does not exist

Meaning probably that Sybase's public JDBC server isn't there anymore, but anyway, the feedback seems sensible enough.
OK'ing unless someone has a better idea to test.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-11-07 16:23:02 CET
I'm going to go with it, Herman. Validating. Advisory in Comment 3.

Keywords: (none) => validated_backport
CC: (none) => andrewsfarm

Thomas Backlund 2019-11-07 21:48:50 CET

Keywords: validated_backport => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 6 Mageia Robot 2019-11-08 00:38:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0319.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2019-12-23 19:36:27 CET
It looks like the Ubuntu comment (Comment 1) was incorrect and the fix was actually included in 1.1.11.  Just noting that.