Bug 26962 - evolution-data-server new security issues CVE-2020-14928 and CVE-2020-16117
Summary: evolution-data-server new security issues CVE-2020-14928 and CVE-2020-16117
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-16 23:46 CEST by David Walser
Modified: 2020-08-28 16:48 CEST (History)

See Also:
Source RPM: evolution-data-server-3.32.2-1.mga7.src.rpm
CVE: CVE-2020-14928, CVE-2020-16117
Status comment:



Description David Walser 2020-07-16 23:46:49 CEST
Debian and Debian-LTS have issued advisories on July 15 and today (July 16):
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281

The issue is fixed upstream in 3.36.4.

We could possibly use the Debian backported patch.
Comment 1 Lewis Smith 2020-07-17 21:17:39 CEST
This needs to be assigned globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-07-20 14:09:08 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection". (CVE-2020-14928)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14928
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.32.2-1.1.mga7
lib(64)camel1.2_62-3.32.2-1.1.mga7
lib(64)ebook1.2_19-3.32.2-1.1.mga7
lib(64)ecal1.2_19-3.32.2-1.1.mga7
lib(64)ebook-contacts1.2_2-3.32.2-1.1.mga7
lib(64)edata-book1.2_25-3.32.2-1.1.mga7
lib(64)edata-cal1.2_29-3.32.2-1.1.mga7
lib(64)edataserver1.2_24-3.32.2-1.1.mga7
lib(64)edataserverui1.2_2-3.32.2-1.1.mga7
lib(64)ebackend1.2_10-3.32.2-1.1.mga7
lib(64)edataserver1.2-devel-3.32.2-1.1.mga7
lib(64)evolution-data-server-gir1.2-3.32.2-1.1.mga7
Wrote: /home/iurt/rpmbuild/RPMS/x86_64/evolution-data-server-tests-3.32.2-1.1.mga7

from SRPMS:
evolution-data-server-3.32.2-1.1.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-14928

Comment 3 Herman Viaene 2020-08-04 13:57:39 CEST
Loaded the packages with QARepo, then select evolution-data-serv in MCC to install, and after a while error message:
The "drakrpm" program has crashed with the following error:

  detecting looping forever while trying to resolve dependencies.
  Aborting... Try again with '-vv --debug' options at /usr/lib64/perl5/vendor_perl/URPM/Resolve.pm line 1287.
  Perl's trace:
  drakbug::bug_handler() called from /usr/share/perl5/vendor_perl/Gtk3.pm:524
  Gtk3::__ANON__() called from /usr/lib/libDrakX/mygtk3.pm:1550
  mygtk3::main() called from /usr/lib/libDrakX/ugtk3.pm:857
  ugtk3::main() called from /usr/share/perl5/vendor_perl/Rpmdrake/gui.pm:609
  Rpmdrake::gui::ask_browse_tree_given_widgets_for_rpmdrake() called from /usr/libexec/drakrpm:835
  main::run_treeview_dialog() called from /usr/libexec/drakrpm:859

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2020-08-04 14:00:54 CEST
This does not happen when disabling local QA-repo and enabling Core Updates Testing directly in MCC.
Comment 5 Herman Viaene 2020-08-04 14:06:26 CEST
Possible cause of the loop (I guess it's rather a timeout): I did not include the evolution-data-server-tests when uploading the Qa-repo.
Comment 6 Herman Viaene 2020-08-04 14:11:59 CEST
Consulted previous bugs 10896 and 14425, but I don't find much info on how to test this. Come and see later........
Comment 7 Herman Viaene 2020-08-04 14:15:12 CEST
Copy from https://developer.gnome.org/eds/stable/

"Evolution-Data-Server is a collection of libraries and services for storing addressbooks and calendars. In this reference manual you will find documentation on using the client libraries as well as implementing backends for calendars and addressbooks. "

Looks like developer stuff, agree on clean install???
Comment 8 David Walser 2020-08-05 00:07:55 CEST
How about we fix another issue while we're figuring that out?

Debian-LTS has issued an advisory on August 2:
https://www.debian.org/lts/security/2020/dla-2309

It fixes one new issue, fixed upstream in 3.35.91.

CVE: CVE-2020-14928 => CVE-2020-14928, CVE-2020-16117
Summary: evolution-data-server new security issue CVE-2020-14928 => evolution-data-server new security issues CVE-2020-14928 and CVE-2020-16117
Severity: normal => major
Assignee: qa-bugs => nicolas.salguero
CC: (none) => qa-bugs

Comment 9 Nicolas Salguero 2020-08-07 10:16:59 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection". (CVE-2020-14928)

In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server. (CVE-2020-16117)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16117
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281
https://www.debian.org/lts/security/2020/dla-2309
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.32.2-1.2.mga7
lib(64)camel1.2_62-3.32.2-1.2.mga7
lib(64)ebook1.2_19-3.32.2-1.2.mga7
lib(64)ecal1.2_19-3.32.2-1.2.mga7
lib(64)ebook-contacts1.2_2-3.32.2-1.2.mga7
lib(64)edata-book1.2_25-3.32.2-1.2.mga7
lib(64)edata-cal1.2_29-3.32.2-1.2.mga7
lib(64)edataserver1.2_24-3.32.2-1.2.mga7
lib(64)edataserverui1.2_2-3.32.2-1.2.mga7
lib(64)ebackend1.2_10-3.32.2-1.2.mga7
lib(64)edataserver1.2-devel-3.32.2-1.2.mga7
lib(64)evolution-data-server-gir1.2-3.32.2-1.2.mga7
Wrote: /home/iurt/rpmbuild/RPMS/x86_64/evolution-data-server-tests-3.32.2-1.2.mga7

from SRPMS:
evolution-data-server-3.32.2-1.2.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs

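The two defects described in the suggested advisory above are both cases of a mail client trusting server-controlled protocol lines more than it should: for CVE-2020-14928, plaintext bytes that arrive in the same read as the "220 begin TLS" reply are carried over and later treated as if they had been received inside the TLS session; for CVE-2020-16117, a CAPABILITY response with no capability tokens is not a shape the parser expected. The following is an added illustration written for this bug report, not code from evolution-data-server, Camel or the Mageia packages. It models the STARTTLS transition and the CAPABILITY parse in isolation; the reply streams and function names are constructed for the example.

```python
import re

# Constructed sample reply streams (not captured from any real server).
# The first is a normal "go ahead" reply. The second has extra plaintext
# lines queued directly behind it in the same read; a client that keeps
# those bytes in its buffer across the TLS upgrade will later parse them
# as though the server had sent them over TLS.
CLEAN_REPLY = b"220 2.0.0 Ready to start TLS\r\n"
INJECTED_REPLY = (b"220 2.0.0 Ready to start TLS\r\n"
                  b"250-mail.example.test\r\n"
                  b"250 AUTH PLAIN\r\n")

# One SMTP reply line: 3-digit code, "-" for continuation or " " for the
# last line, text, CRLF. Anchored by Pattern.match(), so no "^" is needed.
_LINE_RE = re.compile(rb"(\d{3})([ -])([^\r\n]*)\r\n")


def read_smtp_reply(buf):
    """Consume exactly one (possibly multi-line) SMTP reply from buf.

    Returns (code, text_lines, leftover). Raises ValueError on a truncated
    or malformed reply, or if continuation lines change the reply code.
    """
    lines, pos, code = [], 0, None
    while True:
        m = _LINE_RE.match(buf, pos)
        if m is None:
            raise ValueError("incomplete or malformed SMTP reply")
        if code is None:
            code = m.group(1).decode("ascii")
        elif m.group(1).decode("ascii") != code:
            raise ValueError("inconsistent reply codes in multi-line reply")
        lines.append(m.group(3).decode("ascii", "replace"))
        pos = m.end()
        if m.group(2) == b" ":          # final line of this reply
            return code, lines, buf[pos:]


def plaintext_carried_over(buf):
    """Bytes a client would carry into the TLS session if it only checks
    the reply code and keeps the rest of its read buffer (the buffering
    mistake the advisory describes)."""
    code, _, leftover = read_smtp_reply(buf)
    if code != "220":
        raise ValueError("server declined STARTTLS: %s" % code)
    return leftover


def begin_tls_checked(buf):
    """Hardened transition: the 220 reply must be the last plaintext the
    server sent. Any trailing bytes are a protocol violation, and the
    upgrade is refused rather than started with a poisoned buffer.
    Returns the (empty) buffer the TLS layer should start from."""
    code, _, leftover = read_smtp_reply(buf)
    if code != "220":
        raise ValueError("server declined STARTTLS: %s" % code)
    if leftover:
        raise ValueError("unexpected plaintext after STARTTLS reply; "
                         "refusing to upgrade")
    return b""


def parse_imap_capability(line):
    """Parse an untagged IMAP CAPABILITY response into a frozenset.

    A minimal line such as b"* CAPABILITY\\r\\n" yields an empty set; that
    is valid data and must not be handled as if at least one token exists.
    """
    parts = line.rstrip(b"\r\n").split()
    if len(parts) < 2 or parts[0] != b"*" or parts[1].upper() != b"CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return frozenset(p.decode("ascii", "replace").upper() for p in parts[2:])


if __name__ == "__main__":
    print("clean reply carries over:", plaintext_carried_over(CLEAN_REPLY))
    print("injected reply carries over:", plaintext_carried_over(INJECTED_REPLY))
    try:
        begin_tls_checked(INJECTED_REPLY)
    except ValueError as exc:
        print("hardened client:", exc)
    print("minimal CAPABILITY:", parse_imap_capability(b"* CAPABILITY\r\n"))
```

The same check applies to POP3's STLS, which the advisory names alongside SMTP: after the "+OK" begin-TLS reply the client's plaintext buffer must be empty before the handshake starts, otherwise whatever was queued behind that reply is interpreted with the trust level of the encrypted channel.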
David Walser 2020-08-07 13:28:10 CEST

CC: qa-bugs => (none)

Comment 10 Aurelien Oudelet 2020-08-21 11:51:58 CEST
How about this security bug? Has it been tested?

CC: (none) => ouaurelien

Comment 11 Thomas Andrews 2020-08-27 22:48:01 CEST
64-bit Plasma install, Evolution not installed. Evolution-data-server had been installed previously, perhaps for another update test.

The following 11 packages are going to be installed:

- evolution-data-server-3.32.2-1.2.mga7.x86_64
- evolution-data-server-tests-3.32.2-1.2.mga7.x86_64
- lib64camel1.2_62-3.32.2-1.2.mga7.x86_64
- lib64ebackend1.2_10-3.32.2-1.2.mga7.x86_64
- lib64ebook-contacts1.2_2-3.32.2-1.2.mga7.x86_64
- lib64ebook1.2_19-3.32.2-1.2.mga7.x86_64
- lib64ecal1.2_19-3.32.2-1.2.mga7.x86_64
- lib64edata-book1.2_25-3.32.2-1.2.mga7.x86_64
- lib64edata-cal1.2_29-3.32.2-1.2.mga7.x86_64
- lib64edataserver1.2_24-3.32.2-1.2.mga7.x86_64
- lib64edataserverui1.2_2-3.32.2-1.2.mga7.x86_64

No installation issues. Attempted to run several of the tests, but most came back with errors, missing configurations and/or files, things like that. I suspect that's because evolution is not installed, and believe it is to be expected. 

Looking online at the manual for this package, I see that it is quite lengthy and comprehensive, far too much for my feeble abilities to learn for this test, and much of what I saw looking to be beyond the scope of QA.

OKing, and validating, based on a clean install and on the few tests that did run. Advisory in Comment 9.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2020-08-28 15:26:43 CEST

CC: ouaurelien => (none)
Keywords: (none) => advisory

Comment 12 Mageia Robot 2020-08-28 16:48:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0351.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

