Bug 29416 - libesmtp new security issue CVE-2019-19977
Summary: libesmtp new security issue CVE-2019-19977
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-08-26 18:31 CEST by David Walser
Modified: 2021-11-10 23:54 CET (History)
5 users (show)

See Also:
Source RPM: libesmtp-1.0.6-12.mga8.src.rpm
CVE: CVE-2019-19977
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-08-26 18:31:35 CEST 
SUSE has issued an advisory on August 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009358.html

Mageia 8 is also affected.
David Walser 2021-08-26 18:32:07 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-08-26 20:49:10 CEST 
'libesmtp' has no registered nor evident maintainer, so having to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-09-03 19:34:38 CEST 
openSUSE has issued an advisory for this today (September 3):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TGZ4L5IPYNOJTWC7WZTAMPSFHIGKXQAE/

Status comment: (none) => Patch available from openSUSE

Comment 3 Nicolas Salguero 2021-09-06 09:43:38 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libESMTP through 1.0.6 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as demonstrated by a stack-based buffer over-read. (CVE-2019-19977)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19977
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009358.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TGZ4L5IPYNOJTWC7WZTAMPSFHIGKXQAE/
========================

Updated packages in core/updates_testing:
========================
lib(64)esmtp6-1.0.6-12.1.mga8
lib(64)esmtp-devel-1.0.6-12.1.mga8

from SRPM:
libesmtp-1.0.6-12.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-19977
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Patch available from openSUSE => (none)
Version: Cauldron => 8

Comment 4 Herman Viaene 2021-09-30 15:08:24 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
No previous updates or wiki entry, so
# urpmq --whatrequires lib64esmtp6
lib64esmtp-devel
lib64esmtp-devel
lib64esmtp6
pacemaker
syslog-ng-smtp
[root@mach5 ~]# urpmq --whatrequires-recursive lib64esmtp6
crmsh
crmsh-test
drbd-utils-pacemaker
lib64esmtp-devel
lib64esmtp-devel
lib64esmtp6
lib64pacemaker-devel
pacemaker
syslog-ng-smtp

Pacemaker has to do with clusters of computers and crmsh is just a CLI to pacemaker, and syslog-ng-smtp has to do with sending log messages from an smtp server. All out f my league........

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2021-11-05 15:05:44 CET 
Same here, Herman. I'm going to pass it on based on your clean install.

Validating. Advisory in Comment 3.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-11-07 22:41:29 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2021-11-10 23:54:36 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0503.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.