Fedora has issued an advisory on October 22: http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070892.html Patched package uploaded for Mageia 1, Mageia 2, and Cauldron. Advisory: ======================== Updated arora package fixes security vulnerability: Arora, possibly 0.11 and other versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text (CVE-2011-3367). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3367 http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070892.html ======================== Updated packages in core/updates_testing: ======================== arora-0.11.0-2.1.mga1 arora-0.11.0-5.1.mga2 from SRPMS: arora-0.11.0-2.1.mga1.src.rpm arora-0.11.0-5.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
Psi is also affected by this vulnerability. Fedora has issued an advisory on November 27: http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070582.html from http://lwn.net/Vulnerabilities/470760/ I have patched Psi in SVN, but it does not build in Cauldron. John, could you have a look at this?
CC: (none) => qa-bugsAssignee: qa-bugs => balcaen.johnSummary: arora missing update for security issue CVE-2011-3367 => arora and psi missing update for security issue CVE-2011-3367
I'm not using cauldron anymore so i can test. From the build log you should probably rebuild QCA2 first using the new qt4 macros & add 2 patchs on the spec : cat qca-2.0.3-fix-mkspec-install.patch (fix mkspec install) Index: CMakeLists.txt =================================================================== --- a/CMakeLists.txt +++ b/CMakeLists.txt 2012-08-10 22:09:35.968210189 -0300 @@ -140,7 +140,7 @@ endif(NOT WIN32) configure_file("crypto.prf.cmake" "${CMAKE_BINARY_DIR}/crypto.prf" @ONLY) -install(FILES "${CMAKE_BINARY_DIR}/crypto.prf" DESTINATION ${CMAKE_INSTALL_PREFIX}/mkspecs/features) +install(FILES "${CMAKE_BINARY_DIR}/crypto.prf" DESTINATION "${QT_MKSPECS_DIR}/features" ) install(FILES man/qcatool2.1 DESTINATION ${CMAKE_INSTALL_PREFIX}/share/man/man1) cat qca-2.0.3-gcc.patch ( fix gcc4.7 & it's from fedora) --- ./src/botantools/botan/botan/secmem.h.orig 2012-01-07 20:09:35.427999593 +0100 +++ ./src/botantools/botan/botan/secmem.h 2012-01-07 20:09:52.540001422 +0100 @@ -214,11 +214,11 @@ SecureVector(u32bit n = 0) { MemoryRegion<T>::init(true, n); } SecureVector(const T in[], u32bit n) - { MemoryRegion<T>::init(true); set(in, n); } + { MemoryRegion<T>::init(true); this->set(in, n); } SecureVector(const MemoryRegion<T>& in) - { MemoryRegion<T>::init(true); set(in); } + { MemoryRegion<T>::init(true); this->set(in); } SecureVector(const MemoryRegion<T>& in1, const MemoryRegion<T>& in2) - { MemoryRegion<T>::init(true); set(in1); append(in2); } + { MemoryRegion<T>::init(true); this->set(in1); append(in2); } }; /************************************************* & the spec should be changed like this : Index: SPECS/qca2.spec =================================================================== --- SPECS/qca2.spec (révision 280484) +++ SPECS/qca2.spec (copie de travail) @@ -2,21 +2,22 @@ %{?_without_sys_rootcerts: %{expand: %%global build_sys_rootcerts 0}} %define name_orig qca -%define qtcryptodir %{qt4plugins}/crypto +%define qtcryptodir %{_qt4_plugindir}/crypto %define source_ver %{version} Name: qca2 Version: 2.0.3 -Release: %mkrel 2 +Release: %mkrel 3 License: LGPL Summary: Straightforward and cross-platform crypto API for Qt Group: System/Libraries URL: http://delta.affinix.com/qca # From kde support module Source: %{name_orig}-%{source_ver}.tar.xz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot -BuildRequires: qt4-devel >= 2:4.5 +Patch100: qca-2.0.3-fix-mkspec-install.patch +Patch101: qca-2.0.3-gcc.patch +BuildRequires: pkgconfig(QtCore) <= 5.0.0 %if %{build_sys_rootcerts} BuildRequires: rootcerts %endif @@ -24,6 +25,7 @@ BuildRequires: libgcrypt-devel BuildRequires: libsasl-devel BuildRequires: nss-devel +BuildRequires: gnupg2 Obsoletes: qca >= 2.0 %description @@ -42,7 +44,7 @@ %defattr(0644,root,root,0755) %doc README COPYING INSTALL TODO %defattr(0755,root,root,0755) -%{qt4dir}/bin/qcatool2 +%{_bindir}/qcatool2 %_mandir/man1/* #------------------------------------------------------------------------------ @@ -59,10 +61,10 @@ %files -n %{name}-root-certificates %defattr(0644,root,root,0755) -%dir %{qt4dir}/share/qca -%dir %{qt4dir}/share/qca/certs -%doc %{qt4dir}/share/qca/certs/README -%{qt4dir}/share/qca/certs/rootcerts.pem +%dir %{_qt4_prefix}/share/qca +%dir %{_qt4_prefix}/share/qca/certs +%doc %{_qt4_prefix}/share/qca/certs/README +%{_qt4_prefix}/share/qca/certs/rootcerts.pem %endif #------------------------------------------------------------------------------ @@ -89,7 +91,7 @@ %doc README COPYING INSTALL TODO %dir %{qtcryptodir} %defattr(0755,root,root,0755) -%{qt4lib}/libqca.so.%{lib_major}* +%{_qt4_libdir}/libqca.so.%{lib_major}* #------------------------------------------------------------------------------ @@ -110,10 +112,10 @@ %files -n %{libdev} %defattr(0644,root,root,0755) %{_libdir}/pkgconfig/qca2.pc -%{qt4dir}/mkspecs/features/crypto.prf -%dir %{qt4include}/QtCrypto -%{qt4include}/QtCrypto/* -%{qt4lib}/libqca.so +%{_qt4_prefix}/mkspecs/features/crypto.prf +%dir %{_qt4_includedir}/QtCrypto +%{_qt4_includedir}/QtCrypto/* +%{_qt4_libdir}/libqca.so #------------------------------------------------------------------------------ @@ -132,7 +134,7 @@ %files plugin-gnupg %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-gnupg.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-gnupg.* #------------------------------------------------------------------------------ @@ -153,7 +155,7 @@ %files plugin-openssl %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-ossl.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-ossl.* #------------------------------------------------------------------------------ @@ -174,7 +176,7 @@ %files plugin-pkcs11 %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-pkcs11.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-pkcs11.* #------------------------------------------------------------------------------ @@ -194,7 +196,7 @@ %files plugin-cyrus-sasl %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-cyrus-sasl.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-cyrus-sasl.* #------------------------------------------------------------------------------ @@ -213,7 +215,7 @@ %files plugin-logger %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-logger.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-logger.* #------------------------------------------------------------------------------ @@ -232,7 +234,7 @@ %files plugin-gcrypt %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-gcrypt.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-gcrypt.* #------------------------------------------------------------------------------ @@ -251,7 +253,7 @@ %files plugin-nss %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-nss.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-nss.* #------------------------------------------------------------------------------ @@ -270,29 +272,21 @@ %files plugin-softstore %defattr(0644,root,root,0755) -%attr(0755,root,root) %{qt4plugins}/crypto/libqca-softstore.* +%attr(0755,root,root) %{_qt4_plugindir}/crypto/libqca-softstore.* #------------------------------------------------------------------------------ %prep %setup -q -n %{name_orig}-%{source_ver} +%apply_patches - %build -%cmake_qt4 \ - -DCMAKE_INSTALL_PREFIX=%{qt4dir} \ - -DLIB_INSTALL_DIR=%_libdir \ - -DPKGCONFIG_INSTALL_PREFIX=%_libdir/pkgconfig +%cmake_qt4 + %make %install %makeinstall_std -C build -# Make directory for plugins -install -d -m 755 %{buildroot}/%{qtcryptodir} - -mkdir -p %{buildroot}%{_mandir} -mv %{buildroot}%qt4dir/share/man/man1 %{buildroot}%{_mandir} With this psi should be able to detect qca. So far i don't have time to test psi build, probably next week.
CC: (none) => balcaen.johnAssignee: balcaen.john => bugsquad
cat psi-0.14-fix-gcc4.7.patch --- iris/src/irisnet/corelib/netinterface_unix.cpp.orig 2012-01-07 19:46:39.493999646 +0100 +++ iris/src/irisnet/corelib/netinterface_unix.cpp 2012-01-07 19:46:57.251002321 +0100 @@ -33,6 +33,7 @@ #include <net/route.h> #include <netinet/in.h> #include <errno.h> +#include <unistd.h> // for solaris #ifndef SIOCGIFCONF Should do the trick for psi (again from fedora to fix gcc4.7 build)
Thanks John! Fixed qca2 package uploaded for Mageia 2 and Cauldron. Patched psi package uploaded for Mageia 1, Mageia 2, and Cauldron. Advisory: ======================== Updated arora and psi packages fix security vulnerability: Arora, possibly 0.11 and other versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text (CVE-2011-3367). Psi is also affected by this vulnerability and has been patched as well. Finally, qca2 in Mageia 2 has been fixed so that Psi will build with it. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3367 http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070892.html http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070582.html ======================== Updated packages in core/updates_testing: ======================== arora-0.11.0-2.1.mga1 psi-0.14-8.1.mga1 psi-iconsets-0.14-8.1.mga1 psi-smileysets-0.14-8.1.mga1 psi-lang-pack-pl-0.14-8.1.mga1 psi-lang-pack-fr-0.14-8.1.mga1 psi-lang-pack-cs-0.14-8.1.mga1 psi-lang-pack-ru-0.14-8.1.mga1 psi-lang-pack-de-0.14-8.1.mga1 psi-lang-pack-es-0.14-8.1.mga1 psi-lang-pack-mk-0.14-8.1.mga1 psi-lang-pack-it-0.14-8.1.mga1 psi-lang-pack-zh-0.14-8.1.mga1 psi-lang-pack-pt_br-0.14-8.1.mga1 psi-lang-pack-sl-0.14-8.1.mga1 psi-lang-pack-en-0.14-8.1.mga1 psi-lang-pack-be-0.14-8.1.mga1 psi-lang-pack-ur_PK-0.14-8.1.mga1 psi-lang-pack-ja-0.14-8.1.mga1 psi-lang-pack-sv-0.14-8.1.mga1 arora-0.11.0-5.1.mga2 psi-0.14-9.1.mga2 psi-iconsets-0.14-9.1.mga2 psi-smileysets-0.14-9.1.mga2 psi-lang-pack-pl-0.14-9.1.mga2 psi-lang-pack-fr-0.14-9.1.mga2 psi-lang-pack-cs-0.14-9.1.mga2 psi-lang-pack-ru-0.14-9.1.mga2 psi-lang-pack-de-0.14-9.1.mga2 psi-lang-pack-es-0.14-9.1.mga2 psi-lang-pack-mk-0.14-9.1.mga2 psi-lang-pack-it-0.14-9.1.mga2 psi-lang-pack-zh-0.14-9.1.mga2 psi-lang-pack-pt_br-0.14-9.1.mga2 psi-lang-pack-sl-0.14-9.1.mga2 psi-lang-pack-en-0.14-9.1.mga2 psi-lang-pack-be-0.14-9.1.mga2 psi-lang-pack-ur_PK-0.14-9.1.mga2 psi-lang-pack-ja-0.14-9.1.mga2 psi-lang-pack-sv-0.14-9.1.mga2 qca2-2.0.3-2.1.mga2 libqca2-2.0.3-2.1.mga2 libqca-devel-2.0.3-2.1.mga2 qca2-plugin-gnupg-2.0.3-2.1.mga2 qca2-plugin-openssl-2.0.3-2.1.mga2 qca2-plugin-pkcs11-2.0.3-2.1.mga2 qca2-plugin-cyrus-sasl-2.0.3-2.1.mga2 qca2-plugin-logger-2.0.3-2.1.mga2 qca2-plugin-gcrypt-2.0.3-2.1.mga2 qca2-plugin-nss-2.0.3-2.1.mga2 qca2-plugin-softstore-2.0.3-2.1.mga2 from SRPMS: arora-0.11.0-2.1.mga1.src.rpm psi-0.14-8.1.mga1.src.rpm arora-0.11.0-5.1.mga2.src.rpm psi-0.14-9.1.mga2.src.rpm qca2-2.0.3-2.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete on Mageia 1 i586. No poc, that I could find. jabber.org is not working, so I created a new account at jabber.me for testing psi, and was able to join a chat room. For arora, it isn't working with icedtea-web, but I've confirmed this is not a regression. Other standard browser testing, including flash is working.
CC: (none) => davidwhodginsWhiteboard: MGA1TOO => MGA1TOO MGA1-32-OK has_procedure
I'll be testing Mageia 1 x86-64, and then Mageia 2 shortly.
Testing complete on Mageia 1 x86-64. Testing Mageia 2 shortly.
Whiteboard: MGA1TOO MGA1-32-OK has_procedure => MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK
Testing complete on Mageia 2 i586 and x86-64. Could someone from the sysadmin team push the srpms arora-0.11.0-5.1.mga2.src.rpm psi-0.14-9.1.mga2.src.rpm qca2-2.0.3-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpms arora-0.11.0-2.1.mga1.src.rpm psi-0.14-8.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated arora and psi packages fix security vulnerability: Arora, possibly 0.11 and other versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text (CVE-2011-3367). Psi is also affected by this vulnerability and has been patched as well. Finally, qca2 in Mageia 2 has been fixed so that Psi will build with it. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3367 http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070892.html http://lists.fedoraproject.org/pipermail/package-announce/2011-December/070582.html https://bugs.mageia.org/show_bug.cgi?id=7002
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK => MGA1TOO MGA1-32-OK has_procedure MGA1-64-OK MGA2-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0220
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED