Bug 10566

Summary: autotrace new security issue CVE-2013-1953
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, fundawang, martynvidler, sysadmin-bugs, thomas
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/555458/
Whiteboard: MGA2TOO MGA3-32-ok MGA2-32-ok MGA2-64-ok MGA3-64-ok
Source RPM: autotrace-0.31.1-37.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-06-19 20:47:46 CEST 
OpenSuSE has issued an advisory today (June 19):
http://lists.opensuse.org/opensuse-updates/2013-06/msg00168.html

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-19 20:48:02 CEST

CC: (none) => fundawang
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-06-28 01:31:49 CEST 
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated autotrace packages fix security vulnerability:

Stack-based buffer overflow in bmp parser (CVE-2013-1953).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1953
http://lists.opensuse.org/opensuse-updates/2013-06/msg00168.html
========================

Updated packages in core/updates_testing:
========================
autotrace-0.31.1-34.1.mga2
libautotrace3-0.31.1-34.1.mga2
libautotrace-devel-0.31.1-34.1.mga2
autotrace-0.31.1-37.1.mga3
libautotrace3-0.31.1-37.1.mga3
libautotrace-devel-0.31.1-37.1.mga3

from SRPMS:
autotrace-0.31.1-34.1.mga2.src.rpm
autotrace-0.31.1-37.1.mga3.src.rpm

CC: (none) => thomas
Version: Cauldron => 3
Assignee: thomas => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 2 martyn vidler 2013-06-29 16:22:29 CEST 
Tested on MGA3 32


urpmi autotrace 0.31.1-37.mga3

Ran command autotrace autotrace -input-format BMP test5.bmp -output-file test5.svg
Created new file test5.svg

$MIRRORLIST: media/core/updates_testing/autotrace-0.31.1-37.1.mga3.i586.rpm
installing autotrace-0.31.1-37.1.mga3.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     ############################################
      1/1: autotrace             ############################################
      1/1: removing autotrace-0.31.1-37.mga3.i586


To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  autotrace                      0.31.1       37.1.mga3     i586
  libautotrace3                  0.31.1       37.1.mga3     i586

"NOTE libautotrace-devel-0.31.1-37.1.mga3.i586 Had to be installed seperatly is this correct".

sudo urpmi --media 'Core Updates Testing' libautotrace-devel-0.31.1-37.1.mga3
A requested package cannot be installed:
libautotrace-devel-0.31.1-37.1.mga3.i586 (due to unsatisfied devel(libm))
Continue installation anyway? (Y/n)

Rerun same test created test5.svg

CC: (none) => martynvidler
Whiteboard: MGA2TOO => MGA2TOO MGA3-32-ok

Comment 3 martyn vidler 2013-06-29 17:11:52 CEST 
Tested MGA2 32

Completed as comment 2

Same results ok

Whiteboard: MGA2TOO MGA3-32-ok => MGA2TOO MGA3-32-ok MGA2-32-ok

Comment 4 martyn vidler 2013-06-30 10:53:54 CEST 
MGA3 64

installed autotrace 0.31.1-37.mga3
Updated

 rsync://www.mirrorservice.org/mageia.org/pub/mageia/distrib/3/x86_64/media/core/updates_testing/autotrace-0.31.1-37.1.mga3.x86_64.rpm
installing autotrace-0.31.1-37.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms    
Preparing...                     #############################################
      1/1: autotrace             #############################################
      1/1: removing autotrace-0.31.1-37.mga3.x86_64

sudo urpmi --media 'Core Updates Testing' libautotrace3-0.31.1.37.1.mga3
No package named libautotrace3-0.31.1.37.1.mga3

sudo urpmi --media 'Core Updates Testing' libautotrace-devel-0.31.1.37.mga3
No package named libautotrace-devel-0.31.1.37.mga3
Comment 5 claire robinson 2013-06-30 14:50:30 CEST 
The libs will be named lib64... rather than lib... on x86_64
Comment 6 martyn vidler 2013-06-30 18:42:56 CEST 
Thks Claire

Tested MGA3 64 and MGA2 64

Repeated above test 

Both 64 bit arch's passed

Validating for update

Whiteboard: MGA2TOO MGA3-32-ok MGA2-32-ok => MGA2TOO MGA3-32-ok MGA2-32-ok MGA2-64-ok MGA3-64-ok

Comment 7 Dave Hodgins 2013-06-30 20:53:33 CEST 
http://svnweb.mageia.org/advisories/10566.adv?view=markup&sortby=date
has been uploaded.

Could someone from the sysadmin team push 10566.adv

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Nicolas Vigier 2013-07-01 21:23:43 CEST 
http://advisories.mageia.org/MGASA-2013-0195.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:36 CEST

CC: boklm => (none)