Bug 16815

Summary: pixman new buffer overflow security issue fixed upstream in 0.32.8 (CVE-2015-5297)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, wilcal.int, yann.cantin
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/658600/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: pixman-0.32.6-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-09-23 21:30:18 CEST 
Upstream has issued an advisory on September 22:
http://lists.x.org/archives/xorg-announce/2015-September/002637.html

The issue is fixed in version 0.32.8.

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated pixman packages fix security vulnerability:

The pixman library before 0.32.8 is vulnerable to a buffer overflow which can
affect 32-bit systems.

References:
http://lists.x.org/archives/xorg-announce/2015-September/002637.html
========================

Updated packages in core/updates_testing:
========================
libpixman1_0-0.32.8-1.mga5
libpixman-devel-0.32.8-1.mga5

from pixman-0.32.8-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Yann Cantin 2015-09-24 21:48:22 CEST 
mga5 x86_64

Installed packages :
lib64pixman-devel-0.32.8-1.mga5.x86_64.rpm
lib64pixman1_0-0.32.8-1.mga5.x86_64.rpm

Firefox launch OK.

lsof | grep firefox | grep pixman  shows /usr/lib64/libpixman-1.so.0.32.8

Update OK.

CC: (none) => yann.cantin
Whiteboard: (none) => MGA5-64-OK

Comment 2 claire robinson 2015-09-24 22:00:42 CEST 
(In reply to Yann Cantin from comment #1)
> 
> lsof | grep firefox | grep pixman  shows /usr/lib64/libpixman-1.so.0.32.8
> 

That's a handy tip, easier than strace. Could you add it here please..
https://wiki.mageia.org/en/QA_Tips_and_Tricks
Comment 3 William Kenney 2015-09-25 16:28:42 CEST 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libpixman1_0

default install of libpixman1_0

[root@localhost wilcal]# urpmi libpixman1_0
Package libpixman1_0-0.32.6-3.mga5.i586 is already installed

KDE Desktop applications display properly 
lsof | grep firefox | grep pixman: /usr/lib/libpixman-1.so.0.32.6
VLC plays videos correctly, LibreOffice/Write display properly.

install libpixman1_0 from updates_testing

Stop then restart X

[root@localhost wilcal]# urpmi libpixman1_0
Package libpixman1_0-0.32.8-1.mga5.i586 is already installed

KDE Desktop applications display properly 
lsof | grep firefox | grep pixman: /usr/lib/libpixman-1.so.0.32.8
VLC plays videos correctly, LibreOffice/Write display properly.

CC: (none) => wilcal.int

William Kenney 2015-09-25 16:28:59 CEST

Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK

Comment 4 William Kenney 2015-09-25 16:29:57 CEST 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2015-09-25 18:04:23 CEST 
Advisory uploaded.

Thanks for adding that Yann.

Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK

claire robinson 2015-09-25 18:09:26 CEST

Whiteboard: advisory MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 6 Mageia Robot 2015-09-25 20:44:18 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0385.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-09-28 19:42:52 CEST

URL: (none) => http://lwn.net/Vulnerabilities/658600/

Comment 7 David Walser 2018-12-26 02:14:09 CET 
This is CVE-2015-5297:
https://usn.ubuntu.com/3843-1/

Summary: pixman new buffer overflow security issue fixed upstream in 0.32.8 => pixman new buffer overflow security issue fixed upstream in 0.32.8 (CVE-2015-5297)