Bug 17739

Summary: eom: new integer overflow security issue (CVE-2013-7447)
Product: Mageia Reporter: Atilla ÖNTAŞ <tarakbumba>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/675834/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: eom-1.8.1-2.mga5 CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 17731    

Description Atilla ÖNTAŞ 2016-02-11 23:05:01 CET 
I have uploaded a patched eom package for Mageia 5.

You can test this by:

1. Install gtk+2.0-2.24.26-3.mga5 from core/updates_testing which is also fixed to be ensure that it is not a gtk+2.0 issue.
2. Insall eom if it isn't installed.
2. Download the archive which contains a large image file from: https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1540811/+attachment/4561945/+files/image.tar
3. Unpack it and open the unpacked image (27000_27000_1437947845.png) in eom.
5. eom hangs and crashes.

After installing patched eom package this error should not occur.

Suggested advisory:
========================

Updated eom packages fix security vulnerability:

Due to a logic error, an attempt to allocate a large block of memory
fails in gdk_cairo_set_source_pixbuf, leading to a crash of eom (CVE-2013-7447).


References:
https://github.com/mate-desktop/eom/issues/93
https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1540811
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799275
https://bugzilla.gnome.org/show_bug.cgi?id=703220
https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6
http://openwall.com/lists/oss-security/2016/02/10/2
https://bugs.mageia.org/show_bug.cgi?id=17731
========================

Updated packages in core/updates_testing:
========================

eom-1.8.1-2.1.mga5
eom-devel-1.8.1-2.1.mga5

Source RPMs:
========================
eom-1.8.1-2.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Atilla ÖNTAŞ 2016-02-11 23:05:40 CET

Blocks: (none) => 17731
Source RPM: eom-1.8.1-2.mat6 => eom-1.8.1-2.mga5

David Walser 2016-02-12 00:49:15 CET

Severity: critical => major

Comment 1 Len Lawrence 2016-02-12 10:17:16 CET 
mga5  x86_64  Mate

Installed eom-1.8.1-2.1 after the gtk2 update in bug #17738.
Ran eom on the same files as used in the bug #17738 test and all
displayed correctly, including the 27000x27000 PNG image.

Installed eom-devel-1.8.1-2.1 after the fact because i had forgotten
install it beforehand.
# urpmi --search-media "Updates Testing" eom-devel

CC: (none) => tarazed25

Len Lawrence 2016-02-12 10:18:28 CET

Whiteboard: (none) => has_procedure MGA5-64-OK

Comment 2 Len Lawrence 2016-02-13 16:55:47 CET 
mga5  i586 in virtualbox  Mate

eom had already been tested against the updated gtk+2.0.
Updated eom to eom-1.8.1-2.1 and repeated the image display tests.
The very large PNG image displayed at 4%x4% of its actual size.  Displayed several images of different sizes; PNG, JPEG and SVG.
Comment 3 Len Lawrence 2016-02-13 17:16:43 CET 
Switched to KDE4 to make sure that as a Mate tool the update is Desktop agnostic.
The tests all ran fine but eom picked out a corrupt JPEG in my icons folder.  It objected to AngryGuyInABunnySuit.jpg because the header starts with four zero bytes.  identify also reports this but gqview ignores the problem and displays the icon anyway.  
$ file AngryGuyInBunnySuit.jpg 
AngryGuyInBunnySuit.jpg: MS Windows icon resource - 1 icon, 32x32
eog also traps this as well.
This update can be pushed to Mageia 5 Updates.
Len Lawrence 2016-02-13 17:17:16 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2016-02-15 12:02:28 CET 
Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

David Walser 2016-02-16 20:25:06 CET

URL: (none) => http://lwn.net/Vulnerabilities/675834/

Comment 5 Mageia Robot 2016-02-17 20:22:08 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0070.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED