| Summary: | gambas3 new integer overflow security issue (CVE-2013-7447) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, matteo.pasotti, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/675834/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK | ||
| Source RPM: | gambas3 | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 17731 | ||
Description
David Walser
2016-02-12 21:54:07 CET
David Walser
2016-02-12 21:54:45 CET
Source RPM: eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 => gambas3

Trying M5 x64 with XFCE.

Preliminary info:
http://gambaswiki.org/wiki/doc/whatisgambas?nh
http://gambaswiki.org/wiki/doc/intro?nh

But these two pages apart, what to install? I landed up with this mixture of specific and dependent packages:

gambas3-devel-3.6.2-4.1.mga5
gambas3-examples-3.6.2-4.1.mga5
gambas3-gb-cairo-3.6.2-4.1.mga5
gambas3-gb-clipper-3.6.2-4.1.mga5
gambas3-gb-db-3.6.2-4.1.mga5
gambas3-gb-db-form-3.6.2-4.1.mga5
gambas3-gb-desktop-3.6.2-4.1.mga5
gambas3-gb-eval-highlight-3.6.2-4.1.mga5
gambas3-gb-form-3.6.2-4.1.mga5
gambas3-gb-form-dialog-3.6.2-4.1.mga5
gambas3-gb-form-mdi-3.6.2-4.1.mga5
gambas3-gb-form-stock-3.6.2-4.1.mga5
gambas3-gb-geom-3.6.2-4.1.mga5
gambas3-gb-gtk-3.6.2-4.1.mga5
gambas3-gb-gui-3.6.2-4.1.mga5
gambas3-gb-image-3.6.2-4.1.mga5
gambas3-gb-image-effect-3.6.2-4.1.mga5
gambas3-gb-markdown-3.6.2-4.1.mga5
gambas3-gb-qt4-3.6.2-4.1.mga5
gambas3-gb-qt4-ext-3.6.2-4.1.mga5
gambas3-gb-qt4-webkit-3.6.2-4.1.mga5
gambas3-gb-settings-3.6.2-4.1.mga5
gambas3-ide-3.6.2-4.1.mga5
gambas3-runtime-3.6.2-4.1.mga5
gambas3-script-3.6.2-4.1.mga5

of which just devel, examples, ide, runtime, script, gb-gtk, gb-qt4 would probably pull in anything else necessary to make it do almost everything.

No man pages for the many commands installed:

/usr/bin/gambas3 -> gambas3.gambas*
/usr/bin/gambas3.gambas*
/usr/bin/gba3*
/usr/bin/gbc3*
/usr/bin/gbi3*
/usr/bin/gbr3 -> gbx3*
/usr/bin/gbs3 -> gbs3.gambas*
/usr/bin/gbs3.gambas*
/usr/bin/gbw3 -> gbs3.gambas*
/usr/bin/gbx3*

but $ <command> -h does give usage & parameter info.

In addition, for testing, there is a clutch of sample projects provided in /usr/share/gambas3/examples/*/ and a menu entry 'Gambas3' under 'Development' [same as for the gambas3 command]. This shows a window in which 'examples' is included in the menu on the left. Clicking that shows a list of all the included examples. Would that more software did this sort of thing.

Plus a tips of the day window. Alas: trying any one shows the project correctly, but an *empty* alert. So there is a basic 'how to drive it' problem. Right-clicking the project icon, Properties, Libraries may offer a clue: "WARNING! The project executable and the libraries it depends on must be stored inside the same directory. Otherwise the libraries will not be found." If we can find the key (doubtless simple), this should be super easy to test. Can anyone advise how to drive it? It looks a very decent package.

CC: (none) => lewyssmith

Tested M5 x64 under XFCE: OK

First good news: how to run those examples. The alleged 'empty' alert is NOT; but how to read white text on a pale yellow background? BTAIM it disappears when clicked. The toolbar above has a green right-pointing triangle. *This* kicks off the chosen project. If this requires a module not installed, it says so tidily.

Everything yielded an error "Failed to create secure directory (/run/user/1001/pulse): Permission denied", often many times. This did not seem to matter.

[I researched on their site how to run the examples, mailing list & forum. The only advice I found suggested either 'saving as' the opened project, then using the copy; or creating a new project as 'copy from an existing one', but I did not see this choice. No matter in the circumstances: the green triangle is what matters].

Updated all installed modules to 3.6.2-4.2.mga5. The program and the examples I tried all behaved as previously. Update OK.

Whiteboard: (none) => MGA5-64-OK

Good work. A madb diff of the srpm shows the patch is applied here too:
http://madb.mageia.org/rpm/diff/application/0/name/gambas3-3.6.2-4.2.mga5.src.rpm/source/1/release/5/arch/i586/t_media/5

Validating. Advisory uploaded. Please push to 5 updates, thanks.

Keywords: (none) => validated_update
David Walser
2016-02-16 20:25:26 CET
URL: (none) => http://lwn.net/Vulnerabilities/675834/

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0075.html

Status: NEW => RESOLVED