| Summary: | netpbm new security issues CVE-2017-2579 and CVE-2017-258[0167] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/715042/ | ||
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | netpbm-10.71.02-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-02-05 15:42:36 CET
David Walser
2017-02-05 15:42:44 CET
Whiteboard:
(none) =>
MGA5TOO

(In reply to David Walser from comment #0)
> CVEs have been assigned for multiple security issues in netpbm:
> http://openwall.com/lists/oss-security/2017/02/05/7
>
> It says the issues were found in an older branch, but it's not clear if any
> have been fixed in later versions or if those just haven't been tested.

Maybe one of our packagers is willing to investigate. Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC:
(none) =>
marja11

I checked with Bryan Henderson upstream. "The two Svgtopam vulnerabilities exist in both those releases. The current Stable release (10.73.07) has them fixed." I will try to package 10.73.07 for both cauldron and 5.

CC:
(none) =>
mrambo

Update to 10.73.07 uploaded and freeze push requested. Mga5 is taking longer.

Updated package uploaded for Mageia 5. I did not find any past test procedures for this package but David Hodgins suggested on IRC that I use xfig or tuxpaint for my pre-testing. This may help QA also.

Advisory:
========================

Version 10.73.07 fixes security vulnerabilities:

* Out-of-bounds write in writeRasterPbm() (CVE-2017-2581)
* Out-of-bounds read in expandCodeOntoStack() (CVE-2017-2579)
* Out-of-bounds write of heap data in addPixelToRaster() (CVE-2017-2580)
* Null pointer dereference in stringToUint (CVE-2017-2586)
* Insufficient size check of memory allocation in createCanvas() (CVE-2017-2587)

References:
http://openwall.com/lists/oss-security/2017/02/05/7
========================

Updated packages in core/updates_testing:
========================
lib64netpbm11-10.73.07-1.mga5
lib64netpbm-devel-10.73.07-1.mga5
netpbm-10.73.07-1.mga5
netpbm-debuginfo-10.73.07-1.mga5

from netpbm-10.73.07-1.mga5.src.rpm

Version:
Cauldron =>
5
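The advisory above names the bug classes fixed in 10.73.07: an integer-parsing routine that does not fail closed (stringToUint), an allocation whose size is not checked against the dimensions that drive it (createCanvas), and raster reads and writes that run past the buffer. The following is an added example, not code from this bug report or from netpbm: a small binary PPM (P6) reader that applies the checks those bugs lack, plus a writer for constructing the kind of test image the QA procedure here uses. The function names, the per-axis and per-canvas limits, and the sample images are this example's own assumptions.

```python
"""
Added example, not from the Mageia bug or the netpbm sources: a bounded P6
(binary PPM) reader. Every header value is parsed strictly, the canvas size is
checked before anything is allocated, and the raster is read to exactly the
length the header promises. All names, limits and sample data are assumed.
"""
import io
import struct

MAX_DIMENSION = 1 << 16               # assumed policy limit per axis
MAX_CANVAS_BYTES = 64 * 1024 * 1024   # assumed policy limit on one allocation


class PnmError(ValueError):
    """Raised for any malformed or over-limit input; the parser never crashes."""


def _read_token(stream):
    """Return the next whitespace-delimited header token, skipping '#' comments."""
    token = b""
    while True:
        c = stream.read(1)
        if not c:
            raise PnmError("unexpected end of header")
        if c == b"#":                     # a comment runs to end of line
            while c and c != b"\n":
                c = stream.read(1)
            continue
        if c.isspace():
            if token:
                return token              # the separator byte is consumed here
            continue
        token += c
        if len(token) > 20:               # no legitimate header token is this long
            raise PnmError("header token too long")


def _parse_uint(token, what):
    """Strict decimal parse: digits only, no sign, non-zero, bounded range."""
    if not token or not token.isdigit():
        raise PnmError(f"{what}: not an unsigned integer: {token!r}")
    value = int(token)
    if value == 0 or value > MAX_DIMENSION:
        raise PnmError(f"{what}: out of range: {value}")
    return value


def parse_ppm(data):
    """Parse a P6 PPM; return (width, height, maxval, raster) or raise PnmError."""
    stream = io.BytesIO(data)
    if _read_token(stream) != b"P6":
        raise PnmError("not a binary PPM (P6)")
    width = _parse_uint(_read_token(stream), "width")
    height = _parse_uint(_read_token(stream), "height")
    maxval = _parse_uint(_read_token(stream), "maxval")
    if maxval > 65535:
        raise PnmError("maxval above 65535")
    bytes_per_sample = 2 if maxval > 255 else 1
    # Size check before allocation: operands are already bounded, so the
    # product cannot wrap, and it is still compared against a hard ceiling.
    needed = width * height * 3 * bytes_per_sample
    if needed > MAX_CANVAS_BYTES:
        raise PnmError(f"canvas of {needed} bytes exceeds limit")
    # The single whitespace byte after maxval was consumed by _read_token;
    # read exactly the promised raster length, never more, never less.
    raster = stream.read(needed)
    if len(raster) != needed:
        raise PnmError(f"raster truncated: got {len(raster)}, need {needed}")
    return width, height, maxval, raster


def write_ppm(width, height, pixels):
    """Build a P6 file from a list of (r, g, b) tuples; constructed test data."""
    if len(pixels) != width * height:
        raise PnmError("pixel count does not match dimensions")
    header = f"P6\n{width} {height}\n255\n".encode()
    return header + b"".join(struct.pack("BBB", *p) for p in pixels)


def rejects(data):
    """True if parse_ppm refuses the input cleanly with PnmError."""
    try:
        parse_ppm(data)
    except PnmError:
        return True
    return False


if __name__ == "__main__":
    img = write_ppm(2, 2, [(255, 0, 0), (0, 255, 0), (0, 0, 255), (0, 0, 0)])
    print(parse_ppm(img)[:3])
    print(rejects(b"P6\n65535 65535\n255\n"))   # oversize canvas is refused
```

The limits are deliberately conservative placeholders; the point is that width, height and maxval are validated individually before they are multiplied, and that the product is checked before any buffer exists, which is the ordering the advisory's createCanvas() and stringToUint entries are about.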
Dave Hodgins
2017-02-11 22:58:22 CET
CC:
(none) =>
davidwhodgins

MGA5-32 on Asus A6000VM Xfce
No installation issues. Found no trace of netpbm in using xfig, but found info in netpbm website as to usage of its commands. So, I created a small ppm graphic with xfig and then at CLI:
$ ppmtojpeg testnet.ppm > testnet.jpg
And found the jpg to have the correct graphics. ppmtojpeg being one of the programs of netpbm.

CC:
(none) =>
herman.viaene

Fedora has issued an advisory for this today (February 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDK3BDMKIQL2NQ3SJZXPBEN2LSOUSSEE/
LWN reference:
https://lwn.net/Vulnerabilities/714504/

Also used xfig to export a drawing as a ppm file, then used ppmtobmp to convert it, using xv to view the result.

Validating the update

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0058.html

Status:
NEW =>
RESOLVED
David Walser
2017-02-21 11:54:20 CET
URL:
(none) =>
https://lwn.net/Vulnerabilities/715042/ |