Bug 20524

Summary: R-base new security issue CVE-2016-8714
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lmenut, marja11, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK
Source RPM: R-base-3.1.2-2.mga5.src.rpm CVE:
Status comment:
Attachments: Extract from the sample session inthe R manual

Description David Walser 2017-03-19 16:10:47 CET 
Debian has issued an advisory today (March 19):
https://lists.debian.org/debian-security-announce/2017/msg00068.html

The DSA will be posted here:
https://www.debian.org/security/2017/dsa-3813

It may be fixed already in Cauldron, unless Debian also added a patch to 3.3.3.
Comment 1 Marja Van Waes 2017-03-19 17:19:25 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lmenut

Comment 2 David Walser 2017-07-09 02:09:57 CEST 
Luc built an update for this and never said anything.  Assigning to QA.

Advisory:
========================

Updated R-base packages fix security vulnerability:

Cory Duplantis discovered a buffer overflow in the R programming language. A
malformed encoding file may lead to the execution of arbitrary code during PDF
generation (CVE-2016-8714).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
https://www.debian.org/security/2017/dsa-3813
========================

Updated packages in core/updates_testing:
========================
R-base-3.1.2-2.1.mga5
libRmath-3.1.2-2.1.mga5
libRmath-devel-3.1.2-2.1.mga5

from R-base-3.1.2-2.1.mga5.src.rpm

Assignee: lmenut => qa-bugs
CC: (none) => lmenut

Comment 3 Len Lawrence 2017-07-31 19:23:26 CEST 
mga5  x86_64  Mate

Had a look at the introduction and R-lang manuals downloaded from 
https://www.r-project.org/about.html
and decided that it required too much time to learn to use.

Installed R and set up a work directory.
Just typing R brings up a command line prompt for interrogating the system or writing code statements.
$ cd work
$ R
> help()
q
> demo()
q
> help.start()
> q()
$

Help is extensive and demo outlines the demonstration programs available. 
help.start() launches a web page with comprehensive links and following
"packages" lists the packages in the standard library, all concerned with statistical analysis.  Other links cover the same ground as the PDF manuals.

Installed the updates and checked out the interfaces as above and tried out 
the sample session from Appendix A of the manual.  See the attachment for a partial sample interactive session.
That all went well and as there is not much else we can do with this it gets the OK.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-07-31 19:25:57 CEST 
Created attachment 9543 [details]
Extract from the sample session inthe R manual

Since R is a GNU project there should be no copyright issues, I hope.
Len Lawrence 2017-07-31 19:26:22 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 5 RĂ©mi Verschelde 2017-08-03 18:48:49 CEST 
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-08-03 21:06:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0236.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED