Bug 22121

Summary: libtorrent-rasterbar new security issue CVE-2017-9847
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: David GEIGER <geiger.david68210>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: marja11
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: libtorrent-rasterbar-1.0.10-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-12-03 18:52:54 CET
Fedora has issued an advisory today (December 3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AJKJFPCG3MZ3P2ZHGEX43X327IM4YL6K/

It's not clear which older versions may be affected, but the upstream bug has a PoC.  The issue was fixed in 1.1.5.
Comment 1 Marja Van Waes 2017-12-03 18:56:54 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2018-01-01 19:43:49 CET
Ubuntu has yet to make an assessment of this for 1.0.x:
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9847.html

Debian says it is probably affected:
https://security-tracker.debian.org/tracker/CVE-2017-9847

Looking at the code, I disagree; I think 1.0.x is fine.  I'll reopen if someone ships an update for it.

Version: 6 => Cauldron
Resolution: (none) => FIXED
Status: NEW => RESOLVED