Bug 22281

Summary: swftools new security issue CVE-2017-7698
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Source RPM: swftools-0.9.2-7.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2017-12-29 06:01:33 CET
Upstream committed a pull request to fix a security issue on May 8:
https://github.com/matthiaskramm/swftools/commit/c7747f4b10739bd365c3e79d153b99fbfac9a4ac

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated swftools packages fix security vulnerability:

A Use After Free in the pdf2swf part of swftools 0.9.2 and earlier allows
remote attackers to execute arbitrary code via a malformed PDF document,
due to bundled code in Gfx.cc from Xpdf 3.02 (CVE-2017-7698).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7698
https://github.com/matthiaskramm/swftools/commit/c7747f4b10739bd365c3e79d153b99fbfac9a4ac
========================

Updated packages in core/updates_testing:
========================
swftools-0.9.2-7.2.mga5
swftools-0.9.2-9.1.mga6

from SRPMS:
swftools-0.9.2-7.2.mga5.src.rpm
swftools-0.9.2-9.1.mga6.src.rpm

David Walser 2017-12-29 06:01:43 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Herman Viaene 2017-12-30 10:57:43 CET
MGA5-32 on Dell Latitude D600
No installation issues
Ref to bug 20846 Comment 4
Used at CLI
$ jpeg2swf /home/tester5/Afbeeldingen/*.jpg
and
$ gnash output.swf 
runs the images OK
OK for me

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Dave Hodgins 2018-01-01 08:30:21 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 2 Dave Hodgins 2018-01-03 15:01:35 CET
Ok on M6 x86_64.

Validating the update.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2018-01-03 16:51:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0052.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED