Bug 22939

Summary: anki new security issue fixed upstream in 2.0.47
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, herman.viaene, lewyssmith, rverschelde, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: anki-2.0.45-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-04-22 16:28:40 CEST 
Fedora has issued an advisory on April 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JP37EMDUZGFO2KTU74CCRBYDBGUGHQIZ/

The issue was fixed upstream in 2.0.47.

Mageia 5 is also affected (but doesn't need to be updated).
David Walser 2018-04-22 16:28:59 CEST

CC: (none) => geiger.david68210, rverschelde

Comment 1 David GEIGER 2018-04-22 20:17:08 CEST 
Done!
Comment 2 David Walser 2018-04-23 00:15:37 CEST 
Advisory:
========================

Updated anki package fixes security vulnerability:

Anki 2.0.47 fixes a security issue in .apkg imports.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JP37EMDUZGFO2KTU74CCRBYDBGUGHQIZ/
========================

Updated packages in core/updates_testing:
========================
anki-2.0.47-1.mga6

from anki-2.0.47-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Herman Viaene 2018-04-25 16:56:13 CEST 
MGA6-32 on Dell Latitude D600 MATE
No installation issues
Started anki at CLI, downloaded a file of geography cards and imported that one in anki, and play the cards. Works OK AFAICS. The help function was quite usefull for me to get going.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Lewis Smith 2018-04-25 20:48:42 CEST 
Testing M6 x64

Anki: Flashcard program for using space repetition learning
 https://apps.ankiweb.net/docs/manual.html
is a very good page telling you how to do everything. Including how to download & import a card deck.

BEFORE update: anki-2.0.45-1.mga6
Installed this, which made 72 pkgs including both Qt4 & Qt5 python thingies. It is in the Education menu.
Followed its instructions to add a new deck (opens a browser; no need to Login or Sign up - the Download button is lower down), downloaded & imported it. Played a little.

AFTER update: anki-2.0.47-1.mga6.noarch
It retained its first deck. I downloaded & imported another, which seemed odd as the questions were statements, with blank answers; perhaps designed to add one's own notes. Imported yet another deck, and that worked OK - as did the original one.

Looks OK.

Advisory done from comment 2, but:
- no CVE.
- The Fedora reference cites the following things; are they included in this update (the security issue apart)? Should they be mentioned?:
Update to new upstream release 2.0.50.
 * fix a security issue in .apkg imports
 * fix a problem with plugin download
 * use python send2trash module from system
 * use correct shebang for python2 * upstream changelog:

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2018-04-30 21:09:07 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0216.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED