Bug 23702

Summary: exempi new security issue CVE-2018-12648
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, mageia, marja11, mhrambo3501, smelror, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: exempi-2.4.5-3.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-10-16 00:16:13 CEST 
Fedora has issued an advisory on October 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WFS4YRRYY745JRYSEGGT7JFJTVC4F62H/

Mageia 6 is also affected.
David Walser 2018-10-16 00:16:24 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-16 19:50:57 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing two committers.

CC: (none) => mageia, marja11, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-10-17 20:37:06 CEST 
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated exempi package fixes security vulnerability:

It was found that the WEBP::GetLE32 function in
XMPFiles/source/FormatSupport/WEBP_Support.hpp in Exempi 2.4.5 has a
NULL pointer dereference (CVE-2018-12648).


References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WFS4YRRYY745JRYSEGGT7JFJTVC4F62H/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12648
========================

Updated packages in core/updates_testing:
========================
lib64exempi3-2.4.5-1.1.mga6
lib64exempi-devel-2.4.5-1.1.mga6

from exempi-2.4.5-1.1.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=22801#c6

Whiteboard: MGA6TOO => (none)
Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
CC: (none) => mrambo

Comment 3 Herman Viaene 2018-10-20 12:58:18 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
As per bug22801 Comment 4, opened pictures with eom and checked the metadata.
Seems OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 4 PC LX 2018-10-22 10:19:05 CEST 
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tests:
- Extracting PSD metadata with exempi.
- Using tellico (depends on lib64exempi3).
- Using eom (depends on lib64exempi3).

$ uname -a
Linux marte 4.14.76-desktop-1.mga6 #1 SMP Sat Oct 13 23:34:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep exempi | sort
lib64exempi3-2.4.5-1.1.mga6
$ find -ipath '*.psd' -exec exempi -x '{}' ';'
processing file x.psd
dump_xmp for file x.psd
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Exempi + XMP Core 5.5.0">
<SNIP>

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => mageia

Comment 5 Thomas Andrews 2018-10-26 01:00:12 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-10-26 15:55:41 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2018-10-26 20:48:22 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0416.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED