Bug 24183

Summary: gthumb new security issue CVE-2018-18718
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, lewyssmith, mageia, marja11, nicolas.salguero, olav, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: gthumb-3.4.5-2.mga6.src.rpm CVE: CVE-2018-18718
Status comment:

Description David Walser 2019-01-15 02:48:23 CET 
openSUSE has issued an advisory on January 12:
https://lists.opensuse.org/opensuse-updates/2019-01/msg00031.html

Mageia 6 is also affected.
David Walser 2019-01-15 02:48:29 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-15 08:28:39 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, mageia, marja11, olav

Comment 2 Nicolas Salguero 2019-01-16 09:57:37 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in gThumb through 3.6.2. There is a double-free vulnerability in the add_themes_from_dir method in dlg-contact-sheet.c because of two successive calls of g_free, each of which frees the same buffer. (CVE-2018-18718)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18718
https://lists.opensuse.org/opensuse-updates/2019-01/msg00031.html
========================

Updated packages in core/updates_testing:
========================
gthumb-3.4.5-2.1.mga6
gthumb-devel-3.4.5-2.1.mga6

from SRPMS:
gthumb-3.4.5-2.1.mga6.src.rpm

CVE: (none) => CVE-2018-18718
Version: Cauldron => 6
Source RPM: gthumb-3.6.2-2.mga7.src.rpm => gthumb-3.4.5-2.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 3 Len Lawrence 2019-01-16 17:19:02 CET 
Mageia 6, x86_64

Tried this before and after updates.

Slideshow mode for current directory.
$ gthumb -s
Works fine - shows first frame of animated gifs during the sequence.

Current directory.
$ gthumb
Surprisingly, it acts as a video player for some MKV files.  This directory contained two.  One worked as a video, the other did not.  All images shown as thumbnails.  Selecting and animated gif sets the gif running.
 
Thumbnail menu of specified directory.
$ gthumb Pictures
Selected image can be scaled in three ways.  Properties can be viewed, meta-data, colour profile.  Images can be tagged and descriptions or comments attached.  Some image editing options are provided.  Rotation requests may trigger warnings about distortions (e.g. if image sizes are not multiples of 8).

Looks like it is working as designed.

OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 4 Lewis Smith 2019-01-16 21:20:06 CET 
Rapid work, Len: cleared same day!
Validating, advisory from c2.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2019-01-18 00:52:39 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0039.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED