Bug 24184

Summary: libgxps new security issue CVE-2018-10767
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, mhrambo3501, olav, pkg-bugs, thierry.vignaud
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libgxps-0.2.5-1.2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2019-01-15 03:35:22 CET 
Fedora has issued an advisory on January 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MSIVWHXRZWTRZFL7N6763ECQ6L7FHAVB/

The issue was fixed upstream in 0.3.1.
Comment 1 David Walser 2019-01-15 03:56:35 CET 
It was supposedly fixed in:
https://access.redhat.com/errata/RHSA-2018:3140

but the only patch we're missing from that update:
https://git.centos.org/commit/rpms!libgxps.git/b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7

is:
https://git.centos.org/raw/rpms/libgxps.git/b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7/SOURCES!libgxps-0.3.0-clear-error.patch

and the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1575188

does mention the patched function in the stack trace, but I'm not sure.

I've committed that patch in SVN anyway.
Comment 2 Marja Van Waes 2019-01-15 08:34:35 CET 
(In reply to David Walser from comment #1)
> It was supposedly fixed in:
> https://access.redhat.com/errata/RHSA-2018:3140
> 
> but the only patch we're missing from that update:
> https://git.centos.org/commit/rpms!libgxps.git/
> b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7
> 
> is:
> https://git.centos.org/raw/rpms/libgxps.git/
> b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7/SOURCES!libgxps-0.3.0-clear-error.
> patch
> 
> and the RedHat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1575188
> 
> does mention the patched function in the stack trace, but I'm not sure.
> 
> I've committed that patch in SVN anyway.

So you want someone to take a closer look, before submitting it & assigning to QA?

CC'ing some committers and all packagers collectively.

CC: (none) => mageia, marja11, olav, pkg-bugs, thierry.vignaud

Comment 3 Marja Van Waes 2019-02-03 08:38:00 CET 
(In reply to Marja Van Waes from comment #2)
> (In reply to David Walser from comment #1)
> > It was supposedly fixed in:
> > https://access.redhat.com/errata/RHSA-2018:3140
> > 
> > but the only patch we're missing from that update:
> > https://git.centos.org/commit/rpms!libgxps.git/
> > b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7
> > 
> > is:
> > https://git.centos.org/raw/rpms/libgxps.git/
> > b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7/SOURCES!libgxps-0.3.0-clear-error.
> > patch
> > 
> > and the RedHat bug:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1575188
> > 
> > does mention the patched function in the stack trace, but I'm not sure.
> > 
> > I've committed that patch in SVN anyway.
> 
> So you want someone to take a closer look, before submitting it & assigning
> to QA?
> 
> CC'ing some committers and all packagers collectively.

There is no registered maintainer, so assigning to all packagers collectively, to decrease the chance that this will be forgotten.

Assignee: bugsquad => pkg-bugs

Comment 4 Mike Rambo 2019-11-06 21:19:33 CET 
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => mrambo