Bug 24753

Summary: netpbm new security issue CVE-2018-8975
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cjw, davidwhodgins, geiger.david68210, herman.viaene, marja11, mhrambo3501, smelror, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: netpbm-10.73.07-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2019-05-03 20:40:56 CEST 
openSUSE has issued an advisory on April 12:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00113.html

Mageia 6 is also affected.
David Walser 2019-05-03 20:41:03 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-05-03 21:15:47 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing some submitters.

Assignee: bugsquad => pkg-bugs
CC: (none) => cjw, geiger.david68210, marja11, mrambo, smelror

Comment 2 David GEIGER 2019-05-04 06:20:37 CEST 
Already fixed in current 10.86.02 release from Cauldron!
Comment 3 David GEIGER 2019-05-04 06:34:11 CEST 
mga6 fixed!
Comment 4 David Walser 2019-05-04 23:23:02 CEST 
Advisory:
========================

Updated netpbm packages fix security vulnerability:

The pm_mallocarray2 function allowed remote attackers to cause a denial of
service (heap-based buffer over-read) via a crafted image file (CVE-2018-8975).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8975
https://lists.opensuse.org/opensuse-updates/2019-04/msg00113.html
========================

Updated packages in core/updates_testing:
========================
netpbm-10.73.07-1.1.mga6
libnetpbm11-10.73.07-1.1.mga6
libnetpbm-devel-10.73.07-1.1.mga6

from netpbm-10.73.07-1.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Source RPM: netpbm-10.86.02-1.mga7.src.rpm => netpbm-10.73.07-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6

Comment 5 Herman Viaene 2019-05-08 14:32:08 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref bug 20245 for testing, created small ppm file by drawing and exporting from xfig (posting as attachment)
At CLI:
$ ppmtojpeg testppm.ppm > testppm.jpg
$ ppmtobmp testppm.ppm > testppm.bmp
ppmtobmp: analyzing colors...
ppmtobmp: 2 colors found
ppmtobmp: Writing 1 bits per pixel with a color palette

Both jpg and bmp files display correctly in ristretto.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 6 Herman Viaene 2019-05-08 14:35:22 CEST 
<Some ugly words> even this simple drawing is too large: 1.6 Mb.
Comment 7 Dave Hodgins 2019-05-19 09:24:33 CEST 
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2019-05-19 13:28:50 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0183.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED