| Summary: | igraph new security issue CVE-2018-20349 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, shlomif, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | igraph-0.7.1-2.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2019-12-23 22:05:49 CET
David Walser
2019-12-23 22:07:15 CET
Whiteboard: (none) => MGA7TOO

Comment 1

No recent maintainer activity, so assigning globally; CC Shlomi as the registered maintainer and historical committer.

CC: (none) => shlomif

Comment 2

Fixed in igraph-0.7.1-3.mga8 in Cauldron by Shlomi. Mageia 7 still needs to be fixed.

Version: Cauldron => 7

Comment 3

Patched package uploaded for Mageia 7 by Shlomi.

Advisory:
========================

Updated igraph packages fix security vulnerability:

The igraph_i_strdiff function in igraph_trie.c in igraph through 0.7.1 has a NULL pointer dereference that allows attackers to cause a denial of service (application crash) via a crafted object (CVE-2018-20349).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20349
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NCGDUNQYLSZLSGN6JJBORVFW46U3A75Y/
========================

Updated packages in core/updates_testing:
========================
igraph-0.7.1-2.1.mga7
igraph-devel-0.7.1-2.1.mga7

from igraph-0.7.1-2.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4

Mageia 7, x86_64

CVE-2018-20349
https://github.com/igraph/igraph/issues/1141

Download and compile graphml.c.

```
$ gcc graphml.c -I/usr/include/igraph -ligraph -o graphml
$ ./graphml igraph_trie-igraph_i_strdiff-112.crash
```

No crash.

```
$ gdb graphml
(gdb) run igraph_trie-igraph_i_strdiff-112.crash
Starting program: /data/qa/igraph/graphml igraph_trie-igraph_i_strdiff-112.crash
Missing separate debuginfos, use: debuginfo-install glibc-2.29-19.mga7.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[Inferior 1 (process 10972) exited with code 01]
```

Not a particularly useful result.

Updated both packages and recompiled the test script.

```
$ ./graphml igraph_trie-igraph_i_strdiff-112.crash
```

As before, no crash. Following up later.

CC: (none) => tarazed25

Comment 5

Follow-on from comment 4:

There are example programs in /usr/share/doc/igraph-devel/examples/simple/

Tried matrix.c and a few other examples and compared outputs to those from the pre-compiled programs.

```
$ cp /usr/share/doc/igraph-devel/examples/simple/single_target_shortest_path.c .
$ gcc single_target_shortest_path.c -I/usr/include/igraph -ligraph -o single_target_shortest_path
$ ./single_target_shortest_path
0 3 4 4 3 0 4 3 0 3 4 0 1 2 3 4 0 1 2 3
$ cat /usr/share/doc/igraph-devel/examples/simple/single_target_shortest_path.out
0 3 4 4 3 0 4 3 0 3 4 0 1 2 3 4 0 1 2 3
```

In all cases the outputs were the same.

Whiteboard: (none) => MGA7-64-OK

Comment 6

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
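Editor's added example, not code from igraph or from anyone in this thread. The advisory only names the bug class (a NULL pointer dereference inside a string-prefix comparison in the trie code), and the QA run in comment 4 could not trigger a crash on either build, so the page shows no trace of the faulty path. The model below is therefore generic: a prefix-difference helper written in the style the advisory describes (indexing both strings without a NULL check), a hardened variant that refuses NULL, and a toy key table whose keys come from an untrusted parser. The function names, the key table and the sample name list with a NULL standing in for a missing name in crafted input are all constructed for illustration; igraph's real trie, its caller and the actual fix are not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the failure mode named in the advisory: a prefix
 * comparison helper in the style of igraph_i_strdiff that indexes both
 * strings without checking for NULL. This is NOT igraph's code; the real
 * function and its caller are not on this page. Returns the index of the
 * first byte at which the two strings differ. */
static int strdiff_unchecked(const char *str, const char *key)
{
    int diff = 0;
    while (str[diff] != '\0' && key[diff] != '\0' && str[diff] == key[diff]) {
        diff++;
    }
    return diff;
}

/* Hardened variant: a NULL argument is reported as an error instead of
 * being dereferenced. Returns 0 on success, -1 on bad input. */
static int strdiff_checked(const char *str, const char *key, int *diff_out)
{
    if (str == NULL || key == NULL || diff_out == NULL) {
        return -1;
    }
    *diff_out = strdiff_unchecked(str, key);
    return 0;
}

/* Toy key table standing in for the trie the helper serves (hypothetical,
 * not igraph's structure). Keys arrive from an untrusted parser, so one of
 * them may be NULL. */
#define MAX_KEYS 16

typedef struct {
    const char *keys[MAX_KEYS];
    size_t count;
} key_table;

/* Insert a key: returns 1 if it was new, 0 if it was already present,
 * -1 if rejected. A NULL key (the crafted-input case) is rejected before
 * any comparison runs, which is the check the unchecked helper lacks. */
static int table_insert(key_table *t, const char *key)
{
    size_t i;
    if (t == NULL || key == NULL) {
        return -1;
    }
    for (i = 0; i < t->count; i++) {
        int diff;
        if (strdiff_checked(t->keys[i], key, &diff) != 0) {
            return -1;   /* a NULL already in the table would be caught too */
        }
        /* Both strings end at the first difference: identical key. */
        if (t->keys[i][diff] == '\0' && key[diff] == '\0') {
            return 0;
        }
    }
    if (t->count == MAX_KEYS) {
        return -1;
    }
    t->keys[t->count++] = key;
    return 1;
}

/* Load a batch of parsed attribute names. Returns the number of records the
 * table refused; a library-style caller would turn a non-zero result into
 * an error return rather than continuing with a partial table. */
static int load_keys(key_table *t, const char *const *names, size_t n)
{
    int rejected = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        if (table_insert(t, names[i]) < 0) {
            rejected++;
        }
    }
    return rejected;
}

/* Constructed sample: attribute names as a parser might hand them over,
 * including one NULL that stands in for a missing name in crafted input. */
static const char *const sample_names[] = { "weight", "weights", NULL, "weight", "color" };

int main(void)
{
    key_table t = { {0}, 0 };
    int rejected = load_keys(&t, sample_names,
                             sizeof sample_names / sizeof sample_names[0]);
    printf("unique keys stored: %zu, rejected: %d\n", t.count, rejected);
    return rejected == 0 ? 0 : 1;
}
```

With the sample list the table keeps three distinct keys ("weight", "weights", "color"), treats the repeated "weight" as a duplicate, and reports one rejected record for the NULL. Feeding that same NULL to strdiff_unchecked would be the crash the advisory describes; the hardened path turns it into a return code the caller can act on.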
Thomas Backlund
2020-01-05 14:39:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0013.html

CC: (none) => tmb
Status: NEW => RESOLVED