Bug 25941

Summary: mgetty new security issue CVE-2019-1010189
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, mhrambo3501, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: mgetty-1.1.37-5.mga7.src.rpm CVE:
Status comment: Fixed upstream in 1.2.1

Description David Walser 2019-12-23 22:34:44 CET 
Fedora has issued an advisory on August 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YH7KTF6IB4LZURQHCOICNVE6YDAIHV62/

Mageia 7 is also affected.
David Walser 2019-12-23 22:34:54 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-24 21:32:32 CET 
Assigning this globally because the package has no registered nor obvious actual maintainer.

Assignee: bugsquad => pkg-bugs

David Walser 2020-01-14 17:53:30 CET

Status comment: (none) => Fixed upstream in 1.2.1

Comment 2 Mike Rambo 2020-02-06 20:33:53 CET 
Patched package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated mgetty package fixes security vulnerability:

mgetty prior to version 1.2.1 is affected by: Infinite Loop. The impact is: DoS, the program does never terminates. The component is: g3/g32pbm.c. The attack vector is: Local, the user should open a specially crafted file (CVE-2019-1010189).


References:
https://nvd.nist.gov/vuln/detail/CVE-2019-1010189
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YH7KTF6IB4LZURQHCOICNVE6YDAIHV62
========================

Updated packages in core/updates_testing:
========================
mgetty-1.2.1-1.mga7
mgetty-contrib-1.2.1-1.mga7
mgetty-sendfax-1.2.1-1.mga7
mgetty-viewfax-1.2.1-1.mga7
mgetty-voice-1.2.1-1.mga7

from mgetty-1.2.1-1.mga7.src.rpm

Past test procedure was for clean install https://bugs.mageia.org/show_bug.cgi?id=23567#c6

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mrambo
Version: Cauldron => 7

Comment 3 Herman Viaene 2020-02-07 15:02:58 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Test as referred above
# cd /etc/
# ls mgetty+sendfax
dialin.config  faxheader  faxrunq.config  faxspool.rules.sample  login.config  mgetty.config  sendfax.config  voice.conf
tried to get some response from the command (no -h or --help or --version)
# mgetty -x 5 (debug level)
no feedback but some reaction in file /var/log/mgetty.log.unknown:
02/07 14:54:21  no line given: Success
02/07 14:54:21  Usage: mgetty [-x debug] [-s speed] [-r] line: Success

So OK'ing for lack of other tests because of such device not in my possession.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-02-07 19:14:38 CET 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-09 19:17:45 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-02-09 20:15:02 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0076.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED