| Summary: | libextractor new security issue CVE-2019-15531 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libextractor-1.9-3.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2019-12-23 23:46:16 CET
David Walser
2019-12-23 23:46:29 CET
Whiteboard: (none) => MGA7TOO

Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Advisory:
========================

Updated libextractor packages fix security vulnerability:

GNU Libextractor through 1.9 has a heap-based buffer over-read in the function EXTRACTOR_dvi_extract_method in plugins/dvi_extractor.c (CVE-2019-15531).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15531
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GRQUHTSNOCKGRKPRXPUJ6FGTVZ2K5POL/
========================

Updated packages in core/updates_testing:
========================
extract-1.9-2.1.mga7
libextractor-common-1.9-2.1.mga7
libextractor3-1.9-2.1.mga7
libextractor_common1-1.9-2.1.mga7
libextractor-devel-1.9-2.1.mga7

from libextractor-1.9-2.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues
From MCC: libextractor is a library used to extract meta-data from files of arbitrary type.
So did some arbitrary things.

$ extract P7212390.ORF
Trefwoorden voor bestand P7212390.ORF:
MIME-type - image/x-olympus-orf

$ extract RAW_NIKON_E5700_SRGB.NEF
Trefwoorden voor bestand RAW_NIKON_E5700_SRGB.NEF:
copyright-houder -
MIME-type - image/tiff
aanmaakdatum - 2004:10:30 09:36:23
omschrijving -
cameramerk - NIKON
cameramodel - E5700
door software gemaakt - Nikon Browser 6.2.1 W
afbeeldingsafmetingen - 120x160
MIME-type - image/tiff
MIME-type - image/tiff
onbekend - endianness=1234
video-afmetingen - 120x160
video-diepte - 32
pixelzijdenverhouding - 1/1

$ extract VerslagGB20160129.odt
Trefwoorden voor bestand VerslagGB20160129.odt:
MIME-type - application/vnd.oasis.opendocument.text
ingebedde bestandsnaam - mimetype
ingebedde bestandsnaam - Thumbnails/thumbnail.png
ingebedde bestandsnaam - layout-cache
ingebedde bestandsnaam - content.xml
ingebedde bestandsnaam - settings.xml
ingebedde bestandsnaam - meta.xml
ingebedde bestandsnaam - styles.xml
ingebedde bestandsnaam - manifest.rdf
ingebedde bestandsnaam - Configurations2/images/Bitmaps/
ingebedde bestandsnaam - Configurations2/toolpanel/
ingebedde bestandsnaam - Configurations2/progressbar/
ingebedde bestandsnaam - Configurations2/accelerator/current.xml
ingebedde bestandsnaam - Configurations2/floater/
ingebedde bestandsnaam - Configurations2/statusbar/
ingebedde bestandsnaam - Configurations2/toolbar/
ingebedde bestandsnaam - Configurations2/popupmenu/
ingebedde bestandsnaam - Configurations2/menubar/
ingebedde bestandsnaam - META-INF/manifest.xml
indeling - ZIP 2.0 (uncompressed)
MIME-type - application/vnd.oasis.opendocument.text
door software gemaakt - LibreOffice/4.4.7.2$Linux_X86_64 LibreOffice_project/40$Build-2
aantal bladzijden - 3
aanmaakdatum - 2016-02-01T10:21:30.685240352
onbekende datum - 2016-02-01T11:21:50.465500816

$ extract vrijwilligersmap.pdf
Trefwoorden voor bestand vrijwilligersmap.pdf:
MIME-type - application/pdf
maker - Adobe InDesign CS5.5 (7.5.2)
door software geproduceerd - Adobe PDF Library 9.9
aanmaakdatum - Fri May 3 12:55:29 2019 CEST
wijzigingsdatum - Fri May 3 12:55:50 2019 CEST
aantal bladzijden - 106
encoder-versie - 1.5

All look good.

CC: (none) => herman.viaene

Herman, you are amazing. I looked at the same information you did, but never thought to just try extracting metadata from whatever was handy.

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
Thomas Backlund
2020-01-05 12:57:58 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0015.html

Resolution: (none) => FIXED