Bug 25963

Summary: hunspell new security issue CVE-2019-16707
Product: Mageia
Component: Security
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: hunspell-1.7.0-1.mga7.src.rpm
Status comment:
Reporter: David Walser <luigiwalser>
Assignee: QA Team <qa-bugs>
QA Contact: Sec team <security>
CC: andrewsfarm, geiger.david68210, shlomif, sysadmin-bugs, tmb
Keywords: advisory, validated_update
CVE:

Description David Walser 2019-12-27 03:07:30 CET
Fedora has issued an advisory on November 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UD4AJ4M74VT3I6L37E4P5DNYZYBZIOVM/

Mageia 7 is also affected.

David Walser 2019-12-27 03:07:48 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-27 10:18:59 CET
Assigning globally; CC Shlomi as the last maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => shlomif

Comment 2 David GEIGER 2019-12-27 10:29:01 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-12-27 16:03:49 CET
Advisory:
========================

Updated hunspell packages fix security vulnerability:

Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring
in suggestmgr.cxx (CVE-2019-16707).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16707
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UD4AJ4M74VT3I6L37E4P5DNYZYBZIOVM/
========================

Updated packages in core/updates_testing:
========================
hunspell-1.7.0-1.1.mga7
libhunspell1.7_0-1.7.0-1.1.mga7
libhunspell-devel-1.7.0-1.1.mga7

from hunspell-1.7.0-1.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs

Comment 4 Thomas Andrews 2019-12-27 20:08:18 CET
64-bit Plasma system.

Packages installed cleanly, using the qarepo tool. 

Checked LibreOffice Writer, and it uses hunspell for spell checking. Opened a new document, typed in several misspelled words, all of which were identified. Hunspell did not offer the correct spelling for one, but that one was so badly misspelled that it isn't surprising.

Just to confirm that hunspell was being used, I went into the Writer option and unchecked the "Use Hunspell" box. That turned spellcheck off altogether.

This one looks OK for 64-bit. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-12-31 16:55:53 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-12-31 17:52:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0421.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED