| Summary: | cimg new security issue CVE-2020-25693 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, joequant, nicolas.salguero, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | cimg-2.5.7-1.mga7.src.rpm | CVE: | CVE-2020-25693 |
| Status comment: | | | |
|
Description
David Walser
2020-11-23 16:59:38 CET

David Walser
2020-11-23 16:59:43 CET
Whiteboard: (none) => MGA7TOO

Comment
cimg-2.9.3-1.mga8 (and gmic) uploaded for Cauldron by David Geiger.
CC: (none) => geiger.david68210

Comment
Hi, thanks for reporting this bug. As there is no maintainer for this package, I added committers in CC. (Please set the status to 'assigned' if you are working on it.)
Assignee: bugsquad => pkg-bugs

Comment
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Multiple heap buffer overflows. (CVE-2020-25693)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25693
https://www.debian.org/lts/security/2020/dla-2462
========================

Updated packages in core/updates_testing:
========================
cimg-2.5.7-1.1.mga7
cimg-devel-2.5.7-1.1.mga7

from SRPM:
cimg-2.5.7-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero

Comment
mga7, x86_64

Installed the two packages then updated them from updates testing. Used updatedb and mlocate to track down the examples provided and made a local copy of the /usr/share/doc/cimg-devel/examples/ folder. Ran `make linux`, which built most of the test programs from the C++ scripts.

./tutorial provided a picture of a red parrot with the invitation to move the mouse over it. Scanning the image in the X direction painted the RGB intensity profiles in real time in another window.

./jawbreaker is some sort of game with coloured buttons. It responded - cannot say any more than that.

$ ./image_surface3d
- Load file 'logo.bmp'
- Create image surface
- Compute image isophotes
- Enter interactive loop.
Reminder :
+ Use mouse to rotate and zoom object
+ key 'F' : Toggle fullscreen
+ key 'Q' or 'ESC' : Quit
+ Any other key : Change rendering type

Rotation and zooming worked fine, but 'F' did not work, nor did 'Q'.

$ ./image2ascii
ASCII art works. So does ./tetris.

$ ./fade_images
Image fading: this = 0x7ffda2f1ce40, size = (211,242,1,3) [149 Kio], data = (unsigned char*)0x129cc30..0x12c2291 (non-shared) = [ 190 189 190 189 189 190 190 190 ... 145 146 138 136 140 143 143 143 ], min = 0, max = 222, mean = 123.514, std = 56.0126, coords_min = (80,208,0,0), coords_max = (127,77,0,1).
Various things happened to the image - difficult to describe.

$ ./curve_editor2d
- No input image specified, use default 512x512 image.
Showed a circle and filled square. Left mouse button distorted the circle and turned the square into a polygon. There is a menu for keyboard functions, like P to toggle control point visibility and T for tangents.

$ ./gaussian_fit1d demonstrates "Levenberg-Marquardt Gaussian fitting" for those in the know.
./scene3d shows rendering of 3D shapes.

And so on and so forth. To venture a personal opinion, this is an extremely impressive little package which appears to be working as designed. Full marks.

CC: (none) => tarazed25

Comment
Validating update. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update

Comment
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0443.html
Status: ASSIGNED => RESOLVED
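The advisory above names the bug class only ("multiple heap buffer overflows") and the thread does not say where in cimg they sit, so the following is an added illustration of that class as it typically appears in an image loader, not CImg's code and not the CVE-2020-25693 fix. It is written for this page; `ImageHeader`, `parse_header`, `naive_buffer_size`, `checked_buffer_size` and `load_image` are hypothetical names, and the header strings and payloads are constructed inputs. The naive path forms width x height x channels in 32 bits, which wraps to zero for a 65536 x 65536 x 3 header and would leave an allocation far smaller than the pixel data copied into it; the checked path bounds each multiplication, rejects zero dimensions, caps the total, and refuses truncated payloads.

```cpp
// Added example: overflow-checked image dimensions before buffer allocation.
// Not CImg code and not the CVE fix; a generic illustration of the heap
// buffer overflow class the advisory names. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <sstream>
#include <string>
#include <vector>

// Header as a PNM-style loader would read it (constructed for this example).
struct ImageHeader {
    std::uint32_t width = 0;
    std::uint32_t height = 0;
    std::uint32_t channels = 0;
};

// Parse a constructed ASCII header "<width> <height> <channels>".
// Returns false on malformed input or values that do not fit in 32 bits.
bool parse_header(const std::string &text, ImageHeader &h) {
    std::istringstream in(text);
    unsigned long long w = 0, ht = 0, c = 0;
    if (!(in >> w >> ht >> c)) return false;
    const unsigned long long u32max = std::numeric_limits<std::uint32_t>::max();
    if (w > u32max || ht > u32max || c > u32max) return false;
    h.width = static_cast<std::uint32_t>(w);
    h.height = static_cast<std::uint32_t>(ht);
    h.channels = static_cast<std::uint32_t>(c);
    return true;
}

// Vulnerable pattern, kept for contrast: the product is formed in 32 bits and
// wraps silently. "65536 65536 3" yields 0, so an allocator fed this value
// returns a buffer far smaller than the pixel data that is then copied in.
std::uint32_t naive_buffer_size(const ImageHeader &h) {
    return h.width * h.height * h.channels;  // wraps modulo 2^32
}

// Hardened: each multiplication is bounds-checked in size_t before it happens,
// zero dimensions are rejected, and a caller-supplied cap limits the total.
bool checked_buffer_size(const ImageHeader &h, std::size_t max_bytes, std::size_t &out) {
    if (h.width == 0 || h.height == 0 || h.channels == 0) return false;
    const std::size_t lim = std::numeric_limits<std::size_t>::max();
    std::size_t n = h.width;
    if (n > lim / h.height) return false;
    n *= h.height;
    if (n > lim / h.channels) return false;
    n *= h.channels;
    if (n > max_bytes) return false;
    out = n;
    return true;
}

// Loader front end: `pixels` is filled only when the header passes the checks
// and the payload really carries that many bytes, so the buffer is never
// smaller than what is copied into it and a truncated file is refused.
bool load_image(const std::string &header, const std::vector<unsigned char> &payload,
                std::size_t max_bytes, std::vector<unsigned char> &pixels) {
    ImageHeader h;
    std::size_t n = 0;
    if (!parse_header(header, h)) return false;
    if (!checked_buffer_size(h, max_bytes, n)) return false;
    if (payload.size() < n) return false;
    pixels.assign(payload.begin(), payload.begin() + static_cast<std::ptrdiff_t>(n));
    return true;
}

// Wrapped 32-bit product for a header string (0 if the header does not parse).
std::uint32_t naive_size_of(const std::string &header) {
    ImageHeader h;
    return parse_header(header, h) ? naive_buffer_size(h) : 0;
}

// Checked byte count for a header string, or 0 when it is rejected (a zero
// byte image is itself rejected, so 0 never means "accepted").
std::size_t accepted_size(const std::string &header, std::size_t max_bytes) {
    ImageHeader h;
    std::size_t n = 0;
    if (!parse_header(header, h) || !checked_buffer_size(h, max_bytes, n)) return 0;
    return n;
}

// Simulated load from a constructed payload of `payload_len` bytes; returns
// the number of pixel bytes kept, or 0 when the loader refused the file.
std::size_t loaded_pixel_count(const std::string &header, std::size_t payload_len,
                               std::size_t max_bytes) {
    std::vector<unsigned char> payload(payload_len, 0x7f), pixels;
    return load_image(header, payload, max_bytes, pixels) ? pixels.size() : 0;
}

int main() {
    const std::size_t cap = 256u << 20;  // 256 MiB: generous for a sample image
    const char *hostile = "65536 65536 3";
    std::printf("naive size for '%s': %u bytes\n", hostile, naive_size_of(hostile));
    std::printf("checked size for '%s': %zu (0 = rejected)\n", hostile, accepted_size(hostile, cap));
    std::printf("checked size for '4 3 3': %zu bytes\n", accepted_size("4 3 3", cap));
    return 0;
}
```

The cap is the part a real loader most often omits: a header that survives the overflow checks can still request gigabytes, and refusing it up front is cheaper than discovering the allocation failure deep inside the decoder.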