Bug 27969

Summary: matio possible new security issue CVE-2019-20052
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, nicolas.salguero, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-20052
Whiteboard: MGA7-64-OK
Source RPM: matio-1.5.16-1.1.mga7.src.rpm CVE: CVE-2019-20052
Status comment:

Description Zombie Ryushu 2020-12-29 08:17:05 CET 
A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case.
Zombie Ryushu 2020-12-29 08:17:19 CET

CVE: (none) => CVE-2019-20052

Comment 1 David Walser 2020-12-29 17:08:25 CET 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20052

Fix is here:
https://github.com/tbeu/matio/commit/a47b7cd3aca70e9a0bddf8146eb4ab0cbd19c2c3

It's not clear what versions (if any) are actually affected.

Whiteboard: (none) => MGA7TOO
Summary: matio security flaw CVE-2019-20052 => matio possible new security issue CVE-2019-20052
Status comment: (none) => Patch available from upstream
Assignee: bugsquad => geiger.david68210
Severity: normal => major
CC: (none) => nicolas.salguero

Comment 2 Nicolas Lécureuil 2020-12-30 20:08:20 CET 
Fixed in cauldron.

Package pushed in mga7:

src:
    matio-1.5.16-1.2.mga7

Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 7
CC: (none) => mageia

Comment 3 David Walser 2020-12-30 23:58:24 CET 
Advisory:
========================

Updated matio packages fix security vulnerability:

A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because
SafeMulDims does not consider the rank==0 case (CVE-2019-20052).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20052
========================

Updated packages in core/updates_testing:
========================
matio-1.5.16-1.2.mga7
libmatio9-1.5.16-1.2.mga7
libmatio-devel-1.5.16-1.2.mga7

from matio-1.5.16-1.2.mga7.src.rpm

Status comment: Patch available from upstream => (none)

Comment 4 Len Lawrence 2021-01-01 19:00:53 CET 
mga7, x86_64

CVE-2019-20052
https://github.com/tbeu/matio/issues/131
$ matdump 006-memleak 
InflateRankDims: inflate returned data error
InflateVarNameTag: inflate returned data error
Empty
InflateRankDims: Reading dimensions expected type MAT_T_INT32
InflateRankDims: Reading dimensions expected type MAT_T_INT32
      Name: 
      Rank: 0
InflateRankDims: inflate returned data error
Segmentation fault (core dumped)

Updated packages.
$ rpm -q matio
matio-1.5.16-1.2.mga7

$ matdump 006-memleak 
InflateRankDims: inflate returned data error
InflateVarNameTag: inflate returned data error
Empty
InflateRankDims: Reading dimensions expected type MAT_T_INT32
      Name: 
      Rank: 0
InflateRankDims: inflate returned data error
Segmentation fault (core dumped)

There is only a minor difference which gives the impression that the patch does not work.  Upstream had difficulty verifying the fix or even the issue.

So, what do we do in a case like this - just carry on regardless?
I probably shall anyway.

CC: (none) => tarazed25

Comment 5 David Walser 2021-01-01 20:31:18 CET 
Someone needs to tell upstream that it's not fixed.

Whiteboard: (none) => feedback

Len Lawrence 2021-01-02 00:51:12 CET

Keywords: (none) => feedback
Whiteboard: feedback => (none)

Comment 6 Aurelien Oudelet 2021-02-04 18:58:38 CET 
Upstream BR is closed since dec. 2019!

CC: (none) => ouaurelien
Source RPM: matio-1.5.17-3.mga8.src.rpm => matio-1.5.16-1.1.mga7.src.rpm

Comment 7 Aurelien Oudelet 2021-02-19 10:37:51 CET 
Re ping. We should fix this.
@Packager can you take a look?
Aurelien Oudelet 2021-03-01 17:12:14 CET

Status: NEW => NEEDINFO

Aurelien Oudelet 2021-03-01 17:12:49 CET

Status: NEEDINFO => NEW

David Walser 2021-06-21 22:11:01 CEST

Depends on: (none) => 29164

Comment 8 David Walser 2021-06-21 22:11:42 CEST 
Incomplete fix bug filed as Bug 29164.  Let's push this update.

Keywords: feedback => (none)

Comment 9 Aurelien Oudelet 2021-06-22 22:13:50 CEST 
(In reply to David Walser from comment #8)
> Incomplete fix bug filed as Bug 29164.  Let's push this update.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 10 Thomas Backlund 2021-06-23 20:06:01 CEST 
what's the plan here...

it stated it needs to be pushed, 

but bug 29164 got added as blocker, so this one wont be pushed then..
Comment 11 David Walser 2021-06-23 20:07:11 CEST 
This one should be pushed.  The other bug isn't assigned to QA.
Comment 12 Thomas Backlund 2021-06-23 20:15:06 CEST 
ok, dropping the dep

Depends on: 29164 => (none)

Comment 13 Mageia Robot 2021-06-25 16:45:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0285.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED