| Summary: | libpano13 new security issue CVE-2021-20307 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | | |
| Source RPM: | libpano13-2.9.20-0.rc2.2.mga8.src.rpm | CVE: | CVE-2021-20307 |
| Status comment: | | | |

Description
David Walser
2021-05-28 22:53:00 CEST
David Walser
2021-05-28 22:53:17 CEST
Whiteboard:
(none) => MGA8TOO, MGA7TOO

Done for Cauldron, mga8 and mga7! So win the prize! Assigning to you.

Assignee:
bugsquad => geiger.david68210

Fedora has issued an advisory for this on April 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JE6YZSXNVD6WZ3AG3ENL2DIHQFF24LYX/

Updated packages in core *and tainted* updates_testing:
libpano13-tools-2.9.20-1.mga7
libpano13_3-2.9.20-1.mga7
libpano13-devel-2.9.20-1.mga7
libpano13_3-2.9.20-1.mga8
libpano13-tools-2.9.20-1.mga8
libpano13-devel-2.9.20-1.mga8

from SRPMS:
libpano13-2.9.20-1.mga7.src.rpm
libpano13-2.9.20-1.mga7.src.rpm

CC:
(none) => geiger.david68210

A look back at previous update bugs referencing libpano revealed that it almost always involved Hugin, a panorama stitcher.

Hugin was already installed on my MGA7 test system, as was the tainted version of libpano13-tools. Using qarepo, I updated libpano13-tools to the core version, then ran Hugin and used it to stitch together a series of photos of Lake Champlain taken from the top of Mount Defiance, near Ticonderoga, New York.

Then I again updated libpano13-tools, this time to the tainted version, and again stitched together separate copies of the same photos, again successfully.

This is OK for mga7 64-bit.

Whiteboard:
MGA7TOO => MGA7TOO MGA7-64-OK

Performed the same tests in mga8. While the results were different, it appeared to me that was from user error, rather than from anything due to the update package. It's been a while since I used Hugin, and it has become much more complicated, with many possible settings, and it's quite possible that the defaults don't work with this series of photos as they once did.

I did not see any errors during processing, so I'm going to give this an mga8 OK, and validate.

CC:
(none) => sysadmin-bugs

Advisory:
========================

Updated libpano13 packages fix a security vulnerability:

Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20.rc2 and earlier can lead to read and write arbitrary memory values (CVE-2021-20307).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28997
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20307
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JE6YZSXNVD6WZ3AG3ENL2DIHQFF24LYX/
- https://www.debian.org/lts/security/2021/dla-2624
========================

For Mageia 7:

Updated packages in 7/core/updates_testing:
========================
libpano13-tools-2.9.20-1.mga7
lib(64)pano13_3-2.9.20-1.mga7
lib(64)pano13-devel-2.9.20-1.mga7

from SRPMS:
libpano13-2.9.20-1.mga7.src.rpm
========================

Updated packages in 7/tainted/updates_testing:
========================
libpano13-tools-2.9.20-1.mga7.tainted
lib(64)pano13_3-2.9.20-1.mga7.tainted
lib(64)pano13-devel-2.9.20-1.mga7.tainted

from SRPM:
libpano13-2.9.20-1.mga7.tainted.src.rpm
================================================

For Mageia 8:

Updated packages in 8/core/updates_testing:
========================
libpano13_3-2.9.20-1.mga8
lib(64)pano13-tools-2.9.20-1.mga8
lib(64)pano13-devel-2.9.20-1.mga8

from SRPM:
libpano13-2.9.20-1.mga8.src.rpm
========================

Updated packages in 8/tainted/updates_testing:
========================
lib(64)pano13-devel-2.9.20-1.mga8.tainted
lib(64)pano13_3-2.9.20-1.mga8.tainted
libpano13-tools-2.9.20-1.mga8.tainted

from SRPM:
libpano13-2.9.20-1.mga8.tainted.src.rpm

CC:
(none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0230.html

Resolution:
(none) => FIXED