Bug 29575

Summary: libcaca new security issues CVE-2021-30498, CVE-2021-30499
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: libcaca-0.99-0.beta19.5.1.mga8.src.rpm
CVE: CVE-2021-30498, CVE-2021-30499
Status comment:

Description David Walser 2021-10-21 23:45:51 CEST
Ubuntu has issued an advisory today (October 21):
https://ubuntu.com/security/notices/USN-5119-1

Mageia 8 is also affected.
David Walser 2021-10-21 23:46:09 CEST

Status comment: (none) => Patches available from Ubuntu and upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-10-23 20:54:49 CEST
This SRPM has no registered maintainer, and has been committed by various packagers, so having to assign the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-10-25 09:44:07 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A flaw was found in libcaca. A heap buffer overflow in export.c in function export_tga might lead to memory corruption and other potential consequences. (CVE-2021-30498)

A flaw was found in libcaca. A buffer overflow of export.c in function export_troff might lead to memory corruption and other potential consequences. (CVE-2021-30499)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30499
https://ubuntu.com/security/notices/USN-5119-1
========================

Updated packages in core/updates_testing:
========================
caca-utils-0.99-0.beta19.5.2.mga8
lib(64)caca0-0.99-0.beta19.5.2.mga8
lib(64)caca-devel-0.99-0.beta19.5.2.mga8
python3-caca-0.99-0.beta19.5.2.mga8
ruby-caca-0.99-0.beta19.5.2.mga8

from SRPM:
libcaca-0.99-0.beta19.5.2.mga8.src.rpm

Status comment: Patches available from Ubuntu and upstream => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-30498, CVE-2021-30499
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2021-10-26 11:30:16 CEST
MGA8-64 Plasma on Lenovo B50
No real installation issues.
The text displayed in MCC for caca-utils needs to be updated since it refers to cacaball and cacamoir and cacaplas which are not provided.
Tried some commands that work OK:
cacaview P5211854.gif 
displays recognizable image on the terminal
cacafire and cacademo do OK.
$ caca-config --version
0.99.beta19
but
$ cacaclock
Could not open font
and 
$ man cacaaclock
There is no page on cacaclock
So I'm in the dark what this font thingie really is.
If it can be confirmed that the "missing" commands mentioned above really should not be there, I will not object to the OK.

CC: (none) => herman.viaene

Comment 4 David Walser 2021-10-26 15:10:56 CEST
I wouldn't worry about its own built-in commands. Try something that uses the library. I believe mplayer can use it for one of its ASCII art output options.
Herman Viaene 2021-10-27 09:02:49 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-10-27 22:18:11 CEST
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-10-29 18:13:26 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2021-10-29 21:33:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0496.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED