Bug 29829

Summary: gegl new security issue CVE-2021-45463
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, hdetavernier, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: gegl-0.4.30-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-12-29 19:17:48 CET 
SUSE has issued an advisory on December 28:
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009954.html

The issue is fixed upstream in 0.4.34.
David Walser 2021-12-29 19:18:33 CET

Status comment: (none) => Fixed upstream in 0.4.34

Comment 1 Nicolas Lécureuil 2021-12-30 14:25:10 CET 
fixed in mga8

src:
    - gegl-0.4.34-1.mga8

Assignee: bugsquad => qa-bugs
CC: (none) => mageia
Status comment: Fixed upstream in 0.4.34 => (none)

Comment 2 Hugues Detavernier 2021-12-30 14:59:50 CET 
Mageia 8 X64 Gnome

No installation issue.

Cli is ok:

$ gegl 
usage: gegl [options] <file | -- [op [op] ..]>

  Options:
     -h, --help      this help information

     --list-all      list all known operations

     --exists        return 0 if the operation(s) exist

     --info          output information about the operation:
                     name, description, properties details.

     -i, --file      read xml from named file

I tested to generate a .jpg to.png with this command from:
https://www.gegl.org/gegl-chain.html

$ gegl test.jpg -o test.png -- noise-reduction unsharp-mask

(gegl:3237): GEGL-WARNING **: 14:53:23.115: (../gegl/buffer/gegl-tile-handler-cache.c:1076):gegl_tile_cache_destroy: runtime check failed: (g_queue_is_empty (&cache_queue))
EEEEeEeek! 2 GeglBuffers leaked

I've got a warning but it works.

CC: (none) => hdetavernier

Comment 3 Herman Viaene 2021-12-30 16:05:09 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
$ gegl 20170905_0008.JPG -o test20170905_0008.png
no feedback and generaed file is OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 David Walser 2021-12-30 16:08:19 CET 
GEGL is a library used by the GIMP, so make sure that's tested.

gegl-0.4.34-1.mga8
libgegl0.4_0-0.4.34-1.mga8
libgegl-gir0.4-0.4.34-1.mga8
libgegl-devel-0.4.34-1.mga8

from gegl-0.4.34-1.mga8.src.rpm
Comment 5 Herman Viaene 2021-12-31 10:29:30 CET 
Installed lib64 rpm's, opened a gif file in GIMP, applied GEGL operation "Negative darkroom", exported result as gif and this file displays OK in gwenview.
Comment 6 David Walser 2021-12-31 19:12:57 CET 
openSUSE has issued an advisory for this today (December 31):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G3NMUTGIH3QYFBHM25LC7HLI7HKVOYCU/
Comment 7 Thomas Andrews 2022-01-01 14:44:27 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-01-03 02:56:18 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-01-03 08:37:43 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0003.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED