| Summary: | zxing-cpp new security issues CVE-2021-28021 and CVE-2021-4271[56] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | zxing-cpp-1.1.1-2.mga8.src.rpm | CVE: | CVE-2021-28021, CVE-2021-42715, CVE-2021-42716 |
| Status comment: | |||
|
Description
David Walser
2022-01-24 16:11:57 CET
David Walser
2022-01-24 16:12:10 CET
Whiteboard:
(none) =>
MGA8TOO

DavidG is the best person for this update.

Assignee:
bugsquad =>
geiger.david68210

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file. (CVE-2021-28021)

An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files. (CVE-2021-42715)

An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location. (CVE-2021-42716)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42716
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TPIWID3WJ3SMCA23W52QU3RW6AU7JCA7/
========================

Updated packages in core/updates_testing:
========================
lib(64)zxing1-1.1.1-2.1.mga8
lib(64)zxing-devel-1.1.1-2.1.mga8

from SRPM:
zxing-cpp-1.1.1-2.1.mga8.src.rpm

Status:
NEW =>
ASSIGNED

mga8, x64

Acquired a poc file for CVE-2021-28021 in the hope of finding a way to use the library. The poc is a mangled JPEG file. AFAICS testing it would require writing a C++ script to exercise the vulnerable code - a bit out of scope for QA.

$ urpmq --whatrequires lib64zxing1 | uniq
gstreamer1.0-plugins-bad
kaidan
lib64kpimitinerary5
lib64zxing-devel
lib64zxing1

Installed kaidan. Turns out that this is a simple chat program to exchange texts via the jabber protocol so requires a corresponding server across the network. Might work talking to myself over the LAN. Need to think about this.

CC:
(none) =>
tarazed25

kaidan does not start from the system menu. There is a README.md file but that does not help.

$ kaidan
Cyclic dependency detected between "file:///usr/lib64/qt5/qml/org/kde/kirigami.2/Units.qml" and "file:///usr/lib64/qt5/qml/org/kde/kirigami.2/Units.qml"
QQmlApplicationEngine failed to load component
qrc:/qml/main.qml:91:27: Type ChatPage unavailable
qrc:/qml/ChatPage.qml:319:2: Type SendMediaSheet unavailable
qrc:/qml/elements/SendMediaSheet.qml:79:5: Type NewMediaLoader unavailable
qrc:/qml/elements/NewMediaLoader.qml:34:1: module "QtPositioning" is not installed

$ kaidan -h
Usage: kaidan [options] [xmpp-uri]
Kaidan - A simple, user-friendly Jabber/XMPP client for every device!

Options:
  -h, --help         Displays help on commandline options.
  --help-all         Displays help including Qt specific options.
  -v, --version      Displays version information.
  --disable-xml-log  Disable output of full XMPP XML stream.
  -m, --multiple     Allow multiple instances to be started.

Arguments:
  xmpp-uri           An XMPP-URI to open (i.e. join a chat).

Out of my depth here. Backing down.

Updated the two libraries without any issues. Sending this out on the basis of a clean install.

Whiteboard:
(none) =>
MGA8-64-OK

Odd that it doesn't want you talking to yourself. I do it all the time, mostly because sometimes I'm the only one who'll listen!

Validating. Advisory in Comment 2.

Keywords:
(none) =>
validated_update
Dave Hodgins
2022-02-18 00:07:17 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0074.html

Status:
ASSIGNED =>
RESOLVED |
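
As an added illustration of the CVE-2021-42715 description in the suggested advisory (not code from stb_image, zxing-cpp or this bug report): a simplified run-length decoder whose reader returns 0 past end of input, with the checks that stop truncated data from being decoded as an endless series of zero-length runs. The reader, the count-byte convention and every name here are assumptions made for the example, and the sample streams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Reader that yields 0 past end of input (assumed, to model the failure mode). */
typedef struct { const uint8_t *p, *end; } reader;
static int rd_eof(const reader *r) { return r->p >= r->end; }
static int rd_get8(reader *r) { return rd_eof(r) ? 0 : *r->p++; }

enum { RLE_OK = 0, RLE_TRUNCATED = -1, RLE_CORRUPT = -2 };
/* Decode one channel of `width` bytes. A count byte > 128 means "repeat the
   next byte (count - 128) times"; otherwise `count` literal bytes follow. */
int rle_decode_channel(reader *r, uint8_t *out, int width)
{
    int i = 0;
    while (i < width) {
        if (rd_eof(r)) return RLE_TRUNCATED;    /* never decode the EOF filler */
        int count = rd_get8(r);
        if (count > 128) {                      /* repeated-byte run */
            count -= 128;
            if (count > width - i) return RLE_CORRUPT;
            if (rd_eof(r)) return RLE_TRUNCATED;
            int value = rd_get8(r);
            for (int z = 0; z < count; ++z) out[i++] = (uint8_t)value;
        } else {                                /* literal run */
            /* count == 0 makes no progress: without this check the loop spins */
            if (count == 0 || count > width - i) return RLE_CORRUPT;
            if ((size_t)(r->end - r->p) < (size_t)count) return RLE_TRUNCATED;
            for (int z = 0; z < count; ++z) out[i++] = (uint8_t)rd_get8(r);
        }
    }
    return RLE_OK;
}

/* Constructed sample streams for a 6-byte channel (not real image data). */
static const uint8_t SAMPLE_OK[]    = { 0x83, 0xAA, 0x03, 1, 2, 3 };
static const uint8_t SAMPLE_TRUNC[] = { 0x83, 0xAA };             /* ends early */
static const uint8_t SAMPLE_ZERO[]  = { 0x83, 0xAA, 0x00, 0x00 }; /* zero run */
static uint8_t g_out[6];

int decode_sample(const uint8_t *buf, size_t len)
{ reader r = { buf, buf + len }; return rle_decode_channel(&r, g_out, 6); }

int main(void)
{
    printf("%d %d %d\n", decode_sample(SAMPLE_OK, sizeof SAMPLE_OK),
           decode_sample(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC),
           decode_sample(SAMPLE_ZERO, sizeof SAMPLE_ZERO));
    return 0;
}
```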