Bug 30077

Summary: htmldoc new security issue CVE-2022-0534
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: htmldoc-1.9.14-1.mga8.src.rpm
CVE: CVE-2022-0534
Status comment:

Description David Walser 2022-02-21 23:59:12 CET
openSUSE has issued an advisory on February 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3NVMNRQWPBYKG2XDRDYA4JPEMALW53MA/

The issue is fixed upstream in 1.9.15.

Mageia 8 is also affected.
David Walser 2022-02-21 23:59:30 CET

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 1.9.15
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2022-02-22 10:12:11 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability was found in htmldoc version 1.9.15 where the stack out-of-bounds read takes place in gif_get_code() and occurs when opening a malicious GIF file, which can result in a crash (segmentation fault). (CVE-2022-0534)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0534
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3NVMNRQWPBYKG2XDRDYA4JPEMALW53MA/
========================

Updated packages in core/updates_testing:
========================
htmldoc-1.9.15-1.mga8
htmldoc-nogui-1.9.15-1.mga8

from SRPM:
htmldoc-1.9.15-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2022-0534
Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.9.15 => (none)

Comment 2 Herman Viaene 2022-02-22 15:34:10 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Used htmldoc to convert one of my own webpages to pdf. First try failed with message "Did you remember to set webpage mode?" After selecting that option in the Input tab, I could generate a decent looking pdf file.
So OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Dave Hodgins 2022-02-22 20:38:28 CET
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2022-02-22 22:26:05 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0082.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 5 David Walser 2022-04-18 21:56:16 CEST
This update also fixed CVE-2022-24191:
https://bugzilla.suse.com/show_bug.cgi?id=1198204