Bug 30114

Summary: shapelib new security issue CVE-2022-0699
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: shapelib-1.5.0-2.mga8.src.rpm CVE: CVE-2022-0699
Status comment:

Description David Walser 2022-03-03 22:24:14 CET 
openSUSE has issued an advisory today (March 3):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6B3VSER4WPCPULJGLJVI75SE2NKX4RQH/

Mageia 8 is also affected.
David Walser 2022-03-03 22:24:37 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and openSUSE

Comment 1 Nicolas Salguero 2022-03-07 13:56:47 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Double-free vulnerability in contrib/shpsort.c. (CVE-2022-0699)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0699
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6B3VSER4WPCPULJGLJVI75SE2NKX4RQH/
========================

Updated packages in core/updates_testing:
========================
lib(64)shp2-1.5.0-2.1.mga8
lib(64)shp-devel-1.5.0-2.1.mga8
shapelib-1.5.0-2.1.mga8

from SRPM:
shapelib-1.5.0-2.1.mga8.src.rpm

Version: Cauldron => 8
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status comment: Patches available from upstream and openSUSE => (none)
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2022-0699

Comment 2 Len Lawrence 2022-03-07 17:48:55 CET 
mga8, x64

AFAIK from the XML documentation, shapelib is a developers tool to overcome the rectangular bias of Xlib; i.e. to provide curves and circles, shadows and other things.

whatrequires lists gnudl, gpsbabel, marble, and roadmap as needing the shp2 library but before updating an strace of marble did not indicate that shp2 was involved in running it.  Might depend on circumstances.

Updated the  three packages and tried marble again, Earth view - open street map and atlas.  Toured Apollo sites on the moon.  The trace did not indicate any direct use of the lib64shp2 library.  Tried the open street map view in marble and printed out a map of a section of Copenhagen.  Still nothing in the trace.  However, marble is definitely working without regressions.

plplot might be a better bet but don't know how to use it.  roadmap probably needs a GPS device - none available.

Leaving this as it stands.  Inclined to assign OK but maybe somebody else would like a shot?

CC: (none) => tarazed25

Len Lawrence 2022-03-09 19:20:04 CET

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-03-09 21:48:08 CET 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-03-11 01:42:25 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-03-11 09:52:56 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0096.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED