| Summary: | libpano13 new security issue CVE-2021-33293 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libpano13-2.9.20-1.mga8.src.rpm | CVE: | CVE-2021-33293 |
| Status comment: | |||
Description
David Walser
2022-03-21 21:39:18 CET

David Walser
2022-03-21 21:39:36 CET
Whiteboard: (none) => MGA8TOO

Different packagers have dealt with this, so assigning globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Panorama Tools libpano13 v2.9.20 was discovered to contain an out-of-bounds read in the function panoParserFindOLine() in parser.c. (CVE-2021-33293)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33293
https://www.debian.org/lts/security/2022/dla-2957
========================

Updated packages in core/updates_testing:
========================
lib(64)pano13_3-2.9.20-1.1.mga8
lib(64)pano13-devel-2.9.20-1.1.mga8
libpano13-tools-2.9.20-1.1.mga8

from SRPM:
libpano13-2.9.20-1.1.mga8.src.rpm

Status comment: Patches available from upstream and Debian => (none)

There are both core and tainted versions of these packages. My Qarepo is only finding updates for the core packages. Is that my error, or was something missed?

CC: (none) => andrewsfarm

Doesn't look like the tainted version was built. http://pkgsubmit.mageia.org/ only shows the core version.

CC: (none) => davidwhodgins

Yes, sorry, I missed that there is a tainted version too.

Updated packages in tainted/updates_testing:
========================
lib(64)pano13_3-2.9.20-1.1.mga8.tainted
lib(64)pano13-devel-2.9.20-1.1.mga8.tainted
libpano13-tools-2.9.20-1.1.mga8.tainted

from SRPM:
libpano13-2.9.20-1.1.mga8.tainted.src.rpm

Nicolas Salguero
2022-03-23 21:15:43 CET
Keywords: feedback => (none)

Mga8-64 Plasma, i5-2500, Intel graphics.

Referenced Bug 28997 for testing, using the Hugin panorama creator. For that bug I had last used Hugin years ago, probably back in Mandriva, as the test photos I used date back to before Mageia. Hugin had changed a great deal. This time, before testing I consulted that great repository of information, Youtube, for a basic tutorial on using the more recent Hugin.

Used qarepo to update to the core packages of libpano, with no installation issues. Ran Hugin and stitched together 8 images of Lake Champlain, taken from the summit of Mount Defiance, near Ticonderoga, NY, USA. Armed with my new knowledge, I did a much better job this time - except that for some inexplicable reason the resulting panorama was upside down. It was easily rotated using Gwenview, so I'm not going to block this update while I try to figure out why it happened. Probably user error, but I don't know where.

Giving the tainted version some time to show up on my preferred mirror before testing. It's not there yet.

No installation issues with the tainted version, either. Attempted the same panorama as in Comment 6, but this time extra features seemed to make it harder to accomplish. At least it was right-side up this time, though a "tip" that showed when I started Hugin let me know how I could have righted the image in the previous test. I played with it for a while, trying this and that with no errors, but the end result this time wasn't as good as the one with the core packages had been. As before, I believe the problem is user error, rather than a problem with the update.

Giving this an OK, and validating. Advisory in Comment 2, with tainted information in Comment 5.

Keywords: (none) => validated_update

Dave Hodgins
2022-03-24 00:42:41 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0115.html

Resolution: (none) => FIXED
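The advisory describes the bug class only in one sentence: an out-of-bounds read while a script parser looks for an image ("o") line. The following is an added illustration, not libpano13's code and not the patched panoParserFindOLine(): it is a hypothetical, minimal finder for the n-th line of a PTStitcher-style script that starts with a given tag character, written with an explicit buffer length so that a script with fewer lines than a caller asks for, a truncated buffer, or a buffer without a NUL terminator all yield "not found" instead of a read past the end. The function names, the sample script and the unterminated buffer are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample script in the spirit of a PTStitcher script: one
 * panorama ("p") line, a blank line, three image ("o") lines and a comment.
 * The last line deliberately has no trailing newline. */
const char SAMPLE_SCRIPT[] =
    "p f2 w3000 h1500 v360\n"   /* panorama line, offset 0  */
    "\n"                        /* blank line,    offset 22 */
    "o f0 y0 r0 p0\n"           /* image 0,       offset 23 */
    "o f0 y45 r0 p0\n"          /* image 1,       offset 37 */
    "# comment\n"               /* comment,       offset 52 */
    "o f0 y90 r0 p0";           /* image 2,       offset 62, no newline */

/* Constructed buffer that is NOT NUL-terminated: a strlen()-style scanner
 * would run off the end of this array. */
const char UNTERMINATED[3] = {'o', 'x', 'y'};

/* Hypothetical stand-in for a line finder of the kind the advisory names.
 * Returns the byte offset of the start of the n-th (0-based) line whose
 * first byte is `tag`, or -1 if no such line exists within the first `len`
 * bytes. Every read is bounded by `len`; no NUL terminator is assumed. */
long find_nth_tagged_line(const char *script, size_t len, char tag, size_t n)
{
    size_t pos = 0;     /* always the first byte of a line */
    size_t seen = 0;    /* tagged lines encountered so far */

    while (pos < len) {
        if (script[pos] == tag) {
            if (seen == n)
                return (long)pos;
            seen++;
        }
        /* Move to the byte after the next newline, searching only the
         * remaining len - pos bytes. No newline means no further line. */
        const char *nl = memchr(script + pos, '\n', len - pos);
        if (nl == NULL)
            break;
        pos = (size_t)(nl - script) + 1;
    }
    return -1;
}

/* Count the tagged lines so a caller can validate the script before
 * indexing into it (e.g. "does it really declare the images it claims?"). */
size_t count_tagged_lines(const char *script, size_t len, char tag)
{
    size_t n = 0;
    while (find_nth_tagged_line(script, len, tag, n) >= 0)
        n++;
    return n;
}

int main(void)
{
    size_t len = strlen(SAMPLE_SCRIPT);
    size_t images = count_tagged_lines(SAMPLE_SCRIPT, len, 'o');

    printf("script declares %zu image lines\n", images);
    for (size_t i = 0; i < 5; i++) {
        long off = find_nth_tagged_line(SAMPLE_SCRIPT, len, 'o', i);
        if (off < 0)
            printf("image %zu: not present (no out-of-bounds read)\n", i);
        else
            printf("image %zu: starts at offset %ld\n", i, off);
    }
    /* A truncated buffer: only 30 bytes are considered valid. */
    printf("truncated (30 bytes), image 1: %ld\n",
           find_nth_tagged_line(SAMPLE_SCRIPT, 30, 'o', 1));
    return 0;
}
```

The defensive point is that the length, not a terminator or an assumed line count, bounds every access: asking for image 3 or 4 of a script that only declares three returns -1, and cutting the buffer at 30 bytes makes image 1 disappear rather than letting memchr() or the tag comparison touch memory past the end.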