Bug 30364

Summary: libcaca new security issue CVE-2022-0856
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: libcaca-0.99-0.beta19.10.mga9.src.rpm
CVE: CVE-2022-0856
Status comment:

Description David Walser 2022-05-02 20:22:04 CEST
openSUSE has issued an advisory on April 29:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PUXQNAUH2W6TRXYZGBDFHQTMXINVMOJB/

Mageia 8 is also affected.
David Walser 2022-05-02 20:22:20 CEST

Status comment: (none) => Patch available from openSUSE
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-05-07 20:28:14 CEST
This SRPM has been updated by different people, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-05-09 13:43:39 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service. (CVE-2022-0856)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0856
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PUXQNAUH2W6TRXYZGBDFHQTMXINVMOJB/
========================

Updated packages in core/updates_testing:
========================
caca-utils-0.99-0.beta19.5.3.mga8
lib(64)caca0-0.99-0.beta19.5.3.mga8
lib(64)caca-devel-0.99-0.beta19.5.3.mga8
python3-caca-0.99-0.beta19.5.3.mga8
ruby-caca-0.99-0.beta19.5.3.mga8

from SRPM:
libcaca-0.99-0.beta19.5.3.mga8.src.rpm

CVE: (none) => CVE-2022-0856
Status comment: Patch available from openSUSE => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED

Comment 3 Thomas Andrews 2022-05-10 02:21:09 CEST
Tested in a VirtualBox MGA8 Plasma guest. No installation issues.

Tried cacaview and cacafire, as outlined in Bug 24208 Comment 8. Both seemed to work. In Bug 29575, it was suggested that rather than its own built-in utilities, testers should try something that uses the library. After looking into it, I decided to try toilet.

Toilet (“The Other Implementation’s letters”) is a fun yet mostly useless command that takes small text input and outputs it as large ASCII art text in the terminal:

$ toilet Mageia
                                          
 m    m                        "          
 ##  ##  mmm    mmmm   mmm   mmm     mmm  
 # ## # "   #  #" "#  #"  #    #    "   # 
 # "" # m"""#  #   #  #""""    #    m"""# 
 #    # "mm"#  "#m"#  "#mm"  mm#mm  "mm"# 
                m  #                      
                 ""                       

There are special color and rotating effects available, too. I tried them, and they work, but I'm not sure they would reproduce well here. (Probably just as well.)

OKing this and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-11 23:58:56 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-05-12 12:26:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0172.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED