| Summary: | curaengine, assimp, zxing-cpp, blender new security issue CVE-2022-28041 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, ghibomgx, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=30413 | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | curaengine-4.12.1-3.mga9.src.rpm, blender-3.3.8-1.mga9.src.rpm | CVE: | CVE-2022-28041 |
| Status comment: | | | |

Description
David Walser
2022-05-02 22:57:32 CEST

David Walser
2022-05-02 22:58:03 CEST
Whiteboard: (none) => MGA8TOO

No regular maintainer, so assigning globally.
Assignee: bugsquad => pkg-bugs

Blender also affected: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHTD76NDEN77KCPI3XGGK2VVSA25WWEG/
Summary: curaengine, assimp, zxing-cpp new security issue CVE-2022-28041 => curaengine, assimp, zxing-cpp, blender new security issue CVE-2022-28041

Fedora has issued an advisory for zxing-cpp today (May 7): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2G6JJJQ5JABTPF5H2L5FQGLILYLIGPW6/

David Walser
2022-05-11 20:19:03 CEST
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30413

After checking, I can say that:
- for Cauldron, only blender is affected;
- for Mageia 9, only curaengine and blender are affected.
CC: (none) => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. (CVE-2022-28041)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SEQGDVH43YW7AG7TRU2CTU5TMIYP27WP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHTD76NDEN77KCPI3XGGK2VVSA25WWEG/
========================

Updated packages in core/updates_testing:
========================
blender-3.3.8-1.1.mga9
curaengine-4.12.1-3.1.mga9

from SRPMS:
blender-3.3.8-1.1.mga9.src.rpm
curaengine-4.12.1-3.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)

MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
For curaengine got no farther than in bug 29622 getting the CuraEngine help to display its options.
For blender: opened up a new set, got a cube object for free, and was able to resize, move and rotate it. I got no further, but at least it works.
Giving the OK, unless someone else has a better knowledge of this tool.
CC: (none) => herman.viaene

katnatek
2024-03-18 19:17:51 CET
CC: (none) => andrewsfarm

katnatek
2024-03-18 19:18:02 CET
Keywords: (none) => advisory

@Herman: I can remember trying to work with blender for another update some time ago. I don't remember details, but I do remember that I didn't get much farther than you did.
Validating.
Keywords: (none) => validated_update

For blender there is no reason to still be stuck with 3.3.8. There is an LTS with all the fixes, which also fixes several further crashes. Better to update directly to 3.3.16.
https://www.blender.org/download/lts/3-3/
CC: (none) => ghibomgx

Nicolas Salguero
2024-03-19 09:20:44 CET
Whiteboard: MGA9-64-OK => (none)

Suggested advisory:
========================

The updated packages fix a security vulnerability:

stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. (CVE-2022-28041)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SEQGDVH43YW7AG7TRU2CTU5TMIYP27WP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHTD76NDEN77KCPI3XGGK2VVSA25WWEG/
========================

Updated packages in core/updates_testing:
========================
blender-3.3.16-1.mga9
curaengine-4.12.1-3.1.mga9

from SRPMS:
blender-3.3.16-1.mga9.src.rpm
curaengine-4.12.1-3.1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs

BTW, in case you need help getting the updated blender source code, there is the script in SOURCES/ called get_git_blender-3.3_and_build_tgz.sh, which needs to be bumped to the current version in the variable BLENDER_VER=...; it will retrieve the source code (and also fixes the internal .h files, because the internal code would use git otherwise), updated to the current version (+ patches).

I hate to do this, but look, the last version 3.3.17 is published today.

If it doesn't fix any more security issues, it needn't hold up this update.

(In reply to David Walser from comment #12)
> If it doesn't fix any more security issues, it needn't hold up this update.

If I understand correctly, it is just a bugfix; fine.

katnatek
2024-03-20 00:04:08 CET
Keywords: (none) => advisory

To all testers, please redo your tests to validate this update again.

RH mageia x86_64
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing blender-3.3.16-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
1/1: blender ######################################################################################
1/1: removing blender-3.3.8-1.mga9.x86_64
######################################################################################
writing /var/lib/rpm/installed-through-deps.list
The application starts right, but it is hard to use for me; maybe later I'll see a tutorial.

RH mageia 9 x86_64
LC_ALL=C urpmi curaengine
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "QA Testing (64-bit)")
curaengine 4.12.1 3.1.mga9 x86_64
(medium "Core Release (distrib1)")
lib64arcus3 4.12.0 4.mga9 x86_64
lib64polyclipping22 6.4.2 4.mga9 x86_64
5MB of additional disk space will be used.
2.2MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) Y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64arcus3-4.12.0-4.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64polyclipping22-6.4.2-4.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/lib64arcus3-4.12.0-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64polyclipping22-6.4.2-4.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/curaengine-4.12.1-3.1.mga9.x86_64.rpm
Preparing... ######################################################################################
1/3: lib64polyclipping22 ######################################################################################
2/3: lib64arcus3 ######################################################################################
3/3: curaengine ######################################################################################

Following the previous criteria and validating.
Whiteboard: (none) => MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0088.html
Status: ASSIGNED => RESOLVED