Bug 30430

Summary: supertux, squirrel new security issue CVE-2022-30292
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, mageia, marja11, matteo.pasotti, rverschelde, sysadmin-bugs, tarazed25
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: supertux-0.6.2-8.mga9.src.rpm, squirrel-3.2-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-05-14 18:26:24 CEST
Fedora has issued an advisory today (May 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WBUYGYXDQX3OSAYHP4TCG3JS7PJTIE75/

It also affects the squirrel package.

Mageia 8 is also affected.

David Walser 2022-05-14 18:26:49 CEST

Status comment: (none) => Patches available from upstream and Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2022-05-17 13:13:24 CEST
Assigning to the supertux maintainer, CC'ing the squirrel maintainer

CC: (none) => marja11, matteo.pasotti
Assignee: bugsquad => rverschelde

Nicolas Lécureuil 2022-05-18 10:04:17 CEST

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 David Walser 2022-05-18 18:28:05 CEST
What Nicolas meant to say was he patched this in Cauldron in:
squirrel-3.2-2.mga9
supertux-0.6.2-9.mga9

For Mageia 8, squirrel has been patched, but supertux is pending.

libsquirrel0-3.1-2.1.mga8
squirrel-3.1-2.1.mga8
libsquirrel-devel-3.1-2.1.mga8

from squirrel-3.1-2.1.mga8.src.rpm

Comment 3 Nicolas Lécureuil 2022-05-19 21:52:09 CEST
Fixed supertux just pushed into mga8.

Status comment: Patches available from upstream and Fedora => (none)
Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde

Comment 4 David Walser 2022-05-20 02:52:32 CEST
supertux-0.6.2-4.1.mga8
supertux-data-0.6.2-4.1.mga8

from supertux-0.6.2-4.1.mga8.src.rpm

Comment 5 Len Lawrence 2022-05-23 09:20:08 CEST
mga8, x64

squirrel is a programming language aimed at video game developers.
http://www.squirrel-lang.org/
Not much QA can do with this without getting involved in programming.
It updates cleanly anyway, as does supertux.
Played the game but did not get very far - the functions I tried worked as far
as I could tell.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-05-23 14:06:02 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-25 02:33:35 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-05-25 20:47:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0204.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED