Bug 30540

Summary: exo new security issue CVE-2022-32278
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: exo-4.16.0-1.mga8.src.rpm CVE:
Status comment: Patch available from upstream

Description David Walser 2022-06-12 00:00:08 CEST 
A security issue was fixed upstream in exo on June 6:
https://gitlab.xfce.org/xfce/exo/-/commit/cc047717c3b5efded2cc7bd419c41a3d1f1e48b6

Mageia 8 is also affected.
David Walser 2022-06-12 00:00:22 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream

Comment 1 Jani Välimaa 2022-06-18 16:14:04 CEST 
Fixed in cauldron with exo-4.17.2-1.mga9.

Source RPM: exo-4.17.1-2.mga9.src.rpm => exo-4.16.0-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 Jani Välimaa 2022-06-18 16:20:23 CEST 
Please test exo-4.16.0-1.1.mga8 from mga8 core/updates_testing.

SRPMS:
exo-4.16.0-1.1.mga8

RPMS:
exo-4.16.0-1.1.mga8
lib(64)exo2_0-4.16.0-1.1.mga8
lib(64)exo-devel-4.16.0-1.1.mga8

Assignee: jani.valimaa => qa-bugs

Comment 3 Herman Viaene 2022-06-20 16:52:00 CEST 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Found old bug 10657, but I don't get what it means.
On my own, tried
# urpmq --whatrequires exo
exo
lib64exo2_0
lib64exo2_0
thunar
thunar
xfce4-verve-plugin

Then went on:
$ strace -o exo.txt thunar
Opened a NFS-share connection and opened an .odp file.
This works OK, and trace shows usage of /usr/lib64/libexo-2.so.0
Furthermore the site https://docs.xfce.org/xfce/exo/start
says (I quote) :
"Exo is an Xfce library targeted at application development."
And that is territory out of my league.
So this test is somewhat more than a clean install, I gice the OK, unless someone else has other ideas.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 David Walser 2022-06-20 19:25:42 CEST 
Debian has issued an advisory for this on June 18:
https://www.debian.org/security/2022/dsa-5164
Comment 5 Thomas Andrews 2022-06-22 04:10:48 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-23 20:17:01 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-06-24 22:51:48 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0238.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED