Bug 30856

Summary: libconfuse new security issue CVE-2022-40320
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, marja11, nicolas.salguero, pkg-bugs, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libconfuse-3.3-1.mga8.src.rpm CVE: CVE-2022-40320
Status comment:

Description David Walser 2022-09-16 19:18:37 CEST 
Fedora has issued an advisory today (September 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EDUT2V62V2XF2IT5TJFPB6P3EQ6X5VLL/

Mageia 8 is also affected.
David Walser 2022-09-16 19:18:53 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Marja Van Waes 2022-09-17 13:30:41 CEST 
Assigning to the registered maintainer, mjack, but CC'ing all packagers collectively because I haven't seen the maintainer in years. Jack, I hope everything is well with you!

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => jackal.j

Comment 2 Nicolas Salguero 2022-10-19 13:38:39 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read. (CVE-2022-40320)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40320
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EDUT2V62V2XF2IT5TJFPB6P3EQ6X5VLL/
========================

Updated packages in core/updates_testing:
========================
libconfuse-3.3-1.1.mga8
lib(64)confuse2-3.3-1.1.mga8
lib(64)confuse-devel-3.3-1.1.mga8

from SRPM:
libconfuse-3.3-1.1.mga8.src.rpm

Assignee: jackal.j => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from Fedora => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-40320
Source RPM: libconfuse-3.3-2.mga9.src.rpm => libconfuse-3.3-1.mga8.src.rpm
CC: (none) => nicolas.salguero

Comment 3 Len Lawrence 2022-10-22 20:59:49 CEST 
mga8, x11
Installed the libraries then updated them from testing.
$ rpm -q lib64confuse2
lib64confuse2-3.3-1.1.mga8

There is a POC for CVE-2022-40320 which is really out of our scope.  The cfgtest files in examples do not run (against the poc file). 

tilda is a drop down terminal without decorations.
$ strace -o tilda.trace tilda
<modified various preferences - centred the drop down window after changing its size and transparency via the menus>
$ exit

$ grep confuse tilda.trace
openat(AT_FDCWD, "/lib64/libconfuse.so.2", O_RDONLY|O_CLOEXEC) = 3

That indicates use of lib64confuse2 I think.

That is enough for an OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2022-10-23 01:17:55 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-23 23:21:42 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-10-24 00:49:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0387.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED