Bug 30944

Various packagers have dealt with this SRPM, so assigning this update globally.

Assignee: bugsquad => pkg-bugs

Hi,

Version 1.4.6 already contains the fix for CVE-2021-42523 so Cauldron is not affected.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

There are two Information Disclosure vulnerabilities in colord, and they lie in colord/src/cd-device-db.c and colord/src/cd-profile-db.c separately. They exist because the 'err_msg' of 'sqlite3_exec' is not releasing after use, while libxml2 emphasizes that the caller needs to release it. (CVE-2021-42523)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42523
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GDIFQ2MG4MYMILUVYH7MTM5YKO2AMDS/
========================

Updated packages in core/updates_testing:
========================
colord-1.4.5-1.1.mga8
colord-extra-profiles-1.4.5-1.1.mga8
lib(64)colord2-1.4.5-1.1.mga8
lib(64)colord-devel-1.4.5-1.1.mga8
lib(64)colord-gir1.0-1.4.5-1.1.mga8

from SRPM:
colord-1.4.5-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from openSUSE => (none)
CVE: (none) => CVE-2021-42523

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No previous updates, no wiki andd googling colord does not bring me very far.
As the title in MCC says, this is a daemon, so
# systemctl -l status colord
● colord.service - Manage, Install and Generate Color Profiles
     Loaded: loaded (/usr/lib/systemd/system/colord.service; static)
     Active: active (running) since Fri 2022-10-07 09:52:29 CEST; 42min ago
   Main PID: 3426 (colord)
      Tasks: 3 (limit: 4364)
     Memory: 4.1M
        CPU: 1.087s
     CGroup: /system.slice/colord.service
             └─3426 /usr/libexec/colord

Oct 07 09:52:29 mach7.hviaene.thuis systemd[1]: Starting Manage, Install and Generate Color Profiles...
Oct 07 09:52:29 mach7.hviaene.thuis systemd[1]: Started Manage, Install and Generate Color Profiles.
Oct 07 09:52:30 mach7.hviaene.thuis colord[3426]: failed to search file: failed to load file: Error opening file /usr/share/color/icc/colord/ColorMatchRGB.icc;63>

Note that I did not give a start command.
Reading tells me this is about color profiling and I know very little on the subject. I wonder whether this "Error opening file" points to a file that should be provided by default or what.
One remark: nothing seems to bother my system.
I also stumbled on a related package color-kde, but running its command

colord-kde-icc-importer

(colord-kde-icc-importer:5864): Gtk-WARNING **: 10:30:48.784: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
QCommandLineParser: already having an option named "v"
QCommandLineParser: already having an option named "h"
QCommandLineParser: already having an option named "help-all"
Usage: colord-kde-icc-importer [options] +file
An application to install ICC profiles

Options:
  -h, --help                 Displays help on commandline options.
  --help-all                 Displays help including Qt specific options.
  -v, --version              Displays version information.
  --author                   Show author information.
  --license                  Show license information.
  --desktopfile <file name>  The base file name of the desktop entry for this
                             application.
  --yes                      Do not prompt the user if he wants to install

Arguments:
  file                       Color profile to install
And here my ignorance on the subject kicks in again.

CC: (none) => herman.viaene

@Herman regarding comment 4:
Like you I have no knowledge  of this subject.
It looks like colord is started at boot because the status on this machine shows that colord was already running - no error report.
The file ColorMatchRGB.icc does not exist at /usr/share/color/icc or anywhere else but there are several other colour profiles there.
No sign of colord-kde-icc-importer here.

Installed the updates and restarted colord - no error.
You can ignore the missing file for this update - it may indicate that something on your system is needing it - not your problem if you do not normally deal with  colour profiles.

CC: (none) => tarazed25

The files are in the source tar file used by the srpm during the build of
the binary program, not in the rpm package. Testing that colors are normal on
the monitor is sufficient.

CC: (none) => davidwhodgins

Since neither Herman nor Len reported abnormal monitor colors, going by Comment 6 I see no reason to ask them to test again.

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Tested MGA8 VM

I have not colord daemon installed, but I installed the libcolord2-1.4.5-1.1.mga8 package that was shown in the drakrpm-update using the updates testing repo

No strange behaviours nor issues with the VM
Nor errors in the journald

This app/daemon is used to change the monitor and maybe the printer color profile, this only maybe is used for graphics designers, as did not change nothing in the previous test, is OK

CC: (none) => neoser10

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0366.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED