| Summary: | advancecomp new security issues CVE-2022-3501[4-9] and CVE-2022-35020 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, dan, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | advancecomp-2.1-6.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2022-12-06 18:19:51 CET
David Walser
2022-12-06 18:20:06 CET
Whiteboard: (none) => MGA8TOO

The only changes since ver. 2.1 were security updates and bug fixes with no new features, so I took the liberty of updating directly to ver. 2.4.

advancecomp-2.4-1.mga8 is now available in updates_testing.

Here is a simple regression test (this doesn't check for the bug fix but just ensures the code still works with the patch):

$ cp /usr/lib/libDrakX/icons/tradi.png /tmp && advpng -z /tmp/tradi.png && advpng -l /tmp/tradi.png && echo ok

This will display "ok" on the last line, with no error messages showing, if all is well.

Advisory:
========================

advancecomp has been updated to fix a number of bugs and security issues:
CVE-2022-35014, CVE-2022-35015, CVE-2022-35016, CVE-2022-35017, CVE-2022-35018, CVE-2022-35019, CVE-2022-35020

Updated packages:
========================

advancecomp-2.4-1.mga8.i586.rpm
advancecomp-2.4-1.mga8.x86_64.rpm
advancecomp-2.4-1.mga8.aarch64.rpm

Assignee: dan => qa-bugs
David Walser
2022-12-06 21:23:50 CET
Keywords: (none) => has_procedure

Are there upstream release notes we can include in the references?

Status comment: Fixed upstream in 2.4 => (none)

The release notes don't contain any more details. Even the commit logs are pretty sparse. Here are the CVE descriptions, which are also mostly useless:

CVE-2022-35014
Advancecomp v2.3 contains a segmentation fault.

CVE-2022-35015
Advancecomp v2.3 was discovered to contain a heap buffer overflow via le_uint32_read at /lib/endianrw.h.

CVE-2022-35016
Advancecomp v2.3 was discovered to contain a heap buffer overflow.

CVE-2022-35017
Advancecomp v2.3 was discovered to contain a heap buffer overflow.

CVE-2022-35018
Advancecomp v2.3 was discovered to contain a segmentation fault.

CVE-2022-35019
Advancecomp v2.3 was discovered to contain a segmentation fault.

CVE-2022-35020
Advancecomp v2.3 was discovered to contain a heap buffer overflow via the component __interceptor_memcpy at /sanitizer_common/sanitizer_common_interceptors.inc.

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Following bug25908

$ advzip --shrink-normal --add yann2 20100206\ Yannick/*.JPG
20100206 Yannick/greyscale.JPG
20100206 Yannick/P2061409.JPG
........
$ file yann2
yann2: Zip archive data, at least v2.0 to extract
[tester8@mach7 Pictures]$ advzip -l yann2
Archive: yann2
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
3232940 Defl:X 3228047 0% 09-26-22 15:06 31fa5535 greyscale.JPG
5782055 Defl:X 5756929 0% 11-11-13 07:42 92e6bdf4 P2061409.JPG
5328667 Defl:X 5323833 0% 11-11-13 07:42 9aa2530b P2061410.JPG
and more ....
-------- ------- --- -------
68256757 67897471 0% 13 files
[tester8@mach7 Pictures]$ advzip -z -3 yann2
67898799 67898799 100% yann2
67898799 67898799 100%

Hmm, took a while and the result seems even a bit larger than the original one.

$ cp yann2 /tmp
[tester8@mach7 Pictures]$ cd /tmp
[tester8@mach7 tmp]$ advzip -x yann2
greyscale.JPG
P2061409.JPG
and more....

All images seem to come thru unharmed AFAICS

$ advmng --add 8 yann.mng *.png
Unsupported bit depth/color type, 8/0

In bug 25908 this command didn't give a satisfying result either, so no regression.
So OK for me.

CC: (none) => herman.viaene
Herman Viaene
2022-12-10 13:26:35 CET
Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in comment 1.

Keywords: (none) => validated_update
Dave Hodgins
2022-12-13 02:06:51 CET
CC: (none) => davidwhodgins

After a netinstall ...
[dave@x9v ~]$ systemctl --user status pipewire.service pipewire.socket wireplumber.service |grep Loaded
Loaded: loaded (/usr/lib/systemd/user/pipewire.service; disabled; preset: disabled)
Loaded: loaded (/usr/lib/systemd/user/pipewire.socket; enabled; preset: enabled)
Loaded: loaded (/usr/lib/systemd/user/wireplumber.service; enabled; preset: enabled)

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0479.html

Status: ASSIGNED => RESOLVED