Bug 31246

Summary: matio new security issues CVE-2020-36428 and CVE-2021-36977
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: matio-1.5.21-1.mga8.src.rpm CVE: CVE-2020-36428, CVE-2021-36977
Status comment:

Description David Walser 2022-12-08 15:26:08 CET 
openSUSE has issued an advisory today (December 8):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DWEPRACQNMJHSGWUZQ5LKNVGWSZ6FMCB/

The issues are fixed upstream in 1.5.22.
David Walser 2022-12-08 15:26:23 CET

Status comment: (none) => Fixed upstream in 1.5.22

Comment 1 Nicolas Salguero 2022-12-09 10:22:21 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

matio (aka MAT File I/O Library) 1.5.18 through 1.5.21 has a heap-based buffer overflow in ReadInt32DataDouble (called from ReadInt32Data and Mat_VarRead4). (CVE-2020-36428)

matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-based buffer overflow in H5MM_memcpy (called from H5MM_malloc and H5C_load_entry), related to use of HDF5 1.12.0. (CVE-2021-36977)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36977
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DWEPRACQNMJHSGWUZQ5LKNVGWSZ6FMCB/
========================

Updated packages in core/updates_testing:
========================
lib(64)matio11-1.5.23-1.mga8
lib(64)matio-devel-1.5.23-1.mga8
matio-1.5.23-1.mga8

from SRPM:
matio-1.5.23-1.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-36428, CVE-2021-36977
Status comment: Fixed upstream in 1.5.22 => (none)
CC: (none) => nicolas.salguero
Assignee: geiger.david68210 => qa-bugs

Comment 2 Herman Viaene 2022-12-10 10:56:37 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
According to our MCC: "matio is an ISO C library (with a limited Fortran 90 interface) for reading and writing Matlab MAT files."
So this is developers stuff, OK on clean install.
I see on bug 29164 that Len did some exercise in that area, so if anyone judges it's necessary to do a similar test on this update, plse feel free to withdraw the OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-12-10 14:07:29 CET 
Validating. Advisory in comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Len Lawrence 2022-12-10 15:38:23 CET 
In reply to comment 2:
No, you all right on this one Herman.  As stated, the test in the previous bug was a very primitive one, so no worries.

CC: (none) => tarazed25

Dave Hodgins 2022-12-13 02:09:57 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-12-13 23:11:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0465.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED