Bug 31257

Summary: nautilus new security issue CVE-2022-37290
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: nautilus-3.38.2-1.mga8.src.rpm CVE: CVE-2022-37290
Status comment:

Description David Walser 2022-12-09 17:51:08 CET 
SUSE has issued an advisory today (December 9):
https://lists.suse.com/pipermail/sle-security-updates/2022-December/013210.html

Mageia 8 is also affected.
David Walser 2022-12-09 17:51:20 CET

Whiteboard: (none) => MGA8TOO

David Walser 2022-12-09 17:57:59 CET

Status comment: (none) => Patch available from openSUSE

Comment 2 Marja Van Waes 2022-12-11 23:47:55 CET 
Gnome package, so assigning to the GNOME maintainers

CC: (none) => marja11
Assignee: bugsquad => gnome

Comment 3 David Walser 2023-01-05 20:11:03 CET 
Ubuntu has issued an advisory for this today (January 5):
https://ubuntu.com/security/notices/USN-5786-1
Comment 4 Nicolas Salguero 2023-01-06 16:56:29 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

GNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive. (CVE-2022-37290)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37290
https://lists.suse.com/pipermail/sle-security-updates/2022-December/013210.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T67HDP7NSPOPJ53IEWDVYIBF6BRGKCJ3/
https://ubuntu.com/security/notices/USN-5786-1
========================

Updated packages in core/updates_testing:
========================
lib(64)nautilus1-3.38.2-1.1.mga8
lib(64)nautilus-gir3.0-3.38.2-1.1.mga8
lib(64)nautilus-devel-3.38.2-1.1.mga8
nautilus-3.38.2-1.1.mga8

from SRPM:
nautilus-3.38.2-1.1.mga8.src.rpm

Assignee: gnome => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-37290
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from openSUSE => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
Source RPM: nautilus-43.0-2.mga9.src.rpm => nautilus-3.38.2-1.mga8.src.rpm

Comment 5 Herman Viaene 2023-01-09 12:06:06 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
This laptop has MATE and Xfce as DE, I keep as far as possible from Gnome.
But nautilus seems to display OK as far as the file structure on this laptop is concerned, including the display of remote NFS-shares.
I think it is OK, but if some Gnome user comes along and has other tests, plse feel free to do and give the OK.

CC: (none) => herman.viaene

Comment 6 David Walser 2023-01-10 16:07:37 CET 
Fedora has issued an advisory for this today (January 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PX5CVF4FAHFA6UNKHFBBLOP2NUMIQJAY/
Comment 7 Herman Viaene 2023-01-16 12:02:26 CET 
One week passed, everyone seems satisfied, so OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2023-01-16 17:27:00 CET 
I don't care for Gnome either, but I keep a vbox guest around for when I can't avoid it. 

I updated nautilus, with no installation issues. Ran it, navigated a bit, and it seems to be OK, confirming Herman's effort.

Validating. Advisory in comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-01-24 01:33:13 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2023-01-24 09:00:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0011.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED