Bug 31492

Summary: libzen new security issue CVE-2020-36646
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libzen-0.4.38-1.mga8.src.rpm CVE: CVE-2020-36646
Status comment:

Description David Walser 2023-02-01 17:27:36 CET 
Debian-LTS has issued an advisory on January 29:
https://www.debian.org/lts/security/2023/dla-3290

The issue is fixed upstream in 0.4.39.
David Walser 2023-02-01 17:27:45 CET

Status comment: (none) => Fixed upstream in 0.4.39

Comment 1 Nicolas Salguero 2023-02-03 09:34:38 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability classified as problematic has been found in MediaArea ZenLib up to 0.4.38. This affects the function Ztring::Date_From_Seconds_1970_Local of the file Source/ZenLib/Ztring.cpp. The manipulation of the argument Value leads to unchecked return value to null pointer dereference. (CVE-2020-36646)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36646
https://www.debian.org/lts/security/2023/dla-3290
========================

Updated packages in core/updates_testing:
========================
lib(64)zen0-0.4.38-1.1.mga8
lib(64)zen-devel-0.4.38-1.1.mga8

from SRPM:
libzen-0.4.38-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-36646
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 0.4.39 => (none)

Comment 2 Thomas Andrews 2023-02-09 19:32:15 CET 
Tested in a mga8-64 Plasma guest in VirtualBox.

I installed mediainfo-gui-qt, which drew in lib64zen0 as a dependency. Ran mediainfo, and checked the information of several different media files.

Updated lib64zen0, and repeated the test, receiving the same results.

Looks OK here. Validating. Advisory in comment 1.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-02-14 21:20:31 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2023-02-14 23:45:04 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0046.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED