Bug 31536

Summary: pkgconf new security issue CVE-2023-24056
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, ngompa13, nicolas.salguero, sysadmin-bugs
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: pkgconf-1.7.3-2.mga8.src.rpm CVE: CVE-2023-24056
Status comment:

Description David Walser 2023-02-10 17:12:52 CET
openSUSE has issued an advisory today (February 10):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWDULBZHRPQHGUXNQ3HNNHRJ3YXPJ7QH/

The issue is fixed upstream in 1.8.1 and 1.9.4:
https://gitea.treehouse.systems/ariadne/pkgconf/tags

Mageia 8 is also affected.
David Walser 2023-02-10 17:13:26 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.8.1 and 1.9.4

Comment 1 Lewis Smith 2023-02-10 20:43:25 CET
It is unclear who maintains this nowadays, so assigning this update globally.
CC'ing Neal who is/was the official maintainer.

CC: (none) => ngompa13
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-03-01 09:34:12 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes. (CVE-2023-24056)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24056
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWDULBZHRPQHGUXNQ3HNNHRJ3YXPJ7QH/
========================

Updated packages in core/updates_testing:
========================
lib(64)pkgconf3-1.7.3-2.1.mga8
lib(64)pkgconf-devel-1.7.3-2.1.mga8
pkgconf-1.7.3-2.1.mga8
pkgconf-m4-1.7.3-2.1.mga8
pkgconf-pkg-config-1.7.3-2.1.mga8

from SRPM:
pkgconf-1.7.3-2.1.mga8.src.rpm

CVE: (none) => CVE-2023-24056
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Status: NEW => ASSIGNED
Source RPM: pkgconf-1.8.0-2.mga9.src.rpm => pkgconf-1.7.3-2.mga8.src.rpm
Status comment: Fixed upstream in 1.8.1 and 1.9.4 => (none)
Whiteboard: MGA8TOO => (none)
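The advisory text in comment 2 describes ${var} references in a .pc file expanding to far more bytes than the file itself contains. The following added example (not pkgconf's code and not from this bug report) is a small bounded expander a packager could run over .pc files to flag such inputs before an unpatched pkgconf sees them; VAR_RE, parse_pc_variables, expand, max_expanded_size and the two sample files are all constructed here.

```python
import re

# Added illustrative bounded expander for .pc variables (not pkgconf's own code).
# Every ${var} reference is substituted recursively, so a chain of variables that
# each reference their predecessor twice grows geometrically; a byte budget stops it.
VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

class ExpansionLimitExceeded(Exception):
    """Expanding a variable would exceed the configured byte budget (or loops)."""

def parse_pc_variables(text):
    """Collect `name=value` variable lines; keyword lines such as `Libs:` are skipped."""
    variables = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#") and ":" not in name:
            variables[name.strip()] = value.strip()
    return variables

def expand(value, variables, budget, seen=()):
    """Expand ${var} references in `value`, raising once output would exceed `budget` bytes."""
    out, total, pos = [], 0, 0
    for m in VAR_RE.finditer(value):
        name = m.group(1)
        if name in seen:
            raise ExpansionLimitExceeded(f"cyclic reference to ${{{name}}}")
        out.append(value[pos:m.start()])
        total += m.start() - pos
        # The nested expansion may only produce what is left of the budget.
        sub = expand(variables.get(name, ""), variables, budget - total, seen + (name,))
        out.append(sub)
        total += len(sub)
        pos = m.end()
    out.append(value[pos:])
    if total + len(value) - pos > budget:
        raise ExpansionLimitExceeded("expansion budget exhausted")
    return "".join(out)

def max_expanded_size(text, limit=65536):
    """Largest expanded variable size in a .pc file; raises if any expansion exceeds `limit`."""
    variables = parse_pc_variables(text)
    return max((len(expand(v, variables, limit)) for v in variables.values()), default=0)

# Constructed samples: an ordinary .pc layout, and a chain that doubles at every level.
BENIGN_PC = "prefix=/usr\nexec_prefix=${prefix}\nlibdir=${exec_prefix}/lib\n" \
            "includedir=${prefix}/include\n\nName: example\nCflags: -I${includedir}\n"
DOUBLING_PC = "\n".join(["v0=" + "x" * 8] + [f"v{i}=${{v{i-1}}}${{v{i-1}}}" for i in range(1, 9)])
```

With the default 64 KiB limit the benign file expands to at most 12 bytes per variable, while the nine-line doubling chain trips the budget as soon as the limit is set below its 2048-byte final value.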

Comment 3 Thomas Andrews 2023-03-01 19:52:56 CET
No installation issues in a mga8-64 VirtualBox Plasma guest. 

Urpmq on the packages is of no help, and looking for previous updates isn't any better. The pkgconf.org website has this to say:

"pkgconf is a program which helps to configure compiler and linker flags for development frameworks." And,

"libpkgconf is a library which provides access to most of pkgconf’s functionality, to allow other tooling such as compilers and IDEs to discover and use frameworks configured by pkgconf. It features a stable library ABI and API designed for building bindings and other tools."

Sure sounds like developer territory to me, far beyond my competence. Giving this an OK based on the clean install, and I'm going to validate. If there is a way for someone like me to test, please advise.

Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-03-01 20:11:04 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2023-03-01 22:16:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0077.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED