| Summary: | glib2.0 new security issues CVE-2023-24593 and CVE-2023-25180 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, thierry.vignaud |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | glib2.0-2.66.8-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2023-04-17 15:25:49 CEST
David Walser
2023-04-17 15:26:04 CEST
Status comment: (none) => Patch available from Fedora

Unsure where to push this, so doing so globally. CC'ing tv who did a fix some months ago.

Assignee: bugsquad => pkg-bugs

Hi,

By following the link given in comment 0, I found that link: https://bugzilla.redhat.com/show_bug.cgi?id=2181192 which gives that link: https://bugzilla.redhat.com/show_bug.cgi?id=2181183 which gives that link: https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835 which gives that link: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 which gives that link: https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf which says the commit was added in version 2.74.4.

So Cauldron is not affected by that CVE.

Whiteboard: MGA8TOO => (none)

SUSE has issued an advisory on April 19:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014499.html

It fixes this issue and one new one, which will need to be checked against Cauldron.

Version: 8 => Cauldron

Hi,

That new CVE also refers to: https://bugzilla.redhat.com/show_bug.cgi?id=2181182

It is also fixed by the same commit so Cauldron is not affected by that CVE.

Best regards,

Version: Cauldron => 8

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Denial of service caused by handling a malicious text-form variant. (CVE-2023-24593)

Denial of service caused by malicious serialised variant. (CVE-2023-25180)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25180
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FRPEEZJKIVRRCTBOO42O6IY44O5UU3MT/
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014499.html
========================

Updated packages in core/updates_testing:
========================

glib2.0-common-2.66.8-1.1.mga8
glib2.0-tests-2.66.8-1.1.mga8
glib-gettextize-2.66.8-1.1.mga8
lib(64)gio2.0_0-2.66.8-1.1.mga8
lib(64)glib2.0_0-2.66.8-1.1.mga8
lib(64)glib2.0-devel-2.66.8-1.1.mga8
lib(64)glib2.0-static-devel-2.66.8-1.1.mga8

from SRPM:
glib2.0-2.66.8-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

MGA8-64 MATE on Acer Aspire 5253

No installation issues.

Ref bug 28612 for testing: symlink.tar file contains only a symlink, no "real" file. Extracting it results in the link appearing pointing to /tmp/moo which does not exist. So works as expected.

Tried zenity,
$ identify 19761105TrouwLodeNoella/D053.jpg
19761105TrouwLodeNoella/D053.jpg JPEG 1656x988 1656x988+0+0 8-bit sRGB 125813B 0.000u 0:00.002
played mpg file with parole, all works OK.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins
2023-05-21 02:51:03 CEST

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0176.html

Status: ASSIGNED => RESOLVED

This update also fixed:
CVE-2023-29499
CVE-2023-32611
CVE-2023-32665
https://ubuntu.com/security/notices/USN-6165-1

*** Bug 32034 has been marked as a duplicate of this bug. ***