Bug 31888

Summary: freeimage new security issue CVE-2021-33367
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: freeimage-3.18.0-4.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2023-05-07 00:52:30 CEST
Fedora has issued an advisory on April 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3J53PSY2COHTTC63ACPFJBI46XH7VBFI/

Mageia 8 is also affected.
David Walser 2023-05-07 00:52:45 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-05-07 18:07:30 CEST
Done for both mga8 and cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-05-07 19:43:29 CEST
libfreeimage-devel-3.18.0-4.1.mga8
libfreeimage3-3.18.0-4.1.mga8

from freeimage-3.18.0-4.1.mga8.src.rpm

Status comment: Patch available from Fedora => (none)
Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8
Source RPM: freeimage-3.18.0-8.mga9.src.rpm => freeimage-3.18.0-4.mga8.src.rpm

Comment 3 Len Lawrence 2023-05-14 17:14:32 CEST
mga8, x86_64

Updated the 64-bit libraries.
Slade is one of the applications which require lib64freeimage3 so that was installed.  It is a build framework for DOOM type games (?).  Nothing known about that subject around here but the interface can be launched easily enough.
Wrapped it in strace and played with the menus and options.  It does not get started without an archive although there must be some way to create one.

After closing down:
$ grep freeimage slade.trace
openat(AT_FDCWD, "/lib64/libfreeimage.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libfreeimage-3.18.0.so", O_RDONLY) = 13
openat(AT_FDCWD, "/usr/lib64/libfreeimage-3.18.0.so", O_RDONLY) = 15
openat(AT_FDCWD, "/usr/lib64/libfreeimage-3.18.0.so", O_RDONLY) = 15

So the library is being accessed.

Giving this a pass.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2023-05-15 23:59:42 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-16 18:58:30 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-05-16 21:19:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0170.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED