Bug 32273

Summary: indent new security issues, including CVE-2023-40305
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, marja11, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: indent-2.2.13-1.mga9.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2023-09-11 14:11:57 CEST 
Fedora has issued an advisory on September 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MIUH3F63KQJWYR3FLKRZUYYRJOY6FYX/

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-09-11 14:12:32 CEST

Source RPM: (none) => indent-2.2.13-1.mga9.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO

Comment 1 Nicolas Salguero 2023-09-11 14:37:31 CEST 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file. (CVE-2023-40305)

GNU indent 2.2.13 has a heap overread in lexi().

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40305
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MIUH3F63KQJWYR3FLKRZUYYRJOY6FYX/
========================

Updated package in {8|9}/core/updates_testing:
========================
indent-2.2.13-1.1.mga{8|9}

from SRPM:
indent-2.2.13-1.1.mga{8|9}.src.rpm

Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2023-09-18 09:20:15 CEST

Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: nicolas.salguero => qa-bugs

Comment 2 Herman Viaene 2023-09-18 16:59:39 CEST 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
followed test from bug 31884:
original reading
#if X
#if Y
#define Z 1
#else
#define Z 0
#endif
#endif
Comand executed:
$ indent indent.c -o testcindentform.c -ppi 3
results in testcindentform.c reading
#if X
#   if Y
#      define Z 1
#   else
#      define Z 0
#   endif
#endif
So good to go.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => herman.viaene

PC LX 2023-09-20 17:53:35 CEST

CC: (none) => mageia

Comment 3 Thomas Andrews 2023-09-24 02:34:55 CEST 
MGA9-64 Plasma in Virtualbox:

No installation issues. Attempted to use Herman's test in a cookbook fashion, as I know not what I do...

Created an unindented file testindent.c:

#if X
#if Y
#define Z 1
#else
#define Z 0
#endif
#endif
 
Ran the command $  indent testindent.c -o testindentform.c -ppi 3

Opened testindentform.c with kwrite:

#if X
#   if Y
#      define Z 1
#   else
#      define Z 0
#   endif
#endif

Result same as Herman's, so OKing for MGA9. Validating. Advisory in comment 1.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Marja Van Waes 2023-09-30 15:34:13 CEST

Keywords: (none) => advisory
CC: (none) => marja11

Comment 4 Mageia Robot 2023-09-30 21:18:32 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0274.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED