Bug 33072

Summary: indent new security issue CVE-2024-0911
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: indent-2.2.13-1.1.mga9.src.rpm CVE: CVE-2024-0911
Status comment:

Description Nicolas Salguero 2024-04-09 10:29:41 CEST 
SUSE has issued an advisory on April 8:
https://lwn.net/Articles/968977/

Debian has the following patch: https://sources.debian.org/src/indent/2.2.13-4/debian/patches/04-fix-a-heap-buffer-underread-in-set-buf-break.patch/

Mageia 9 is also affected.
Nicolas Salguero 2024-04-09 10:30:07 CEST

Status comment: (none) => Patch available from Debian
Source RPM: (none) => indent-2.2.13-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-0911

Comment 1 Lewis Smith 2024-04-09 21:16:41 CEST 
Thanks for the exact patch ref. It is short & sweet.
No one packager in view, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-04-10 11:21:07 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in indent, a program for formatting C code. This issue may allow an attacker to trick a user into processing a specially crafted file to trigger a heap-based buffer overflow, causing the application to crash. (CVE-2024-0911)

References:
https://lwn.net/Articles/968977/
========================

Updated package in core/updates_testing:
========================
indent-2.2.13-1.2.mga9

from SRPM:
indent-2.2.13-1.2.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: indent-2.2.13-2.mga10.src.rpm => indent-2.2.13-1.1.mga9.src.rpm
Status comment: Patch available from Debian => (none)
Version: Cauldron => 9

katnatek 2024-04-10 20:20:37 CEST

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2024-04-12 02:25:12 CEST 
MGA9-64 in VirtualBox. No installation issues. Followed Herman's lead in bug 31884 comment 5 for testing:

Created a short test file testindent.c with Kwrite:

#if X
#if Y
#define Z 1
#else
#define Z 0
#endif
#endif

Ran the command: $ indent testindent.c -o testindentform.c -ppi 3

The resulting form in testindentform.c:

#if X
#   if Y
#      define Z 1
#   else
#      define Z 0
#   endif
#endif

Looks good. Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2024-04-12 22:45:58 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0122.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED