Bug 33205

Summary:	stb new security issue CVE-2023-45681 / CVE-2023-47212
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, sysadmin-bugs
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	stb-0-0.git20240213.1.mga10.src.rpm	CVE:	CVE-2023-45681, CVE-2023-47212
Status comment:	Patch available from Fedora

Description Nicolas Salguero 2024-05-13 15:41:43 CEST

Fedora has issued an advisory on May 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MHQQXX27ACLLYUQHWSL3DVCOGUK5ZA4/

Mageia 9 is also affected.

The fix is: https://src.fedoraproject.org/rpms/stb/raw/964fb3861ef6c418ef0f189b9cc047aabf83f16c/f/1559.patch

Nicolas Salguero 2024-05-13 15:42:18 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-45681, CVE-2023-47212
Status comment: (none) => Patch available from Fedora
Source RPM: (none) => stb-0-0.git20240213.1.mga10.src.rpm

Comment 1 Lewis Smith 2024-05-16 20:57:32 CEST

No one packager in view, assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2024-05-17 16:02:24 CEST

Assigning to the registered maintainer!

CC: (none) => geiger.david68210
Assignee: pkg-bugs => smelror

Comment 3 David GEIGER 2024-05-18 07:52:00 CEST

Fixed for Cauldron and mga9 too!


Assigning to QA,


Packages in 9/Core/Updates_testing:
======================
stb-devel-0-0.git20230129.4.1.mga9.noarch.rpm


From SRPMS:
stb-0-0.git20230129.4.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: smelror => qa-bugs
Version: Cauldron => 9

katnatek 2024-05-18 19:11:29 CEST

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2024-05-19 01:34:15 CEST

This is described as "single-file public domain libraries for C/C++" and urpmq doesn't come up with anything that requires it.

MGA9-64 Plasma in VirtualBox. Installed without issues, updated using qarepo, also without issues. Removed it, also without issues.

This is developer stuff. Validating on the clean install.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-05-22 01:18:24 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0186.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED