Bug 8070

Summary: gegl new security issue CVE-2012-4433
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: Normal
CC: fundawang, sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/524704/
Whiteboard: MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK, MGA1-32-OK
Source RPM: gegl-0.2.0-6.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2012-11-14 00:25:56 CET
RedHat has issued an advisory on November 12:
https://rhn.redhat.com/errata/RHSA-2012-1455.html

It is unclear exactly which versions are affected, but Mageia 1, Mageia 2, and Cauldron all may be.

The upstream commits to fix this are linked in the RedHat bug:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=856300
David Walser 2012-11-14 00:26:04 CET

Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-11-16 23:09:29 CET
All three versions are affected. I have checked the patches into SVN to fix this.

It builds fine locally on Mageia 1 and Mageia 2.

It does not build in Cauldron, with this seeming to be the problem:
"unknown type name 'luaL_reg'"

from:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20121116215912.luigiwalser.valstar.23507/log/gegl-0.2.0-7.mga3/build.0.20121116220006.log

Funda, could you please look into this?

Priority: Normal => High

Comment 2 David Walser 2012-11-17 17:30:39 CET
Thanks for fixing the Cauldron package Funda.

Priority: High => Normal
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 3 David Walser 2012-11-17 17:38:05 CET
Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated gegl packages fix security vulnerability:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the gegl utility processed .ppm (Portable Pixel Map) image
files. An attacker could create a specially-crafted .ppm file that, when
opened in gegl, would cause gegl to crash or, potentially, execute
arbitrary code (CVE-2012-4433).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4433
https://rhn.redhat.com/errata/RHSA-2012-1455.html
========================

Updated packages in core/updates_testing:
========================
gegl-0.1.2-3.1.mga1
libgegl0.1_0-0.1.2-3.1.mga1
libgegl0.1-devel-0.1.2-3.1.mga1
gegl-0.2.0-2.1.mga2
libgegl0.2_0-0.2.0-2.1.mga2
libgegl-devel-0.2.0-2.1.mga2

from SRPMS:
gegl-0.1.2-3.1.mga1.src.rpm
gegl-0.2.0-2.1.mga2.src.rpm

CC: (none) => fundawang
Assignee: fundawang => qa-bugs
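The advisory above describes an integer overflow in gegl's PPM handling that becomes a heap-based buffer overflow. As an added illustration of that bug class (not gegl's own code and not the upstream fix), here is the unchecked raster-size computation beside a checked version; the 1 GiB cap used in main() is an assumed policy limit, not a value from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not gegl's code). A P6 PPM raster needs
 * width * height * bytes_per_pixel bytes. If that product is computed in a
 * fixed-width integer it can wrap, the loader then allocates a heap buffer
 * much smaller than the pixel data it goes on to read, and the read overruns
 * the heap. The hardened version checks every multiply and applies a size cap
 * before any allocation would happen. */

/* Vulnerable pattern: 32-bit product, no overflow check. */
uint32_t ppm_raster_size_naive(uint32_t w, uint32_t h, uint32_t maxval) {
    uint32_t bpp = (maxval > 255) ? 6 : 3;   /* 3 samples, 1 or 2 bytes each */
    return w * h * bpp;                       /* wraps silently for large w*h */
}

/* Multiply with overflow detection; returns 0 and leaves *out untouched on overflow. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Hardened pattern: returns the raster size, or 0 when the header is invalid,
 * the product overflows size_t, or it exceeds max_bytes (a caller-chosen cap,
 * assumed here since the page names no specific limit). */
size_t ppm_raster_size_checked(size_t w, size_t h, size_t maxval, size_t max_bytes) {
    size_t bpp = (maxval > 255) ? 6 : 3;
    size_t n;
    if (w == 0 || h == 0 || maxval == 0 || maxval > 65535) return 0; /* PPM limits */
    if (!mul_checked(w, h, &n)) return 0;
    if (!mul_checked(n, bpp, &n)) return 0;
    if (n > max_bytes) return 0;
    return n;
}

int main(void) {
    /* Constructed header values: a sane 4x3 image and an absurd 65536x65536 one. */
    size_t cap = (size_t)1 << 30;
    printf("4x3:         naive=%u checked=%zu\n",
           ppm_raster_size_naive(4, 3, 255), ppm_raster_size_checked(4, 3, 255, cap));
    printf("65536x65536: naive=%u checked=%zu (0 = rejected)\n",
           ppm_raster_size_naive(65536u, 65536u, 255),
           ppm_raster_size_checked(65536, 65536, 255, cap));
    return 0;
}
```

The naive 32-bit product for 65536x65536 wraps to 0, which is exactly the too-small allocation the advisory warns about; the checked version rejects the same header.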

Comment 4 Marc Lattemann 2012-11-18 13:24:58 CET
No public PoC found and I have no real clue how to test.

Tested on the CLI, converting pictures from png to ppm and ppm to png (e.g. # gegl gegl.png -o gegl.ppm), and played around with the gegl plugin in gimp. Everything works fine.
Are there any more specific tests needed or known?

CC: (none) => marc.lattemann

Comment 5 David Walser 2012-11-18 18:03:26 CET
If you could reverse your command line test and make it use a PPM file as input, that will hit the affected code, so that would be good.
Comment 6 Marc Lattemann 2012-11-18 19:13:53 CET
Did it both ways, but I do not have a prepared ppm file for testing the overflow. So tested successfully on mga2 64bit. Will proceed testing the other versions.

Whiteboard: MGA1TOO => MGA1TOO, MGA2-64-OK

Comment 7 Marc Lattemann 2012-11-18 21:08:31 CET
Same tests performed for mga2 i586 and mga1 x86_64. But no gegl package found in Core_Update_testing for mga1 i586?

[root@localhost urpmi]# LC_ALL=C urpmi gegl
Package gegl-0.1.2-3.mga1.i586 is already installed
[root@localhost urpmi]# LC_ALL=C urpmi --media 'Core Updates Testing (distrib5)' gegl
No package named gegl

According to Sophie the package is there.
[20:05] <Latte> :v gegl -r 1
[20:05] <Sophie> Latte: 0.1.2-3.1.mga1 // core-updates_testing (Mga, 1, i586)
[20:05] <Sophie> Latte: 0.1.2-3.mga1 // core-release (Mga, 1, i586)

What am I doing wrong?

Whiteboard: MGA1TOO, MGA2-64-OK => MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK

Comment 8 David Walser 2012-11-18 21:20:12 CET
I don't know, but I see it here:
http://mageia.c3sl.ufpr.br/distrib/1/i586/media/core/updates_testing/gegl-0.1.2-3.1.mga1.i586.rpm
Comment 9 Thomas Backlund 2012-11-18 21:54:41 CET
Maybe you forgot to update the media hdlists...

urpmi.update "core updates testing"

CC: (none) => tmb

Comment 10 Marc Lattemann 2012-11-18 22:37:56 CET
I don't know (I am always using 'urpmi.update -a' after activating testing repos) - some servers don't seem to be up-to-date. However, using the server David mentioned I could install gegl from updates_testing and everything is working on mga1 i586 as well.

Validating update:

Please use the advisory from Comment 3.

Can sysadmin push package to updates? Thanks.

Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK => MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK, MGA1-32-OK

Comment 11 Thomas Backlund 2012-11-21 20:58:16 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0335

Status: NEW => RESOLVED
Resolution: (none) => FIXED