A Debian developer noted that libkdcraw uses a bundled copy of libraw, which is affected by a double-free security issue, which we have fixed in our libraw package in Bug 10346: http://openwall.com/lists/oss-security/2013/06/04/2 Reproducible: Steps to Reproduce:
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=10346Whiteboard: (none) => MGA3TOO, MGA2TOO
Ubuntu has issued an advisory for this today (June 18): http://www.ubuntu.com/usn/usn-1885-1/
URL: (none) => http://lwn.net/Vulnerabilities/553302/CC: (none) => balcaen.john
OpenSuSE has issued an advisory for this today (July 11): http://lists.opensuse.org/opensuse-updates/2013-07/msg00032.html
Depends on: (none) => 10600
For the record there's also CVE 2013-2127 (a buffer overflow) The patch for this one is already added on svn. The patch for the 2013-2126 is on the way (i'm currently waiting for kde's team review). One more thing it's going to be pushed with the 4.10.5 release update
For Mageia 3, yes 2127 is indeed relevant, and yes I know it'll be fixed with KDE. For Mageia 2, only CVE-2013-2126 should be relevant. What's the plan there?
(In reply to David Walser from comment #4) > For Mageia 2, only CVE-2013-2126 should be relevant. What's the plan there? It's the same patch as mga3 so waiting also for kde team review. As soon as it's ok i'll push it on mga2 core/updates_testing & open a bug report for QA team. sorry i forgot to mention it earlier :/
No problem, thanks. You can use this bug for the mgaw update.
(In reply to David Walser from comment #6) > No problem, thanks. You can use this bug for the mgaw update. mga2, whoops :o)
Depends on: (none) => 10768
Ok from Kde team, update pushed for mga2 ( #10768 )
Should be fixed in libkdcraw-4.10.95-1.mga4 for Cauldron.
Version: Cauldron => 3Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
looks like it could be assigned to QA ?
Version: 3 => 2Whiteboard: MGA2TOO => (none)
Now fixed for Mageia 2 and Mageia 3.
Status: NEW => RESOLVEDResolution: (none) => FIXED
Version: 2 => 3Whiteboard: (none) => MGA2TOO