Bug 10566 - autotrace new security issue CVE-2013-1953
: autotrace new security issue CVE-2013-1953
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/555458/
: MGA2TOO MGA3-32-ok MGA2-32-ok MGA2-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-19 20:47 CEST by David Walser
Modified: 2014-05-08 18:04 CEST (History)
5 users (show)

See Also:
Source RPM: autotrace-0.31.1-37.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-06-19 20:47:46 CEST
OpenSuSE has issued an advisory today (June 19):
http://lists.opensuse.org/opensuse-updates/2013-06/msg00168.html

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-06-28 01:31:49 CEST
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated autotrace packages fix security vulnerability:

Stack-based buffer overflow in bmp parser (CVE-2013-1953).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1953
http://lists.opensuse.org/opensuse-updates/2013-06/msg00168.html
========================

Updated packages in core/updates_testing:
========================
autotrace-0.31.1-34.1.mga2
libautotrace3-0.31.1-34.1.mga2
libautotrace-devel-0.31.1-34.1.mga2
autotrace-0.31.1-37.1.mga3
libautotrace3-0.31.1-37.1.mga3
libautotrace-devel-0.31.1-37.1.mga3

from SRPMS:
autotrace-0.31.1-34.1.mga2.src.rpm
autotrace-0.31.1-37.1.mga3.src.rpm
Comment 2 martyn vidler 2013-06-29 16:22:29 CEST
Tested on MGA3 32


urpmi autotrace 0.31.1-37.mga3

Ran command autotrace autotrace -input-format BMP test5.bmp -output-file test5.svg
Created new file test5.svg

$MIRRORLIST: media/core/updates_testing/autotrace-0.31.1-37.1.mga3.i586.rpm
installing autotrace-0.31.1-37.1.mga3.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     ############################################
      1/1: autotrace             ############################################
      1/1: removing autotrace-0.31.1-37.mga3.i586


To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  autotrace                      0.31.1       37.1.mga3     i586
  libautotrace3                  0.31.1       37.1.mga3     i586

"NOTE libautotrace-devel-0.31.1-37.1.mga3.i586 Had to be installed seperatly is this correct".

sudo urpmi --media 'Core Updates Testing' libautotrace-devel-0.31.1-37.1.mga3
A requested package cannot be installed:
libautotrace-devel-0.31.1-37.1.mga3.i586 (due to unsatisfied devel(libm))
Continue installation anyway? (Y/n)

Rerun same test created test5.svg
Comment 3 martyn vidler 2013-06-29 17:11:52 CEST
Tested MGA2 32

Completed as comment 2

Same results ok
Comment 4 martyn vidler 2013-06-30 10:53:54 CEST
MGA3 64

installed autotrace 0.31.1-37.mga3
Updated

 rsync://www.mirrorservice.org/mageia.org/pub/mageia/distrib/3/x86_64/media/core/updates_testing/autotrace-0.31.1-37.1.mga3.x86_64.rpm
installing autotrace-0.31.1-37.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms    
Preparing...                     #############################################
      1/1: autotrace             #############################################
      1/1: removing autotrace-0.31.1-37.mga3.x86_64

sudo urpmi --media 'Core Updates Testing' libautotrace3-0.31.1.37.1.mga3
No package named libautotrace3-0.31.1.37.1.mga3

sudo urpmi --media 'Core Updates Testing' libautotrace-devel-0.31.1.37.mga3
No package named libautotrace-devel-0.31.1.37.mga3
Comment 5 claire robinson 2013-06-30 14:50:30 CEST
The libs will be named lib64... rather than lib... on x86_64
Comment 6 martyn vidler 2013-06-30 18:42:56 CEST
Thks Claire

Tested MGA3 64 and MGA2 64

Repeated above test 

Both 64 bit arch's passed

Validating for update
Comment 7 Dave Hodgins 2013-06-30 20:53:33 CEST
http://svnweb.mageia.org/advisories/10566.adv?view=markup&sortby=date
has been uploaded.

Could someone from the sysadmin team push 10566.adv
Comment 8 Nicolas Vigier 2013-07-01 21:23:43 CEST
http://advisories.mageia.org/MGASA-2013-0195.html

Note You need to log in before you can comment on or make changes to this bug.