Two potential security issues in DirectFB have been issued CVEs:
http://openwall.com/lists/oss-security/2014/05/15/9
http://openwall.com/lists/oss-security/2014/05/15/10

No fixes are available yet. Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fedora bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1098528

No progress on this upstream AFAICT.
CC: (none) => remi
Still no reaction from upstream.
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO
OpenSuSE has issued an advisory for this today (April 30):
http://lists.opensuse.org/opensuse-updates/2015-04/msg00060.html

Patches checked into Mageia 4 and Cauldron SVN. Freeze push requested.
URL: (none) => http://lwn.net/Vulnerabilities/642649/
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated directfb packages fix security vulnerabilities:

Multiple integer signedness errors in the Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Voodoo interface, which triggers a stack-based buffer overflow (CVE-2014-2977).

The Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Voodoo interface, which triggers an out-of-bounds write (CVE-2014-2978).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2978
http://lists.opensuse.org/opensuse-updates/2015-04/msg00060.html
========================

Updated packages in core/updates_testing:
========================
libdirectfb1.7_0-1.7.0-2.1.mga4
libdirectfb-devel-1.7.0-2.1.mga4
directfb-doc-1.7.0-2.1.mga4

from directfb-1.7.0-2.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)
Severity: normal => critical
No PoC.

From the website..

"DirectFB is a thin library that provides hardware graphics acceleration, input device handling and abstraction, integrated windowing system with support for translucent windows and multiple display layers, not only on top of the Linux Framebuffer Device. It is a complete hardware abstraction layer with software fallbacks for every graphics operation that is not supported by the underlying hardware. DirectFB adds graphical power to embedded systems and sets a new standard for graphics under Linux."

Test with any of these..

$ urpmq --whatrequires lib64directfb1.7_0 | uniq
gpac
gstreamer0.10-directfb
gstreamer1.0-directfb
lib64SDL1.2_0
lib64cairo-devel
lib64dfb++1.2_0
lib64directfb-devel
lib64directfb1.7_0
lib64xine2
links-graphic
links-hacked
linkx
mplayer
vlc-plugin-common
Whiteboard: (none) => has_procedure
Testing complete mga4 64

Using vlc under strace..

$ strace -o strace.txt vlc
$ grep directfb strace.txt
stat("/usr/lib64/vlc/plugins/video_output/libdirectfb_plugin.so", {st_mode=S_IFREG|0755, st_size=11192, ...}) = 0
open("/usr/lib64/vlc/plugins/video_output/libdirectfb_plugin.so", O_RDONLY|O_CLOEXEC) = 5
open("/lib64/libdirectfb-1.7.so.0", O_RDONLY|O_CLOEXEC) = 5
open("/usr/lib64/libdirectfb-1.7.so.0.0.0", O_RDONLY) = 6
Whiteboard: has_procedure => has_procedure mga4-64-ok
Confirmed patches applied. Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0176.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED