Fedora has issued advisories on March 6:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130342.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130347.html

Sorry I missed these earlier. Version 1.0.2 in Cauldron should be OK, but Mageia 3 and Mageia 4 are affected.

There's more discussion of the issues on the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1069396

Reproducible:

Steps to Reproduce:
CC: (none) => shlomif
Whiteboard: (none) => MGA3TOO
Pushed fixed pkgs to core/updates_testing for mga4 [1] and mga3 [2].

New releases use a fixed wrapper script to launch the program. The mga4 release also adds a missing requires for gnome-icon-theme-symbolic. The mga3 release also fixes the app icon symlink and a crash when some icons are missing from the icon theme.

[1] catfish-0.8.2-2.1.mga4
[2] catfish-0.3.2-6.1.mga3
Assignee: jani.valimaa => qa-bugs
Thanks Jani! BTW Jani, do you have any comment on which CVEs affect which release and if the .pyc issue is relevant for us?

Preliminary advisory...

Advisory:
========================

Updated catfish package fixes security vulnerabilities:

Untrusted search path vulnerability in Catfish allows local users to gain privileges via a Trojan horse catfish.py in the current working directory (CVE-2014-2093, CVE-2014-2094, CVE-2014-2095, CVE-2014-2096).

Additionally, the Mageia 3 update fixes the application icon symlink and a crash when some icons are missing from the icon theme, and the Mageia 4 update adds a missing requirement for the gnome-icon-theme-symbolic package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2096
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130347.html
CC: (none) => jani.valimaa
I'd say:

mga3 => CVE-2014-2093
mga4 => CVE-2014-2096

The .pyc issue isn't relevant for us as we don't ship such files with catfish in mga3/4.
Easy test case for mga3:
========================

cd /tmp
cat > catfish.py << EOF
#!/usr/bin/python
print "Hello World!"
EOF
chmod 755 catfish.py
catfish

And same for mga4:
==================

cd /tmp
mkdir -p bin
cat > bin/catfish.py << EOF
#!/usr/bin/python
print "Hello World!"
EOF
chmod 755 bin/catfish.py
catfish
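The test case above works because the old wrapper picked up a catfish.py relative to whatever directory the user was in. The following is an added example, not the Mageia package's wrapper or anything from this thread: it contrasts a launcher that resolves its script relative to the working directory with one that uses an absolute install path, and gives a small check a packager can run against a wrapper before shipping it. The stand-in scripts, the fixture directories and the relative path in weak_launch are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not the catfish project's or Mageia's own wrapper).
# Shows why a relative script path in a launcher is an untrusted search
# path bug, and how an absolute install path removes the dependency on
# the working directory.

set -u

# Constructed fixture: an "installed" copy of the program and a same-named
# file in a working directory (the thread's test uses a Python Hello World;
# plain sh scripts are used here so the example runs anywhere).
setup_fixture() {
    FIXTURE=$(mktemp -d)
    mkdir -p "$FIXTURE/install/bin" "$FIXTURE/cwd/bin"
    printf '#!/bin/sh\necho installed\n' > "$FIXTURE/install/bin/catfish.py"
    printf '#!/bin/sh\necho cwd-copy\n'  > "$FIXTURE/cwd/bin/catfish.py"
    chmod 755 "$FIXTURE/install/bin/catfish.py" "$FIXTURE/cwd/bin/catfish.py"
}

# Weak launcher pattern (assumed for illustration): "bin/catfish.py" is a
# relative path, so the user's working directory decides which file runs.
# $1 is the directory the user invokes the wrapper from.
weak_launch() {
    ( cd "$1" && sh bin/catfish.py )
}

# Hardened launcher: the install directory is fixed at packaging time and the
# script is referenced by absolute path; the working directory is irrelevant.
CATFISH_DIR="${CATFISH_DIR:-}"   # set after setup_fixture in this example
hardened_launch() {
    ( cd "$1" && sh "$CATFISH_DIR/bin/catfish.py" )
}

# Packager's check: invoke the wrapper from a directory that contains a
# same-named bin/catfish.py and from a clean directory; the program that
# runs must be the same in both cases. Returns 0 when the wrapper passes.
cwd_independent() {
    launcher=$1
    clean=$(mktemp -d)
    from_prepared=$("$launcher" "$FIXTURE/cwd")
    from_clean=$("$launcher" "$clean")
    rmdir "$clean"
    [ "$from_prepared" = "$from_clean" ]
}

cleanup() {
    rm -rf "$FIXTURE"
}

# Stand-alone demonstration.
setup_fixture
CATFISH_DIR="$FIXTURE/install"
echo "relative-path wrapper, run from the prepared directory: $(weak_launch "$FIXTURE/cwd")"
echo "absolute-path wrapper, run from the same directory:     $(hardened_launch "$FIXTURE/cwd")"
if cwd_independent weak_launch; then echo "weak wrapper: passes check"; else echo "weak wrapper: FAILS check"; fi
if cwd_independent hardened_launch; then echo "hardened wrapper: passes check"; else echo "hardened wrapper: FAILS check"; fi
```

The cwd_independent check is the part worth keeping: it is the thread's manual test turned into a pass/fail step that can sit in a package's %check or in QA's procedure, and it flags any launcher whose behaviour changes with the caller's working directory.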
Thanks again Jani. Corrected advisories.

Advisory (Mageia 3):
========================

Updated catfish package fixes security vulnerability:

Untrusted search path vulnerability in Catfish allows local users to gain privileges via a Trojan horse catfish.py in the current working directory (CVE-2014-2093).

Additionally, the update fixes the application icon symlink and a crash when some icons are missing from the icon theme.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2093
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130342.html

Advisory (Mageia 4):
========================

Updated catfish package fixes security vulnerabilities:

Untrusted search path vulnerability in Catfish allows local users to gain privileges via a Trojan horse bin/catfish.py in the current working directory (CVE-2014-2096).

Additionally, the update adds a missing requirement for the gnome-icon-theme-symbolic package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2096
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130347.html
Procedure in comment 4, thanks Jani.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing MGA4 64 real hardware.

Installed from normal repertories, the test given in Comment 4 (many thanks for that; but expected output?) yielded:

$ catfish
Hello World!

*without* launching the graphical program. Trying Catfish from the menu, it launched & worked fine.

Updated from Testing to catfish-0.8.2-2.1.mga4 and re-running the given test *launched* the graphical program, with:

$ catfish
(catfish.py:17084): Gdk-CRITICAL **: gdk_device_ungrab: assertion 'GDK_IS_DEVICE (device)' failed
(catfish.py:17084): Gtk-CRITICAL **: gtk_device_grab_remove: assertion 'GDK_IS_DEVICE (device)' failed
(catfish.py:17084): Gdk-CRITICAL **: gdk_device_ungrab: assertion 'GDK_IS_DEVICE (device)' failed
(catfish.py:17084): Gtk-CRITICAL **: gtk_device_grab_remove: assertion 'GDK_IS_DEVICE (device)' failed

The same searches as previously gave the same results. If this is what is expected, can someone MGA4-64-OK this in the Whiteboard, please?
CC: (none) => lewyssmith
(In reply to Jani Välimaa from comment #4)
> And same for mga4:
> ==================
...
> catfish

Jani, please can you confirm (or otherwise) that the pre-update & post-update Mageia4 test results I noted in Comment 7 are what they should be; I cannot judge (but suspect they are good). If OK, you can MGA4-64-OK the bug in the whiteboard.
Just an off-topic note for Jani, I noticed that Debian now has 1.2.0: https://packages.debian.org/source/sid/catfish
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: catfish

default install of catfish

[root@localhost wilcal]# urpmi catfish
Package catfish-0.3.2-6.mga3.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

install catfish from updates_testing

[root@localhost wilcal]# urpmi catfish
Package catfish-0.3.2-6.1.mga3.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: catfish

default install of catfish

[root@localhost wilcal]# urpmi catfish
Package catfish-0.3.2-6.mga3.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

install catfish from updates_testing

[root@localhost wilcal]# urpmi catfish
Package catfish-0.3.2-6.1.mga3.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: catfish

default install of catfish

[root@localhost wilcal]# urpmi catfish
Package catfish-0.8.2-2.mga4.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

install catfish from updates_testing

[root@localhost wilcal]# urpmi catfish
Package catfish-0.8.2-2.1.mga4.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: catfish

default install of catfish

[root@localhost wilcal]# urpmi catfish
Package catfish-0.8.2-2.mga4.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

install catfish from updates_testing

[root@localhost wilcal]# urpmi catfish
Package catfish-0.8.2-2.1.mga4.noarch is already installed

Catfish works, I can do a search, and list, searched for files in my home directory.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
For me this update works fine and is fully functional after update.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Separate advisories uploaded for mga3 and mga4
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0341.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0342.html