As Thierry pointed out on the dev mailing list, there's a memory management bug that was fixed in perl-Gtk2 1.2495: http://cpansearch.perl.org/src/XAOC/Gtk2-1.2495/NEWS He forwarded an e-mail from the gtk-perl-list@gnome.org list that addressed the possible security implications. The response was rather unfortunate, as this is how we end up with things like GHOST, but I digress... https://www.mail-archive.com/gtk-perl-list@gnome.org/msg07796.html So we should update Mageia 4 and Cauldron to 1.2495. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron by tv. perl-Gtk2-1.249.500-2.mga4 perl-Gtk2-doc-1.249.500-2.mga4 from perl-Gtk2-1.249.500-2.mga4.src.rpm Assigning to QA. Advisory to come later. For now, see the upstream NEWS file.
CC: (none) => thierry.vignaudAssignee: thierry.vignaud => qa-bugsWhiteboard: MGA4TOO => (none)Version: Cauldron => 4
Created attachment 5860 [details] perl-Gtk2 script files 5 perl-Gtk2 script files I used for my test. They were found here : http://www.drdobbs.com/web-development/programming-graphical-applications-with/184416060?pgno=1
CC: (none) => olchal
Testing on Mageia4x64 real hardware using script files in Comment 2 Did not find any PoC From current package : -------------------- perl-Gtk2-1.249.0-2.mga4 To updated package : ------------------ perl-Gtk2-1.249.500-2.mga4.x86_64 Perl-Gtk2 scripts ran well with both versions.
Whiteboard: (none) => MGA4-64-OK
Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK
The seven programs from the Dr. Dobbs article work fine on Mageia 4 i586.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Need an advisory for this one please David.
Advisory: ======================== Updated perl-Gtk2 packages fix security vulnerability: Incorrect memory management in Gtk2::Gdk::Display::list_devices in perl-Gtk2 before 1.2495, where, the code was freeing memory that gtk+ still holds onto and might access later. The perl-Gtk2 package has been updated to version 1.2495 to fix this issue and other bugs. References: https://www.mail-archive.com/gtk-perl-list@gnome.org/msg07793.html http://cpansearch.perl.org/src/XAOC/Gtk2-1.2495/NEWS
Thanks. Validating. Advisory uploaded. Please push to 4 updates
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0059.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/633094/
A CVE was requested for this, but it's unclear whether one is appropriate. MITRE cited our bug in the discussion: http://openwall.com/lists/oss-security/2015/03/12/12