As Thierry pointed out on the dev mailing list, there's a memory management bug that was fixed in perl-Gtk2 1.2495:
He forwarded an e-mail from the firstname.lastname@example.org list that addressed the possible security implications. The response was rather unfortunate, as this is how we end up with things like GHOST, but I digress...
So we should update Mageia 4 and Cauldron to 1.2495.
Steps to Reproduce:
Updated packages uploaded for Mageia 4 and Cauldron by tv.
Assigning to QA. Advisory to come later. For now, see the upstream NEWS file.
Created attachment 5860 [details]
perl-Gtk2 script files
5 perl-Gtk2 script files I used for my test.
They were found here :
Testing on Mageia4x64 real hardware using script files in Comment 2
Did not find any PoC
From current package :
To updated package :
Perl-Gtk2 scripts ran well with both versions.
The seven programs from the Dr. Dobbs article work fine on Mageia 4 i586.
has_procedure MGA4-64-OK =>
has_procedure MGA4-64-OK MGA4-32-OK
Need an advisory for this one please David.
Updated perl-Gtk2 packages fix security vulnerability:
Incorrect memory management in Gtk2::Gdk::Display::list_devices in perl-Gtk2
before 1.2495, where, the code was freeing memory that gtk+ still holds onto
and might access later.
The perl-Gtk2 package has been updated to version 1.2495 to fix this issue and
Please push to 4 updates
has_procedure MGA4-64-OK MGA4-32-OK =>
has_procedure advisory MGA4-64-OK MGA4-32-OKCC:
An update for this issue has been pushed to Mageia Updates repository.
A CVE was requested for this, but it's unclear whether one is appropriate. MITRE cited our bug in the discussion: