Bug 15173 - perl-Gtk2 possible security issue from memory management bug
Summary: perl-Gtk2 possible security issue from memory management bug
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/633094/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2015-01-31 18:39 CET by David Walser
Modified: 2015-03-12 22:51 CET (History)
3 users (show)

See Also:
Source RPM: perl-Gtk2-1.249.200-5.mga5.src.rpm
Status comment:

perl-Gtk2 script files (1.10 KB, application/gzip)
2015-02-05 22:59 CET, olivier charles

Description David Walser 2015-01-31 18:39:38 CET
As Thierry pointed out on the dev mailing list, there's a memory management bug that was fixed in perl-Gtk2 1.2495:

He forwarded an e-mail from the gtk-perl-list@gnome.org list that addressed the possible security implications.  The response was rather unfortunate, as this is how we end up with things like GHOST, but I digress...


So we should update Mageia 4 and Cauldron to 1.2495.


Steps to Reproduce:
David Walser 2015-01-31 18:39:57 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-02-04 13:39:55 CET
Updated packages uploaded for Mageia 4 and Cauldron by tv.


from perl-Gtk2-1.249.500-2.mga4.src.rpm

Assigning to QA.  Advisory to come later.  For now, see the upstream NEWS file.

CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4

Comment 2 olivier charles 2015-02-05 22:59:15 CET
Created attachment 5860 [details]
perl-Gtk2 script files

5 perl-Gtk2 script files I used for my test.

They were found here :


CC: (none) => olchal

Comment 3 olivier charles 2015-02-05 23:02:04 CET
Testing on Mageia4x64 real hardware using script files in Comment 2
Did not find any PoC

From current package :

To updated package :

Perl-Gtk2 scripts ran well with both versions.

Whiteboard: (none) => MGA4-64-OK

claire robinson 2015-02-09 20:01:04 CET

Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK

Comment 4 David Walser 2015-02-10 14:18:35 CET
The seven programs from the Dr. Dobbs article work fine on Mageia 4 i586.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 5 claire robinson 2015-02-11 12:50:40 CET
Need an advisory for this one please David.
Comment 6 David Walser 2015-02-11 13:04:26 CET

Updated perl-Gtk2 packages fix security vulnerability:

Incorrect memory management in Gtk2::Gdk::Display::list_devices in perl-Gtk2
before 1.2495, where, the code was freeing memory that gtk+ still holds onto
and might access later.

The perl-Gtk2 package has been updated to version 1.2495 to fix this issue and
other bugs.

Comment 7 claire robinson 2015-02-11 13:17:09 CET
Thanks. Validating.

Advisory uploaded.

Please push to 4 updates

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-02-11 21:48:33 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

David Walser 2015-02-12 16:36:50 CET

URL: (none) => http://lwn.net/Vulnerabilities/633094/

Comment 9 David Walser 2015-03-12 22:51:33 CET
A CVE was requested for this, but it's unclear whether one is appropriate.  MITRE cited our bug in the discussion:

Note You need to log in before you can comment on or make changes to this bug.