Upstream has issued an advisory on September 22:
http://lists.x.org/archives/xorg-announce/2015-September/002637.html

The issue is fixed in version 0.32.8.

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated pixman packages fix security vulnerability:

The pixman library before 0.32.8 is vulnerable to a buffer overflow which can affect 32-bit systems.

References:
http://lists.x.org/archives/xorg-announce/2015-September/002637.html
========================

Updated packages in core/updates_testing:
========================
libpixman1_0-0.32.8-1.mga5
libpixman-devel-0.32.8-1.mga5

from pixman-0.32.8-1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
mga5 x86_64

Installed packages :
lib64pixman-devel-0.32.8-1.mga5.x86_64.rpm
lib64pixman1_0-0.32.8-1.mga5.x86_64.rpm

Firefox launch OK.
lsof | grep firefox | grep pixman shows /usr/lib64/libpixman-1.so.0.32.8

Update OK.
CC: (none) => yann.cantin
Whiteboard: (none) => MGA5-64-OK
(In reply to Yann Cantin from comment #1)
> lsof | grep firefox | grep pixman shows /usr/lib64/libpixman-1.so.0.32.8

That's a handy tip, easier than strace. Could you add it here please..
https://wiki.mageia.org/en/QA_Tips_and_Tricks
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libpixman1_0

default install of libpixman1_0

[root@localhost wilcal]# urpmi libpixman1_0
Package libpixman1_0-0.32.6-3.mga5.i586 is already installed

KDE Desktop applications display properly
lsof | grep firefox | grep pixman:
/usr/lib/libpixman-1.so.0.32.6
VLC plays videos correctly, LibreOffice/Write display properly.

install libpixman1_0 from updates_testing
Stop then restart X

[root@localhost wilcal]# urpmi libpixman1_0
Package libpixman1_0-0.32.8-1.mga5.i586 is already installed

KDE Desktop applications display properly
lsof | grep firefox | grep pixman:
/usr/lib/libpixman-1.so.0.32.8
VLC plays videos correctly, LibreOffice/Write display properly.
CC: (none) => wilcal.int
Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK
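The lsof check used in the test reports above, generalized as an added example (not part of the original thread or of Mageia's QA tooling): it lists every process, not just firefox, that still maps a libpixman older than the fixed 0.32.8, which is what remains on a system until X and its clients are restarted. The function names and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag processes whose mapped libpixman predates the fix.
FIXED="0.32.8"   # first fixed version, per the advisory in this report

# Reads lsof-style lines on stdin and prints "COMMAND PID PATH" once for
# each process that maps a libpixman-1.so older than $FIXED.
stale_pixman() {
    awk -v fixed="$FIXED" '
    # Numeric, component-wise comparison so that 0.30.12 sorts below 0.32.8.
    function older(a, b,    x, y, i) {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) return 1
            if (x[i] + 0 > y[i] + 0) return 0
        }
        return 0
    }
    {
        # The column count varies (optional TID column), so scan every field.
        for (f = 1; f <= NF; f++) {
            if (match($f, /libpixman-1\.so\.[0-9]+\.[0-9]+\.[0-9]+$/)) {
                skip = length("libpixman-1.so.")
                ver = substr($f, RSTART + skip, RLENGTH - skip)
                key = $1 " " $2 " " $f
                if (older(ver, fixed) && !(key in seen)) {
                    seen[key] = 1
                    print key
                }
            }
        }
    }'
}

# Constructed sample input in lsof column layout (not captured output).
sample_lsof() {
cat <<'EOF'
firefox   2314 wilcal mem REG 8,1 700000 1311 /usr/lib/libpixman-1.so.0.32.6
firefox   2314 wilcal mem REG 8,1 700000 1311 /usr/lib/libpixman-1.so.0.32.6
vlc       2550 wilcal mem REG 8,1 700000 1377 /usr/lib/libpixman-1.so.0.32.8
soffice   2600 wilcal mem REG 8,1 700000 1311 /usr/lib64/libpixman-1.so.0.30.12
EOF
}

# On a live system: lsof | stale_pixman
sample_lsof | stale_pixman
```

An empty result after the update and a restart of X means no running process still has the pre-0.32.8 library mapped.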
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded. Thanks for adding that Yann.
Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK
Whiteboard: advisory MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0385.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/658600/
This is CVE-2015-5297: https://usn.ubuntu.com/3843-1/
Summary: pixman new buffer overflow security issue fixed upstream in 0.32.8 => pixman new buffer overflow security issue fixed upstream in 0.32.8 (CVE-2015-5297)