+++ This bug was initially created as a clone of Bug #17731 +++

A CVE was requested for an integer overflow that affects gtk+ and several apps: http://openwall.com/lists/oss-security/2016/02/10/2

A commit upstream in gtk+ to fix it is linked in the message above.
Pushed new release [1] to core/updates_testing which fixes the issue.

[1] thunar-1.6.6-1.1.mga5
Assignee: bugsquad => qa-bugs
SRPM: thunar-1.6.6-1.1.mga5

RPMS:
thunar-1.6.6-1.1.mga5
lib(|64)thunarx2_0-1.6.6-1.1.mga5
lib(|64)thunarx-devel-1.6.6-1.1.mga5
CC: cvargas, jani.valimaa, luigiwalser, matteo.pasotti, olav, tarakbumba => (none)
Severity: normal => major
CVE: (none) => CVE-2013-7447
URL: (none) => http://www.openwall.com/lists/oss-security/2016/02/10/2
Suggested advisory:
========================

Updated thunar packages fix security vulnerability:

Due to a logic error, an attempt to allocate a large block of memory fails in thunar_gdk_cairo_set_surface, leading to a crash of thunar (CVE-2013-7447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7447
http://openwall.com/lists/oss-security/2016/02/10/6
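The advisory above describes the root cause only as a failed allocation of a large block in thunar_gdk_cairo_set_surface, and comment 1 traces it to an integer overflow shared with gtk+. The following C program is an added illustration of that class of bug and is not thunar's or gtk+'s code: it computes the byte size of a 32-bit-per-pixel image surface the unchecked way (a 32-bit product of width, height and bytes per pixel, which wraps) and the checked way (size_t arithmetic guarded against overflow). The dimensions, the 4-byte pixel format and the helper names are assumptions chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed ARGB32-style surface: 4 bytes per pixel (illustrative constant). */
#define BYTES_PER_PIXEL 4u

/* Vulnerable pattern: the product is formed in 32-bit unsigned arithmetic,
 * so large dimensions wrap around and yield a far too small byte count.
 * A caller that allocates this many bytes and then fills the surface row
 * by row would write past the end of the buffer. */
uint32_t surface_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened pattern: widen to size_t and reject any multiplication that
 * would exceed SIZE_MAX before performing it. Returns false on overflow
 * or on a zero dimension, so the caller never allocates a wrapped size. */
bool surface_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0)
        return false;
    if ((size_t)width > SIZE_MAX / BYTES_PER_PIXEL)
        return false;
    size_t stride = (size_t)width * BYTES_PER_PIXEL;
    if (stride > SIZE_MAX / height)
        return false;
    *out = stride * height;
    return true;
}

/* Allocate the surface only when the size was computed without overflow;
 * on failure (overflow or out of memory) return NULL instead of a buffer
 * that is smaller than the pixel data the caller will copy into it. */
unsigned char *surface_alloc_checked(uint32_t width, uint32_t height, size_t *len)
{
    size_t n;
    if (!surface_bytes_checked(width, height, &n))
        return NULL;
    unsigned char *buf = malloc(n);
    if (buf != NULL)
        *len = n;
    return buf;
}

int main(void)
{
    /* Constructed input: 65536 x 32768 pixels at 4 bytes each is 2^33 bytes,
     * which is 0 modulo 2^32, so the unchecked size wraps to zero. */
    uint32_t w = 65536u, h = 32768u;
    size_t n = 0;

    printf("unchecked size: %u bytes\n", surface_bytes_unchecked(w, h));
    if (surface_bytes_checked(w, h, &n))
        printf("checked size:   %zu bytes\n", n);
    else
        printf("checked size:   rejected (overflow)\n");

    size_t len = 0;
    unsigned char *small = surface_alloc_checked(4u, 4u, &len);
    if (small != NULL) {
        printf("small surface:  %zu bytes allocated\n", len);
        free(small);
    }
    return 0;
}
```

On a 64-bit build the checked helper still returns the true size (8 GiB) and leaves the policy decision to the caller; on a 32-bit size_t it rejects the request outright. Either way the allocation that follows is never smaller than the data written into it, which is the property the unchecked product lacks.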
Testing M5 x64, real HW, XFCE, OK

lib64thunarx2_0-1.6.6-1.1.mga5
thunar-1.6.6-1.1.mga5
[+ thunar-volman-0.8.1-1.mga5]

Played with directory browsing, opening by double-clicking all sorts of files, USB stick, DVD. Everything seems normal.
CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK
Reply to comment #4

Are you able to run this on 32-bit, Lewis, real or virtual? If not I can try it.
CC: (none) => tarazed25
mga5 i586 in virtualbox Mate

[lcl@cursa ~/qa]$ sudo urpmi thunar
Package thunar-1.6.6-1.mga5.i586 is already installed

Installed thunar-1.6.6-1.1.mga5.i586 libthunarx2_0-1.6.6-1.1.mga5

# urpmi thunar-volman
Package thunar-volman-0.8.1-1.mga5.i586 is already installed

Thunar appeared under System Tools in the Applications menu. Brought up image viewer by double-clicking an image file. Invoked Amarok on an ogg file. Examined a tar file. DragonPlayer came up on double-clicking an already downloaded Youtube video clip. Installed latex2rtf from an rpm lying around in Downloads. Imported documents.tar from a USB drive and extracted the files. Opened Documents/ and double-clicked on an odt file to invoke Libreoffice writer.

Finally, tried network browsing but nothing happened except that "network:///" appeared in the address bar. On the host machine thunar -> Browse Network raises an error whereas caja (the Mate default file manager) allows remote logins. For caja in the vm 'Browse Network' does nothing either so that may be a restriction in virtual machines. If there is a bug for network browsing in thunar on real hardware it is probably irrelevant to this update. Will wait for feedback on that one. If David agrees that it can be ignored here I shall OK the update for 32-bit.

Might there be an addon for network browsing?
As a rider to comment #6 I tried out Thunar in xfce, where thunar is the default file manager, and it behaved as in Mate with a few differences in file associations, e.g. to play a music track Amarok needed to be selected rather than going with the default Parole media player, which foundered on a GStreamer backend error (Could not initialise Xv output). Pretty sure that is irrelevant to the current testing.
The lack of network browsing in a VM is likely down to VM network config, Len. If using vbox set it to bridged network for it to be able to access other computers on the lan. Testing you've done for Thunar is perfectly good though.
@Claire. Yes I guess it must be down to configuration, although I do use a bridged network; doing scp's back and forth all the time. We can let this run then.

Validating, and would someone from sysadmin please push to Mageia 5 core updates.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
URL: http://www.openwall.com/lists/oss-security/2016/02/10/2 => http://lwn.net/Vulnerabilities/675834/
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0071.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED