+++ This bug was initially created as a clone of Bug #17731 +++

A CVE was requested for an integer overflow that affects gtk+ and several apps:
http://openwall.com/lists/oss-security/2016/02/10/2

A commit upstream in gtk+ to fix it is linked in the message above.

Patched gambas3 packages uploaded for Mageia 5 and Cauldron.

Suggested advisory:
========================

Updated gambas3 packages fix security vulnerability:

Due to a logic error, an attempt to allocate a large block of memory fails in gt_cairo_create_surface, leading to a crash of gambas3 (CVE-2013-7447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7447
http://openwall.com/lists/oss-security/2016/02/10/6
========================

Updated packages in core/updates_testing:
========================
gambas3-runtime-3.6.2-4.2.mga5
gambas3-devel-3.6.2-4.2.mga5
gambas3-script-3.6.2-4.2.mga5
gambas3-ide-3.6.2-4.2.mga5
gambas3-examples-3.6.2-4.2.mga5
gambas3-gb-cairo-3.6.2-4.2.mga5
gambas3-gb-chart-3.6.2-4.2.mga5
gambas3-gb-clipper-3.6.2-4.2.mga5
gambas3-gb-compress-3.6.2-4.2.mga5
gambas3-gb-crypt-3.6.2-4.2.mga5
gambas3-gb-db-3.6.2-4.2.mga5
gambas3-gb-db-form-3.6.2-4.2.mga5
gambas3-gb-db-mysql-3.6.2-4.2.mga5
gambas3-gb-db-odbc-3.6.2-4.2.mga5
gambas3-gb-db-postgresql-3.6.2-4.2.mga5
gambas3-gb-db-sqlite3-3.6.2-4.2.mga5
gambas3-gb-dbus-3.6.2-4.2.mga5
gambas3-gb-desktop-3.6.2-4.2.mga5
gambas3-gb-eval-highlight-3.6.2-4.2.mga5
gambas3-gb-form-3.6.2-4.2.mga5
gambas3-gb-form-dialog-3.6.2-4.2.mga5
gambas3-gb-form-mdi-3.6.2-4.2.mga5
gambas3-gb-form-stock-3.6.2-4.2.mga5
gambas3-gb-geom-3.6.2-4.2.mga5
gambas3-gb-gtk-3.6.2-4.2.mga5
gambas3-gb-gmp-3.6.2-4.2.mga5
gambas3-gb-gsl-3.6.2-4.2.mga5
gambas3-gb-gui-3.6.2-4.2.mga5
gambas3-gb-jit-3.6.2-4.2.mga5
gambas3-gb-image-3.6.2-4.2.mga5
gambas3-gb-image-effect-3.6.2-4.2.mga5
gambas3-gb-image-imlib-3.6.2-4.2.mga5
gambas3-gb-image-io-3.6.2-4.2.mga5
gambas3-gb-inotify-3.6.2-4.2.mga5
gambas3-gb-map-3.6.2-4.2.mga5
gambas3-gb-markdown-3.6.2-4.2.mga5
gambas3-gb-media-3.6.2-4.2.mga5
gambas3-gb-mime-3.6.2-4.2.mga5
gambas3-gb-memcached-3.6.2-4.2.mga5
gambas3-gb-mysql-3.6.2-4.2.mga5
gambas3-gb-ncurses-3.6.2-4.2.mga5
gambas3-gb-net-3.6.2-4.2.mga5
gambas3-gb-net-curl-3.6.2-4.2.mga5
gambas3-gb-net-smtp-3.6.2-4.2.mga5
gambas3-gb-net-pop3-3.6.2-4.2.mga5
gambas3-gb-opengl-3.6.2-4.2.mga5
gambas3-gb-opengl-glsl-3.6.2-4.2.mga5
gambas3-gb-opengl-glu-3.6.2-4.2.mga5
gambas3-gb-opengl-sge-3.6.2-4.2.mga5
gambas3-gb-openssl-3.6.2-4.2.mga5
gambas3-gb-option-3.6.2-4.2.mga5
gambas3-gb-pcre-3.6.2-4.2.mga5
gambas3-gb-pdf-3.6.2-4.2.mga5
gambas3-gb-qt4-3.6.2-4.2.mga5
gambas3-gb-qt4-ext-3.6.2-4.2.mga5
gambas3-gb-qt4-opengl-3.6.2-4.2.mga5
gambas3-gb-qt4-webkit-3.6.2-4.2.mga5
gambas3-gb-report-3.6.2-4.2.mga5
gambas3-gb-sdl-3.6.2-4.2.mga5
gambas3-gb-sdl-sound-3.6.2-4.2.mga5
gambas3-gb-settings-3.6.2-4.2.mga5
gambas3-gb-signal-3.6.2-4.2.mga5
gambas3-gb-v4l-3.6.2-4.2.mga5
gambas3-gb-vb-3.6.2-4.2.mga5
gambas3-gb-web-3.6.2-4.2.mga5
gambas3-gb-libxml-3.6.2-4.2.mga5
gambas3-gb-logging-3.6.2-4.2.mga5
gambas3-gb-xml-3.6.2-4.2.mga5
gambas3-gb-xml-html-3.6.2-4.2.mga5
gambas3-gb-xml-rpc-3.6.2-4.2.mga5
gambas3-gb-xml-xslt-3.6.2-4.2.mga5
gambas3-gb-data-3.6.2-4.2.mga5
gambas3-gb-complex-3.6.2-4.2.mga5
gambas3-gb-args-3.6.2-4.2.mga5
gambas3-gb-httpd-3.6.2-4.2.mga5

from gambas3-3.6.2-4.2.mga5.src.rpm
Source RPM: eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 => gambas3
Trying M5 x64 with XFCE.

Preliminary info...
http://gambaswiki.org/wiki/doc/whatisgambas?nh
http://gambaswiki.org/wiki/doc/intro?nh
but these two pages apart?

What to install? I landed up with this mixture of specific and dependent packages:
gambas3-devel-3.6.2-4.1.mga5
gambas3-examples-3.6.2-4.1.mga5
gambas3-gb-cairo-3.6.2-4.1.mga5
gambas3-gb-clipper-3.6.2-4.1.mga5
gambas3-gb-db-3.6.2-4.1.mga5
gambas3-gb-db-form-3.6.2-4.1.mga5
gambas3-gb-desktop-3.6.2-4.1.mga5
gambas3-gb-eval-highlight-3.6.2-4.1.mga5
gambas3-gb-form-3.6.2-4.1.mga5
gambas3-gb-form-dialog-3.6.2-4.1.mga5
gambas3-gb-form-mdi-3.6.2-4.1.mga5
gambas3-gb-form-stock-3.6.2-4.1.mga5
gambas3-gb-geom-3.6.2-4.1.mga5
gambas3-gb-gtk-3.6.2-4.1.mga5
gambas3-gb-gui-3.6.2-4.1.mga5
gambas3-gb-image-3.6.2-4.1.mga5
gambas3-gb-image-effect-3.6.2-4.1.mga5
gambas3-gb-markdown-3.6.2-4.1.mga5
gambas3-gb-qt4-3.6.2-4.1.mga5
gambas3-gb-qt4-ext-3.6.2-4.1.mga5
gambas3-gb-qt4-webkit-3.6.2-4.1.mga5
gambas3-gb-settings-3.6.2-4.1.mga5
gambas3-ide-3.6.2-4.1.mga5
gambas3-runtime-3.6.2-4.1.mga5
gambas3-script-3.6.2-4.1.mga5
of which just devel, examples, ide, runtime, script, gb-gtk, gb-qt4 would probably pull in anything else necessary to make it do almost everything.

No man pages for the many commands installed:
/usr/bin/gambas3 -> gambas3.gambas*
/usr/bin/gambas3.gambas*
/usr/bin/gbs3 -> gbs3.gambas*
/usr/bin/gbs3.gambas*
/usr/bin/gba3*
/usr/bin/gbc3*
/usr/bin/gbi3*
/usr/bin/gbr3 -> gbx3*
/usr/bin/gbs3 -> gbs3.gambas*
/usr/bin/gbs3.gambas*
/usr/bin/gbw3 -> gbs3.gambas*
/usr/bin/gbx3*
but
$ <command> -h
does give usage & parameter info.

In addition, for testing, there is a clutch of sample projects provided in:
/usr/share/gambas3/examples/*/
and a menu entry 'Gambas3' under 'Development' [same as for gambas3 command]. This shows a window in which 'examples' is included in the menu on the left. Clicking that shows a list of all the included examples. Would that more software did this sort of thing. Plus a tips of the day window.

Alas: trying any one shows the project correctly, but an *empty* alert. So there is a basic 'how to drive it' problem. Right-clicking the project icon, Properties, Libraries may offer a clue:
"WARNING! The project executable and the libraries it depends on must be stored inside the same directory. Otherwise the libraries will not be found."

If we can find the key (doubtless simple), this should be super easy to test. Can anyone advise how to drive it? It looks a very decent package.
CC: (none) => lewyssmith
Tested M5 x64 under XFCE: OK

First good news: how to run those examples. The alleged 'empty' alert is NOT; but how to read white text on a pale yellow background? BTAIM It disappears when clicked. The toolbar above has a green right-pointing triangle. *This* kicks off the chosen project. If this requires a module not installed, it says so tidily.

Everything yielded an error
"Failed to create secure directory (/run/user/1001/pulse): Permission denied"
often many times. This did not seem to matter.

[I researched on their site how to run the examples, mailList & Forum. The only advice I found suggested either 'saving as' the opened project, then using the copy; or creating a new project as 'copy from an existing one', but I did not see this choice. No matter in the circumstances: the green triangle is what matters].

Updated all installed modules to 3.6.2-4.2.mga5. The program and the examples I tried all behaved as previously. Update OK.
Whiteboard: (none) => MGA5-64-OK
Good work. An madb diff of the srpm shows the patch is applied here too.
http://madb.mageia.org/rpm/diff/application/0/name/gambas3-3.6.2-4.2.mga5.src.rpm/source/1/release/5/arch/i586/t_media/5

Validating. Advisory uploaded.

Please push to 5 updates, thanks.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/675834/
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0075.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED