Fedora has issued an advisory on March 3:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178378.html

Corrected packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated exempi and exiv2 packages fix security vulnerability:

exempi contains code to protect against a denial-of-service attack related to XML entity expansion ("billion laughs attack"), but it was not compiled into the Mageia package because BanAllEntityUsage was not defined when the package was compiled. This has been corrected by recompiling it with the BanAllEntityUsage macro defined. The exiv2 package contains a bundled copy of the same code and has also been recompiled with the macro defined.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178378.html
========================

Updated packages in core/updates_testing:
========================
libexempi3-2.2.2-14.1.mga5
libexempi-devel-2.2.2-14.1.mga5
exiv2-0.24-5.1.mga5
libexiv2_13-0.24-5.1.mga5
libexiv2-devel-0.24-5.1.mga5
exiv2-doc-0.24-5.1.mga5

from SRPMS:
exempi-2.2.2-14.1.mga5.src.rpm
exiv2-0.24-5.1.mga5.src.rpm
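The advisory's point is that the protection is a compile-time policy: with BanAllEntityUsage defined, the XMP parser refuses any entity machinery outright instead of trying to bound expansion. The following is an added illustration of that policy, not code from exempi, exiv2 or Mageia; it uses Python's bundled expat binding (the same parser family XMPCore builds on) rather than XMPCore's C++ adapter, and the function names, the sample XMP packets and the rejection-before-expansion design are this example's own assumptions.

```python
# Added example (not exempi/exiv2/Mageia code): an XMP loader that bans all
# entity usage, mirroring the BanAllEntityUsage policy the rebuilt packages
# enable. Python's xml.parsers.expat is used in place of XMPCore's expat adapter.
import xml.parsers.expat as expat


class EntityUsageError(ValueError):
    """Raised when a document declares or references any XML entity."""


def parse_without_entities(data: bytes) -> list:
    """Parse an XMP packet and return the element names seen, in document
    order. Any DOCTYPE, entity declaration or entity reference (internal or
    external) aborts parsing before the parser does any expansion work."""
    parser = expat.ParserCreate()
    seen = []

    def ban(*_args):
        # Called by expat at the point the entity construct is *declared* or
        # *referenced*, so the cost of rejecting is bounded by the input size.
        raise EntityUsageError("entity usage is banned in XMP packets")

    parser.StartDoctypeDeclHandler = ban     # <!DOCTYPE ...>, where entities live
    parser.EntityDeclHandler = ban           # <!ENTITY ...> declarations
    parser.ExternalEntityRefHandler = ban    # references to external entities
    parser.SkippedEntityHandler = ban        # references expat could not resolve
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def is_safe_xmp(data: bytes) -> bool:
    """Policy wrapper: True if the packet parses with entities banned."""
    try:
        parse_without_entities(data)
        return True
    except EntityUsageError:
        return False


# Constructed sample packets (not taken from any real image).
CLEAN_XMP = b"""<?xml version="1.0"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""/>
 </rdf:RDF>
</x:xmpmeta>"""

# A single, harmless entity is enough to trip the ban: the policy is
# "no entities at all", not "no large expansions".
ENTITY_XMP = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY greeting "hello"> ]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">&greeting;</x:xmpmeta>"""

if __name__ == "__main__":
    print("clean packet elements:", parse_without_entities(CLEAN_XMP))
    print("clean packet accepted:", is_safe_xmp(CLEAN_XMP))
    print("entity packet accepted:", is_safe_xmp(ENTITY_XMP))
```

XMP packets never need a DOCTYPE, so rejecting the declaration itself costs nothing in compatibility and removes the whole class of expansion problems rather than one payload shape. The check to carry over to a packaged build is the one the advisory describes: confirm the macro was actually defined at compile time, since the source containing the protection is no protection when it is preprocessed out.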
Procedure:
use test image from: http://www.exiv2.org/sample.html
man page is here: http://www.exiv2.org/manpage.html
Also used test images from my Canon EOS camera (jpg & CR2/RAW)

In VirtualBox, M5, KDE, 32-bit
Package(s) under test: exiv2

default install of exiv2

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.mga5.i586 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files

exiv2 -pt image_file.xxx
returns a massive amount of metadata

exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
adds "bkenney" to Exif.Image.Artist field

install exiv2 from updates_testing

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.1.mga5.i586 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files

exiv2 -pt image_file.xxx
returns a massive amount of metadata

exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
adds "bkenney" to Exif.Image.Artist field
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit
Package(s) under test: exiv2

default install of exiv2

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.mga5.x86_64 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files

exiv2 -pt image_file.xxx
returns a massive amount of metadata

exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
adds "bkenney" to Exif.Image.Artist field

install exiv2 from updates_testing

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.1.mga5.x86_64 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files

exiv2 -pt image_file.xxx
returns a massive amount of metadata if it's there.

exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
adds "bkenney" to Exif.Image.Artist field
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded, but lacks CVEs.
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
(In reply to Lewis Smith from comment #4)
> Advisory uploaded, but lacks CVEs.

You may want to double-check it, as the updates bot just ran and didn't push this.
(In reply to Lewis Smith from comment #4)
> Advisory uploaded, but lacks CVEs.

Not sure if this is why it failed to push, but I've removed the line 'Advisory text to describe the update.', and the duplication of the subject line. Also removed a trailing blank line.

The srpms etc. all look correct as far as I can see.
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #6)
> Not sure if this is why it failed to push, but I've removed the line
> 'Advisory text to describe the update.', and the duplication of the subject
> line. Also removed a trailing blank line.
> The srpms etc, all look correct as far as I can see.

Thanks Dave. This looks better.
This happens to be the first Advisory I have done which has 2 SRPMs - in case that had a bearing.
The reason it failed to get pushed was wrong srpm names... (no "src.rpm" allowed)

I fixed it with:

--- 17877.adv (revision 4316) +++ 17877.adv (working copy) @@ -3,8 +3,8 @@ src: 5: core: - - exempi-2.2.2-14.1.mga5.src.rpm - - exiv2-0.24-5.1.mga5.src.rpm + - exempi-2.2.2-14.1.mga5 + - exiv2-0.24-5.1.mga5
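Review bot: the hunk as shown is truncated, so its trailing context cannot be reviewed: the header `@@ -3,8 +3,8 @@` promises eight lines on each side, but only `src:`, `5:`, `core:` and the two removed (or two added) entries are visible, three short of the header's count. The visible part does match the stated cause: the two entries under `core:` drop the `.src.rpm` suffix, leaving bare SRPM names (`- exempi-2.2.2-14.1.mga5`, `- exiv2-0.24-5.1.mga5`) as the advisory format requires, and nothing else in the stanza changes. Since the bot's rejection gave no useful reason and this was the first two-SRPM advisory on the thread, the lesson worth recording alongside the fix is that `src:` entries are name-version-release only, never file names.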
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0101.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED