Fedora has issued an advisory today (August 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JVINHHR6VJKXTYYMAYKN5GROKHVT4UKB/

The issue is fixed upstream in 3.20.4 (already in Cauldron). Patched package uploaded for Mageia 5.

Advisory:
========================

Updated eog packages fix security vulnerability:

An out-of-bounds write vulnerability in eog was found when processing a specially crafted SVG file. Due to passing the error message containing an invalid UTF-8 character to GMarkup, out-of-bounds access is triggered (CVE-2016-6855).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6855
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JVINHHR6VJKXTYYMAYKN5GROKHVT4UKB/
========================

Updated packages in core/updates_testing:
========================
eog-3.14.3-1.2.mga5
libeog-gir3.0-3.14.3-1.2.mga5
eog-devel-3.14.3-1.2.mga5

from eog-3.14.3-1.2.mga5.src.rpm
x86_64 Mate

Not quite sure what I am doing here....

Downloaded crashEOG.svg as part of the PoC; https://bugzilla.gnome.org/show_bug.cgi?id=770143

It is not even pretending to be an SVG file...

$ od -a crashEOG.svg
<first three lines of dump>
0000000 sp < t ff d rs U { nak } J cr B " cr eot
0000020 nl L X E ~ H e $ D n bel 9 enq ff so x
0000040 v can nl W " enq j a i ! T ; ` + Y q

First three lines of a valid SVG image:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg

So I am left wondering if the quoted link does point to the PoC image. Downloading the attachment by right clicking offers crashEOG.svg as the file name. ??

Before update:
$ eog crashEOG.svg
reported this:
Could not load image 'crashEOG.svg'.
<small>Error domain 1 code 73 on line 1 column 4 of file:///home/lcl/Downloads/crashEOG.svg: Couldn't find end of Start Tag X</small>

After updates:
$ eog crashEOG.svg
<terminal output>
(eog:20458): GLib-WARNING **: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was:
Error domain 1 code 73 on line 1 column 4 of file:///home/lcl/Downloads/crashEOG.svg: Couldn't find end of Start Tag \xf4

<popup>
Could not load image 'crashEOG.svg'
Error domain 1 code 73 on line 1 column 4 of file:///home/lcl/Downloads/crashEOG.svg: Couldn't find end of Start Tag ? (invalid Unicode)

eog successfully displays JPEG, PNG and SVG images, as it did before updating.
CC: (none) => tarazed25
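The mechanism the advisory describes, and the trailing \xf4 in the tester's output, as an added illustration (my own code, not eog's, GLib's or the upstream fix): a UTF-8 walker that trusts the lead byte of a truncated final sequence computes an index past the end of the buffer, whereas validating the message and replacing invalid bytes before it reaches a markup escaper keeps every access in bounds. The function names and the simplified validation rules are assumptions made for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a UTF-8 lead byte claims for its sequence; 0 for a byte that cannot start one.
 * Illustrative walker, not GLib's code. */
static size_t lead_len(unsigned char b) {
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) return 2;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    if (b >= 0xF0 && b <= 0xF4) return 4;
    return 0;
}

/* The bug class: a walker that trusts the lead byte. Returns the index it would land on
 * after the final character; a value larger than len means it stepped past the buffer
 * (and past the NUL terminator) on a truncated sequence such as a trailing 0xF4.
 * The loop is bounded by len so the demonstration itself never reads out of bounds. */
size_t naive_walk_end(const char *s, size_t len) {
    size_t i = 0;
    while (i < len) {
        size_t n = lead_len((unsigned char)s[i]);
        i += n ? n : 1;
    }
    return i;
}

/* The mitigation: validate each sequence (lead byte, length, continuation bytes) and
 * replace anything invalid with U+FFFD before the string reaches code that walks it,
 * such as a markup escaper. Simplified: overlong and surrogate encodings are not rejected.
 * Caller frees the result. */
char *sanitize_utf8(const char *s, size_t len) {
    char *out = malloc(len * 3 + 1), *o = out;   /* worst case: 3 bytes per input byte */
    if (!out) return NULL;
    for (size_t i = 0; i < len; ) {
        size_t n = lead_len((unsigned char)s[i]);
        int ok = n > 0 && i + n <= len;
        for (size_t k = 1; ok && k < n; k++)
            ok = ((unsigned char)s[i + k] & 0xC0) == 0x80;   /* 10xxxxxx */
        if (ok) { memcpy(o, s + i, n); o += n; i += n; }
        else    { memcpy(o, "\xEF\xBF\xBD", 3); o += 3; i += 1; }
    }
    *o = '\0';
    return out;
}
```

The constructed message below mirrors the tester's parser error ending in a lone 0xF4 lead byte; the sanitized form is what a UI label can safely be handed.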
Checking back to GNOME Bugzilla, it appears that the error message for the before update test was almost the same as observed here, which indicates that the downloaded file is the correct PoC image. Validating this on the strength of the similar messages.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0297.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED