Fedora has issued an advisory on December 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNGPD6IEEBZDLN6EMGXQ2ATUACQSTOWQ/

The issue is fixed in 1.14.41, which is already in Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libgsf packages fix security vulnerability:

An error within the "tar_directory_for_file()" function (gsf-infile-tar.c) in GNOME Structured File Library before 1.14.41 can be exploited to trigger a Null pointer dereference and subsequently cause a crash via a crafted TAR file (CVE-2016-9888).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9888
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNGPD6IEEBZDLN6EMGXQ2ATUACQSTOWQ/
========================

Updated packages in core/updates_testing:
========================
libgsf-1.14.31-1.1.mga5
libgsf1_114-1.14.31-1.1.mga5
libgsf-devel-1.14.31-1.1.mga5
libgsf-gir1-1.14.31-1.1.mga5

from libgsf-1.14.31-1.1.mga5.src.rpm
URL: (none) => https://lwn.net/Vulnerabilities/708871/
MGA5-32 on Acer D620 Xfce

No installation issues.

# urpmq --whatrequires libgsf
libgsf

Not very useful.

Googled and found a possible testcase (attached file) but got into problems with it. One is supposed to put some zip archive myarchive.zip and the test file in a folder and run there:

$ valac --pkg libgsf-1 gsf-sample.vala
$ ./gsf-sample

but at the first command I get:

$ valac --pkg libgsf-1 gsf-sample.vala
In file included from /home/tester5/Video/gsf-sample.vala.c:14:0:
/usr/include/libgsf-1/gsf/gsf-outfile-impl.h:30:12: fout: field ‘parent’ has incomplete type
  GsfOutput parent;
            ^
/usr/include/libgsf-1/gsf/gsf-outfile-impl.h:34:2: fout: unknown type name ‘GsfOutputClass’
  GsfOutputClass output_class;
  ^
error: cc exited with status 256
Compilation failed: 1 error(s), 0 warning(s)
CC: (none) => herman.viaene
Created attachment 8810 [details] test program
Usually only the library package is directly required. Try:

urpmq --whatrequires libgsf1_114

or:

urpmq --whatrequires lib64gsf1_114
Following David's advice, I found gchemtable. Running

$ strace -o libgsf.txt gchemtable

gave me in the file:

open("/lib/libgsf-1.so.114", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\265\0\0004\0\0\0"..., 512) = 512

and gchem works OK.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
Testing on X86_64 real hardware.

There does not appear to be any means for reproducing the security problem.

Installed:
- libgsf-1.14.31-1.1.mga5
- lib64gsf1_114-1.14.31-1.1.mga5
- lib64gsf-devel-1.14.31-1.1.mga5
- lib64gsf-gir1-1.14.31-1.1.mga5

Used link derived from program sample: https://wiki.gnome.org/Projects/Vala/GSFSample to check compilation requirements.

$ sudo urpmi vala
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  lib64ffi-devel                 3.1          4.mga5        x86_64
  lib64vala0.26_0                0.26.2       1.mga5        x86_64
  vala                           0.26.2       1.mga5        x86_64
(medium "Core Updates (distrib3)")
  glib-gettextize                2.42.1       2.1.mga5      x86_64
  lib64glib2.0-devel             2.42.1       2.1.mga5      x86_64
  lib64pcre-devel                8.38         1.mga5        x86_64

$ valac --pkg libgsf-1 gsf-sample.vala

Produced the same errors as reported in comment 1 for i586.

$ strace -o gchem.trace gchemtable
$ grep gsf gchem.trace
open("/usr/lib64/libgsf-1.so.114", O_RDONLY|O_CLOEXEC) = 3
stat("/home/lcl/qa/libgsf", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/libgsf.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/libgsf.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB/LC_MESSAGES/libgsf.mo", O_RDONLY) = 13

This gets as far as the i586 tests - marking it as OK.
CC: (none) => tarazed25
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
Validated; advisory already in place.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0427.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED