CVEs have been assigned for multiple security issues in netpbm: http://openwall.com/lists/oss-security/2017/02/05/7 It says the issues were found in an older branch, but it's not clear if any have been fixed in later versions or if those just haven't been tested.
Whiteboard: (none) => MGA5TOO
(In reply to David Walser from comment #0)
> CVEs have been assigned for multiple security issues in netpbm:
> http://openwall.com/lists/oss-security/2017/02/05/7
>
> It says the issues were found in an older branch, but it's not clear if any
> have been fixed in later versions or if those just haven't been tested.

Maybe one of our packagers is willing to investigate. Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
I checked with Bryan Henderson upstream. "The two Svgtopam vulnerabilities exist in both those releases. The current Stable release (10.73.07) has them fixed." I will try to package 10.73.07 for both cauldron and 5.
CC: (none) => mrambo
Update to 10.73.07 uploaded and freeze push requested. Mga5 is taking longer.
Updated package uploaded for Mageia 5. I did not find any past test procedures for this package but David Hodgins suggested on IRC that I use xfig or tuxpaint for my pre-testing. This may help QA also.

Advisory:
========================

Version 10.73.07 fixes security vulnerabilities:

* Out-of-bounds write in writeRasterPbm() (CVE-2017-2581)
* Out-of-bounds read in expandCodeOntoStack() (CVE-2017-2579)
* Out-of-bounds write of heap data in addPixelToRaster() (CVE-2017-2580)
* Null pointer dereference in stringToUint (CVE-2017-2586)
* Insufficient size check of memory allocation in createCanvas() (CVE-2017-2587)

References:
http://openwall.com/lists/oss-security/2017/02/05/7
========================

Updated packages in core/updates_testing:
========================
lib64netpbm11-10.73.07-1.mga5
lib64netpbm-devel-10.73.07-1.mga5
netpbm-10.73.07-1.mga5
netpbm-debuginfo-10.73.07-1.mga5

from netpbm-10.73.07-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Found no trace of netpbm in using xfig, but found info in netpbm website as to usage of its commands. So, I created a small ppm graphic with xfig and then at CLI:
$ ppmtojpeg testnet.ppm > testnet.jpg
And found the jpg to have the correct graphics. ppmtojpeg being one of the programs of netpbm.
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Fedora has issued an advisory for this today (February 14): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDK3BDMKIQL2NQ3SJZXPBEN2LSOUSSEE/ LWN reference: https://lwn.net/Vulnerabilities/714504/
Also used xfig to export a drawing as a ppm file, then used ppmtobmp to convert it, using xv to view the result. Validating the update.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
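The two QA comments above test the update by hand (xfig → ppm → ppmtojpeg / ppmtobmp → look at the result). The script below is an added example, not part of the bug report or of the netpbm package: it constructs a 2x2 PPM itself instead of using xfig, runs the same two converters, and verifies the output by its magic bytes rather than by viewing it. It assumes the netpbm programs ppmtojpeg and ppmtobmp are on PATH; if they are not, the conversions are skipped and the script reports status 2.

```sh
#!/bin/sh
# Added QA smoke test for the netpbm update (not from the bug report).
# Writes a 2x2 binary PPM by hand (so xfig is not needed), converts it with
# ppmtojpeg and ppmtobmp as the QA comments did, and checks the output magic
# bytes instead of eyeballing the result in xv. Conversions are skipped
# (status 2) when the netpbm programs are not installed.

# Write a constructed 2x2 P6 PPM to $1: red, green, blue and white pixels.
make_test_ppm() {
    printf 'P6\n2 2\n255\n' > "$1"
    printf '\377\000\000\000\377\000\000\000\377\377\377\377' >> "$1"
}

# Print the first $2 bytes of file $1 as lowercase hex, e.g. "ffd8" for JPEG.
magic_hex() {
    od -An -tx1 -N"$2" "$1" | tr -d ' \n'
}

# Convert $1 with netpbm program $2 into $3 and compare the 2-byte magic
# with $4. Returns 0 on success, 1 on failure, 2 if $2 is not installed.
convert_and_check() {
    command -v "$2" >/dev/null 2>&1 || return 2
    "$2" "$1" > "$3" 2>/dev/null || return 1
    [ "$(magic_hex "$3" 2)" = "$4" ]
}

# Run both conversions in a scratch directory.
# Returns 0 when both verified, 2 when both were skipped, 1 on any failure.
run_smoke_test() {
    dir=$(mktemp -d) || return 1
    make_test_ppm "$dir/testnet.ppm"
    [ "$(magic_hex "$dir/testnet.ppm" 2)" = "5036" ] || return 1   # "P6"
    jpg=0; convert_and_check "$dir/testnet.ppm" ppmtojpeg "$dir/testnet.jpg" ffd8 || jpg=$?
    bmp=0; convert_and_check "$dir/testnet.ppm" ppmtobmp  "$dir/testnet.bmp" 424d || bmp=$?
    rm -rf "$dir"
    [ "$jpg" -ne 1 ] && [ "$bmp" -ne 1 ] || return 1
    [ "$jpg" -eq 2 ] && [ "$bmp" -eq 2 ] && return 2
    return 0
}

rc=0; run_smoke_test || rc=$?
echo "netpbm smoke test status: $rc (0 = verified, 2 = netpbm not installed)"
```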
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0058.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => https://lwn.net/Vulnerabilities/715042/