Bug 20524 - R-base new security issue CVE-2016-8714
Summary: R-base new security issue CVE-2016-8714
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-19 16:10 CET by David Walser
Modified: 2017-08-03 21:06 CEST (History)
4 users

See Also:
Source RPM: R-base-3.1.2-2.mga5.src.rpm
CVE:
Status comment:


Attachments
Extract from the sample session in the R manual (600 bytes, text/plain)
2017-07-31 19:25 CEST, Len Lawrence

Description David Walser 2017-03-19 16:10:47 CET
Debian has issued an advisory today (March 19):
https://lists.debian.org/debian-security-announce/2017/msg00068.html

The DSA will be posted here:
https://www.debian.org/security/2017/dsa-3813

It may be fixed already in Cauldron, unless Debian also added a patch to 3.3.3.
Comment 1 Marja Van Waes 2017-03-19 17:19:25 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lmenut

Comment 2 David Walser 2017-07-09 02:09:57 CEST
Luc built an update for this and never said anything.  Assigning to QA.

Advisory:
========================

Updated R-base packages fix security vulnerability:

Cory Duplantis discovered a buffer overflow in the R programming language. A
malformed encoding file may lead to the execution of arbitrary code during PDF
generation (CVE-2016-8714).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
https://www.debian.org/security/2017/dsa-3813
========================

Updated packages in core/updates_testing:
========================
R-base-3.1.2-2.1.mga5
libRmath-3.1.2-2.1.mga5
libRmath-devel-3.1.2-2.1.mga5

from R-base-3.1.2-2.1.mga5.src.rpm

Assignee: lmenut => qa-bugs
CC: (none) => lmenut
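
The advisory above names the fixed builds (R-base-3.1.2-2.1.mga5 and the libRmath packages from the same source RPM). The following script is an added example, not part of this bug report or of Mageia's tooling: it takes an installed version-release string for R-base (on a Mageia 5 host that string would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' R-base`, which is assumed here, not taken from the page) and reports whether it is at or above the fixed build. The comparison is a simplified version of the rpm ordering rules (numeric fields compared as integers, a numeric field ranks above an alphabetic one, the side with fields left over ranks higher); it is not the full rpmvercmp algorithm, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): is the installed R-base at or
# above the build that fixes CVE-2016-8714 on Mageia 5?
FIXED_EVR="3.1.2-2.1.mga5"

# Split "3.1.2-2.1.mga5" into version "3.1.2" and release "2.1.mga5".
evr_version() { printf '%s\n' "${1%%-*}"; }
evr_release() { printf '%s\n' "${1#*-}"; }

# True when the argument is a non-empty string of digits.
is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Compare two dot-separated strings field by field (simplified rpm rules).
# Prints -1, 0 or 1.
cmp_dotted() {
    a="$1"; b="$2"
    while :; do
        # Both exhausted: equal. One exhausted: the side with leftovers wins.
        if [ -z "$a" ] && [ -z "$b" ]; then printf '%s\n' 0; return; fi
        if [ -z "$a" ]; then printf '%s\n' -1; return; fi
        if [ -z "$b" ]; then printf '%s\n' 1; return; fi
        # Pop the leading field off each side.
        case "$a" in *.*) fa="${a%%.*}"; a="${a#*.}" ;; *) fa="$a"; a="" ;; esac
        case "$b" in *.*) fb="${b%%.*}"; b="${b#*.}" ;; *) fb="$b"; b="" ;; esac
        if is_num "$fa" && is_num "$fb"; then
            if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
            if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
        elif is_num "$fa"; then
            printf '%s\n' 1; return          # numeric beats alphabetic
        elif is_num "$fb"; then
            printf '%s\n' -1; return
        elif [ "$fa" != "$fb" ]; then
            # Two differing alphabetic fields: plain lexical order.
            if [ "$(printf '%s\n%s\n' "$fa" "$fb" | sort | head -n 1)" = "$fa" ]
            then printf '%s\n' -1; else printf '%s\n' 1; fi
            return
        fi
    done
}

# Compare two version-release strings: version first, then release.
cmp_evr() {
    r=$(cmp_dotted "$(evr_version "$1")" "$(evr_version "$2")")
    if [ "$r" -ne 0 ]; then printf '%s\n' "$r"; return; fi
    cmp_dotted "$(evr_release "$1")" "$(evr_release "$2")"
}

# Exit status 0 when the installed build is at least FIXED_EVR.
r_base_is_fixed() {
    [ "$(cmp_evr "$1" "$FIXED_EVR")" -ge 0 ]
}

# Usage: sh check_r_base.sh [installed-version-release]
# Without an argument a constructed sample (the pre-update build) is used.
sample="${1:-3.1.2-2.mga5}"
if r_base_is_fixed "$sample"; then
    echo "R-base $sample: at or above $FIXED_EVR, CVE-2016-8714 fix present"
else
    echo "R-base $sample: below $FIXED_EVR, update still needed"
fi
```

Feeding it the pre-update build 3.1.2-2.mga5 reports that the update is still needed; the 3.1.2-2.1.mga5 build from the advisory passes. A later version such as the 3.3.3 series mentioned for Cauldron also passes, since the version fields are compared before the release.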

Comment 3 Len Lawrence 2017-07-31 19:23:26 CEST
mga5  x86_64  Mate

Had a look at the introduction and R-lang manuals downloaded from 
https://www.r-project.org/about.html
and decided that it required too much time to learn to use.

Installed R and set up a work directory.
Just typing R brings up a command line prompt for interrogating the system or writing code statements.
$ cd work
$ R
> help()
q
> demo()
q
> help.start()
> q()
$

Help is extensive and demo outlines the demonstration programs available. 
help.start() launches a web page with comprehensive links and following
"packages" lists the packages in the standard library, all concerned with statistical analysis.  Other links cover the same ground as the PDF manuals.

Installed the updates and checked out the interfaces as above and tried out 
the sample session from Appendix A of the manual.  See the attachment for a partial sample interactive session.
That all went well and as there is not much else we can do with this it gets the OK.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-07-31 19:25:57 CEST
Created attachment 9543 [details]
Extract from the sample session in the R manual

Since R is a GNU project there should be no copyright issues, I hope.
Len Lawrence 2017-07-31 19:26:22 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 5 Rémi Verschelde 2017-08-03 18:48:49 CEST
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-08-03 21:06:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0236.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

