Nicolas Salguero pushed ming-0.4.5-8.2.mga5 to 5 core/updates_testing last Friday.

Suggested Advisory:
========================================

The update fixes CVE-2017-7578:

Multiple heap-based buffer overflows in parser.c in libming 0.4.7 allow remote attackers to cause a denial of service (listswf application crash) or possibly have unspecified other impact via a crafted SWF file. NOTE: this issue exists because of an incomplete fix for CVE-2016-9831.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7578
========================================

Updated packages in core/updates_testing:
========================================

libming-devel-0.4.5-8.2.mga5.i586
libming1-0.4.5-8.2.mga5.i586
ming-utils-0.4.5-8.2.mga5.i586
perl-SWF-0.4.5-8.2.mga5.i586
python-SWF-0.4.5-8.2.mga5.i586
lib64ming-devel-0.4.5-8.2.mga5.x86_64
lib64ming1-0.4.5-8.2.mga5.x86_64
ming-utils-0.4.5-8.2.mga5.x86_64
perl-SWF-0.4.5-8.2.mga5.x86_64
python-SWF-0.4.5-8.2.mga5.x86_64

from SRPM:
ming-0.4.5-8.2.mga5
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Testing this on real x86_64 and an i586 virtualbox. The report is rather long, so it is provided as an attachment.

Summary: libming was already installed on the 64-bit machine. Downloaded a reproducer image (SWF) and found that listing its contents causes the script to hang. After the update, listing runs to completion, with an acknowledgement that the file contains trailing garbage. Installed clash, a drawing and animation program which uses libming. At a primitive level it works.

OK for 64-bit.
CC: (none) => tarazed25
Whiteboard: advisory => advisory MGA5-64-OK
Created attachment 9201 [details] Extended description of update test
i586 virtualbox

Obtained the reproducer file and ran the pre- and post-update listswf tests as detailed for x86_64 and found identical results. listaction used to analyze an existing NASA animation; it showed the actions and the placing of various objects. Installed clash and played with it. Looks OK.

OK for 32-bit.
Whiteboard: advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
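The two test reports above exercise the same thing from the outside: listswf is fed a crafted SWF whose tag structure does not match the bytes actually present, and the fixed build has to stop cleanly (and report trailing data) instead of reading past its buffers. The following is an added illustration of the bounds check an SWF tag walker needs to do that; it is not libming's parser.c, it handles only uncompressed "FWS" files, and the three SWF byte strings in it are constructed by hand rather than taken from the reproducer attached to this bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libming code. Walks the tag list of an uncompressed
 * SWF and refuses any tag whose declared length exceeds the bytes remaining. */

typedef enum {
    SWF_OK = 0,            /* every tag fits and an End tag was reached */
    SWF_TRUNCATED_HEADER,  /* too short for signature, version, FileLength, RECT, rate, count */
    SWF_NOT_FWS,           /* only uncompressed "FWS" files are handled here */
    SWF_LENGTH_MISMATCH,   /* header FileLength disagrees with the bytes actually supplied */
    SWF_TAG_OVERRUNS_FILE, /* a tag claims more bytes than remain: refuse, never read past the buffer */
    SWF_TRAILING_GARBAGE   /* bytes follow the End tag; harmless, but reported (as listswf reports it) */
} swf_result;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* RECORDHEADER: UI16 with the tag code in the top 10 bits and a 6-bit length;
 * a length of 0x3f means a UI32 long length follows. Requires off <= len. */
static swf_result swf_walk_tags(const uint8_t *buf, size_t len, size_t off, unsigned *ntags)
{
    for (;;) {
        if (len - off < 2) return SWF_TAG_OVERRUNS_FILE;
        uint16_t hdr = rd16(buf + off);
        uint16_t code = (uint16_t)(hdr >> 6);
        uint32_t taglen = hdr & 0x3f;
        off += 2;
        if (taglen == 0x3f) {
            if (len - off < 4) return SWF_TAG_OVERRUNS_FILE;
            taglen = rd32(buf + off);
            off += 4;
        }
        /* The decisive check: taglen is attacker-controlled, len - off is not.
         * Compare before any allocation, copy or seek sized by taglen. */
        if (taglen > len - off) return SWF_TAG_OVERRUNS_FILE;
        off += taglen;
        (*ntags)++;
        if (code == 0) return off < len ? SWF_TRAILING_GARBAGE : SWF_OK;
    }
}

static swf_result swf_check_impl(const uint8_t *buf, size_t len, unsigned *ntags)
{
    if (len < 9) return SWF_TRUNCATED_HEADER;          /* "FWS", version, UI32 FileLength, first RECT byte */
    if (memcmp(buf, "FWS", 3) != 0) return SWF_NOT_FWS;
    if (rd32(buf + 4) != len) return SWF_LENGTH_MISMATCH;
    unsigned nbits = buf[8] >> 3;                      /* RECT: 5-bit Nbits, then four Nbits-wide fields */
    size_t off = 8 + (5 + 4 * (size_t)nbits + 7) / 8 + 2 + 2; /* + FrameRate UI16 + FrameCount UI16 */
    if (off > len) return SWF_TRUNCATED_HEADER;
    return swf_walk_tags(buf, len, off, ntags);
}

/* Public entry point; ntags may be NULL. */
swf_result swf_check(const uint8_t *buf, size_t len, unsigned *ntags)
{
    unsigned n = 0;
    swf_result r = swf_check_impl(buf, len, &n);
    if (ntags) *ntags = n;
    return r;
}

unsigned swf_count_tags(const uint8_t *buf, size_t len)
{
    unsigned n;
    swf_check(buf, len, &n);
    return n;
}

/* Constructed samples. Header: "FWS", version 6, UI32 FileLength, RECT with
 * Nbits = 0 (one byte), FrameRate 12.0 (8.8 fixed), FrameCount 1. */
#define SWF_HDR(total) 'F', 'W', 'S', 6, (total), 0, 0, 0, 0x00, 0x00, 0x0C, 0x01, 0x00

const uint8_t good_swf[] = {
    SWF_HDR(22),
    0x43, 0x02, 0x00, 0x00, 0x00, /* SetBackgroundColor (code 9, len 3), RGB black */
    0x40, 0x00,                   /* ShowFrame (code 1, len 0) */
    0x00, 0x00                    /* End (code 0, len 0) */
};
const uint8_t garbage_swf[] = {   /* same tags, four bytes after End */
    SWF_HDR(26),
    0x43, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
    0xDE, 0xAD, 0xBE, 0xEF
};
const uint8_t overrun_swf[] = {   /* one tag using the long form to claim 0x7fffffff bytes */
    SWF_HDR(19),
    0x7F, 0x02,                   /* code 9 with the 0x3f long-length marker */
    0xFF, 0xFF, 0xFF, 0x7F        /* declared length; zero bytes actually remain */
};

int main(void)
{
    static const char *names[] = { "ok", "truncated header", "not FWS", "length mismatch",
                                   "tag overruns file", "trailing garbage" };
    const struct { const char *label; const uint8_t *p; size_t n; } files[] = {
        { "good", good_swf, sizeof good_swf },
        { "trailing garbage", garbage_swf, sizeof garbage_swf },
        { "overlong tag", overrun_swf, sizeof overrun_swf },
    };
    for (size_t i = 0; i < 3; i++) {
        unsigned tags;
        swf_result r = swf_check(files[i].p, files[i].n, &tags);
        printf("%-16s %u tag(s), %s\n", files[i].label, tags, names[r]);
    }
    return 0;
}
```

The third sample is the shape of input that trips a parser which trusts the declared length: a seek or copy sized by 0x7fffffff either runs off the end of the buffer or, in a tool that loops on the declared size, never finishes, which is the hang described above. The second sample shows that data after the End tag is a report, not an error, matching what the updated listswf prints.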
Validating the update. Len, feel free to validate updates that have been tested on both arches.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0108.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Several issues were announced as having been fixed in 0.4.8: http://openwall.com/lists/oss-security/2017/04/29/
CC: (none) => luigiwalser