openSUSE has issued an advisory today (May 2):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00000.html

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
I have uploaded an updated package to version 2.18.3 for Mageia 5 (and requested a freeze push on Cauldron).

Please test that the new version works as expected, namely it is an image viewer, therefore, in a terminal:

feh myimage.png

should open a window and you should see the content of myimage.png ;)

Suggested advisory:
========================

Updated feh package to fix a double-free/OOB-write in E17 IPC. This was a potential security issue as a malicious X11 app running alongside feh and pretending to be an E17 window manager could have had access to out-of-bound memory.

Security vulnerability: CVE-2017-7875

References:
https://feh.finalrewind.org/
https://lists.opensuse.org/opensuse-updates/2017-05/msg00000.html
========================

Updated packages in core/updates_testing:
========================
feh-2.18.3-1.mga5

Source RPMs:
feh-2.18.3-1.mga5.src.rpm
Assignee: eatdirt => qa-bugs
CVE: (none) => CVE-2017-7875
CC: (none) => eatdirt
fixed and uploaded in cauldron
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => mageia
x86_64 real hardware.

Simple commandline image viewer. Installed and checked operations. No useful information for reproducing the bug for the listed CVE.

Installed the update. Tried out some of the functions.

Automatic slideshow for a command like
$ feh --cycle-once *
but images need to be clicked to progress. Adding -D 2.5 causes the slides to advance every 2.5 seconds. Esc kills the program. Up and down arrows zoom the image in or out.

Non-displayable files can be rejected by setting a timeout.
$ feh -D 4.0 --magick-timeout 0.2
The rogue files are listed as they are found.

The < and > keys did not work (image rotation). There is a note on the man page about dependencies.
feh requires the jpegtran and jpegexiforient binaries (usually distributed in "libjpeg-progs" or similar) for lossless rotation.
The binaries were not found on this system.

Display a montage of thumbnails of a directory, retaining image aspects:
$ feh --montage --thumb-width 120 --thumb-height 200

There are more modes and many more options. It looks fine.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
i586 in virtualbox

Ran the update after installing feh.

Display a subset of images from current directory as a click-through slide-show.
$ feh S*.jpg

Show a mosaic of thumbnails of current image directory disregarding image proportions.
$ feh --montage -X

Display a montage of thumbnails of images in current directory, retaining image aspects:
$ feh --montage --thumb-width 120 --thumb-height 200

Mouse right-click presents a short menu of control options such as 'exit' and the Up and Down arrows control zooming.

Captions can be overlaid on the images:
$ feh -K ../captions whatever.jpg
In this case "useful information" displayed on the image, caption referenced as ../captions/whatever.jpg.txt.

Good for 32-bits.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
@Len: thanks for doing this. Validating & advisoried.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0137.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Thanks Len for the exhaustive testing, missing features have been added for mga6 (Recommends to jpegtran and convert) as well as exif support! Cheers, Chris.