Bug 20775 - feh new security issue CVE-2017-7875
Summary: feh new security issue CVE-2017-7875
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-02 12:04 CEST by David Walser
Modified: 2017-05-11 10:32 CEST

See Also:
Source RPM: feh-2.18.2-1.mga6.src.rpm
CVE: CVE-2017-7875
Status comment:



Description David Walser 2017-05-02 12:04:35 CEST
openSUSE has issued an advisory today (May 2):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00000.html

Mageia 5 is also affected.
David Walser 2017-05-02 12:04:41 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Chris Denice 2017-05-02 14:03:46 CEST
I have uploaded an updated package to version 2.18.3 for Mageia 5 (and requested a freeze push on Cauldron).

Please test that the new version works as expected, namely it is an image viewer, therefore, in a terminal:

feh myimage.png

should open a window and you should see the content of myimage.png ;)

Suggested advisory:
========================

Updated feh package to fix a double-free/OOB-write in E17 IPC. This was a potential security issue as a malicious X11 app running alongside feh and pretending to be an E17 window manager could have had access to out-of-bound memory.

Security vulnerability: CVE-2017-7875

References:
https://feh.finalrewind.org/
https://lists.opensuse.org/opensuse-updates/2017-05/msg00000.html
========================


Updated packages in core/updates_testing:
========================
feh-2.18.3-1.mga5

Source RPMs: 
feh-2.18.3-1.mga5.src.rpm

Assignee: eatdirt => qa-bugs
CVE: (none) => CVE-2017-7875
CC: (none) => eatdirt

Comment 2 Nicolas Lécureuil 2017-05-02 15:45:27 CEST
Fixed and uploaded in Cauldron.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => mageia

Comment 3 Len Lawrence 2017-05-10 11:41:16 CEST
x86_64 real hardware.
Simple commandline image viewer.
Installed and checked operations.  No useful information for reproducing the bug for the listed CVE.

Installed the update.  Tried out some of the functions.
Automatic slideshow for a command like
$ feh --cycle-once *
but images need to be clicked to progress.  Adding -D 2.5 causes the slides to advance every 2.5 seconds.  Esc kills the program.  Up and down arrows zoom the image in or out.
Non-displayable files can be rejected by setting a timeout.
$ feh -D 4.0 --magick-timeout 0.2
The rogue files are listed as they are found.

The < and > keys did not work (image rotation).  There is a note on the man page about dependencies.
     feh requires the jpegtran and jpegexiforient binaries (usually
     distributed in "libjpeg-progs" or similar) for lossless rotation.
The binaries were not found on this system.

Display a montage of thumbnails of a directory, retaining image aspects:
$ feh --montage --thumb-width 120 --thumb-height 200

There are more modes and many more options.  It looks fine.

CC: (none) => tarazed25

Len Lawrence 2017-05-10 11:41:38 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 4 Len Lawrence 2017-05-10 15:04:19 CEST
i586 in virtualbox

Ran the update after installing feh.

Display a subset of images from current directory as a click-through slide-show.
$ feh S*.jpg

Show a mosaic of thumbnails of current image directory disregarding image proportions.
$ feh --montage -X

Display a montage of thumbnails of images in current directory, retaining image aspects:
$ feh --montage --thumb-width 120 --thumb-height 200

Mouse right-click presents a short menu of control options such as 'exit' and the Up and Down arrows control zooming.   

Captions can be overlaid on the images:
$ feh -K ../captions whatever.jpg
In this case "useful information" displayed on the image, caption referenced as ../captions/whatever.jpg.txt.

Good for 32-bits.
Len Lawrence 2017-05-10 15:04:45 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 5 Lewis Smith 2017-05-10 18:41:50 CEST
@Len: thanks for doing this.
Validating & advisoried.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-05-10 22:59:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0137.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 Chris Denice 2017-05-11 10:32:15 CEST
Thanks Len for the exhaustive testing, missing features have been added for mga6 (Recommends to jpegtran and convert) as well as exif support!

Cheers,
Chris.
