Bug 20916 - autotrace new security issues CVE-2017-915[1-9], CVE-2017-91[6-9][0-9], CVE-2017-9200
Summary: autotrace new security issues CVE-2017-915[1-9], CVE-2017-91[6-9][0-9], CVE-2...
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Shlomi Fish
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-23 13:08 CEST by David Walser
Modified: 2017-12-28 06:06 CET (History)
1 user (show)

See Also:
Source RPM: autotrace-0.31.1-46.1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-05-23 13:08:29 CEST
Several CVEs have been assigned for security issues in autotrace:
http://openwall.com/lists/oss-security/2017/05/23/11

No fixes are available at this time.

Mageia 5 is also affected.
David Walser 2017-05-23 13:08:36 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-05-28 06:07:09 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Rémi Verschelde 2017-06-30 12:55:33 CEST
AutoTrace is unmaintained since 2005, and there is no apparent fix for those CVEs yet (at least at Debian and Fedora). Fedora decided it would be a WONTFIX for them: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9151

I would suggest dropping it for Mageia 6 provided it has no reverse dependencies that can't be made to work against more recent bitmap converters.

Status comment: (none) => Candidate for dropping if no reverse deps

Comment 3 Rémi Verschelde 2017-06-30 23:51:49 CEST
Fixed in Mageia 6 by dropping autotrace.

For Mageia 5, I suggest to close as WONTFIX as Fedora did, as I don't expect those 50 security issues will ever be patched in such unmaintained software.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Rémi Verschelde 2017-06-30 23:51:57 CEST

Status comment: Candidate for dropping if no reverse deps => (none)

Comment 4 David Walser 2017-12-28 06:06:57 CET
This is dead software.

Status: NEW => RESOLVED
Resolution: (none) => OLD


Note You need to log in before you can comment on or make changes to this bug.