Fedora has issued an advisory on May 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PIW5FWQCDBCYOXITAHY7KFYRXUAJJ2U4/ According to SUSE, 1.8.1 is affected but backporting the fix is too difficult. Fedora updated to 2.0.0 and applied upstream patches.
SUSE bug: https://bugzilla.novell.com/show_bug.cgi?id=1073248 Fedora commit: https://src.fedoraproject.org/cgit/rpms/scummvm.git/commit/?h=f27&id=3d475bb40e2d7a92d31e764115bfd54b65ffc26a
CC: (none) => lists.jjorgeStatus comment: (none) => Patches available from upstream and Fedora
I know a ScummVM upstream maintainer, I'll ask him if it's safe for users to upgrade to 2.0.0 or if he wants to help me backport the patch to 1.8.1.
Patched scummvm-2.0.0-3.mga7 pushed to Cauldron, with the addition of FreeType2 support (which adds one scummvm engine). I'm pushing the same version to Mageia 6 as scummvm-2.0.0-1.mga6. Advisory: ========= Updated scummvm package fixes security vulnerability ScummVM 1.8.1's POSIX backend does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. This update fixes it, and updates ScummVM to the latest 2.0.0 upstream release, adding support for 23 new games, and several bug fixes. References: - https://bugzilla.novell.com/show_bug.cgi?id=1073248 - https://www.scummvm.org/news/20171217/ SRPM in core/updates_testing: ============================= scummvm-2.0.0-1.mga6 RPM in core/updates_testing: ============================ scummvm-2.0.0-1.mga6
Assignee: rverschelde => qa-bugsCC: (none) => rverschelde
Forgot to mention the CVE number in the advisory, new one: Advisory: ========= Updated scummvm package fixes security vulnerability ScummVM 1.8.1's POSIX backend does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL (CVE-2017-17528). This update fixes it, and updates ScummVM to the latest 2.0.0 upstream release, adding support for 23 new games, and several bug fixes. References: - https://bugzilla.novell.com/show_bug.cgi?id=1073248 - https://www.scummvm.org/news/20171217/
CVE: (none) => CVE-2017-17528
Installed and tested without issue. Tested using several games downloaded from https://www.scummvm.org/games/ System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver. $ uname -a Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ rpm -q scummvm scummvm-2.0.0-1.mga6
CC: (none) => mageiaWhiteboard: (none) => MGA6-64-OK
Validating
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisoried from comment 4
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0278.html
Status: NEW => RESOLVEDResolution: (none) => FIXED