Fedora has issued an advisory today (September 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JM5SZJJT2YKW6NSUEDTA7J4RSLYWP37D/ The issue is fixed upstream in 4.1. Mageia 5 is also affected.
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable. Note that, after council's decision last night, this cannot be fixed in Mga5.
CC: (none) => geiger.david68210, marja11Assignee: bugsquad => pkg-bugs
My padawan arek is working on it.
Status: NEW => ASSIGNEDAssignee: pkg-bugs => lists.jjorgeCC: (none) => lists.jjorge
for an update in a release distro you should use "%define subrel" and not bump the rel.
(In reply to David GEIGER from comment #3) > for an update in a release distro you should use "%define subrel" and not > bump the rel. Not in the case cauldron has an higher version of the software, as for here.
Advisory: ======================== Updated iniparser packages fix security vulnerability: A flaw was found in iniparser version prior to 4.1. A stack buffer underflow in the function iniparser_load() in iniparser.c file which can be triggered by parsing a file that containing a zero-byte. This vulnerability may allow an attacker to cause a Denial of Service (DoS). References: https://github.com/ndevilla/iniparser/issues/68 https://bugzilla.redhat.com/show_bug.cgi?id=1545824 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JM5SZJJT2YKW6NSUEDTA7J4RSLYWP37D/ ======================== Updated packages in core/updates_testing: ======================== iniparser-3.1-8.mga6 libiniparser0-3.1-8.mga6 libiniparser-devel-3.1-8.mga6 from iniparser-3.1-8.mga6.src.rpm
CC: (none) => arusekk
(In reply to José Jorge from comment #4) > (In reply to David GEIGER from comment #3) > > for an update in a release distro you should use "%define subrel" and not > > bump the rel. > > Not in the case cauldron has an higher version of the software, as for here. Incorrect. You should use a subrel and not bump the rel, even in that case.
This never got assigned to QA. Advisory and package list in Comment 5.
Assignee: lists.jjorge => qa-bugs
$ uname -a Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux The following 2 packages are going to be installed: - lib64iniparser-devel-3.1-8.mga6.x86_64 - lib64iniparser0-3.1-8.mga6.x86_64 ----------------------------- - I installed gcc - found an example program that calls iniparser (see attached). Compile and link via this command: $ gcc iniexample.c -lm /usr/lib64/libiniparser.so.0 -o iniexamp execute the program by $ ./iniexamp by default the program produces a file called example.ini. You can cat the file by: $ cat example.ini I also tried it against an empty file $ touch empty.ini $ ./iniexamp empty.ini It processes the empty file I tried echo null to the file (need some input here oh echoing null) $ echo $'\0' > empty.ini Ran the program again - no issues The library works
CC: (none) => brtians1Whiteboard: (none) => MGA6_64_OK
Created attachment 10447 [details] The example program I found I found the example at: https://github.com/ndevilla/iniparser/blob/master/example/iniexample.c
Whiteboard: MGA6_64_OK => MGA6-64-OK
The following 2 packages are going to be installed: - libiniparser-devel-3.1-8.mga6.i586 - libiniparser0-3.1-8.mga6.i586 37KB of additional disk space will be used. 26KB of packages will be retrieved. Is it ok to continue? ------------ Compiled: $ gcc iniexample.c -lm /usr/lib/libiniparser.so.0 -o iniexamp Executed: brian@localhost ~]$ ./iniexamp [pizza]=UNDEF [pizza:ham]=[yes] [pizza:mushrooms]=[TRUE] [pizza:capres]=[0] [pizza:cheese]=[Non] [wine]=UNDEF [wine:grape]=[Cabernet Sauvignon] [wine:year]=[1989] [wine:country]=[Spain] [wine:alcohol]=[12.5] Pizza: Ham: [1] Mushrooms: [1] Capres: [0] Cheese: [0] Wine: Grape: [Cabernet Sauvignon] Year: [1989] Country: [Spain] Alcohol: [12.5] Working in 32-bit
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
I prefer sausage and pepperoni on my pizza, but we'll let that one go. Validating. Advisory in Comment 5.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Advisory done from comment 5. Note *no* CVE.
CC: (none) => lewyssmithKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0440.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED