Bug 23702 - exempi new security issue CVE-2018-12648
Summary: exempi new security issue CVE-2018-12648
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-16 00:16 CEST by David Walser
Modified: 2018-10-26 20:48 CEST (History)

See Also:
Source RPM: exempi-2.4.5-3.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-16 00:16:13 CEST
Fedora has issued an advisory on October 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WFS4YRRYY745JRYSEGGT7JFJTVC4F62H/

Mageia 6 is also affected.
David Walser 2018-10-16 00:16:24 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-16 19:50:57 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing two committers.

CC: (none) => mageia, marja11, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-10-17 20:37:06 CEST
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated exempi package fixes security vulnerability:

It was found that the WEBP::GetLE32 function in
XMPFiles/source/FormatSupport/WEBP_Support.hpp in Exempi 2.4.5 has a
NULL pointer dereference (CVE-2018-12648).


References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WFS4YRRYY745JRYSEGGT7JFJTVC4F62H/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12648
========================

Updated packages in core/updates_testing:
========================
lib64exempi3-2.4.5-1.1.mga6
lib64exempi-devel-2.4.5-1.1.mga6

from exempi-2.4.5-1.1.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=22801#c6

Whiteboard: MGA6TOO => (none)
Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
CC: (none) => mrambo
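The advisory above describes a NULL pointer dereference in a little-endian 32-bit reader for WebP. The following is an added, illustrative bounds-checked reader (not Exempi's code and not the patch applied here): it refuses a NULL or too-short buffer before decoding a field from the 12-byte RIFF/WEBP container header. The sample headers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a little-endian uint32 at `off`, but only if the buffer is non-NULL
 * and actually holds four bytes there. Returns false instead of dereferencing. */
bool safe_get_le32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (buf == NULL || out == NULL || off > len || len - off < 4)
        return false;
    *out = (uint32_t)buf[off]             | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
    return true;
}

/* Validate a RIFF/WEBP container header ("RIFF" <le32 size> "WEBP") and
 * return the declared RIFF payload size. Rejects NULL input, short buffers,
 * wrong magic, and a declared size larger than the bytes actually present. */
bool parse_webp_header(const uint8_t *buf, size_t len, uint32_t *riff_size)
{
    uint32_t size;
    if (buf == NULL || riff_size == NULL || len < 12)
        return false;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0)
        return false;
    if (!safe_get_le32(buf, len, 4, &size))
        return false;
    /* The RIFF size counts everything after the 8-byte RIFF header and must
     * at least cover the "WEBP" form tag. */
    if (size < 4 || size > len - 8)
        return false;
    *riff_size = size;
    return true;
}

/* Constructed samples: a minimal well-formed header declaring a 4-byte payload
 * (just the "WEBP" tag), and a copy truncated inside the size field. */
const uint8_t good_webp[12]     = { 'R','I','F','F', 4,0,0,0, 'W','E','B','P' };
const uint8_t truncated_webp[7] = { 'R','I','F','F', 4,0,0 };
```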

Comment 3 Herman Viaene 2018-10-20 12:58:18 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
As per bug 22801 Comment 4, opened pictures with eom and checked the metadata.
Seems OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 4 PC LX 2018-10-22 10:19:05 CEST
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tests:
- Extracting PSD metadata with exempi.
- Using tellico (depends on lib64exempi3).
- Using eom (depends on lib64exempi3).

$ uname -a
Linux marte 4.14.76-desktop-1.mga6 #1 SMP Sat Oct 13 23:34:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep exempi | sort
lib64exempi3-2.4.5-1.1.mga6
$ find -ipath '*.psd' -exec exempi -x '{}' ';'
processing file x.psd
dump_xmp for file x.psd
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Exempi + XMP Core 5.5.0">
<SNIP>

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => mageia

Comment 5 Thomas Andrews 2018-10-26 01:00:12 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-10-26 15:55:41 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2018-10-26 20:48:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0416.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

