Bug 24184 - libgxps new security issue CVE-2018-10767
Summary: libgxps new security issue CVE-2018-10767
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-15 03:35 CET by David Walser
Modified: 2019-11-06 21:19 CET
CC List: 6 users

See Also:
Source RPM: libgxps-0.2.5-1.2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2019-01-15 03:35:22 CET
Fedora has issued an advisory on January 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MSIVWHXRZWTRZFL7N6763ECQ6L7FHAVB/

The issue was fixed upstream in 0.3.1.
Comment 1 David Walser 2019-01-15 03:56:35 CET
It was supposedly fixed in:
https://access.redhat.com/errata/RHSA-2018:3140

but the only patch we're missing from that update:
https://git.centos.org/commit/rpms!libgxps.git/b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7

is:
https://git.centos.org/raw/rpms/libgxps.git/b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7/SOURCES!libgxps-0.3.0-clear-error.patch

and the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1575188

does mention the patched function in the stack trace, but I'm not sure.

I've committed that patch in SVN anyway.
Comment 2 Marja Van Waes 2019-01-15 08:34:35 CET
(In reply to David Walser from comment #1)
> It was supposedly fixed in:
> https://access.redhat.com/errata/RHSA-2018:3140
> 
> but the only patch we're missing from that update:
> https://git.centos.org/commit/rpms!libgxps.git/
> b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7
> 
> is:
> https://git.centos.org/raw/rpms/libgxps.git/
> b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7/SOURCES!libgxps-0.3.0-clear-error.
> patch
> 
> and the RedHat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1575188
> 
> does mention the patched function in the stack trace, but I'm not sure.
> 
> I've committed that patch in SVN anyway.

So you want someone to take a closer look, before submitting it & assigning to QA?

CC'ing some committers and all packagers collectively.

CC: (none) => mageia, marja11, olav, pkg-bugs, thierry.vignaud

Comment 3 Marja Van Waes 2019-02-03 08:38:00 CET
(In reply to Marja Van Waes from comment #2)
> (In reply to David Walser from comment #1)
> > It was supposedly fixed in:
> > https://access.redhat.com/errata/RHSA-2018:3140
> > 
> > but the only patch we're missing from that update:
> > https://git.centos.org/commit/rpms!libgxps.git/
> > b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7
> > 
> > is:
> > https://git.centos.org/raw/rpms/libgxps.git/
> > b2ba33c2c2612e42f6f1e66aad44b3c728caf0b7/SOURCES!libgxps-0.3.0-clear-error.
> > patch
> > 
> > and the RedHat bug:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1575188
> > 
> > does mention the patched function in the stack trace, but I'm not sure.
> > 
> > I've committed that patch in SVN anyway.
> 
> So you want someone to take a closer look, before submitting it & assigning
> to QA?
> 
> CC'ing some committers and all packagers collectively.

There is no registered maintainer, so assigning to all packagers collectively, to decrease the chance that this will be forgotten.

Assignee: bugsquad => pkg-bugs

Comment 4 Mike Rambo 2019-11-06 21:19:33 CET
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => mrambo
