Ubuntu has issued an advisory on January 15: https://usn.ubuntu.com/3860-1/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => geiger.david68210, marja11, pterjan, smelror
Assignee: bugsquad => pkg-bugs
Advisory:
========================

Updated libcaca packages fix security vulnerabilities:

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service (CVE-2018-20544).

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code (CVE-2018-20545, CVE-2018-20548, CVE-2018-20459).

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information (CVE-2018-20546, CVE-2018-20547).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549
https://usn.ubuntu.com/3860-1/
========================

Updated packages in core/updates_testing:
========================
libcaca0-0.99-0.beta18.13.1.mga6
libcaca-devel-0.99-0.beta18.13.1.mga6
caca-utils-0.99-0.beta18.13.1.mga6
ruby-caca-0.99-0.beta18.13.1.mga6
python-caca-0.99-0.beta18.13.1.mga6

from libcaca-0.99-0.beta18.13.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Just for the record, some of those are in code not used in our package (only used when not built with imlib2 support), but this is not very important and I haven't had time to see which ones are really fixed by the update.
@Pascal, re comment 3: The PoC may throw some light on that, so I shall check those shortly.
CC: (none) => tarazed25
Mageia 6, x86_64

*Before update*
Looked for POC tests.
-------------------------------------------------------------------------
CVE-2018-20544
https://bugzilla.redhat.com/show_bug.cgi?id=1652627
$ img2txt POC6
img2txt: unable to load POC6
$ file POC6
POC6: PC bitmap, Windows 3.x format, 32 x 65503 x 1
This gives the impression of having already been fixed.
-------------------------------------------------------------------------
CVE-2018-20545
https://bugzilla.redhat.com/show_bug.cgi?id=1652621
$ img2txt POC0
img2txt: unable to load POC0
The ASAN test upstream led to an abort so this has probably already been fixed.
-------------------------------------------------------------------------
CVE-2018-20546
https://bugzilla.redhat.com/show_bug.cgi?id=1652622
$ img2txt POC1
img2txt: unable to load POC1
Upstream test generated ABORT. Probably good already.
-------------------------------------------------------------------------
CVE-2018-20547
https://bugzilla.redhat.com/show_bug.cgi?id=1652624
$ img2txt POC3
img2txt: unable to load POC3
More of the same.
-------------------------------------------------------------------------
CVE-2018-20548
https://bugzilla.redhat.com/show_bug.cgi?id=1652625
$ img2txt POC4
img2txt: unable to load POC4
Repeat earlier two remarks. Maybe good.
-------------------------------------------------------------------------
CVE-2018-20549
https://bugzilla.redhat.com/show_bug.cgi?id=1652628
$ img2txt POC7
img2txt: unable to load POC7

It seems likely that all the reproducers are returning good results. As none of them abort they look good but there is some uncertainty about what we should expect to see for a successful test. More on this later.
Additional note running on from comment 5.
$ file POC*
POC0: PC bitmap, Windows 3.x format, 65536 x 65536 x 4
POC1: PC bitmap, Windows 3.x format, 132 x 4353 x 60675
POC3: PC bitmap, OS/2 1.x format, 127 x 0
POC4: PC bitmap, Windows 3.x format, 65536 x 65536 x 1
POC6: PC bitmap, Windows 3.x format, 32 x 65503 x 1
POC7: PC bitmap, Windows 3.x format, 65535 x 32 x 16388
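One way to settle what a passing reproducer run looks like, given here as an added example that is not part of the original comments or of libcaca: classify each run by exit status, so that a clean rejection such as "unable to load" is told apart from a crash by signal. The helper names `classify_run` and `triage` are hypothetical, and a hang is not detected.

```shell
#!/bin/sh
# Added example: classify how a program handled one input file by exit status.
# Prints: loaded | rejected:<status> | notrun:<status> | crashed:SIG<name>
classify_run() {
    file=$1; shift              # remaining words are the command to run
    status=0
    "$@" "$file" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "loaded"
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        echo "notrun:$status"   # command not executable / not found
    elif [ "$status" -gt 128 ]; then
        # The shell reports death by signal N as 128+N
        # (SIGABRT -> 134, SIGFPE -> 136, SIGSEGV -> 139).
        echo "crashed:SIG$(kill -l "$status")"
    else
        echo "rejected:$status" # clean error path, e.g. "unable to load"
    fi
}

# Run one command over every file, print "file: result" per input,
# and return 1 if any input crashed the command.
triage() {
    cmd=$1; shift
    rc=0
    for f in "$@"; do
        result=$(classify_run "$f" "$cmd")
        echo "$f: $result"
        case $result in crashed:*) rc=1 ;; esac
    done
    return "$rc"
}

# Usage: sh triage.sh POC0 POC1 ...   (img2txt is the tool tested in this thread)
if [ "$#" -gt 0 ]; then
    triage img2txt "$@"
fi
```

A "rejected" result both before and after the update only shows that the input was refused; as comment 3 notes, some of the affected code is not used in this build, so it does not by itself show which fixes took effect.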
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
At CLI:
$ img2txt dsc00107.jpg
produces as feedback rows of code which gets some colors in the MATE terminal and the whole gives a (of course) very crude impression of the original picture.
Redirecting the output to a file
$ img2txt dsc00107.jpg > cacatest.txt
gives a file which displays absolute rubbish with Pluma. That does not seem to be the end of the command.
OK for me.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Tried img2txt as in comment 7 and generated a very low resolution text image of an original coloured JPEG, viewed by running cat.

$ urpmq --whatrequires lib64caca0 | sort -u
caca-utils
gstreamer0.10-caca
gstreamer1.0-caca
lib64caca0
lib64caca-devel
lib64mpv1
lib64xine2
mplayer
mpv
ruby-caca
toilet
vlc-plugin-common
xine-ui-aa

So, used by various players. Not sure we should investigate toilet.

$ urpmq -i caca-utils
This package contains utilities and demonstration programs for libcaca, the Colour AsCii Art library.
cacaview - simple viewer in terminal
cacaball - animated ASCII metaballs
cacafire - flaming ASCII art
cacamoir - animated moiré circles
cacaplas - plasma effect
cacademo - demonstration of rendering features

Used cacaview on the original test JPEG. That performed the img2txt operation and showed the result in a text window. Help provided by ? - used g and G to modify gamma. Not obvious how to save the result.

cacafire and cacademo work but the other three animations appear to be missing but looking in /usr/bin turns up cacaclock, cacaplay and cacaserver and a link to caca-config.
cacaplay plays *.caca animations. It has a man page.
cacaclock is supposed to show the current time but requires a font argument. Could not figure out what the specification is for a font.
$ cacaclock -d %R --font=Larabiefont
Could not open font
$ cacaclock -d %R --font=lucidasans-18
Could not open font

ruby-caca is a ruby binding for caca; python-caca is probably similar.
From the man page (3) for ruby-caca-api:
$ irb -rcaca
irb(main):001:0> Caca.constants
=> [:BLACK, :BLUE, :GREEN, :CYAN, :RED, :MAGENTA, :BROWN, :LIGHTGRAY, :DARKGRAY, :LIGHTBLUE, :LIGHTGREEN, :LIGHTCYAN, :LIGHTRED, :LIGHTMAGENTA, :YELLOW, :WHITE, :DEFAULT, :TRANSPARENT, :BOLD, :ITALICS, :UNDERLINE, :BLINK, :Canvas, :Dither, :Font, :Display, :Event]

$ ruby -rcaca -e 'p Caca::Canvas.export_list'
[["caca", "native libcaca format"], ["ansi", "ANSI"], ["utf8", "UTF-8 with ANSI escape codes"], ["utf8cr", "UTF-8 with ANSI escape codes and MS-DOS \\r"], ["html", "HTML"], ["html3", "backwards-compatible HTML"], ["bbfr", "BBCode (French)"], ["irc", "IRC with mIRC colours"], ["ps", "PostScript document"], ["svg", "SVG vector image"], ["tga", "TGA image"], ["troff", "troff source"]]

I had to massage this oneliner to get the same result as the man page.
$ ruby -rcaca -e 'c=Caca::Canvas.new(6, 3).fill_box(0,0,3,3,0x23);c2=Caca::Canvas.new(1,1).put_str(0,0,"x"); c.blit(1,1,c2); puts c.export_to_memory("irc")'
###
#x#
###

$ ruby -rcaca -e 'puts Caca::Canvas.new(6,3).draw_thin_polyline([[0,0], [0,2],[5,2],[0,0]]).export_to_memory("irc")'
-.
| `.
----`-

$ ruby -rcaca -e 'p Caca::Font.list'
["Monospace 9", "Monospace Bold 12"]

$ cat linetest.rb
require 'caca'
c = Caca::Canvas.new( 20, 10 )
c.put_str( 2, 3, "plop!" )
c.draw_thin_polyline( [[0,0], [0,2], [5,2], [0,0]] )
d = Caca::Display.new(c)
d.title = "Test !"
d.refresh
Esc = 0x1b.chr
# Redefine Event::Key#quit? so that q, Q, and Esc become exit keys
# Note that the ^[ combination was not interpreted as Esc so Esc failed
# to do anything.
module Caca
  class Event::Key
    def quit?
      "qQ#{Esc}".split( '' ).member?( @ch.chr )
    end
  end
end
while( ( e = d.get_event( Caca::Event, -1 ) ) && !e.quit? )
  p e
  d.refresh
end

Running linetest.rb generated a text window - q, Q or Esc exited the demo.
$ ruby linetest.rb

So it looks like the ruby binding is working fine. Giving this a 64-bit OK.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Thanks to you both. Advisory from comment 2.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0050.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED