Bug 24749 - ed new security issue CVE-2017-5357
Summary: ed new security issue CVE-2017-5357
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-03 20:32 CEST by David Walser
Modified: 2019-05-04 15:57 CEST

See Also:
Source RPM: ed-1.15-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-05-03 20:32:55 CEST
SUSE has issued an advisory on April 1:
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005279.html

Mageia 6 is also affected.
David Walser 2019-05-03 20:33:01 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-05-03 21:10:17 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two submitters.

CC: (none) => marja11, mrambo, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2019-05-04 15:57:27 CEST
Neither Cauldron nor Mageia 6 is vulnerable to this bug. The initial bug report and response are here.

https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00001.html

The description of the solution above matches the proposed patch from SUSE here.

https://bugzilla.suse.com/show_bug.cgi?id=1019807

The fixed release is announced here and is 1.14.1.

https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00002.html

As Cauldron is 1.15 and Mageia 6 is 1.14.2 (and moreover a check of regex.c in both tarballs shows the line removed in the proposed patch is already gone), this bug is invalid.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

