Ubuntu has issued an advisory on July 15:
https://usn.ubuntu.com/4055-1/

Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing the de facto maintainer.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL pointer dereference occurs in GetRelativePathToNcx() or GetRelativePathsToXhtmlDocuments() when a NULL pointer is passed to xc::XMLUri::isValidURI(). This affects third-party software (not Sigil) that uses FlightCrew as a library. (CVE-2019-13032)

FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction. (CVE-2019-13241)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13241
https://usn.ubuntu.com/4055-1/
========================

Updated packages in core/updates_testing:
========================
flightcrew-common-0.9.0-10.1.mga7
flightcrew-cli-0.9.0-10.1.mga7
flightcrew-gui-0.9.0-10.1.mga7
flightcrew-plugin-0.9.0-10.1.mga7
lib(64)flightcrew0.7.2-0.9.0-10.1.mga7
lib(64)flightcrew-devel-0.9.0-10.1.mga7

from SRPMS:
flightcrew-0.9.0-10.1.mga7.src.rpm
Version: Cauldron => 7
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-13032, CVE-2019-13241
Whiteboard: MGA7TOO, MGA6TOO => (none)
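The entry-name check that the CVE-2019-13241 description above calls for, as an added example: this is not FlightCrew's code or the Mageia patch, and `safe_target`, the `/tmp/epub_out` directory and the sample entry names are constructed for illustration. The check is lexical only and assumes the extraction directory contains no attacker-controlled symlinks.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Hypothetical helper (not FlightCrew's API): map a ZIP entry name to a path
// under dest_dir, or return nullopt if the name would land outside it.
// The check is lexical only; it does not resolve symlinks already on disk.
std::optional<fs::path> safe_target(const fs::path& dest_dir, std::string name)
{
    // ZIP names use '/', but treat '\' as a separator too so "..\x" is caught.
    std::replace(name.begin(), name.end(), '\\', '/');
    if (name.empty() || name.find('\0') != std::string::npos)
        return std::nullopt;
    // Reject drive-letter style names ("C:/x") on every platform.
    if (name.size() >= 2 && name[1] == ':')
        return std::nullopt;

    const fs::path rel(name);
    if (rel.is_absolute() || rel.has_root_name() || rel.has_root_directory())
        return std::nullopt;

    // Collapse "." and "dir/.." pairs; any ".." that survives at the front
    // means the entry climbs above the extraction root.
    const fs::path norm = rel.lexically_normal();
    if (norm == fs::path(".") || *norm.begin() == fs::path(".."))
        return std::nullopt;

    return dest_dir / norm;
}

int main()
{
    // Constructed entry names, as they might appear in an EPUB container.
    const char* names[] = {"OEBPS/content.opf", "OEBPS/./text/../toc.ncx",
                           "../outside.txt", "OEBPS/../../outside.txt",
                           "/abs/file.txt", "..\\outside.txt"};
    for (const char* n : names) {
        auto t = safe_target("/tmp/epub_out", n);
        std::cout << n << " -> " << (t ? t->string() : "REJECTED") << '\n';
    }
}
```

An extractor would call the check on every entry before opening the output file and skip or abort on a rejected name.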
Flightcrew sounds like a good name for a game, but is actually an epub analyser, used in conjunction with epub editors. I installed flightcrew, and ran flightcrew-gui to analyze a couple of epub-format ebooks. I then got the updates, and ran it again on the same ebooks. The results were the same. Looks like it's doing what it's supposed to do. Giving it a 64-bit OK, and validating. Advisory in Comment 2.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0396.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED