openSUSE has issued an advisory on August 31:
https://lists.opensuse.org/opensuse-updates/2019-08/msg00217.html

The issue was fixed upstream, probably in 3.2.3.
QA Contact: (none) => security
Component: RPM Packages => Security
openSUSE has issued an advisory on September 9:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00053.html

It fixes another issue, also probably fixed upstream in 3.2.3.
Summary: libmirage new security issue CVE-2019-15540 => libmirage new security issues CVE-2019-15540 and CVE-2019-15757
Done!
Advisory:
========================

Updated libmirage packages fix security vulnerabilities:

The CSO filter in libMirage in CDemu did not validate the part size, triggering a heap-based buffer overflow that could lead to root access by a local user (CVE-2019-15540).

NULL pointer dereference in the NRG parser (CVE-2019-15757).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15757
https://lists.opensuse.org/opensuse-updates/2019-08/msg00217.html
https://lists.opensuse.org/opensuse-updates/2019-09/msg00053.html
========================

Updated packages in core/updates_testing:
========================
libmirage-common-3.2.3-1.mga7
libmirage11-3.2.3-1.mga7
libmirage-devel-3.2.3-1.mga7
libmirage-gir3.2-3.2.3-1.mga7

from libmirage-3.2.3-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Running the daemon
# cdemu-daemon
Starting CDEmu daemon with following parameters:
 - num devices: 1
 - control device: /dev/vhba_ctl
 - audio driver: null
 - bus type: session
posix_spawn avoided (fd close requested)
posix_spawn avoided (fd close requested)
cdemu0: Mapping: device mapping (SCSI generic) for device #0 could not be determined; device mapping info for this device will not be available
Inserting or ejecting a CD does not provoke any feedback.
Googling leads me to installing cdemu-client and from https://wiki.archlinux.org/index.php/CDemu picking a few commands
$ cdemu status
Devices' status:
DEV LOADED FILENAME
0 False
Strange to me as there is a CD loaded.
$ cdemu device-mapping
Device mapping:
DEV SCSI CD-ROM SCSI generic
0 /dev/sr2
That seems OK. Not sure what to do with it.
CC: (none) => herman.viaene
Mga7-64 Plasma system. Installed kde-cdemu-manager, which pulled in cdemu-daemon, cdemu-client, several libmirage packages, and a couple of others. Read /usr/share/doc/cdemu-client/README, which gave several helpful hints about usage. CDemu creates virtual optical drives, and loads/unloads them with image files of various types. It can be run from the command line, and there are gui managers available for Gtk+ or Plasma. The update packages installed cleanly. Using the kde gui, I was able to add and remove virtual drives, and load them with various isos. Tried some of the simpler command line commands, and all worked. Looks OK for 64-bit. Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0404.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED