Bug 25876 - htmldoc new security issue CVE-2019-19630
Summary: htmldoc new security issue CVE-2019-19630
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-14 19:03 CET by David Walser
Modified: 2019-12-19 14:46 CET

See Also:
Source RPM: htmldoc-1.9.3-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-12-14 19:03:58 CET
Debian-LTS has issued an advisory on December 9:
https://www.debian.org/lts/security/2019/dla-2026

The issue is fixed upstream in 1.9.8.

Mageia 7 is also affected.

David Walser 2019-12-14 19:04:06 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-14 20:43:25 CET
Assigning to Shlomi as both the registered maintainer and most recent committer.

Assignee: bugsquad => shlomif

Comment 2 David GEIGER 2019-12-15 08:51:11 CET
1.9.8 is not yet released.

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-12-15 14:54:26 CET
The commit that fixes the issue is:
https://github.com/michaelrsweet/htmldoc/commit/8a129c520e90fc967351f3e165f967128a88f09c

Comment 4 David GEIGER 2019-12-16 19:37:49 CET
Fixed both Cauldron and mga7!

Comment 5 David Walser 2019-12-16 20:41:39 CET
Advisory:
========================

Updated htmldoc packages fix security vulnerability:

In HTMLDOC, there was a one-byte underflow in htmldoc/ps-pdf.cxx caused by a
floating point math difference between GCC and Clang (CVE-2019-19630).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19630
https://www.debian.org/lts/security/2019/dla-2026
========================

Updated packages in core/updates_testing:
========================
htmldoc-1.9.3-2.1.mga7
htmldoc-nogui-1.9.3-2.1.mga7

from htmldoc-1.9.3-2.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: shlomif => qa-bugs

Comment 6 Herman Viaene 2019-12-17 14:57:53 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
First tried the command htmldoc, which is a GUI, and selected an HTML file which I made from an ODT file (used in my own website) and converted that one to PDF. It throws an error saying "Did you not forget to apply webpage format".
Note: this is a Dutch installation, but the whole thing seems to be English only.
I could not find such a setting in the GUI, so I settled for the CLI:
$ htmldoc-nogui -t pdf --webpage -f dond.pdf donderdag.html 
PAGES: 5
BYTES: 218271
The resulting pdf file is OK, so good enough for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2019-12-17 18:20:23 CET
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-19 13:46:36 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-12-19 14:46:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0403.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

