A security issue in xawtv has been announced on June 4: https://www.openwall.com/lists/oss-security/2020/06/04/6 The fix comprises two upstream commits and a patch attached to the message above. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patches available
This SRPM has no registered maintainer, but DavidG has done past new versions, so assigning it to you.
Assignee: bugsquad => geiger.david68210
Done for both Cauldron and mga7! Note that I upgraded xawtv to the latest upstream release, which contains only 3 more commits compared to 3.106.
David, I think you missed the patch attached to the oss-security message.
Nop! The commit 31f31f9cbaee7be806cba38e0ff5431bd44b20a3 is already included in the 3.107 release. And commit 36dc44e68e5886339b4a0fbe3f404fb1a4fd2292 + attached patch are both in the single CVE-2020-13696.patch.
Advisory:
========================

Updated xawtv packages fix security vulnerability:

The v4l-conf program in xawtv allows users to determine the existence of file names in directories they do not have access to, and allows a user to have the system open files they do not have access to, though it does not provide the user access to the file contents (CVE-2020-13696).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13696
https://www.openwall.com/lists/oss-security/2020/06/04/6
========================

Updated packages in core/updates_testing:
========================
xawtv-3.107-1.1.mga7
xawtv-common-3.107-1.1.mga7
xawtv-control-3.107-1.1.mga7
fbtv-3.107-1.1.mga7
xawtv-misc-3.107-1.1.mga7
radio-3.107-1.1.mga7
streamer-3.107-1.1.mga7
motv-3.107-1.1.mga7
ttv-3.107-1.1.mga7
xawtv-web-3.107-1.1.mga7

from xawtv-3.107-1.1.mga7.src.rpm
CC: (none) => geiger.david68210
Status comment: Patches available => (none)
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Installed these packages from release on x86_64. There does not seem to be a way to test them without compatible hardware. vlc copes extremely well with DVB-T/T2 and free-to-air using the Hauppauge WinTV tuner but xawtv/motv cannot see it. There are mutterings on the LinuxTV website that xawtv does not work with that tuner.

$ motv -c /dev/dvb/adapter0/demux0
This is motv-3.106, running on Linux/x86_64 (5.6.8-desktop-1.mga7)
xinerama 0: 3840x2160+0+0
Failed to query video capabilities: Inappropriate ioctl for device
libv4l2: error getting capabilities: Inappropriate ioctl for device
vid-open: failed: libv4l
no video grabber device available

Passing this on to whoever has appropriate hardware.
CC: (none) => tarazed25
And for what it is worth, in case there are no takers, all packages updated cleanly.
You could test the PoC (see the oss-security post).
Thanks David - did not read the post closely enough to see that it does not involve the gui. Going back to release version now.
https://www.openwall.com/lists/oss-security/2020/06/04/6

# mv .bashrc bashrc
$ v4l-conf -c /dev/../root/.bashrc
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
can't open /dev/../root/.bashrc: No such file or directory
$ v4l-conf -c /dev/../root/.bash_history
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
/dev/../root/.bash_history: wrong device

Updated packages. After update.

$ v4l-conf -c /dev/../root/.bashrc
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
/dev/../root/.bashrc: invalid path or file is not of the right type
$ v4l-conf -c /dev/../root/.bash_history
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
/dev/../root/.bash_history: invalid path or file is not of the right type

That looks conclusive - fix works. Leaving this a little longer. If nobody bites shall pass it tomorrow.
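As an added illustration, not xawtv's code and not the upstream fix as committed: the two properties the patched v4l-conf shows above, refusing paths that escape /dev and giving one identical answer whether the target is missing or merely of the wrong type, written as a C check a setuid helper could apply to a user-supplied device path. The function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 only if `path` resolves to a character device under /dev/.
 * A missing file and a file of the wrong type both yield 0, so a caller
 * running with elevated privileges cannot be used as an existence oracle. */
int is_acceptable_v4l_device(const char *path)
{
    char resolved[PATH_MAX];
    struct stat st;

    /* realpath() collapses ".." and symlinks: "/dev/../root/x" -> "/root/x" */
    if (realpath(path, resolved) == NULL)
        return 0;                      /* nonexistent: same answer as wrong type */
    if (strncmp(resolved, "/dev/", 5) != 0)
        return 0;                      /* escaped the device directory */
    if (stat(resolved, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;                      /* not a character device */
    return 1;
}

/* Opens the device or returns -1. The type is re-verified with fstat() on
 * the open descriptor, so a swap between check and open (TOCTOU) cannot
 * hand back a regular file. */
int open_v4l_device(const char *path)
{
    struct stat st;
    int fd;

    if (!is_acceptable_v4l_device(path))
        return -1;
    fd = open(path, O_RDWR | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A real helper would still print one generic message for every rejection, as the patched v4l-conf does, rather than distinguishing "not found" from "wrong device".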
Whiteboard: (none) => MGA7-64-OK
openSUSE has issued an advisory for this on June 8: https://lists.opensuse.org/opensuse-updates/2020-06/msg00036.html
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0257.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED