Bug 27969 - matio possible new security issue CVE-2019-20052
Summary: matio possible new security issue CVE-2019-20052
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2020-12-29 08:17 CET by Zombie Ryushu
Modified: 2021-03-01 17:12 CET

See Also:
Source RPM: matio-1.5.16-1.1.mga7.src.rpm
CVE: CVE-2019-20052
Status comment:


Description Zombie Ryushu 2020-12-29 08:17:05 CET
A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case.
Zombie Ryushu 2020-12-29 08:17:19 CET

CVE: (none) => CVE-2019-20052
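
The rank==0 case named in the description, as an added illustration that is not matio's code or the upstream patch: an overflow-checked dimension product whose loop never runs when rank is 0, beside a form that checks rank first. The struct, the function names and the caller's starting value of 1 are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a variable header: only rank and dims. */
struct var_hdr { int rank; const size_t *dims; };

/* Multiplies dims[0..rank-1] into *nelems with overflow detection.
 * With rank == 0 the loop body never runs, so *nelems keeps whatever
 * the caller put there (assumed here to be 1). */
static int mul_dims_unguarded(const struct var_hdr *v, size_t *nelems)
{
    for (int i = 0; i < v->rank; i++) {
        if (v->dims[i] != 0 && *nelems > SIZE_MAX / v->dims[i]) {
            *nelems = 0;
            return 1;               /* product would overflow size_t */
        }
        *nelems *= v->dims[i];
    }
    return 0;
}

/* Same product, but a variable with no dimensions has no elements. */
static int mul_dims_guarded(const struct var_hdr *v, size_t *nelems)
{
    if (v->rank <= 0 || v->dims == NULL) {
        *nelems = 0;
        return 0;
    }
    return mul_dims_unguarded(v, nelems);
}

/* Element count as a caller would compute it, starting from 1. */
size_t count_elems(const struct var_hdr *v, int guarded)
{
    size_t n = 1;
    int err = guarded ? mul_dims_guarded(v, &n) : mul_dims_unguarded(v, &n);
    return err ? 0 : n;
}

int main(void)
{
    struct var_hdr empty = { 0, NULL };   /* constructed rank-0 header */
    printf("unguarded: %zu element(s)\n", count_elems(&empty, 0));
    printf("guarded:   %zu element(s)\n", count_elems(&empty, 1));
    return 0;
}
```

A count of 1 for a header with no dimensions is the inconsistency that allocation and cleanup code sized from that count then has to cope with.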

Comment 1 David Walser 2020-12-29 17:08:25 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20052

Fix is here:
https://github.com/tbeu/matio/commit/a47b7cd3aca70e9a0bddf8146eb4ab0cbd19c2c3

It's not clear what versions (if any) are actually affected.

Whiteboard: (none) => MGA7TOO
Summary: matio security flaw CVE-2019-20052 => matio possible new security issue CVE-2019-20052
Status comment: (none) => Patch available from upstream
Assignee: bugsquad => geiger.david68210
Severity: normal => major
CC: (none) => nicolas.salguero

Comment 2 Nicolas Lécureuil 2020-12-30 20:08:20 CET
Fixed in cauldron.

Package pushed in mga7:

src:
    matio-1.5.16-1.2.mga7

Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
Assignee: geiger.david68210 => qa-bugs

Comment 3 David Walser 2020-12-30 23:58:24 CET
Advisory:
========================

Updated matio packages fix security vulnerability:

A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because
SafeMulDims does not consider the rank==0 case (CVE-2019-20052).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20052
========================

Updated packages in core/updates_testing:
========================
matio-1.5.16-1.2.mga7
libmatio9-1.5.16-1.2.mga7
libmatio-devel-1.5.16-1.2.mga7

from matio-1.5.16-1.2.mga7.src.rpm

Status comment: Patch available from upstream => (none)

Comment 4 Len Lawrence 2021-01-01 19:00:53 CET
mga7, x86_64

CVE-2019-20052
https://github.com/tbeu/matio/issues/131
$ matdump 006-memleak 
InflateRankDims: inflate returned data error
InflateVarNameTag: inflate returned data error
Empty
InflateRankDims: Reading dimensions expected type MAT_T_INT32
InflateRankDims: Reading dimensions expected type MAT_T_INT32
      Name: 
      Rank: 0
InflateRankDims: inflate returned data error
Segmentation fault (core dumped)

Updated packages.
$ rpm -q matio
matio-1.5.16-1.2.mga7

$ matdump 006-memleak 
InflateRankDims: inflate returned data error
InflateVarNameTag: inflate returned data error
Empty
InflateRankDims: Reading dimensions expected type MAT_T_INT32
      Name: 
      Rank: 0
InflateRankDims: inflate returned data error
Segmentation fault (core dumped)

There is only a minor difference which gives the impression that the patch does not work.  Upstream had difficulty verifying the fix or even the issue.

So, what do we do in a case like this - just carry on regardless?
I probably shall anyway.

CC: (none) => tarazed25

Comment 5 David Walser 2021-01-01 20:31:18 CET
Someone needs to tell upstream that it's not fixed.

Whiteboard: (none) => feedback

Len Lawrence 2021-01-02 00:51:12 CET

Whiteboard: feedback => (none)
Keywords: (none) => feedback

Comment 6 Aurelien Oudelet 2021-02-04 18:58:38 CET
Upstream BR is closed since Dec. 2019!

Source RPM: matio-1.5.17-3.mga8.src.rpm => matio-1.5.16-1.1.mga7.src.rpm
CC: (none) => ouaurelien

Comment 7 Aurelien Oudelet 2021-02-19 10:37:51 CET
Re ping. We should fix this.
@Packager can you take a look?
Aurelien Oudelet 2021-03-01 17:12:14 CET

Status: NEW => NEEDINFO

Aurelien Oudelet 2021-03-01 17:12:49 CET

Status: NEEDINFO => NEW
