Debian-LTS has issued an advisory on April 13: https://www.debian.org/lts/security/2021/dla-2624 The issues are fixed upstream in 2.9.20 (final release). Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 2.9.20
CC: (none) => geiger.david68210
Done for Cauldron, mga8 and mga7!
So you win the prize! Assigning to you.
Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)
Fedora has issued an advisory for this on April 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JE6YZSXNVD6WZ3AG3ENL2DIHQFF24LYX/
Updated packages in core *and tainted* updates_testing:

libpano13-tools-2.9.20-1.mga7
libpano13_3-2.9.20-1.mga7
libpano13-devel-2.9.20-1.mga7
libpano13_3-2.9.20-1.mga8
libpano13-tools-2.9.20-1.mga8
libpano13-devel-2.9.20-1.mga8

from SRPMS:
libpano13-2.9.20-1.mga7.src.rpm
libpano13-2.9.20-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Fixed upstream in 2.9.20 => (none)
A look back at previous update bugs referencing libpano revealed that it almost always involved Hugin, a panorama stitcher. Hugin was already installed on my MGA7 test system, as was the tainted version of libpano13-tools. Using qarepo, I updated libpano13-tools to the core version, then ran Hugin and used it to stitch together a series of photos of Lake Champlain taken from the top of Mount Defiance, near Ticonderoga, New York. Then I again updated libpano13-tools, this time to the tainted version, and again stitched together separate copies of the same photos, again successfully. This is OK for mga7 64-bit.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => andrewsfarm
Performed the same tests in mga8. While the results were different, it appeared to me that was from user error, rather than from anything due to the update package. It's been a while since I used Hugin, and it has become much more complicated, with many possible settings, and it's quite possible that the defaults don't work with this series of photos as they once did. I did not see any errors during processing, so I'm going to give this an mga8 OK, and validate.
CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
Advisory:
========================

Updated libpano13 packages fix a security vulnerability:

Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20.rc2 and earlier can lead to read and write arbitrary memory values (CVE-2021-20307).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28997
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20307
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JE6YZSXNVD6WZ3AG3ENL2DIHQFF24LYX/
- https://www.debian.org/lts/security/2021/dla-2624
========================

For Mageia 7:

Updated packages in 7/core/updates_testing:
========================
libpano13-tools-2.9.20-1.mga7
lib(64)pano13_3-2.9.20-1.mga7
lib(64)pano13-devel-2.9.20-1.mga7

from SRPMS:
libpano13-2.9.20-1.mga7.src.rpm
========================

Updated packages in 7/tainted/updates_testing:
========================
libpano13-tools-2.9.20-1.mga7.tainted
lib(64)pano13_3-2.9.20-1.mga7.tainted
lib(64)pano13-devel-2.9.20-1.mga7.tainted

from SRPM:
libpano13-2.9.20-1.mga7.tainted.src.rpm
================================================

For Mageia 8:

Updated packages in 8/core/updates_testing:
========================
libpano13_3-2.9.20-1.mga8
lib(64)pano13-tools-2.9.20-1.mga8
lib(64)pano13-devel-2.9.20-1.mga8

from SRPM:
libpano13-2.9.20-1.mga8.src.rpm
========================

Updated packages in 8/tainted/updates_testing:
========================
lib(64)pano13-devel-2.9.20-1.mga8.tainted
lib(64)pano13_3-2.9.20-1.mga8.tainted
libpano13-tools-2.9.20-1.mga8.tainted

from SRPM:
libpano13-2.9.20-1.mga8.tainted.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-20307
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0230.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED