+++ This bug was initially created as a clone of Bug #27969 +++

A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20052

Fix is here: https://github.com/tbeu/matio/commit/a47b7cd3aca70e9a0bddf8146eb4ab0cbd19c2c3
Upstream reference: https://github.com/tbeu/matio/issues/131

According to our testing the issue is not actually fixed: https://bugs.mageia.org/show_bug.cgi?id=27969#c4
This needs to be reported upstream.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Incomplete fix needs to be reported upstream
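As an added illustration (constructed here, not matio's code and not the upstream fix), the shape of the rank==0 defect described above beside a hardened element-count helper; the function names and the sample dims are assumptions:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not matio's code.  A MAT variable's element
 * count is the product of dims[0..rank); both helpers return 0 on success
 * and -1 when that product would overflow size_t. */

/* Flawed shape: for rank == 0 the loop never runs, the empty product leaves
 * *nelems == 1, and a Mat_VarCalloc-style caller allocates one element for
 * a variable that has no data; nothing later owns that buffer, so it leaks. */
static int mul_dims_flawed(const size_t *dims, int rank, size_t *nelems)
{
    *nelems = 1;
    for (int i = 0; i < rank; i++) {
        if (dims[i] != 0 && *nelems > SIZE_MAX / dims[i]) return -1;
        *nelems *= dims[i];
    }
    return 0;
}

/* Hardened shape: rank <= 0 is an empty variable with zero elements, so the
 * caller allocates nothing; overflow is still rejected. */
static int mul_dims_safe(const size_t *dims, int rank, size_t *nelems)
{
    size_t n = 1;
    *nelems = 0;
    if (rank <= 0) return 0;                 /* empty variable: nothing to allocate */
    for (int i = 0; i < rank; i++) {
        if (dims[i] != 0 && n > SIZE_MAX / dims[i]) return -1;
        n *= dims[i];
    }
    *nelems = n;
    return 0;
}

/* Bytes a calloc-style caller would request.  0 means "allocate nothing",
 * covering the empty variable, a rejected overflow and a zero-sized dim. */
static size_t alloc_bytes(int (*mul)(const size_t *, int, size_t *),
                          const size_t *dims, int rank, size_t data_size)
{
    size_t nelems;
    if (mul(dims, rank, &nelems) != 0) return 0;
    if (data_size != 0 && nelems > SIZE_MAX / data_size) return 0;
    return nelems * data_size;
}

/* Constructed sample dims: the 2x4x5 array from the 3d.c test later in this
 * bug, and a pair whose product overflows size_t. */
static const size_t dims_3d[3] = { 2, 4, 5 };
static const size_t dims_huge[2] = { SIZE_MAX, 2 };
```

With int32 data (4 bytes) the flawed helper requests 4 bytes for a rank-0 variable while the hardened one requests none; both reject the overflowing pair.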
That earlier bug's update is ready to push, blocked by this new one - which reiterates the need to report the fault (ineffective fix) upstream. Who does this? I just have - by appending to their bug (131), which is currently closed. I do not know whether to leave this with Bugsquad, or assign to packagers; with its UPSTREAM status.
Status: NEW => UPSTREAM
Blocks: 27969 => (none)
Assigning globally.
Assignee: bugsquad => pkg-bugs
CC: (none) => ouaurelien
Fixed in mga9
Status: UPSTREAM => NEW
CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => (none)
New version pushed in mga8 src:
- matio-1.5.21-1.mga8
Status comment: Incomplete fix needs to be reported upstream => (none)
Assignee: pkg-bugs => qa-bugs
We'll have to see if it's actually fixed.

matio-1.5.21-1.mga8
libmatio-devel-1.5.21-1.mga8
libmatio11-1.5.21-1.mga8

from matio-1.5.21-1.mga8.src.rpm
mga8, x64

Installed the latest core packages and checked the PoC again:

$ matdump 006-memleak
InflateRankDims: inflate returned data error
InflateVarTag: inflate returned data error
Empty
InflateRankDims: Reading dimensions expected type MAT_T_INT32
Name:
Rank: 0
InflateRankDims: inflate returned data error
Segmentation fault (core dumped)

Tried updating with qarepo. Not on my chosen mirror yet. Trying later.
Assuming that rpms are for instance: matio-1.5.21-1.mga8.x86_64.rpm .....
CC: (none) => tarazed25
Updated the three packages.

$ matdump 006-memleak
Inflate: inflate returned data error

That is a clean result so looks like it is fixed.

$ urpmq --whatrequires-recursive lib64matio11
lib64matio-devel
lib64matio11
matio

No more scilab. Cannot find it either. Back to this later.
We had scilab in Mageia 7 so maybe it is in Cauldron?
Scilab was dropped.
ACK
Modified the 3d.c file used in bug 26883, which does not do very much but exercises matio.

#include <stdio.h>
#include <matio.h>
#include <matio_pubconf.h>

int main()
{
    const int first = 2, second = 4, third = 5;
    int array3d[2][4][5] = { 0 };

    // fill 3d array
    for (int i = 0; i < first; i++)
        for (int j = 0; j < second; j++)
            for (int k = 0; k < third; k++)
                array3d[i][j][k] = (i + 1) * (j + 1) * (k + 1);

    // write
    const char *fieldname3d = "array3d";
    const char *filename = "myfile.mat";
    mat_t *matfp = NULL; // matfp contains pointer to MAT file or NULL on failure
    matfp = Mat_CreateVer(filename, NULL, MAT_FT_MAT5); // or MAT_FT_MAT4 / MAT_FT_MAT73
    if (matfp == NULL) {
        fprintf(stderr, "Mat_CreateVer failed for %s\n", filename);
        return 1;
    }
    // don't forget to close file with Mat_Close(matfp);
    size_t dim3d[3] = { first, second, third };
    matvar_t *variable3d = Mat_VarCreate(fieldname3d, MAT_C_INT32, MAT_T_INT32, 3, dim3d, &array3d, 0); // rank 3
    Mat_VarWrite(matfp, variable3d, MAT_COMPRESSION_NONE);
    Mat_Close(matfp);
    Mat_VarFree(variable3d);
    return 0;
}

$ gcc -o 3d 3d.c $(pkg-config --libs --cflags matio)
$ ./3d
$ file myfile.mat
myfile.mat: Matlab v5 mat-file (little endian) version 0x0100
$ ll myfile.mat
-rw-r--r-- 1 lcl lcl 360 Dec 18 21:15 myfile.mat
$ rm -f myfile.mat
$ strace -o 3d.trace ./3d
$ grep matio 3d.trace
openat(AT_FDCWD, "/lib64/libmatio.so.11", O_RDONLY|O_CLOEXEC) = 3
$

OK on the basis of this primitive test.
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0558.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED