Bug 29528 - plib new security issue CVE-2021-38714
Summary: plib new security issue CVE-2021-38714
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-04 21:47 CEST by David Walser
Modified: 2021-10-13 21:41 CEST

See Also:
Source RPM: plib-1.8.5-13.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-10-04 21:47:33 CEST
Debian-LTS has issued an advisory on October 2:
https://www.debian.org/lts/security/2021/dla-2775

Mageia 8 is also affected.
David Walser 2021-10-04 21:47:44 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Debian

Comment 1 Marja Van Waes 2021-10-05 22:16:20 CEST
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Comment 2 Nicolas Lécureuil 2021-10-09 00:32:32 CEST
Fix pushed in cauldron

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2021-10-09 00:37:53 CEST
pushed in mga8:

src:
     - plib-1.8.5-13.1.mga8

CC: (none) => rverschelde
Status comment: Patch available from Debian => (none)
Assignee: rverschelde => qa-bugs

Comment 4 David Walser 2021-10-09 00:49:38 CEST
libplib1-1.8.5-13.1.mga8
libplib-devel-1.8.5-13.1.mga8

from plib-1.8.5-13.1.mga8.src.rpm
Comment 5 Herman Viaene 2021-10-12 16:33:42 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Previous update was from 2012, so went my own way.
# urpmq --whatrequires lib64plib1
flightgear
flightgear
flightgear
flightgear
lib64plib-devel
lib64plib-devel
lib64plib1
lib64plib1
speed-dreams
stormbaancoureur
torcs
tux_aqfh
Selected stormbaancoureur and ran it
$ strace -o plib.txt stormbaancoureur 
Version 2.1.6-generic
Stormbaan Coureur is (c)2006-2008 by Bram Stolk
plib is (c) by Steve Baker
OpenDE is (c) by Russel L. Smith
-1x-1--1@-1
OpenGL is version 4.6 (Compatibility Profile) Mesa 21.2.3
OpenGL renderer Mesa Intel(R) HD Graphics 5500 (BDW GT2)
This platform supports all required GL extensions to do hardware accelerated shadowing.
DEBUG: ssgLoadTGA: Loading '/usr/share/games/stormbaancoureur/images/spot.tga', RGB 512x512-24 RLE.
DEBUG: ssgLoadTGA: Allocating 786432 bytes for the size 512 x 512 (null)
open() on joystick device failed: No such file or directory
Cannot open /home/tester8/.stormbaancoureur.keys
Using keyboard
Asked for 44100Hz playback rate, but got 44099Hz
soundenginealsa.cxx: period size SOLL-WERT 625, IST-WERT 625
soundenginealsa.cxx: buffer size SOLL-WERT 5000, IST-WERT 5000
Number of samples per pixel: 4

I can never get my head around those things, so opened and closed some items from the main menu. Checked the plib.txt file and found a few references to libplib. Should be good enough.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2021-10-13 03:59:42 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-13 19:55:54 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2021-10-13 21:41:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0476.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

