Ubuntu has issued an advisory today (October 21): https://ubuntu.com/security/notices/USN-5119-1 Mageia 8 is also affected.
Status comment: (none) => Patches available from Ubuntu and upstream
Whiteboard: (none) => MGA8TOO
This SRPM has no registered maintainer, and has been committed by various packagers, so having to assign the bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A flaw was found in libcaca. A heap buffer overflow in export.c in function export_tga might lead to memory corruption and other potential consequences. (CVE-2021-30498)

A flaw was found in libcaca. A buffer overflow of export.c in function export_troff might lead to memory corruption and other potential consequences. (CVE-2021-30499)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30499
https://ubuntu.com/security/notices/USN-5119-1
========================

Updated packages in core/updates_testing:
========================
caca-utils-0.99-0.beta19.5.2.mga8
lib(64)caca0-0.99-0.beta19.5.2.mga8
lib(64)caca-devel-0.99-0.beta19.5.2.mga8
python3-caca-0.99-0.beta19.5.2.mga8
ruby-caca-0.99-0.beta19.5.2.mga8

from SRPM:
libcaca-0.99-0.beta19.5.2.mga8.src.rpm
Status comment: Patches available from Ubuntu and upstream => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-30498, CVE-2021-30499
Assignee: pkg-bugs => qa-bugs
MGA8-64 Plasma on Lenovo B50
No real installation issues.
The text displayed in MCC for caca-utils needs to be updated since it refers to cacaball and cacamoir and cacaplas which are not provided.
Tried some commands that work OK:
cacaview P5211854.gif displays recognizable image on the terminal
cacafire and cacademo do OK.
$ caca-config --version
0.99.beta19
but
$ cacaclock
Could not open font
and
$ man cacaaclock
There is no page on cacaclock
So I'm in the dark what this font thingie really is.
If it can be confirmed that the "missing" commands mentioned above really should not be there, I will not object to the OK.
CC: (none) => herman.viaene
I wouldn't worry about its own built-in commands. Try something that uses the library. I believe mplayer can use it for one of its ASCII art output options.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0496.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED