29577 – gfbgraph new security issue CVE-2021-39358

Bug 29577 - gfbgraph new security issue CVE-2021-39358

Summary: gfbgraph new security issue CVE-2021-39358

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-10-22 00:08 CEST by David Walser
Modified:	2021-12-02 17:50 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	gfbgraph-0.2.4-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-10-22 00:08:54 CEST

Fedora has issued an advisory on October 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UYI47UX6S5PAOWVWQ2KID64MCTXTH7SE/

Mageia 8 is also affected.

David Walser 2021-10-22 00:09:18 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Lewis Smith 2021-10-23 20:59:17 CEST

This is good for assigning to Olav, who maintains it.

Assignee: bugsquad => olav

Comment 2 Nicolas Lécureuil 2021-11-22 23:30:41 CET

fixed in cauldron.

src:
    - gfbgraph-0.2.4-1.1.mga8

CC: (none) => mageia, olav
Version: Cauldron => 8
Assignee: olav => qa-bugs
Status comment: Patch available from Fedora => (none)
Whiteboard: MGA8TOO => (none)

Comment 3 David Walser 2021-11-22 23:34:09 CET

libgfbgraph0.2_0-0.2.4-1.1.mga8
libgfbgraph-gir0.2-0.2.4-1.1.mga8
libgfbgraph-devel-0.2.4-1.1.mga8

from gfbgraph-0.2.4-1.1.mga8.src.rpm

Comment 4 Thomas Andrews 2021-11-24 00:44:47 CET

These appear to be Gnome libraries. I'm not a Gnome user, but gave it a shot, anyway, using a VirtualBox guest. Used qarepo to update the packages, with no installation issues.

libgfbgraph0.2_0 is used by Gnome Online Accounts for logging onto Facebook, and is the subject of the advisory in Comment 0. Unfortunately, both before and after the update, when I tried to use GOA to log onto my Facebook account I got back a notice that the app wasn't set up, and my user wasn't authorized to use it, anyway. I don't have a clue about where to go from there.

libgfbgraph-gir0.2 is used by Gnome Maps. I did better here. I was able to run Maps, pinpoint my address, and get directions to various places, with times for driving, riding a bicycle, and walking. I don't trust the walking time, though. The app said I could walk from my house to the local fueling station/lunch counter, a distance of two miles, in 35 minutes. But, with the route being all uphill, and me a lifelong resident of the community, in reality if I were to attempt such a feat one of my neighbors would probably stop and offer me a ride before I got very far, and I would arrive far sooner.

But anyway, Maps seems to be working as designed. I could give this an OK based on that and a clean install, but it would be better if someone more familiar with Gnome Online Accounts, and with a Facebook account, would give this a try.

CC: (none) => andrewsfarm

Comment 5 David Walser 2021-11-24 02:50:07 CET

Your Maps story has me dying laughing :D

Comment 6 Thomas Andrews 2021-11-27 15:07:37 CET

Sending this on. Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2021-12-01 22:06:06 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2021-12-02 17:50:39 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0530.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.