Bug 30114 - shapelib new security issue CVE-2022-0699
Summary: shapelib new security issue CVE-2022-0699
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-03-03 22:24 CET by David Walser
Modified: 2022-03-11 09:52 CET (History)
CC List: 5 users

See Also:
Source RPM: shapelib-1.5.0-2.mga8.src.rpm
CVE: CVE-2022-0699
Status comment:



Description David Walser 2022-03-03 22:24:14 CET
openSUSE has issued an advisory today (March 3):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6B3VSER4WPCPULJGLJVI75SE2NKX4RQH/

Mageia 8 is also affected.
David Walser 2022-03-03 22:24:37 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and openSUSE

Comment 1 Nicolas Salguero 2022-03-07 13:56:47 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Double-free vulnerability in contrib/shpsort.c. (CVE-2022-0699)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0699
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6B3VSER4WPCPULJGLJVI75SE2NKX4RQH/
========================

Updated packages in core/updates_testing:
========================
lib(64)shp2-1.5.0-2.1.mga8
lib(64)shp-devel-1.5.0-2.1.mga8
shapelib-1.5.0-2.1.mga8

from SRPM:
shapelib-1.5.0-2.1.mga8.src.rpm

Version: Cauldron => 8
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status comment: Patches available from upstream and openSUSE => (none)
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2022-0699

Comment 2 Len Lawrence 2022-03-07 17:48:55 CET
mga8, x64

AFAIK from the XML documentation, shapelib is a developer's tool to overcome the rectangular bias of Xlib; i.e. to provide curves and circles, shadows and other things.

whatrequires lists gnudl, gpsbabel, marble, and roadmap as needing the shp2 library, but before updating, an strace of marble did not indicate that shp2 was involved in running it.  Might depend on circumstances.

Updated the three packages and tried marble again, Earth view - open street map and atlas.  Toured Apollo sites on the moon.  The trace did not indicate any direct use of the lib64shp2 library.  Tried the open street map view in marble and printed out a map of a section of Copenhagen.  Still nothing in the trace.  However, marble is definitely working without regressions.

plplot might be a better bet but don't know how to use it.  roadmap probably needs a GPS device - none available.

Leaving this as it stands.  Inclined to assign OK but maybe somebody else would like a shot?

CC: (none) => tarazed25
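
The check Len describes in Comment 2 (does a reverse dependency such as marble actually load the patched library while it is being exercised?) can be made mechanical. The script below is an added example for this bug page; it is not code from the report, from Mageia QA, or from the shapelib project. It answers the question from the two sources a tester has on a Mageia box: the output of `strace -f -e trace=openat` and the process's `/proc/PID/maps`. The PID, the paths and both sample files are constructed for the demonstration; the library file name `libshp.so.2` is assumed from the lib64shp2 package name.

```shell
#!/bin/sh
# Added example (not from the bug report, Mageia QA or shapelib): decide whether a
# traced or running process really uses a given shared library, instead of eyeballing
# a long strace. Sample data below is constructed; PID 12345 and the paths are made up.

# lib_opened_in_trace TRACE_FILE LIBNAME
# Print the openat() calls on LIBNAME that succeeded (a non-negative fd was returned);
# exit status 0 if at least one was found, 1 otherwise. Failed probes
# (" = -1 ENOENT ...") are ignored on purpose: the dynamic loader tries several
# directories before it finds the library, and those misses prove nothing.
lib_opened_in_trace() {
    grep -E "openat\(.*/$2[^\"]*\".*\) = [0-9]+\$" "$1"
}

# lib_in_maps MAPS_FILE LIBNAME
# Print the distinct mapped paths matching LIBNAME from a /proc/PID/maps file
# (field 6 is the backing path); exit status 0 if any were found, 1 otherwise.
lib_in_maps() {
    awk -v lib="$2" '$6 ~ lib && !seen[$6]++ { found = 1; print $6 } END { exit !found }' "$1"
}

# Constructed sample data: a process that loads libshp.so.2 after one failed probe,
# plus a maps file for the same process. Real inputs come from
#   strace -f -e trace=openat -o marble.trace marble
#   /proc/$(pidof marble)/maps
SAMPLE_TRACE=$(mktemp)
SAMPLE_MAPS=$(mktemp)
trap 'rm -f "$SAMPLE_TRACE" "$SAMPLE_MAPS"' EXIT
cat > "$SAMPLE_TRACE" <<'EOF'
12345 openat(AT_FDCWD, "/usr/lib64/libmarblewidget-qt5.so.28", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/usr/lib64/qt5/plugins/libshp.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
12345 openat(AT_FDCWD, "/usr/lib64/libshp.so.2", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/home/tester/.local/share/marble/data/placemarks/cityplacemarks.cache", O_RDONLY) = 25
EOF
cat > "$SAMPLE_MAPS" <<'EOF'
7f2a1c000000-7f2a1c021000 r--p 00000000 08:02 1310720                    /usr/lib64/libshp.so.2
7f2a1c021000-7f2a1c045000 r-xp 00021000 08:02 1310720                    /usr/lib64/libshp.so.2
7f2a1c200000-7f2a1c3a0000 r-xp 00000000 08:02 1310880                    /usr/lib64/libmarblewidget-qt5.so.28
7ffd5e3c0000-7ffd5e3e1000 rw-p 00000000 00:00 0                          [stack]
EOF

# Stand-alone run: the exit status of each check is what the tester records.
if lib_opened_in_trace "$SAMPLE_TRACE" libshp.so >/dev/null; then
    echo "trace: libshp.so was opened by the traced process"
else
    echo "trace: libshp.so was never successfully opened"
fi
lib_in_maps "$SAMPLE_MAPS" libshp.so
```

To list the candidates to exercise, `urpmq --whatrequires lib64shp2` gives the same set Len quotes. One caveat worth keeping in mind with this kind of check: a program that reaches the library only through a plugin loaded with dlopen() on demand will show nothing in either source until that feature is actually used, so a clean trace after a short session does not by itself prove the updated library was never exercised, which is the "might depend on circumstances" in the comment above.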

Len Lawrence 2022-03-09 19:20:04 CET

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-03-09 21:48:08 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-03-11 01:42:25 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-03-11 09:52:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0096.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

