Bug 30192 - libpano13 new security issue CVE-2021-33293
Summary: libpano13 new security issue CVE-2021-33293
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-03-21 21:39 CET by David Walser
Modified: 2022-03-24 10:04 CET (History)
4 users (show)

See Also:
Source RPM: libpano13-2.9.20-1.mga8.src.rpm
CVE: CVE-2021-33293
Status comment:


Description David Walser 2022-03-21 21:39:18 CET
Debian-LTS has issued an advisory on March 20:

Mageia 8 is also affected.
David Walser 2022-03-21 21:39:36 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and Debian

Comment 1 Lewis Smith 2022-03-22 20:50:26 CET
Different packagers have dealt with this, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-03-23 15:11:30 CET
Suggested advisory:

The updated packages fix a security vulnerability:

Panorama Tools libpano13 v2.9.20 was discovered to contain an out-of-bounds read in the function panoParserFindOLine() in parser.c. (CVE-2021-33293)


Updated packages in core/updates_testing:

from SRPM:

Status comment: Patches available from upstream and Debian => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-33293
Source RPM: libpano13-2.9.20-1.mga9.src.rpm => libpano13-2.9.20-1.mga8.src.rpm

Comment 3 Thomas Andrews 2022-03-23 19:28:50 CET
There are both core and tainted versions of these packages. My Qarepo is only finding updates for the core packages. Is that my error, or was something missed?

CC: (none) => andrewsfarm

Comment 4 Dave Hodgins 2022-03-23 20:26:28 CET
Doesn't look like the tainted version was built.
http://pkgsubmit.mageia.org/ only shows the core version.

CC: (none) => davidwhodgins
Keywords: (none) => feedback

Comment 5 Nicolas Salguero 2022-03-23 21:14:16 CET
Yes, sorry, I missed that there is a tainted version too.

Updated packages in tainted/updates_testing:

from SRPM:
Nicolas Salguero 2022-03-23 21:15:43 CET

Keywords: feedback => (none)

Comment 6 Thomas Andrews 2022-03-23 22:04:09 CET
Mga8-64 Plasma, i5-2500, Intel graphics.

Referenced Bug 28997 for testing, using the Hugin panorama creator. For that bug I had last used Hugin years ago, probably back in Mandriva, as the test photos I used date back to before Mageia. Hugin had changed a great deal. This time, before testing I consulted that great repository of information, Youtube, for a basic tutorial on using the more recent Hugin.

Used qarepo to update to the core packages of libpano, with no installation issues. Ran Hugin and stitched together 8 images of Lake Champlain, taken from the summit of Mount Defiance, near Ticonderoga, NY, USA. Armed with my new knowledge, I did a much better job this time - except that for some inexplicable reason the resulting panorama was upside down. It was easily rotated using Gwenview, so I'm not going to block this update while I try to figure out why it happened. Probably user error, but I don't know where.

Giving the tainted version some time to show up on my preferred mirror before testing. It's not there yet.
Comment 7 Thomas Andrews 2022-03-23 23:30:33 CET
No installation issues with the tainted version, either.

Attempted the same panorama as in Comment 6, but this time extra features seemed to make it harder to accomplish. At least it was right-side up this time, though a "tip" that showed when I started Hugin let me know how I could have righted the image in the previous test. I played with it for a while, trying this and that with no errors, but the end result this time wasn't as good as the one with the core packages had been. As before, I believe the problem is user error, rather than a problem with the update.

Giving this an OK, and validating. Advisory in Comment 2, with tainted information in Comment 5.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-03-24 00:42:41 CET

Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-03-24 10:04:11 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.