Debian-LTS has issued an advisory on March 20: https://www.debian.org/lts/security/2022/dla-2957 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and Debian
Different packagers have dealt with this, so assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Panorama Tools libpano13 v2.9.20 was discovered to contain an out-of-bounds read in the function panoParserFindOLine() in parser.c. (CVE-2021-33293)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33293
https://www.debian.org/lts/security/2022/dla-2957
========================

Updated packages in core/updates_testing:
========================
lib(64)pano13_3-2.9.20-1.1.mga8
lib(64)pano13-devel-2.9.20-1.1.mga8
libpano13-tools-2.9.20-1.1.mga8

from SRPM:
libpano13-2.9.20-1.1.mga8.src.rpm
Status comment: Patches available from upstream and Debian => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-33293
Source RPM: libpano13-2.9.20-1.mga9.src.rpm => libpano13-2.9.20-1.mga8.src.rpm
There are both core and tainted versions of these packages. My Qarepo is only finding updates for the core packages. Is that my error, or was something missed?
CC: (none) => andrewsfarm
Doesn't look like the tainted version was built. http://pkgsubmit.mageia.org/ only shows the core version.
CC: (none) => davidwhodgins
Keywords: (none) => feedback
Yes, sorry, I missed that there is a tainted version too.

Updated packages in tainted/updates_testing:
========================
lib(64)pano13_3-2.9.20-1.1.mga8.tainted
lib(64)pano13-devel-2.9.20-1.1.mga8.tainted
libpano13-tools-2.9.20-1.1.mga8.tainted

from SRPM:
libpano13-2.9.20-1.1.mga8.tainted.src.rpm
Keywords: feedback => (none)
Mga8-64 Plasma, i5-2500, Intel graphics. Referenced Bug 28997 for testing, using the Hugin panorama creator. For that bug I had last used Hugin years ago, probably back in Mandriva, as the test photos I used date back to before Mageia. Hugin had changed a great deal. This time, before testing I consulted that great repository of information, YouTube, for a basic tutorial on using the more recent Hugin. Used qarepo to update to the core packages of libpano, with no installation issues. Ran Hugin and stitched together 8 images of Lake Champlain, taken from the summit of Mount Defiance, near Ticonderoga, NY, USA. Armed with my new knowledge, I did a much better job this time, except that for some inexplicable reason the resulting panorama was upside down. It was easily rotated using Gwenview, so I'm not going to block this update while I try to figure out why it happened. Probably user error, but I don't know where. Giving the tainted version some time to show up on my preferred mirror before testing. It's not there yet.
No installation issues with the tainted version, either. Attempted the same panorama as in Comment 6, but this time extra features seemed to make it harder to accomplish. At least it was right-side up this time, though a "tip" that showed when I started Hugin let me know how I could have righted the image in the previous test. I played with it for a while, trying this and that with no errors, but the end result this time wasn't as good as the one with the core packages had been. As before, I believe the problem is user error, rather than a problem with the update. Giving this an OK, and validating. Advisory in Comment 2, with tainted information in Comment 5.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0115.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED