Bug 30364 - libcaca new security issue CVE-2022-0856
Summary: libcaca new security issue CVE-2022-0856
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-02 20:22 CEST by David Walser
Modified: 2022-05-12 12:26 CEST

See Also:
Source RPM: libcaca-0.99-0.beta19.10.mga9.src.rpm
CVE: CVE-2022-0856
Status comment:



Description David Walser 2022-05-02 20:22:04 CEST
openSUSE has issued an advisory on April 29:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PUXQNAUH2W6TRXYZGBDFHQTMXINVMOJB/

Mageia 8 is also affected.
David Walser 2022-05-02 20:22:20 CEST

Status comment: (none) => Patch available from openSUSE
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-05-07 20:28:14 CEST
This SRPM has been updated by different people, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-05-09 13:43:39 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service. (CVE-2022-0856)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0856
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PUXQNAUH2W6TRXYZGBDFHQTMXINVMOJB/
========================

Updated packages in core/updates_testing:
========================
caca-utils-0.99-0.beta19.5.3.mga8
lib(64)caca0-0.99-0.beta19.5.3.mga8
lib(64)caca-devel-0.99-0.beta19.5.3.mga8
python3-caca-0.99-0.beta19.5.3.mga8
ruby-caca-0.99-0.beta19.5.3.mga8

from SRPM:
libcaca-0.99-0.beta19.5.3.mga8.src.rpm

CVE: (none) => CVE-2022-0856
Status comment: Patch available from openSUSE => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED

Comment 3 Thomas Andrews 2022-05-10 02:21:09 CEST
Tested in a VirtualBox MGA8 Plasma guest. No installation issues.

Tried cacaview and cacafire, as outlined in Bug 24208 Comment 8. Both seemed to work. In Bug 29575, it was suggested that rather than its own built-in utilities, testers should try something that uses the library. After looking into it, I decided to try toilet.

Toilet (“The Other Implementation’s letters”) is a fun yet mostly useless command that takes small text input and outputs it as large ASCII art text in the terminal:

$ toilet Mageia
                                          
 m    m                        "          
 ##  ##  mmm    mmmm   mmm   mmm     mmm  
 # ## # "   #  #" "#  #"  #    #    "   # 
 # "" # m"""#  #   #  #""""    #    m"""# 
 #    # "mm"#  "#m"#  "#mm"  mm#mm  "mm"# 
                m  #                      
                 ""                       

There are special color and rotating effects available, too. I tried them, and they work, but I'm not sure they would reproduce well here. (Probably just as well.)

OKing this and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-11 23:58:56 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-05-12 12:26:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0172.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
