Fedora has issued an advisory today (May 2): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SEQGDVH43YW7AG7TRU2CTU5TMIYP27WP/ assimp and zxing-cpp are also affected. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Patch available from Fedora
No regular maintainer, so assigning globally.
Assignee: bugsquad => pkg-bugs
Blender also affected: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHTD76NDEN77KCPI3XGGK2VVSA25WWEG/
Summary: curaengine, assimp, zxing-cpp new security issue CVE-2022-28041 => curaengine, assimp, zxing-cpp, blender new security issue CVE-2022-28041Source RPM: curaengine-4.12.1-2.mga9.src.rpm, assimp-5.2.2-3.mga9.src.rpm, zxing-cpp-1.2.0-3.mga9.src.rpm => curaengine-4.12.1-2.mga9.src.rpm, assimp-5.2.2-3.mga9.src.rpm, zxing-cpp-1.2.0-3.mga9.src.rpm, blender-2.93.7-2.mga9.src.rpm
Fedora has issued an advisory for zxing-cpp today (May 7): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2G6JJJQ5JABTPF5H2L5FQGLILYLIGPW6/
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30413
After checking, I can say that: - for Cauldron, only blender is affected; - for Mageia 9, only curaengine and blender are affected.
CC: (none) => nicolas.salgueroWhiteboard: MGA8TOO => MGA9TOO
Suggested advisory: ======================== The updated packages fix a security vulnerability: stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. (CVE-2022-28041) References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SEQGDVH43YW7AG7TRU2CTU5TMIYP27WP/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHTD76NDEN77KCPI3XGGK2VVSA25WWEG/ ======================== Updated packages in core/updates_testing: ======================== blender-3.3.8-1.1.mga9 curaengine-4.12.1-3.1.mga9 from SRPMS: blender-3.3.8-1.1.mga9.src.rpm curaengine-4.12.1-3.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)Version: Cauldron => 9Status: NEW => ASSIGNEDSource RPM: curaengine-4.12.1-2.mga9.src.rpm, assimp-5.2.2-3.mga9.src.rpm, zxing-cpp-1.2.0-3.mga9.src.rpm, blender-2.93.7-2.mga9.src.rpm => curaengine-4.12.1-3.mga9.src.rpm, blender-3.3.8-1.mga9.src.rpmStatus comment: Patch available from Fedora => (none)CVE: (none) => CVE-2022-28041Assignee: pkg-bugs => qa-bugs
MGA9-64 Plasma Wayland on HP-Pavillion No installation issues. For curaengine got no farther than in bug 29622 getting the CuraEngine help to display its options. For blender: opened up a new set, got a cube object for free, and was able to resize, move and rotate it. I got no further, but at least it works. Giving the OK, unless someone else has a better knowledge of this tool.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Keywords: (none) => advisory
@Herman: I can remember trying to work with blender for another update some time ago. I don't remember details, but I do remember that I didn't get much farther than you did. Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
For blender there is no reason to still stuck with 3.3.8. There is a LTS with all the fixes, and fixes also several further crashes. Better to update directly to 3.3.16. https://www.blender.org/download/lts/3-3/
CC: (none) => ghibomgx
Whiteboard: MGA9-64-OK => (none)Keywords: advisory, validated_update => (none)Assignee: qa-bugs => nicolas.salguero
Suggested advisory: ======================== The updated packages fix a security vulnerability: stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. (CVE-2022-28041) References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SEQGDVH43YW7AG7TRU2CTU5TMIYP27WP/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHTD76NDEN77KCPI3XGGK2VVSA25WWEG/ ======================== Updated packages in core/updates_testing: ======================== blender-3.3.16-1.mga9 curaengine-4.12.1-3.1.mga9 from SRPMS: blender-3.3.16-1.mga9.src.rpm curaengine-4.12.1-3.1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs
BTW, in case of help to get the updated blender source code there is the script in SOURCES/ called get_git_blender-3.3_and_build_tgz.sh which needs to be bumped to the current version in the var BLENDER_VER=...; it will retrieve the source code (and fixes also the internal .h files because the internal code would use git otherwise), updated to the current version (+ patches).
I hate to make this but look the last version 3.3.17 is published today
If it doesn't fix any more security issues, it needn't hold up this update.
(In reply to David Walser from comment #12) > If it doesn't fix any more security issues, it needn't hold up this update. If I understand is just bugfix, fine
To all testers, please redo your test to validate again this update
RH mageia x86_64 LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing blender-3.3.16-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ###################################################################################### 1/1: blender ###################################################################################### 1/1: removing blender-3.3.8-1.mga9.x86_64 ###################################################################################### writing /var/lib/rpm/installed-through-deps.list The application start right, but Is hard to use for me, maybe latter see a tutorial
RH mageia 9 x86_64 LC_ALL=C urpmi curaengine To satisfy dependencies, the following packages are going to be installed: Package Version Release Arch (medium "QA Testing (64-bit)") curaengine 4.12.1 3.1.mga9 x86_64 (medium "Core Release (distrib1)") lib64arcus3 4.12.0 4.mga9 x86_64 lib64polyclipping22 6.4.2 4.mga9 x86_64 5MB of additional disk space will be used. 2.2MB of packages will be retrieved. Proceed with the installation of the 3 packages? (Y/n) Y https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64arcus3-4.12.0-4.mga9.x86_64.rpm https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64polyclipping22-6.4.2-4.mga9.x86_64.rpm installing /var/cache/urpmi/rpms/lib64arcus3-4.12.0-4.mga9.x86_64.rpm /var/cache/urpmi/rpms/lib64polyclipping22-6.4.2-4.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/curaengine-4.12.1-3.1.mga9.x86_64.rpm Preparing... ###################################################################################### 1/3: lib64polyclipping22 ###################################################################################### 2/3: lib64arcus3 ###################################################################################### 3/3: curaengine ######################################################################################
Following the previous criteria and validating
Whiteboard: (none) => MGA9-64-OKKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0088.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED