30391 – gerbv new security issue CVE-2021-40403

Bug 30391 - gerbv new security issue CVE-2021-40403

Summary: gerbv new security issue CVE-2021-40403

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-05-07 21:32 CEST by David Walser
Modified:	2022-05-12 12:26 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	gerbv-2.7.0-3.mga8.src.rpm
CVE:	CVE-2021-40403
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-05-07 21:32:06 CEST

Fedora has issued an advisory today (May 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PTGBC37N2FV7NKOWFVCFMPAFYEPHSB7C/

Mageia 8 is also affected.

Comment 1 David Walser 2022-05-07 21:32:43 CEST

Apparently fixed upstream in 2.8.2 (new upstream).

Status comment: (none) => Fixed upstream in 2.8.2
Whiteboard: (none) => MGA8TOO

Comment 2 Nicolas Salguero 2022-05-09 13:12:02 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

An information disclosure vulnerability exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0. A specially-crafted pick-and-place file can exploit the missing initialization of a structure to leak memory contents. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-40403)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40403
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PTGBC37N2FV7NKOWFVCFMPAFYEPHSB7C/
========================

Updated packages in core/updates_testing:
========================
gerbv-2.7.0-3.1.mga8
gerbv-examples-2.7.0-3.1.mga8
lib(64)gerbv1-2.7.0-3.1.mga8
lib(64)gerbv-devel-2.7.0-3.1.mga8

from SRPM:
gerbv-2.7.0-3.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
CVE: (none) => CVE-2021-40403
Source RPM: gerbv-2.7.0-4.mga9.src.rpm => gerbv-2.7.0-3.mga8.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.8.2 => (none)
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2022-05-11 10:56:32 CEST

MGA8-64 Plasma on Lenovo B50
No installation issues, not installing the devel, since that one would draw in a large number of other devel stuff.
Run gerbv, open an example as provided by the package: /usr/share/gerbv/example/amacro-ref/full-ex.grb and I could deisplay the properties of two of the objects in it.
Works OK as far ass I can see.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-05-11 14:22:03 CEST

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-11 23:28:37 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-05-12 12:26:18 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0176.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.