Bug 30430 - supertux, squirrel new security issue CVE-2022-30292
Summary: supertux, squirrel new security issue CVE-2022-30292
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-14 18:26 CEST by David Walser
Modified: 2022-05-25 20:47 CEST
CC List: 8 users

See Also:
Source RPM: supertux-0.6.2-8.mga9.src.rpm, squirrel-3.2-1.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-05-14 18:26:24 CEST
Fedora has issued an advisory today (May 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WBUYGYXDQX3OSAYHP4TCG3JS7PJTIE75/

It also affects the squirrel package.

Mageia 8 is also affected.
David Walser 2022-05-14 18:26:49 CEST

Status comment: (none) => Patches available from upstream and Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2022-05-17 13:13:24 CEST
Assigning to the supertux maintainer, CC'ing the squirrel maintainer

CC: (none) => marja11, matteo.pasotti
Assignee: bugsquad => rverschelde

Nicolas Lécureuil 2022-05-18 10:04:17 CEST

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 David Walser 2022-05-18 18:28:05 CEST
What Nicolas meant to say was he patched this in Cauldron in:
squirrel-3.2-2.mga9
supertux-0.6.2-9.mga9

For Mageia 8, squirrel has been patched, but supertux is pending.

libsquirrel0-3.1-2.1.mga8
squirrel-3.1-2.1.mga8
libsquirrel-devel-3.1-2.1.mga8

from squirrel-3.1-2.1.mga8.src.rpm
Comment 3 Nicolas Lécureuil 2022-05-19 21:52:09 CEST
Fixed supertux just pushed into mga8.

Status comment: Patches available from upstream and Fedora => (none)
Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde

Comment 4 David Walser 2022-05-20 02:52:32 CEST
supertux-0.6.2-4.1.mga8
supertux-data-0.6.2-4.1.mga8

from supertux-0.6.2-4.1.mga8.src.rpm
Comment 5 Len Lawrence 2022-05-23 09:20:08 CEST
mga8, x64

squirrel is a programming language aimed at video game developers.
http://www.squirrel-lang.org/
Not much QA can do with this without getting involved in programming.
It updates cleanly anyway, as does supertux.
Played the game but did not get very far - the functions I tried worked as far
as I could tell.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-05-23 14:06:02 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-25 02:33:35 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-05-25 20:47:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0204.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

