Bug 30540 - exo new security issue CVE-2022-32278
Summary: exo new security issue CVE-2022-32278
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-12 00:00 CEST by David Walser
Modified: 2022-06-24 22:51 CEST

See Also:
Source RPM: exo-4.16.0-1.mga8.src.rpm
CVE:
Status comment: Patch available from upstream

Description David Walser 2022-06-12 00:00:08 CEST
A security issue was fixed upstream in exo on June 6:
https://gitlab.xfce.org/xfce/exo/-/commit/cc047717c3b5efded2cc7bd419c41a3d1f1e48b6

Mageia 8 is also affected.

David Walser 2022-06-12 00:00:22 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream

Comment 1 Jani Välimaa 2022-06-18 16:14:04 CEST
Fixed in cauldron with exo-4.17.2-1.mga9.

Source RPM: exo-4.17.1-2.mga9.src.rpm => exo-4.16.0-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 Jani Välimaa 2022-06-18 16:20:23 CEST
Please test exo-4.16.0-1.1.mga8 from mga8 core/updates_testing.

SRPMS:
exo-4.16.0-1.1.mga8

RPMS:
exo-4.16.0-1.1.mga8
lib(64)exo2_0-4.16.0-1.1.mga8
lib(64)exo-devel-4.16.0-1.1.mga8

Assignee: jani.valimaa => qa-bugs

Comment 3 Herman Viaene 2022-06-20 16:52:00 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Found old bug 10657, but I don't get what it means.
On my own, tried
# urpmq --whatrequires exo
exo
lib64exo2_0
lib64exo2_0
thunar
thunar
xfce4-verve-plugin

Then went on:
$ strace -o exo.txt thunar
Opened an NFS-share connection and opened an .odp file.
This works OK, and trace shows usage of /usr/lib64/libexo-2.so.0
Furthermore the site https://docs.xfce.org/xfce/exo/start
says (I quote) :
"Exo is an Xfce library targeted at application development."
And that is territory out of my league.
So this test is somewhat more than a clean install, I give the OK, unless someone else has other ideas.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 David Walser 2022-06-20 19:25:42 CEST
Debian has issued an advisory for this on June 18:
https://www.debian.org/security/2022/dsa-5164

Comment 5 Thomas Andrews 2022-06-22 04:10:48 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-23 20:17:01 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-06-24 22:51:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0238.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
