Fedora has issued an advisory on July 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TUM5GIUZJ7AVHVCXDZW6ZVCAPV2ISN47/ The issues are fixed upstream in 2.9.2: https://github.com/gerbv/gerbv/releases Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.9.2Whiteboard: (none) => MGA8TOO
2.7.0 we had over 3y ago! This package has beein committed by different people over the years, so asigning this update globally. CC'ing NicolasS as you did a patch not so long ago.
Assignee: bugsquad => pkg-bugsCC: (none) => nicolas.salguero
Suggested advisory: ======================== The updated packages fix security vulnerabilities: An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). (CVE-2021-40391) An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit 71493260). (CVE-2021-40393, CVE-2021-40394) An out-of-bounds read vulnerability exists in the RS-274X aperture macro outline primitive functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit d7f42a9a). (CVE-2021-40400) A use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and Gerbv forked 2.7.1. (CVE-2021-40401) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40391 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40393 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40394 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40400 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40401 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TUM5GIUZJ7AVHVCXDZW6ZVCAPV2ISN47/ ======================== Updated packages in core/updates_testing: ======================== gerbv-2.7.3-1.mga8 gerbv-examples-2.7.3-1.mga8 lib(64)gerbv1-2.7.3-1.mga8 lib(64)gerbv-devel-2.7.3-1.mga8 from SRPM: gerbv-2.7.3-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugsSource RPM: gerbv-2.7.0-5.mga9.src.rpm => gerbv-2.7.0-3.1.mga8.src.rpmVersion: Cauldron => 8Whiteboard: MGA8TOO => (none)Status: NEW => ASSIGNEDStatus comment: Fixed upstream in 2.9.2 => (none)
MGA8-64 Plasma on Acer Aspire 5253 No installation issues. Following bug 30391, launched gerbv from CLI, opened examples /usr/share/gerbv/example/am-test/am-test.gbx and /usr/share/gerbv/example/amacro-ref/full-ex.grb and in both I could select some objects and dispay the properties. Looks good.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0260.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED