Fedora has issued an advisory on August 10: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/ We fixed the second issue listed in Bug 30430. We should make sure this one doesn't also affect supertux.
Status comment: (none) => Patches available from upstream and Fedora
Assigning to the registered maintainer, but CC'ing neoclust (who fixed the previous CVE for this package) and all packagers collectively, because pasmatt is likely unavailable
CC: (none) => mageia, marja11, pkg-bugs
Assignee: bugsquad => matteo.pasotti
Seems good. Squirrel version is 3-1-2 (Fedora 2-2-5). The only CVE for this version is CVE-2022-30292. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squirrel https://github.com/sprushed/CVE-2022-30292 It's already fixed by neoclust on Mga8 and Cauldron.
CC: (none) => jean-pierre
As I said, we already fixed CVE-2022-30292, but we missed this one.
My bad, 3.1.2 and 3.2.1 are too close for my eyes ;) I will patch squirrel on Mga8 and check supertux.
Squirrel v3.2.1 is submitted to Mga8 Updates Testing:
- update from 3.1.2, with no binding to another package
- native fix for CVE-2021-41556
- patch for CVE-2022-30292
supertux v0.6.2 is coming:
- same version, which includes squirrel's source code
- already patched for CVE-2022-30292
- new patch for CVE-2021-41556
What about building supertux against the system squirrel as we discussed, instead of using the bundled one?
Hi, it's the upstream editor's choice: "If you got this version of Supertux from a tarball (.tar), squirrel and tinygettext are already in the tarball." https://github.com/SuperTux/supertux/blob/v0.6.3/INSTALL.md
Just because it's in the tarball doesn't mean we can't build against the system squirrel.
Of course not :) The problem is the version of squirrel:
- squirrel version inside supertux: 3.1.1
- squirrel version for Mga8: 3.1.2 (before patch) -> 3.2.1 (after patch)
So building supertux with the squirrel of Mga may have consequences.
I don't know much about squirrel, but hopefully being 3.x is enough. Things don't always exactly match bundled versions, but as long as they're close it usually works.
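The question raised above, whether a built supertux really uses the system squirrel or still carries its bundled copy, can be settled on the binary itself rather than by reading the spec file. The script below is an added example, not code from this bug report or from the SuperTux or Mageia projects. It assumes binutils' readelf is available; the readelf dumps embedded at the bottom are constructed to mimic its output format and are not captured from real packages. The symbol check only works on an unstripped binary (or one whose .symtab survives), which is an assumption to keep in mind.

```shell
#!/bin/sh
# Classify how a supertux binary obtains its Squirrel VM, from readelf output.
# "system"  : libsquirrel is a DT_NEEDED dependency (unbundled build)
# "bundled" : the binary itself defines Squirrel API symbols such as sq_open
# "none"    : neither is visible (stripped binary, or no Squirrel at all)

classify_squirrel() {
  dyn="$1"   # text of: readelf -d BINARY
  syms="$2"  # text of: readelf -Ws BINARY
  if printf '%s\n' "$dyn" | grep -q 'NEEDED.*\[libsquirrel\.so'; then
    echo system
  # A defined sq_open (section index is a number, not UND) means the Squirrel
  # sources were compiled into the executable, i.e. the bundled copy is in use.
  elif printf '%s\n' "$syms" | grep -E 'FUNC +GLOBAL +DEFAULT +[0-9]+ +sq_open$' >/dev/null; then
    echo bundled
  else
    echo none
  fi
}

# Real use on an installed package (needs binutils): classify_binary /usr/bin/supertux2
classify_binary() {
  classify_squirrel "$(readelf -d "$1")" "$(readelf -Ws "$1")"
}

# Constructed sample dumps (assumption: modelled on readelf's output layout).
SYSTEM_DYN=' 0x0000000000000001 (NEEDED)             Shared library: [libsquirrel.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libSDL2-2.0.so.0]'
SYSTEM_SYMS='    45: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND sq_open'
BUNDLED_DYN=' 0x0000000000000001 (NEEDED)             Shared library: [libSDL2-2.0.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
BUNDLED_SYMS='   812: 0000000000412340   120 FUNC    GLOBAL DEFAULT   14 sq_open'

# Stand-alone demonstration on the constructed dumps.
classify_squirrel "$SYSTEM_DYN" "$SYSTEM_SYMS"     # system
classify_squirrel "$BUNDLED_DYN" "$BUNDLED_SYMS"   # bundled
```

On a Mageia system the "system" result should pair with `rpm -q --requires supertux` listing `libsquirrel.so.0`; a "bundled" result means the security fixes in the squirrel package do not reach supertux and the game needs its own patch, which is exactly the situation for the mga8 0.6.2 build discussed in this thread.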
openSUSE has issued an advisory for this on March 23: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5NX6SWKNR7LNUXJROLGLSVD3ZEB4LUQY/
So to clarify the situation right now:
On Cauldron:
- squirrel-3.2-3.mga9 -> fixes the two security issues CVE-2021-41556 and CVE-2022-30292
- supertux-0.6.3-4.mga9 -> unbundled squirrel to use the system patched one
So for Cauldron all is fine and fixed!
For mga8 in Core/Updates_testing:
- squirrel-3.2-1.mga8 -> also fixes the two security issues CVE-2021-41556 and CVE-2022-30292
- supertux-0.6.2-4.2.mga8 -> also fixes the two security issues CVE-2021-41556 and CVE-2022-30292
I can, if needed, unbundle squirrel for mga8 too, but for this we have to update to the latest 0.6.3 upstream release.
CC: (none) => geiger.david68210
Has squirrel/supertux been pushed to the build system for mga8? I don't see it on pkgsubmit.
Yes, some time ago:
:v supertux
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, x86_64)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, armv7hl)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, i586)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, aarch64)
:v squirrel
3.2-1.mga8 // core-updates_testing (Mga, 8, x86_64)
3.2-1.mga8 // core-updates_testing (Mga, 8, armv7hl)
3.2-1.mga8 // core-updates_testing (Mga, 8, i586)
3.2-1.mga8 // core-updates_testing (Mga, 8, aarch64)
libsquirrel-devel-3.2-1.mga8
libsquirrel0-3.2-1.mga8
squirrel-3.2-1.mga8
supertux-0.6.2-4.2.mga8
supertux-data-0.6.2-4.2.mga8
from SRPMS:
squirrel-3.2-1.mga8.src.rpm
supertux-0.6.2-4.2.mga8.src.rpm
CC: pkg-bugs => matteo.pasotti
Status comment: Patches available from upstream and Fedora => (none)
Assignee: matteo.pasotti => qa-bugs
MGA8-64 MATE on Acer Aspire 5253. No installation issues. Got the supertux penguin to move, jump on whatever those snowballs are, and collect coins for some time. Seems to work OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0150.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED