Bug 30868 - enlightenment new security issue CVE-2022-37706
Summary: enlightenment new security issue CVE-2022-37706
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-19 20:54 CEST by David Walser
Modified: 2022-10-08 22:23 CEST
CC: 5 users

See Also:
Source RPM: enlightenment-0.24.2-2.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-09-19 20:54:21 CEST
Debian-LTS has issued an advisory today (September 19):
https://www.debian.org/lts/security/2022/dla-3115

The issue is fixed upstream in 0.25.4.

Mageia 8 is also affected.
David Walser 2022-09-19 20:54:33 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.25.4

Comment 1 David Walser 2022-09-23 18:03:52 CEST
Debian has issued an advisory for this on September 21:
https://www.debian.org/security/2022/dsa-5233
David Walser 2022-10-03 16:34:27 CEST

Severity: normal => critical

Comment 3 Chris Denice 2022-10-04 15:48:11 CEST
I am having a look; an upgrade of enlightenment might not be well suited for mga8.
Comment 4 David Walser 2022-10-04 17:14:44 CEST
For Mageia 8, you might be able to borrow the patch from Debian-LTS.
Comment 5 Chris Denice 2022-10-04 17:18:15 CEST
Patched enlightenment landing in updates_testing for mga8.


Suggested advisory:
========================

Updated enlightenment package to fix the security vulnerability CVE-2022-37706 that would allow a user to gain root privileges.



References:
https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
https://git.enlightenment.org/enlightenment/enlightenment/commit/cc7faeccf77fef8b0ae70e312a21e4cde087e141
========================

Updated packages in core/updates_testing:
========================

enlightenment-0.24.2-2.1.mga8
enlightenment-devel-0.24.2-2.1.mga8

Source RPMs:
enlightenment-0.24.2-2.1.mga8.src.rpm

CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs

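A QA tester checking that the package from Comment 5 is actually what is installed needs an EVR comparison that follows rpm's rules rather than a plain string compare (for instance, release 2.1.mga8 must sort after 2.mga8). The example below is added for this page and is not Mageia QA tooling; it implements the rpmvercmp segment algorithm (digit runs compared numerically, letter runs lexically, digits beating letters, "~" sorting before everything, the "^" operator not handled) and applies it to a constructed sample of what `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' enlightenment enlightenment-devel` prints on a Mageia 8 host. The fixed versions are taken from Comment 5; the sample output is made up to show one vulnerable and one fixed package.

```python
import re

# Fixed EVRs from Comment 5 of this bug (Mageia 8, core/updates_testing).
FIXED_EVR = {
    "enlightenment": "0.24.2-2.1.mga8",
    "enlightenment-devel": "0.24.2-2.1.mga8",
}

# Constructed sample of `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' ...`
# output: rpm prints "(none)" for an unset epoch. Not captured from a real host.
SAMPLE_RPM_OUTPUT = """\
enlightenment (none):0.24.2-2.mga8
enlightenment-devel (none):0.24.2-2.1.mga8
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does.

    Returns 1 if a is newer, -1 if b is newer, 0 if equal.
    Simplification: the "^" operator is treated as a plain separator.
    """
    if a == b:
        return 0
    ia = ib = 0
    la, lb = len(a), len(b)
    while ia < la or ib < lb:
        # Skip separator characters; "~" is significant and is kept.
        while ia < la and not a[ia].isalnum() and a[ia] != "~":
            ia += 1
        while ib < lb and not b[ib].isalnum() and b[ib] != "~":
            ib += 1
        # "~" sorts before anything, including the end of the string (1.0~rc1 < 1.0).
        a_tilde = ia < la and a[ia] == "~"
        b_tilde = ib < lb and b[ib] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            ia += 1
            ib += 1
            continue
        if ia >= la or ib >= lb:
            break
        # Take a run of digits or a run of letters from each side.
        if a[ia].isdigit():
            pattern, isnum = r"[0-9]+", True
        else:
            pattern, isnum = r"[A-Za-z]+", False
        ma = re.match(pattern, a[ia:])
        mb = re.match(pattern, b[ib:])
        if mb is None:
            # Segment types differ: a numeric segment is always newer than an alpha one.
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        ia += len(sa)
        ib += len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # All shared segments equal: the string with leftover segments is newer.
    if ia >= la and ib >= lb:
        return 0
    return -1 if ia >= la else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def check_installed(rpm_output: str, fixed=FIXED_EVR) -> dict:
    """Map each package in the rpm query output to 'fixed', 'vulnerable' or 'untracked'."""
    results = {}
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        if name not in fixed:
            results[name] = "untracked"
        else:
            results[name] = "fixed" if evrcmp(evr, fixed[name]) >= 0 else "vulnerable"
    return results


if __name__ == "__main__":
    for pkg, state in check_installed(SAMPLE_RPM_OUTPUT).items():
        print(f"{pkg}: {state}")
```

On a real host, pipe the output of the rpm query above into `check_installed` instead of the constructed sample; a "vulnerable" result means the Comment 5 package has not been installed yet.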
Comment 6 Chris Denice 2022-10-04 17:19:04 CEST
Cauldron is getting a full upgrade for both efl and enlightenment to latest version (0.25.4)
David Walser 2022-10-04 17:22:42 CEST

Source RPM: enlightenment-0.25.3-1.mga9.src.rpm => enlightenment-0.24.2-2.mga8.src.rpm
Status comment: Fixed upstream in 0.25.4 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 7 Len Lawrence 2022-10-07 20:58:23 CEST
mga8, x64
Installed enlightenment, logged out and selected E for login. The desktop came up with a warning that the user could not access system services without modifying /etc/enlightenment/system.conf. Checked terminology - working as expected.

Installed the update and logged out and in again.  Edited system.conf and cycled login.  No obvious regressions with the desktop environment.  Bluetooth sound working, firefox and a few other applications like mediaplayer, vlc, by left-clicking on the background -> Applications -> ....

This looks sound.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2022-10-08 02:14:05 CEST
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-08 19:08:30 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-10-08 22:23:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0360.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
