openSUSE has issued an advisory on October 4: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GDIFQ2MG4MYMILUVYH7MTM5YKO2AMDS/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from openSUSE
Various packagers have dealt with this SRPM, so assigning this update globally.
Assignee: bugsquad => pkg-bugs
Hi,
Version 1.4.6 already contains the fix for CVE-2021-42523, so Cauldron is not affected.
Best regards,
Nico.
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

There are two Information Disclosure vulnerabilities in colord, and they lie in colord/src/cd-device-db.c and colord/src/cd-profile-db.c separately. They exist because the 'err_msg' of 'sqlite3_exec' is not released after use, while libxml2 emphasizes that the caller needs to release it. (CVE-2021-42523)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42523
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GDIFQ2MG4MYMILUVYH7MTM5YKO2AMDS/
========================

Updated packages in core/updates_testing:
========================
colord-1.4.5-1.1.mga8
colord-extra-profiles-1.4.5-1.1.mga8
lib(64)colord2-1.4.5-1.1.mga8
lib(64)colord-devel-1.4.5-1.1.mga8
lib(64)colord-gir1.0-1.4.5-1.1.mga8

from SRPM: colord-1.4.5-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from openSUSE => (none)
CVE: (none) => CVE-2021-42523
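The defect the advisory describes, as an added example (not colord's code): sqlite3_exec hands back a callee-allocated err_msg on failure that the caller must release with sqlite3_free. The leaky shape and the fixed shape are shown side by side against a constructed stand-in for sqlite3 (stub_sqlite3_exec, stub_sqlite3_free, live_errmsgs are all this example's own), so the block runs without linking the real library.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for sqlite3_exec/sqlite3_free (constructed for this example, not
 * sqlite3 itself) with the same ownership contract: on failure *errmsg is
 * allocated by the callee and must be released by the caller. live_errmsgs
 * counts strings not yet released, so a leak is visible to the caller. */
static int live_errmsgs = 0;

static void stub_sqlite3_free(void *p) { if (p) { free(p); live_errmsgs--; } }

static int stub_sqlite3_exec(const char *sql, char **errmsg)
{
    const char *text = "near \"garbage\": syntax error";   /* constructed */
    if (strncmp(sql, "SELECT", 6) == 0) return 0;    /* only SELECT "succeeds" */
    *errmsg = malloc(strlen(text) + 1);
    strcpy(*errmsg, text);
    live_errmsgs++;
    return 1;
}

/* Shape of the defect: the text is copied into the report, err_msg never freed. */
static int run_query_leaky(const char *sql, char *report, size_t len)
{
    char *err_msg = NULL;
    int rc = stub_sqlite3_exec(sql, &err_msg);
    if (rc != 0) snprintf(report, len, "SQL error: %s", err_msg);  /* leaked */
    return rc;
}

/* Fixed shape: release err_msg once consumed, on every path (NULL is a no-op). */
static int run_query_fixed(const char *sql, char *report, size_t len)
{
    char *err_msg = NULL;
    int rc = stub_sqlite3_exec(sql, &err_msg);
    if (rc != 0) snprintf(report, len, "SQL error: %s", err_msg);
    stub_sqlite3_free(err_msg);
    return rc;
}

/* Runs one failing statement; returns live error strings: 1 leaky, 0 fixed. */
static int outstanding_after(int (*run)(const char *, char *, size_t))
{
    char report[128];
    live_errmsgs = 0;
    run("garbage", report, sizeof report);
    return live_errmsgs;
}
```

In a long-running daemon such as colord, every failed statement in the leaky shape grows the heap by one error string, which is why the fix simply adds the matching sqlite3_free after the message has been consumed.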
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No previous updates, no wiki and googling colord does not bring me very far.
As the title in MCC says, this is a daemon, so
# systemctl -l status colord
● colord.service - Manage, Install and Generate Color Profiles
     Loaded: loaded (/usr/lib/systemd/system/colord.service; static)
     Active: active (running) since Fri 2022-10-07 09:52:29 CEST; 42min ago
   Main PID: 3426 (colord)
      Tasks: 3 (limit: 4364)
     Memory: 4.1M
        CPU: 1.087s
     CGroup: /system.slice/colord.service
             └─3426 /usr/libexec/colord
Oct 07 09:52:29 mach7.hviaene.thuis systemd[1]: Starting Manage, Install and Generate Color Profiles...
Oct 07 09:52:29 mach7.hviaene.thuis systemd[1]: Started Manage, Install and Generate Color Profiles.
Oct 07 09:52:30 mach7.hviaene.thuis colord[3426]: failed to search file: failed to load file: Error opening file /usr/share/color/icc/colord/ColorMatchRGB.icc;63>
Note that I did not give a start command.
Reading tells me this is about color profiling and I know very little on the subject. I wonder whether this "Error opening file" points to a file that should be provided by default or what.
One remark: nothing seems to bother my system.
I also stumbled on a related package colord-kde, but running its command
colord-kde-icc-importer
(colord-kde-icc-importer:5864): Gtk-WARNING **: 10:30:48.784: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
QCommandLineParser: already having an option named "v"
QCommandLineParser: already having an option named "h"
QCommandLineParser: already having an option named "help-all"
Usage: colord-kde-icc-importer [options] +file
An application to install ICC profiles
Options:
  -h, --help                 Displays help on commandline options.
  --help-all                 Displays help including Qt specific options.
  -v, --version              Displays version information.
  --author                   Show author information.
  --license                  Show license information.
  --desktopfile <file name>  The base file name of the desktop entry for this application.
  --yes                      Do not prompt the user if he wants to install
Arguments:
  file                       Color profile to install
And here my ignorance on the subject kicks in again.
CC: (none) => herman.viaene
@Herman regarding comment 4: Like you I have no knowledge of this subject. It looks like colord is started at boot because the status on this machine shows that colord was already running - no error report. The file ColorMatchRGB.icc does not exist at /usr/share/color/icc or anywhere else but there are several other colour profiles there. No sign of colord-kde-icc-importer here. Installed the updates and restarted colord - no error. You can ignore the missing file for this update - it may indicate that something on your system is needing it - not your problem if you do not normally deal with colour profiles.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
The files are in the source tar file used by the srpm during the build of the binary program, not in the rpm package. Testing that colors are normal on the monitor is sufficient.
CC: (none) => davidwhodgins
Since neither Herman nor Len reported abnormal monitor colors, going by Comment 6 I see no reason to ask them to test again. Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Tested on an MGA8 VM.
I do not have the colord daemon installed, but I installed the libcolord2-1.4.5-1.1.mga8 package that was shown in drakrpm-update using the updates testing repo.
No strange behaviours or issues with the VM, nor errors in journald.
This app/daemon is used to change the monitor and maybe the printer color profile; this is probably only used by graphics designers. As it did not change anything in the previous test, it is OK.
CC: (none) => neoser10
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0366.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED