Bug 30944 - colord new security issue CVE-2021-42523
Summary: colord new security issue CVE-2021-42523
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-06 14:47 CEST by David Walser
Modified: 2022-10-08 22:24 CEST
7 users

See Also:
Source RPM: colord-1.4.5-1.mga8.src.rpm
CVE: CVE-2021-42523
Status comment:


Attachments

Description David Walser 2022-10-06 14:47:55 CEST
openSUSE has issued an advisory on October 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GDIFQ2MG4MYMILUVYH7MTM5YKO2AMDS/

Mageia 8 is also affected.
David Walser 2022-10-06 14:48:05 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from openSUSE

Comment 1 Lewis Smith 2022-10-06 21:25:06 CEST
Various packagers have dealt with this SRPM, so assigning this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-10-07 08:41:35 CEST
Hi,

Version 1.4.6 already contains the fix for CVE-2021-42523 so Cauldron is not affected.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 3 Nicolas Salguero 2022-10-07 08:45:23 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

There are two Information Disclosure vulnerabilities in colord, and they lie in colord/src/cd-device-db.c and colord/src/cd-profile-db.c respectively. They exist because the 'err_msg' of 'sqlite3_exec' is not released after use, while libxml2 emphasizes that the caller needs to release it. (CVE-2021-42523)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42523
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GDIFQ2MG4MYMILUVYH7MTM5YKO2AMDS/
========================

Updated packages in core/updates_testing:
========================
colord-1.4.5-1.1.mga8
colord-extra-profiles-1.4.5-1.1.mga8
lib(64)colord2-1.4.5-1.1.mga8
lib(64)colord-devel-1.4.5-1.1.mga8
lib(64)colord-gir1.0-1.4.5-1.1.mga8

from SRPM:
colord-1.4.5-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from openSUSE => (none)
CVE: (none) => CVE-2021-42523
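The advisory above describes a classic out-parameter ownership defect: when sqlite3_exec() fails it hands the caller a heap-allocated error string through its errmsg argument, and the caller must release it with sqlite3_free(). The following is an added example, not colord's code and not from the Mageia or openSUSE advisories. Because the real SQLite library is not linked here, a small constructed stand-in (model_sqlite3_exec, model_sqlite3_malloc, model_sqlite3_free) models that contract and counts outstanding allocations, so the difference between the leaky pattern and the corrected one becomes measurable.

```c
/* Added illustration of the sqlite3_exec() errmsg ownership rule behind
 * CVE-2021-42523. The functions prefixed model_ are constructed stand-ins
 * for the SQLite API, used only so the example runs without libsqlite3. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SQLITE_OK    0
#define SQLITE_ERROR 1

static int outstanding_allocs = 0;   /* allocations handed out but not yet released */

/* Stand-ins for sqlite3_malloc()/sqlite3_free() that keep a leak counter. */
static void *model_sqlite3_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) outstanding_allocs++;
    return p;
}

static void model_sqlite3_free(void *p)
{
    if (p) { outstanding_allocs--; free(p); }
}

/* Constructed stand-in for sqlite3_exec(): any statement that does not start
 * with "SELECT" fails and reports why through *errmsg. As with the real API,
 * the string placed in *errmsg is owned by the CALLER from this point on. */
static int model_sqlite3_exec(const char *sql, char **errmsg)
{
    if (strncmp(sql, "SELECT", 6) == 0) {
        if (errmsg) *errmsg = NULL;
        return SQLITE_OK;
    }
    if (errmsg) {
        const char *msg = "near \"BOGUS\": syntax error";   /* constructed message */
        *errmsg = model_sqlite3_malloc(strlen(msg) + 1);
        if (*errmsg) strcpy(*errmsg, msg);
    }
    return SQLITE_ERROR;
}

/* The pattern the advisory describes: the error text is logged, never released. */
int run_query_leaky(const char *sql)
{
    char *error_msg = NULL;
    int rc = model_sqlite3_exec(sql, &error_msg);
    if (rc != SQLITE_OK) {
        fprintf(stderr, "SQL error: %s\n", error_msg ? error_msg : "(unknown)");
        return rc;                      /* error_msg is lost here: one leak per failure */
    }
    return rc;
}

/* Corrected pattern: release the message on every error path. With the real
 * library this is sqlite3_free(error_msg). */
int run_query_fixed(const char *sql)
{
    char *error_msg = NULL;
    int rc = model_sqlite3_exec(sql, &error_msg);
    if (rc != SQLITE_OK) {
        fprintf(stderr, "SQL error: %s\n", error_msg ? error_msg : "(unknown)");
        model_sqlite3_free(error_msg);
        error_msg = NULL;
    }
    return rc;
}

/* Runs one wrapper n times against a failing statement and returns how many
 * error strings are still outstanding afterwards; 0 means no leak. */
int leaked_after(int (*wrapper)(const char *), int n)
{
    int before = outstanding_allocs;
    for (int i = 0; i < n; i++) wrapper("BOGUS STATEMENT");
    return outstanding_allocs - before;
}

int main(void)
{
    printf("leaky wrapper: %d outstanding after 3 failing calls\n",
           leaked_after(run_query_leaky, 3));
    printf("fixed wrapper: %d outstanding after 3 failing calls\n",
           leaked_after(run_query_fixed, 3));
    return 0;
}
```

Against the real library the call shape is sqlite3_exec(db, sql, callback, arg, &error_msg) followed by sqlite3_free(error_msg) on the error path; a build run under AddressSanitizer's leak detection or valgrind flags the leaky wrapper on each failing call, which is a cheap check to add to a daemon's test suite for long-running processes such as colord.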

Comment 4 Herman Viaene 2022-10-07 10:42:08 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No previous updates, no wiki, and googling colord does not bring me very far.
As the title in MCC says, this is a daemon, so
# systemctl -l status colord
● colord.service - Manage, Install and Generate Color Profiles
     Loaded: loaded (/usr/lib/systemd/system/colord.service; static)
     Active: active (running) since Fri 2022-10-07 09:52:29 CEST; 42min ago
   Main PID: 3426 (colord)
      Tasks: 3 (limit: 4364)
     Memory: 4.1M
        CPU: 1.087s
     CGroup: /system.slice/colord.service
             └─3426 /usr/libexec/colord

Oct 07 09:52:29 mach7.hviaene.thuis systemd[1]: Starting Manage, Install and Generate Color Profiles...
Oct 07 09:52:29 mach7.hviaene.thuis systemd[1]: Started Manage, Install and Generate Color Profiles.
Oct 07 09:52:30 mach7.hviaene.thuis colord[3426]: failed to search file: failed to load file: Error opening file /usr/share/color/icc/colord/ColorMatchRGB.icc;63>

Note that I did not give a start command.
Reading tells me this is about color profiling and I know very little on the subject. I wonder whether this "Error opening file" points to a file that should be provided by default or what.
One remark: nothing seems to bother my system.
I also stumbled on a related package color-kde, but running its command

colord-kde-icc-importer

(colord-kde-icc-importer:5864): Gtk-WARNING **: 10:30:48.784: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
QCommandLineParser: already having an option named "v"
QCommandLineParser: already having an option named "h"
QCommandLineParser: already having an option named "help-all"
Usage: colord-kde-icc-importer [options] +file
An application to install ICC profiles

Options:
  -h, --help                 Displays help on commandline options.
  --help-all                 Displays help including Qt specific options.
  -v, --version              Displays version information.
  --author                   Show author information.
  --license                  Show license information.
  --desktopfile <file name>  The base file name of the desktop entry for this
                             application.
  --yes                      Do not prompt the user if he wants to install

Arguments:
  file                       Color profile to install
And here my ignorance on the subject kicks in again.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2022-10-07 12:25:07 CEST
@Herman regarding comment 4:
Like you I have no knowledge of this subject.
It looks like colord is started at boot because the status on this machine shows that colord was already running - no error report.
The file ColorMatchRGB.icc does not exist at /usr/share/color/icc or anywhere else but there are several other colour profiles there.
No sign of colord-kde-icc-importer here.

Installed the updates and restarted colord - no error.
You can ignore the missing file for this update - it may indicate that something on your system is needing it - not your problem if you do not normally deal with colour profiles.

CC: (none) => tarazed25

Herman Viaene 2022-10-07 14:06:29 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 6 Dave Hodgins 2022-10-07 19:04:57 CEST
The files are in the source tar file used by the srpm during the build of the binary program, not in the rpm package. Testing that colors are normal on the monitor is sufficient.

CC: (none) => davidwhodgins

Comment 7 Thomas Andrews 2022-10-08 02:47:53 CEST
Since neither Herman nor Len reported abnormal monitor colors, going by Comment 6 I see no reason to ask them to test again.

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mauricio Andrés Bustamante Viveros 2022-10-08 06:37:33 CEST
Tested MGA8 VM

I do not have the colord daemon installed, but I installed the libcolord2-1.4.5-1.1.mga8 package that was shown in drakrpm-update using the updates testing repo.

No strange behaviours or issues with the VM, and no errors in journald.

This app/daemon is used to change the monitor and maybe the printer colour profile; it is probably only used by graphic designers. As nothing changed in the previous test, it is OK.

CC: (none) => neoser10

Dave Hodgins 2022-10-08 19:58:12 CEST

Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-10-08 22:24:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0366.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
