Bug 31023 - wkhtmltopdf new security issue CVE-2020-21365
Summary: wkhtmltopdf new security issue CVE-2020-21365
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 29326
Blocks:
Reported: 2022-10-25 14:54 CEST by David Walser
Modified: 2022-11-04 22:17 CET

See Also:
Source RPM: wkhtmltopdf-0.12.5-4.mga8.src.rpm
CVE: CVE-2020-21365
Status comment:



Description David Walser 2022-10-25 14:54:36 CEST
Debian-LTS has issued an advisory on October 24:
https://www.debian.org/lts/security/2022/dla-3158

Mageia 8 is also affected.

Also, this package should be dropped from Cauldron (see Bug 29326).
David Walser 2022-10-25 14:54:50 CEST

Depends on: (none) => 29326
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-10-26 08:29:37 CEST
This is nominally with Joseph, but unsure whether he is still active for us, so CC'ing him, assigning globally in case not.

Assignee: bugsquad => pkg-bugs
CC: (none) => joequant

Comment 2 Nicolas Salguero 2022-11-02 15:31:00 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations. (CVE-2020-21365)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21365
https://www.debian.org/lts/security/2022/dla-3158
========================

Updated packages in core/updates_testing:
========================
lib(64)wkhtmltox0-0.12.5-4.1.mga8
lib(64)wkhtmltox-devel-0.12.5-4.1.mga8
wkhtmltopdf-0.12.5-4.1.mga8

from SRPM:
wkhtmltopdf-0.12.5-4.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2020-21365
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Source RPM: wkhtmltopdf-0.12.5-5.mga9.src.rpm => wkhtmltopdf-0.12.5-4.mga8.src.rpm

Comment 3 Herman Viaene 2022-11-03 11:36:27 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
No wiki, no previous updates, so just checked in MCC what commands are implemented here and tried these.
$ wkhtmltopdf donderdag.html don.pdf
Loading page (1/2)
Printing pages (2/2)
Done
Number of pages in the original document (made from an odt) is correct, resulted in a 4 page pdf with correct contents.
[tester8@mach7 Documents]$ wkhtmltoimage donderdag.html don.jpeg
Loading page (1/2)
Rendering (2/2)
Done
Results in a long narrow image in correct proportion to the actual data in the html file, text is correctly readable.
Good enough for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-11-03 12:43:32 CET
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-04 16:48:28 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-11-04 22:17:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0407.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

