Bug 31088 - pixman new security issue CVE-2022-44638
Summary: pixman new security issue CVE-2022-44638
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-07 20:45 CET by David Walser
Modified: 2022-11-13 03:27 CET (History)
5 users

See Also:
Source RPM: pixman-0.40.0-1.mga8.src.rpm
CVE: CVE-2022-44638
Status comment:


Attachments

Description David Walser 2022-11-07 20:45:16 CET
pixman 0.42.2 has been released on November 3, fixing a security issue:
https://lists.x.org/archives/xorg-announce/2022-November/003249.html

A CVE has been assigned:
https://lists.x.org/archives/xorg-announce/2022-November/003251.html
David Walser 2022-11-07 20:45:45 CET

Status comment: (none) => Fixed upstream in 0.42.2

Comment 1 David Walser 2022-11-07 20:56:21 CET
Debian-LTS has issued an advisory for this today (November 7):
https://www.debian.org/lts/security/2022/dla-3179
Comment 2 Lewis Smith 2022-11-07 21:25:02 CET
> Fixed upstream in 0.42.2
DavidW has already put this in Cauldron (thanks).

Assigning to Thierry simply because you have committed this SRPM a few times recently, so have seen it. So this is just for M8.

Assignee: bugsquad => thierry.vignaud

Comment 3 Nicolas Salguero 2022-11-08 10:07:27 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y. (CVE-2022-44638)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44638
https://lists.x.org/archives/xorg-announce/2022-November/003249.html
https://lists.x.org/archives/xorg-announce/2022-November/003251.html
https://www.debian.org/lts/security/2022/dla-3179
========================

Updated packages in core/updates_testing:
========================
lib(64)pixman1_0-0.40.0-1.1.mga8
lib(64)pixman-devel-0.40.0-1.1.mga8

from SRPM:
pixman-0.40.0-1.1.mga8.src.rpm

Status comment: Fixed upstream in 0.42.2 => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-44638
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED

Comment 4 Herman Viaene 2022-11-11 11:31:31 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 16815 for testing
mpg file plays OK with VLC-player
Restarted firefox and video from newspaper site plays OK (sound and video in sync)
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2022-11-12 00:08:47 CET
Validating. Advisory in comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-11-13 00:25:15 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-11-13 03:27:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0423.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
