Fedora has issued an advisory on December 3:
The issues are fixed upstream in 2.4.
The only changes since ver. 2.1 were security updates and bug fixes with no new features, so I took the liberty of updating directly to ver. 2.4. advancecomp-2.4-1.mga8 is now available in updates_testing.
Here is a simple regression test (this doesn't check for the bug fix but just ensures the code still works with the patch):
$ cp /usr/lib/libDrakX/icons/tradi.png /tmp && advpng -z /tmp/tradi.png && advpng -l /tmp/tradi.png && echo ok
This will display "ok" on the last line, with no error messages showing, if all is well.
advancecomp has been updated to fix a number of bugs and security issues: CVE-2022-35014, CVE-2022-35015, CVE-2022-35016, CVE-2022-35017, CVE-2022-35018, CVE-2022-35019, CVE-2022-35020
Are there upstream release notes we can include in the references?
The release notes don't contain any more details. Even the commit logs are pretty sparse. Here are the CVE descriptions, which are also mostly useless:
CVE-2022-35014 Advancecomp v2.3 contains a segmentation fault.
CVE-2022-35015 Advancecomp v2.3 was discovered to contain a heap buffer overflow via le_uint32_read at /lib/endianrw.h.
CVE-2022-35016 Advancecomp v2.3 was discovered to contain a heap buffer overflow.
CVE-2022-35017 Advancecomp v2.3 was discovered to contain a heap buffer overflow.
CVE-2022-35018 Advancecomp v2.3 was discovered to contain a segmentation fault.
CVE-2022-35019 Advancecomp v2.3 was discovered to contain a segmentation fault.
CVE-2022-35020 Advancecomp v2.3 was discovered to contain a heap buffer overflow via the component __interceptor_memcpy at /sanitizer_common/sanitizer_common_interceptors.inc.
MGA8-64 MATE on Acer Aspire 5253
No installation issues
$ advzip --shrink-normal --add yann2 20100206\ Yannick/*.JPG
$ file yann2
yann2: Zip archive data, at least v2.0 to extract
[tester8@mach7 Pictures]$ advzip -l yann2
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
3232940 Defl:X 3228047 0% 09-26-22 15:06 31fa5535 greyscale.JPG
5782055 Defl:X 5756929 0% 11-11-13 07:42 92e6bdf4 P2061409.JPG
5328667 Defl:X 5323833 0% 11-11-13 07:42 9aa2530b P2061410.JPG
and more ....
-------- ------- --- -------
68256757 67897471 0% 13 files
[tester8@mach7 Pictures]$ advzip -z -3 yann2
67898799 67898799 100% yann2
67898799 67898799 100%
Hmm, took a while and the result seems even a bit larger than the original one.
$ cp yann2 /tmp
[tester8@mach7 Pictures]$ cd /tmp
[tester8@mach7 tmp]$ advzip -x yann2
All images seem to come through unharmed AFAICS
$ advmng --add 8 yann.mng *.png
Unsupported bit depth/color type, 8/0
In bug 25908 this command didn't give a satisfying result either, so no regression
So OK for me.
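The visual check after `advzip -z` and `advzip -x` above can be made exact by comparing every member's decompressed bytes, and the stored CRC-32 values, before and after recompression. This is an added example, not part of the original thread or of advancecomp; `member_digests`, `compare_archives`, `build_zip` and the sample data are constructed for illustration, with Python's `zipfile` at two deflate levels standing in for the recompression step.

```python
import hashlib
import io
import zipfile

def member_digests(archive):
    """Map member name -> SHA-256 of its decompressed bytes.

    `archive` is a path or a binary file object. Raises zipfile.BadZipFile
    if any member fails its stored CRC-32 check.
    """
    digests = {}
    with zipfile.ZipFile(archive) as zf:
        bad = zf.testzip()  # re-reads every member and verifies its CRC-32
        if bad is not None:
            raise zipfile.BadZipFile("CRC mismatch in member %r" % bad)
        for info in zf.infolist():
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_archives(before, after):
    """Return sorted names that are missing, added or changed in `after`."""
    a, b = member_digests(before), member_digests(after)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def build_zip(files, level):
    """Constructed sample: deflate `files` (name -> bytes) at the given level."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=level) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

# Constructed stand-ins for the JPEGs used in the test above (not real images).
SAMPLE = {"greyscale.JPG": b"\xff\xd8" + b"grey" * 500,
          "P2061409.JPG": b"\xff\xd8" + bytes(range(256)) * 8}

if __name__ == "__main__":
    import sys
    # Usage: script.py <copy made before advzip -z> <archive after advzip -z>
    changed = compare_archives(sys.argv[1], sys.argv[2])
    print("ok" if not changed else "changed: %s" % ", ".join(changed))
```

Because `advzip -z` rewrites the archive in place, copy it first and pass the copy as the first argument.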
Validating. Advisory in comment 1.
After a netinstall ...
[dave@x9v ~]$ systemctl --user status pipewire.service pipewire.socket wireplumber.service |grep Loaded
Loaded: loaded (/usr/lib/systemd/user/pipewire.service; disabled; preset: disabled)
Loaded: loaded (/usr/lib/systemd/user/pipewire.socket; enabled; preset: enabled)
Loaded: loaded (/usr/lib/systemd/user/wireplumber.service; enabled; preset: enabled)
An update for this issue has been pushed to the Mageia Updates repository.