31516 – editorconfig-core-c new security issue CVE-2023-0341

Bug 31516 - editorconfig-core-c new security issue CVE-2023-0341

Summary: editorconfig-core-c new security issue CVE-2023-0341

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-02-06 16:29 CET by David Walser
Modified:	2023-02-14 23:45 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	editorconfig-core-c-0.12.5-2.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-02-06 16:29:40 CET

Ubuntu has issued an advisory today (February 6):
https://ubuntu.com/security/notices/USN-5842-1

The issue is fixed upstream in 0.12.6.

Mageia 8 is also affected.

David Walser 2023-02-06 16:34:05 CET

Status comment: (none) => Fixed upstream in 0.12.6
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-02-06 17:05:22 CET

Assigning to our registered editorconfig-core-c maintainer.

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2023-02-06 17:26:26 CET

Done for both mga8 and Cauldron!

Comment 3 David Walser 2023-02-06 19:11:20 CET

libeditorconfig0-0.12.6-1.mga8
editorconfig-0.12.6-1.mga8
libeditorconfig-devel-0.12.6-1.mga8

from editorconfig-core-c-0.12.6-1.mga8.src.rpm

CC: (none) => geiger.david68210
Status comment: Fixed upstream in 0.12.6 => (none)
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 4 Thomas Andrews 2023-02-09 18:37:14 CET

Tested in a VirtualBox mga8-64 Plasma guest. No installation issues.

No previous updates, but urpmq --whatreqires-recursive indicates that it is used by plasma-workspace, kwrite, konqueror, kate, and others.

I ran kwrite with strace -o output.txt kwrite and loaded a short text file into it. I edited the file, saved the edited version, and printed it to a pdf file. Examining output.txt afterward showed a call to  "/lib64/libeditorconfig.so.0"

Kwrite functioned normally, and there were no observed problems with plasma-workspace, so I'm going to call this one OK.

Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-14 21:09:24 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-02-14 23:45:09 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0048.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.