Bug 31516 - editorconfig-core-c new security issue CVE-2023-0341
Summary: editorconfig-core-c new security issue CVE-2023-0341
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-06 16:29 CET by David Walser
Modified: 2023-02-14 23:45 CET

See Also:
Source RPM: editorconfig-core-c-0.12.5-2.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2023-02-06 16:29:40 CET
Ubuntu has issued an advisory today (February 6):
https://ubuntu.com/security/notices/USN-5842-1

The issue is fixed upstream in 0.12.6.

Mageia 8 is also affected.
David Walser 2023-02-06 16:34:05 CET

Status comment: (none) => Fixed upstream in 0.12.6
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-02-06 17:05:22 CET
Assigning to our registered editorconfig-core-c maintainer.

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2023-02-06 17:26:26 CET
Done for both mga8 and Cauldron!
Comment 3 David Walser 2023-02-06 19:11:20 CET
libeditorconfig0-0.12.6-1.mga8
editorconfig-0.12.6-1.mga8
libeditorconfig-devel-0.12.6-1.mga8

from editorconfig-core-c-0.12.6-1.mga8.src.rpm

CC: (none) => geiger.david68210
Status comment: Fixed upstream in 0.12.6 => (none)
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 4 Thomas Andrews 2023-02-09 18:37:14 CET
Tested in a VirtualBox mga8-64 Plasma guest. No installation issues.

No previous updates, but urpmq --whatrequires-recursive indicates that it is used by plasma-workspace, kwrite, konqueror, kate, and others.

I ran kwrite with strace -o output.txt kwrite and loaded a short text file into it. I edited the file, saved the edited version, and printed it to a pdf file. Examining output.txt afterward showed a call to "/lib64/libeditorconfig.so.0".

Kwrite functioned normally, and there were no observed problems with plasma-workspace, so I'm going to call this one OK.

Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-14 21:09:24 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-02-14 23:45:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0048.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

