Bug 31536 - pkgconf new security issue CVE-2023-24056
Summary: pkgconf new security issue CVE-2023-24056
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-02-10 17:12 CET by David Walser
Modified: 2023-03-01 22:16 CET
5 users

See Also:
Source RPM: pkgconf-1.7.3-2.mga8.src.rpm
CVE: CVE-2023-24056
Status comment:



Description David Walser 2023-02-10 17:12:52 CET
openSUSE has issued an advisory today (February 10):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWDULBZHRPQHGUXNQ3HNNHRJ3YXPJ7QH/

The issue is fixed upstream in 1.8.1 and 1.9.4:
https://gitea.treehouse.systems/ariadne/pkgconf/tags

Mageia 8 is also affected.
David Walser 2023-02-10 17:13:26 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.8.1 and 1.9.4

Comment 1 Lewis Smith 2023-02-10 20:43:25 CET
It is unclear who maintains this nowadays, so assigning this update globally.
CC'ing Neal who is/was the official maintainer.

CC: (none) => ngompa13
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-03-01 09:34:12 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes. (CVE-2023-24056)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24056
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWDULBZHRPQHGUXNQ3HNNHRJ3YXPJ7QH/
========================

Updated packages in core/updates_testing:
========================
lib(64)pkgconf3-1.7.3-2.1.mga8
lib(64)pkgconf-devel-1.7.3-2.1.mga8
pkgconf-1.7.3-2.1.mga8
pkgconf-m4-1.7.3-2.1.mga8
pkgconf-pkg-config-1.7.3-2.1.mga8

from SRPM:
pkgconf-1.7.3-2.1.mga8.src.rpm

CVE: (none) => CVE-2023-24056
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Status: NEW => ASSIGNED
Source RPM: pkgconf-1.8.0-2.mga9.src.rpm => pkgconf-1.7.3-2.mga8.src.rpm
Status comment: Fixed upstream in 1.8.1 and 1.9.4 => (none)
Whiteboard: MGA8TOO => (none)
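
A defender-side check for the expansion pattern the advisory describes, added here as an example (it is not pkgconf's code and not the upstream fix): it reads a .pc file's variable definitions and computes each variable's expanded length arithmetically, without ever building the string, then flags any variable whose expansion would exceed a budget or that refers back to itself. The `${name}` syntax, the variable-name character set and the 64 KiB budget are assumptions; the sample .pc contents are constructed.

```python
import re
from typing import Dict

VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")  # ${name} reference (assumed charset)

# Constructed sample .pc contents (not from the bug report).
BENIGN_PC = ("prefix=/usr\nexec_prefix=${prefix}\nlibdir=${exec_prefix}/lib\n"
             "Name: demo\nDescription: constructed\nVersion: 1\nLibs: -L${libdir} -ldemo\n")

def doubling_pc(levels: int) -> str:
    """Constructed .pc text: each variable references the previous one twice, so
    v<levels> expands to 2**levels bytes from a few hundred bytes of source."""
    lines = ["v0=x"] + [f"v{i}=${{v{i-1}}}${{v{i-1}}}" for i in range(1, levels + 1)]
    return "\n".join(lines + ["Name: blowup", f"Cflags: ${{v{levels}}}"])

def parse_variables(text: str) -> Dict[str, str]:
    """Collect name=value variable lines; 'Key: value' keyword lines are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and (":" not in line or line.index("=") < line.index(":")):
            name, _, value = line.partition("=")
            out[name.strip()] = value.strip()
    return out

def variable_sizes(variables: Dict[str, str]) -> Dict[str, int]:
    """Expanded length of each variable, computed arithmetically; -1 marks a self-reference."""
    sizes: Dict[str, int] = {}
    def size_of(name: str, stack: tuple) -> int:
        if name in sizes:
            return sizes[name]
        if name in stack:                        # recursive definition: unbounded
            return -1
        value, total, last = variables.get(name, ""), 0, 0  # unknown variable -> ""
        for m in VAR_RE.finditer(value):
            inner = size_of(m.group(1), stack + (name,))
            if inner < 0:
                sizes[name] = -1
                return -1
            total, last = total + (m.start() - last) + inner, m.end()
        sizes[name] = total + len(value) - last  # literal text + expanded references
        return sizes[name]
    for name in variables:
        size_of(name, ())
    return sizes

def oversized_variables(text: str, limit: int = 64 * 1024) -> Dict[str, int]:
    """Variables whose expansion exceeds `limit` bytes (an assumed budget) or recurses."""
    sizes = variable_sizes(parse_variables(text))
    return {n: s for n, s in sizes.items() if s < 0 or s > limit}
```

With 30 doubling levels the source file is a few hundred bytes while `v30` reports 2**30 bytes, the same order of magnitude the advisory cites, and the checker finishes instantly because it only adds lengths.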

Comment 3 Thomas Andrews 2023-03-01 19:52:56 CET
No installation issues in a mga8-64 VirtualBox Plasma guest. 

Urpmq on the packages is of no help, and looking for previous updates isn't any better. The pkgconf.org website has this to say:

"pkgconf is a program which helps to configure compiler and linker flags for development frameworks." And,

"libpkgconf is a library which provides access to most of pkgconf’s functionality, to allow other tooling such as compilers and IDEs to discover and use frameworks configured by pkgconf. It features a stable library ABI and API designed for building bindings and other tools."

Sure sounds like developer territory to me, far beyond my competence. Giving this an OK based on the clean install, and I'm going to validate. If there is a way for someone like me to test, please advise.

Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-03-01 20:11:04 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2023-03-01 22:16:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0077.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

