openSUSE has issued an advisory today (February 10):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWDULBZHRPQHGUXNQ3HNNHRJ3YXPJ7QH/

The issue is fixed upstream in 1.8.1 and 1.9.4:
https://gitea.treehouse.systems/ariadne/pkgconf/tags

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.8.1 and 1.9.4
It is unclear who maintains this nowadays, so assigning this update globally. CC'ing Neal who is/was the official maintainer.
CC: (none) => ngompa13
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes. (CVE-2023-24056)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24056
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWDULBZHRPQHGUXNQ3HNNHRJ3YXPJ7QH/
========================

Updated packages in core/updates_testing:
========================

lib(64)pkgconf3-1.7.3-2.1.mga8
lib(64)pkgconf-devel-1.7.3-2.1.mga8
pkgconf-1.7.3-2.1.mga8
pkgconf-m4-1.7.3-2.1.mga8
pkgconf-pkg-config-1.7.3-2.1.mga8

from SRPM:
pkgconf-1.7.3-2.1.mga8.src.rpm
CVE: (none) => CVE-2023-24056
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Status: NEW => ASSIGNED
Source RPM: pkgconf-1.8.0-2.mga9.src.rpm => pkgconf-1.7.3-2.mga8.src.rpm
Status comment: Fixed upstream in 1.8.1 and 1.9.4 => (none)
Whiteboard: MGA8TOO => (none)
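As an added illustration of the check the advisory above refers to (this is example code written for this page, not pkgconf's own libpkgconf/tuple.c code and not part of the bug report), the Python sketch below is a minimal .pc parser whose `${var}` expander enforces a byte budget. It accepts an ordinary library description, rejects a constructed file in which every variable duplicates the previous one (the "variable duplication" pattern the advisory names) as soon as the running expansion passes the budget, and, going one step beyond the advisory text, also rejects a variable that references itself. `DEFAULT_LIMIT`, `check_pc`, the empty-string treatment of undefined variables and all three sample documents are assumptions of this example.

```python
"""Bounded ${var} expansion for pkg-config style .pc files (example code).

Not pkgconf's implementation: a small parser plus an expander that stops as
soon as the expanded text would exceed a byte budget. DEFAULT_LIMIT, check_pc
and the sample documents below are assumptions made for this illustration.
"""
import re

DEFAULT_LIMIT = 64 * 1024  # assumed budget; a real tool may pick another value

VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


class ExpansionError(Exception):
    """Raised when expansion would exceed the budget or loops on itself."""


def parse_pc(text):
    """Split a .pc document into (variables, fields), both still unexpanded.

    'name=value' lines are variables; 'Key: value' lines are fields;
    blank lines and '#' comments are skipped.
    """
    variables, fields = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        eq, colon = line.find("="), line.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            name, _, value = line.partition("=")
            variables[name.strip()] = value.strip()
        elif colon != -1:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return variables, fields


def expand(value, variables, limit=DEFAULT_LIMIT, _stack=()):
    """Expand ${var} references in value without exceeding `limit` bytes.

    The running total is checked each time a piece is appended, so a value
    built from many large references is stopped as soon as it passes the
    budget rather than after the whole string exists in memory. Undefined
    variables expand to "" here (a simplification for this example).
    """
    pieces, total, pos = [], 0, 0

    def emit(piece):
        nonlocal total
        total += len(piece)
        if total > limit:
            raise ExpansionError(f"expansion exceeds budget of {limit} bytes")
        pieces.append(piece)

    for m in VAR_RE.finditer(value):
        emit(value[pos:m.start()])
        name = m.group(1)
        if name in _stack:  # the variable (transitively) refers to itself
            raise ExpansionError(f"cyclic reference to ${{{name}}}")
        emit(expand(variables.get(name, ""), variables, limit, _stack + (name,)))
        pos = m.end()
    emit(value[pos:])
    return "".join(pieces)


def check_pc(text, limit=DEFAULT_LIMIT):
    """Expand every variable and field of a .pc document under the budget.

    Returns (True, {name: expanded_value}) on success, or (False, reason)
    when the budget is exceeded or a variable references itself.
    """
    variables, fields = parse_pc(text)
    expanded = {}
    try:
        for name, value in variables.items():
            expanded[name] = expand(value, variables, limit, (name,))
        for key, value in fields.items():
            expanded[key] = expand(value, variables, limit)
    except ExpansionError as exc:
        return False, str(exc)
    return True, expanded


# Constructed sample: an ordinary library description.
BENIGN_PC = """\
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include

Name: example
Description: constructed sample
Version: 1.0
Libs: -L${libdir} -lexample
Cflags: -I${includedir}
"""

# Constructed sample: each variable duplicates the previous one, so the
# expanded size doubles per line (16, 32, 64, ... bytes). A 256-byte budget
# rejects the last line; without a budget the pattern simply keeps growing.
DOUBLING_PC = """\
a=0123456789abcdef
b=${a}${a}
c=${b}${b}
d=${c}${c}
e=${d}${d}
f=${e}${e}
Name: duplicated
"""

# Constructed sample: a self-reference that would never terminate.
CYCLIC_PC = "prefix=${prefix}/usr\n"
```

`check_pc(BENIGN_PC)` returns the expanded values (`libdir` becomes `/usr/lib`), `check_pc(DOUBLING_PC, limit=256)` returns `(False, "expansion exceeds budget of 256 bytes")`, and `check_pc(CYCLIC_PC)` reports the cyclic reference. The point of checking inside `emit` rather than once at the end is that memory use stays close to the budget even when a single value is assembled from many references.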
No installation issues in a mga8-64 VirtualBox Plasma guest. Urpmq on the packages is of no help, and looking for previous updates isn't any better. The pkgconf.org website has this to say: "pkgconf is a program which helps to configure compiler and linker flags for development frameworks." And, "libpkgconf is a library which provides access to most of pkgconf’s functionality, to allow other tooling such as compilers and IDEs to discover and use frameworks configured by pkgconf. It features a stable library ABI and API designed for building bindings and other tools." Sure sounds like developer territory to me, far beyond my competence. Giving this an OK based on the clean install, and I'm going to validate. If there is a way for someone like me to test, please advise. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0077.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED