Fedora has issued an advisory on March 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSD3O3LQSW7QZLM33RFCIW3TFNXLB7QD/

They updated to 4.35 with an additional bug fix (it would be good to update Cauldron).
Status comment: (none) => Fixed upstream in 4.34
Cauldron already has 4.34, but note Luigi's remark about 4.35. Assigning to tv who did the 4.34 (& earlier) update(s).
Assignee: bugsquad => thierry.vignaud
Suggested advisory:
========================

The updated package fixes some bugs including a security vulnerability:

Decoding hash keys without ending ':'.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSD3O3LQSW7QZLM33RFCIW3TFNXLB7QD/
========================

Updated package in core/updates_testing:
========================

perl-Cpanel-JSON-XS-4.350.0-1.mga8

from SRPM:
perl-Cpanel-JSON-XS-4.350.0-1.mga8.src.rpm
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 4.34 => (none)
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Note that this is still pending a freeze move in Cauldron.
Mageia8, x86_64

$ urpmq --whatrequires perl-Cpanel-JSON-XS
perl-App-SerializeUtils
perl-Cpanel-JSON-XS
perl-Search-Elasticsearch

There is also a user tool cpanel_json_xs.

cpanel_json_xs [-v] [-f inputformat] [-t outputformat]

Picked a configuration file at random from Stellarium data:

$ cpanel_json_xs <defaultStarsConfig.json >testfile

The conversion was effected but as is usual with JSON data you have to look closely in some places to see it.

$ cat defaultStarsConfig.json
{
  "version": 12,
  "hipSpectralFile": "stars_hip_sp_0v0_4.cat",
[...]
      "url": "https://github.com/Stellarium/stellarium-data/releases/download/stars-2.0/stars_8_2v0_1.cat",
      "checksum": "9e2e362022824c60d7e4d94ef8c3af12",
      "checked": false
    }
  ]
}

$ cat testfile
{
  "catalogs" : [
    {
      "checked" : true,
      "checksum" : "f29bcdca4ef0e945988ff609f7fa9e6a",
[...]
      "sizeMb" : 534,
      "url" : "https://github.com/Stellarium/stellarium-data/releases/download/stars-2.0/stars_8_2v0_1.cat"
    }
  ],
  "hipComponentsIdsFile" : "stars_hip_cids_0v0_0.cat",
  "hipSpectralFile" : "stars_hip_sp_0v0_4.cat",
  "version" : 12
}

Updated from version 4.250. Removed testfile and ran the same command. testfile looked identical to the earlier one.

A bit late in the day tested the security issue by removing two of the : characters from hash keys in the first two stanzas of the catalog section.

    {
      "id": "stars0",
      "fileName": "stars_0_0v0_8.cat",
->    "count" 0.005,
      "magRange": [-2, 6],
      "sizeMb": 0.1,
      "checksum": "f29bcdca4ef0e945988ff609f7fa9e6a",
      "checked": true
    },
    {
      "id": "stars1",
      "fileName": "stars_1_0v0_8.cat",
      "count": 0.022,
->    "magRange" [6, 7.5],
      "sizeMb": 0.6,
      "checksum": "cdffa5b38b1de9eb53272176921861d2",
      "checked": true
    },

Running the command again produced an error.

$ cpanel_json_xs <defaultStarsConfig.json >testfile2
':' expected, at character offset 203 (before "0.005,\n\t\t\t"magRa...") at /usr/bin/cpanel_json_xs line 219, <STDIN> line 1.

Giving this an OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
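The QA comment above checks the fix by deleting two ':' characters by hand and watching cpanel_json_xs die. The following harness is an added example (not code from this thread, from Mageia, or from Cpanel::JSON::XS) that generalises that step: it takes a known-valid seed document, produces one mutant per object key with that key's ':' removed, and reports which mutants a decoder wrongly accepts. It is written in Python so it can run stand-alone against the strict json module; the cpanel_json_xs_decode wrapper assumes the tool is on PATH, reads JSON on stdin with no flags (as in the QA log), and exits non-zero on a parse error. The seed document is constructed here and only mimics the shape of the Stellarium file; the values are made up.

```python
"""Mutation check for the bug class fixed in this update: a JSON decoder that
accepts an object key with no ':' after it.

Added example, not code from the Mageia thread or from Cpanel::JSON::XS.
"""
import json
import re
import shutil
import subprocess
from typing import Callable, List, Tuple

# Constructed seed document (values are made up), shaped like the
# Stellarium defaultStarsConfig.json used in the QA test.
SAMPLE = """{
  "version": 12,
  "catalogs": [
    { "id": "stars0", "count": 0.005, "magRange": [-2, 6], "checked": true },
    { "id": "stars1", "count": 0.022, "magRange": [6, 7.5], "checked": false }
  ]
}"""

# A JSON string followed by optional whitespace and ':' is an object key.
# Only meant for a seed that is already valid JSON: string values may
# contain ':' but are never followed by one, so this never hits a value.
KEY_COLON = re.compile(r'("(?:[^"\\]|\\.)*")\s*:')


def key_colon_mutants(doc: str) -> List[Tuple[str, str]]:
    """One mutant per object key in doc, with that key's ':' deleted.

    Returns (key_name, mutated_document) pairs; '"count": 0.005' becomes
    '"count" 0.005', exactly the edit made by hand in the QA test.
    """
    mutants = []
    for m in KEY_COLON.finditer(doc):
        colon = m.end() - 1            # m.end() is just past the ':'
        mutants.append((m.group(1)[1:-1], doc[:colon] + doc[colon + 1:]))
    return mutants


def decoder_rejects(decode: Callable[[str], object], doc: str) -> bool:
    """True if decode() raises on doc (any exception counts as a rejection)."""
    try:
        decode(doc)
    except Exception:
        return True
    return False


def check_decoder(decode: Callable[[str], object], doc: str = SAMPLE) -> List[str]:
    """Return the keys whose colon-less mutant the decoder wrongly accepted.

    An empty list means the decoder is strict for this bug class.  Raises if
    the decoder cannot parse the well-formed seed, since the mutant results
    would then be meaningless (e.g. the tool is missing or mis-invoked).
    """
    if decoder_rejects(decode, doc):
        raise ValueError("decoder rejects the well-formed seed document")
    return [key for key, mutant in key_colon_mutants(doc)
            if not decoder_rejects(decode, mutant)]


def strict_decode(doc: str) -> object:
    """Reference strict decoder: Python's json module requires the ':'."""
    return json.loads(doc)


def cpanel_json_xs_decode(doc: str) -> str:
    """Feed doc to the cpanel_json_xs CLI on stdin, as the QA test did.

    Assumption: the tool is on PATH and, as the QA log shows, dies (non-zero
    exit) on a parse error.  The pretty-printed output is returned on success.
    """
    run = subprocess.run(["cpanel_json_xs"], input=doc, capture_output=True,
                         text=True, check=False)
    if run.returncode != 0:
        raise ValueError(run.stderr.strip())
    return run.stdout


if __name__ == "__main__":
    print("json.loads accepted mutants:", check_decoder(strict_decode))
    if shutil.which("cpanel_json_xs"):
        print("cpanel_json_xs accepted mutants:",
              check_decoder(cpanel_json_xs_decode))
    else:
        print("cpanel_json_xs not installed; skipped")
```

On a fixed perl-Cpanel-JSON-XS the second line should print an empty list, like the first; any key name listed there is a ':' the decoder silently tolerated. Passing a decoder that accepts everything (for instance `lambda d: d`) lists all ten keys of the seed, which is how you confirm the harness itself is doing something.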
Validating. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0119.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED