Bug 31742 - stellarium new security issue CVE-2023-28371
Summary: stellarium new security issue CVE-2023-28371
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-30 23:21 CEST by David Walser
Modified: 2023-04-06 23:21 CEST

See Also:
Source RPM: stellarium-0.21.3-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2023-03-30 23:21:07 CEST
Fedora has issued an advisory on March 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KG6UNRAOYZJSMIUELY3MMJ5J6LIUZXLT/

Mageia 8 is also affected.

David Walser 2023-03-30 23:21:24 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and Fedora

Comment 1 David GEIGER 2023-03-31 08:03:10 CEST
Fixed in current 23.1 release for Cauldron!

CC: (none) => geiger.david68210

Comment 2 David GEIGER 2023-03-31 08:26:22 CEST
Done for mga8 adding upstream patches!

Comment 3 Morgan Leijström 2023-03-31 10:46:18 CEST
mga8-64 OK on Plasma, nvidia-current, 4K screen

I am no experienced user of this beautiful astronomy education/toy gadget.

Installed version from release, launched, searched and viewed Jupiter.
Updated to the one in updates, OK
Updated to this in testing, OK too.

Some output in the console from where it was launched, but I deem it nothing to worry about, and there was similar output in previous versions:

StelCore: Invalid timezone name: ""  -- not setting timezone.
qt.gui.icc: Unsupported ICC profile class 70727472
QPngHandler: Failed to parse ICC profile
  --<(above two lines repeated 6 times more)>--
Error in Asterism  "TA6" : can't find star with coordinates 2.14697 / 8.55097
ERROR reading asterism lines record at line  88 for culture "western"
WARNING - asterism abbreviation "TA6" not found when loading asterism names
Oculars::validateAndLoadIniFile() found existing ini file version  3.1
Satellite has invalid orbit: "IGS Opt 5 r" "40539"


I see Cauldron has it updated in release, so setting bug to mga8

Version: Cauldron => 8
CC: (none) => fri
Assignee: bugsquad => qa-bugs
Whiteboard: MGA8TOO => MGA8-64-OK

Comment 4 David Walser 2023-03-31 14:40:20 CEST
stellarium-0.21.3-1.1.mga8

from stellarium-0.21.3-1.1.mga8.src.rpm

Source RPM: stellarium-1.2-2.mga9.src.rpm => stellarium-0.21.3-1.mga8.src.rpm
Status comment: Patches available from upstream and Fedora => (none)

Comment 5 PC LX 2023-03-31 20:16:42 CEST
Installed and tested without issues.

Tested a bunch of features for about an hour. All worked as expected.



System: Mageia 8, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a 
Linux jupiter 6.1.15-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Mar  4 11:14:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q stellarium 
stellarium-0.21.3-1.mga8
$ lspcidrake | grep VGA
Card:ATI Volcanic Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Cezanne [DISPLAY_VGA] (rev: c9)
Card:AMD Southern Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Navi 24 [Radeon RX 6400 / 6500 XT] [DISPLAY_VGA] (rev: c1)

CC: (none) => mageia

Comment 6 Thomas Andrews 2023-03-31 22:36:00 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-06 20:36:58 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-04-06 23:21:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0129.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

