Fedora has issued an advisory on April 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FRPEEZJKIVRRCTBOO42O6IY44O5UU3MT/ Mageia 8 is also affected.
Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO
Unsure where to push this, so doing so globally. CC'ing tv who did a fix some months ago.
Assignee: bugsquad => pkg-bugs
CC: (none) => thierry.vignaud
Hi,

By following the link given in comment 0, I found that link:
https://bugzilla.redhat.com/show_bug.cgi?id=2181192
which gives that link:
https://bugzilla.redhat.com/show_bug.cgi?id=2181183
which gives that link:
https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835
which gives that link:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
which gives that link:
https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf
which says the commit was added in version 2.74.4.

So Cauldron is not affected by that CVE.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Source RPM: glib2.0-2.74.5-3.mga9.src.rpm => glib2.0-2.66.8-1.mga8.src.rpm
SUSE has issued an advisory on April 19: https://lists.suse.com/pipermail/sle-security-updates/2023-April/014499.html It fixes this issue and one new one, which will need to be checked against Cauldron.
Version: 8 => Cauldron
Summary: glib2.0 new security issue CVE-2023-24593 => glib2.0 new security issues CVE-2023-24593 and CVE-2023-25180
Status comment: Patch available from Fedora => Patches available from Fedora and SUSE
Whiteboard: (none) => MGA8TOO
Hi,

That new CVE also refers to:
https://bugzilla.redhat.com/show_bug.cgi?id=2181182

It is also fixed by the same commit, so Cauldron is not affected by that CVE.

Best regards,
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Denial of service caused by handling a malicious text-form variant. (CVE-2023-24593)

Denial of service caused by a malicious serialised variant. (CVE-2023-25180)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25180
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FRPEEZJKIVRRCTBOO42O6IY44O5UU3MT/
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014499.html
========================

Updated packages in core/updates_testing:
========================

glib2.0-common-2.66.8-1.1.mga8
glib2.0-tests-2.66.8-1.1.mga8
glib-gettextize-2.66.8-1.1.mga8
lib(64)gio2.0_0-2.66.8-1.1.mga8
lib(64)glib2.0_0-2.66.8-1.1.mga8
lib(64)glib2.0-devel-2.66.8-1.1.mga8
lib(64)glib2.0-static-devel-2.66.8-1.1.mga8

from SRPM:
glib2.0-2.66.8-1.1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from Fedora and SUSE => (none)
Status: NEW => ASSIGNED
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 28612 for testing: symlink.tar file contains only a symlink, no "real" file. Extracting it results in the link appearing pointing to /tmp/moo which does not exist. So works as expected.
Tried zenity,
$ identify 19761105TrouwLodeNoella/D053.jpg
19761105TrouwLodeNoella/D053.jpg JPEG 1656x988 1656x988+0+0 8-bit sRGB 125813B 0.000u 0:00.002
played mpg file with parole, all works OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
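The symlink.tar regression check from the previous comment, scripted so it can be rerun for future glib2.0 updates. This is an added example, not code from the bug report, from Mageia QA or from glib; the member name moo-link, the default target /tmp/moo and the use of a command-line tar are assumptions, and the real fixture attached to bug 28612 may differ.

```shell
#!/bin/sh
# Added example; not code from the bug report, from Mageia QA or from glib.
# Rebuilds a "symlink.tar" fixture like the one the QA comment describes (an
# archive whose only member is a symbolic link) and checks that extracting it
# yields exactly one dangling link and nothing else. The member name
# "moo-link", the default target /tmp/moo and the use of a command-line tar
# are assumptions; the real fixture from bug 28612 may differ.

# make_symlink_tar DIR [TARGET]
# Create DIR/symlink.tar whose only member is the symlink moo-link -> TARGET.
make_symlink_tar() {
    dir=$1
    target=${2:-/tmp/moo}
    mkdir -p "$dir/src"
    ln -s "$target" "$dir/src/moo-link"
    # -C keeps the member name bare ("moo-link"), with no directory prefix.
    tar -cf "$dir/symlink.tar" -C "$dir/src" moo-link
    rm -rf "$dir/src"
}

# check_extraction DIR [TARGET]
# Extract DIR/symlink.tar into DIR/out and print "ok" when the result is exactly
# one symlink pointing at TARGET that does not resolve to an existing file.
# Prints a reason and returns 1 otherwise.
check_extraction() {
    dir=$1
    target=${2:-/tmp/moo}
    mkdir -p "$dir/out"
    tar -xf "$dir/symlink.tar" -C "$dir/out"
    link="$dir/out/moo-link"
    # The member must come out as a symlink, not as a regular file or a copy of the target.
    [ -L "$link" ] || { echo "not a symlink: $link"; return 1; }
    # It must point where the archive said, unchanged.
    [ "$(readlink "$link")" = "$target" ] || { echo "wrong target: $(readlink "$link")"; return 1; }
    # -e follows the link: a dangling link fails it, which is what we expect,
    # since the target was never supposed to be created by the extraction.
    [ ! -e "$link" ] || { echo "target exists; link is not dangling"; return 1; }
    # Nothing else was extracted alongside the link.
    [ "$(ls -A "$dir/out")" = "moo-link" ] || { echo "unexpected extra entries"; return 1; }
    echo ok
}

# Stand-alone run in a scratch directory, with a target that certainly does not exist.
work=$(mktemp -d)
make_symlink_tar "$work" "$work/absent/moo"
check_extraction "$work" "$work/absent/moo"
rm -rf "$work"
```

The stand-alone run uses a target under the scratch directory rather than /tmp/moo so the result does not depend on what happens to exist in /tmp on the test machine; pass /tmp/moo as the second argument to reproduce the comment's fixture exactly.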
Validating. Advisory in comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0176.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed:
CVE-2023-29499
CVE-2023-32611
CVE-2023-32665
https://ubuntu.com/security/notices/USN-6165-1
*** Bug 32034 has been marked as a duplicate of this bug. ***