Bug 32055 - Update CuraEngine (CVE-2022-28041)
Summary: Update CuraEngine (CVE-2022-28041)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-06-28 12:52 CEST by papoteur
Modified: 2023-07-07 07:56 CEST

See Also:
Source RPM: curaengine-4.8.0-1.1.1.mga8.src.rpm
CVE:
Status comment:


Description papoteur 2023-06-28 12:52:30 CEST
Bug 30366 reports issue CVE-2022-28041 in the stb library, which is included in curaengine.

The stb library has been updated to the latest snapshot (29-01-2023) to fix the issue.
Package:
curaengine-4.8.0-1.1.1.mga8

Source:
curaengine-4.8.0-1.1.1.mga8.src.rpm
Comment 1 Herman Viaene 2023-06-29 11:46:07 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
As in bug 29622, getting no further than the help command:
$ CuraEngine help

Cura_SteamEngine version 4.8.0
Copyright (C) 2020 Ultimaker

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

usage:
CuraEngine help
	Show this help message

CuraEngine connect <host>[:<port>] [-j <settings.def.json>]
  --connect <host>[:<port>]
	Connect to <host> via a command socket, 
	instead of passing information via the command line
  -v
	Increase the verbose level (show log messages).
etc.....
seems to work OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 2 Morgan Leijström 2023-06-29 12:40:28 CEST
Why not update to 4.12.1 that is in mga9?

CC: (none) => fri

Comment 3 Morgan Leijström 2023-06-29 12:42:40 CEST
Maybe 5.x in mga9, BTW...
Comment 4 papoteur 2023-06-30 16:36:13 CEST
(In reply to Morgan Leijström from comment #2)
> Why not update to 4.12.1 that is in mga9?

It is in 4.13.1.
The update is not needed to fix the CVE.
5.x wasn't packaged until recently anywhere.
Comment 5 Thomas Andrews 2023-07-01 14:23:28 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-07-06 23:46:08 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-07-07 07:56:51 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0228.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

