Bug 32273 - indent new security issues, including CVE-2023-40305
Summary: indent new security issues, including CVE-2023-40305
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-11 14:11 CEST by Nicolas Salguero
Modified: 2023-09-30 21:18 CEST (History)
CC List: 6 users

See Also:
Source RPM: indent-2.2.13-1.mga9.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2023-09-11 14:11:57 CEST
Fedora has issued an advisory on September 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MIUH3F63KQJWYR3FLKRZUYYRJOY6FYX/

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-09-11 14:12:32 CEST

Source RPM: (none) => indent-2.2.13-1.mga9.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO

Comment 1 Nicolas Salguero 2023-09-11 14:37:31 CEST
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file. (CVE-2023-40305)

GNU indent 2.2.13 has a heap overread in lexi().

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40305
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MIUH3F63KQJWYR3FLKRZUYYRJOY6FYX/
========================

Updated package in {8|9}/core/updates_testing:
========================
indent-2.2.13-1.1.mga{8|9}

from SRPM:
indent-2.2.13-1.1.mga{8|9}.src.rpm

Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2023-09-18 09:20:15 CEST

Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: nicolas.salguero => qa-bugs

Comment 2 Herman Viaene 2023-09-18 16:59:39 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
followed test from bug 31884:
original reading
#if X
#if Y
#define Z 1
#else
#define Z 0
#endif
#endif
Command executed:
$ indent indent.c -o testcindentform.c -ppi 3
results in testcindentform.c reading
#if X
#   if Y
#      define Z 1
#   else
#      define Z 0
#   endif
#endif
So good to go.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => herman.viaene

PC LX 2023-09-20 17:53:35 CEST

CC: (none) => mageia

Comment 3 Thomas Andrews 2023-09-24 02:34:55 CEST
MGA9-64 Plasma in Virtualbox:

No installation issues. Attempted to use Herman's test in a cookbook fashion, as I know not what I do...

Created an unindented file testindent.c:

#if X
#if Y
#define Z 1
#else
#define Z 0
#endif
#endif
 
Ran the command $ indent testindent.c -o testindentform.c -ppi 3

Opened testindentform.c with kwrite:

#if X
#   if Y
#      define Z 1
#   else
#      define Z 0
#   endif
#endif

Result same as Herman's, so OKing for MGA9. Validating. Advisory in comment 1.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

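Added example, not part of this bug report or of the GNU indent project: a small Python QA helper that does two things a tester of this update wants, (1) decides from an installed version-release string whether the package is at or above the fixed indent-2.2.13-1.1 build, and (2) replays the -ppi regression test from comments 2 and 3 against whatever `indent` is on PATH and compares the output byte-for-byte with the result both testers posted. The rpm-style version comparison is a simplified re-implementation written for this example (no epoch, tilde or caret handling), and the `rpm -q` query in the main block is an assumption about the host; without `indent` on PATH the regression run reports "skipped" rather than failing.

```python
#!/usr/bin/env python3
"""QA helper for the indent update (added example, not project code):
version check against the fixed build plus the -ppi regression test."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Version-release strings taken from the bug page.
VULNERABLE_VR = "2.2.13-1"    # indent-2.2.13-1.mga9 (affected)
FIXED_VR = "2.2.13-1.1"       # indent-2.2.13-1.1.mga{8|9} (fixed)

# Input and expected output exactly as posted in comments 2 and 3.
TEST_INPUT = """#if X
#if Y
#define Z 1
#else
#define Z 0
#endif
#endif
"""
EXPECTED_OUTPUT = """#if X
#   if Y
#      define Z 1
#   else
#      define Z 0
#   endif
#endif
"""

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpm-style comparison of one version or release string:
    split into digit/alpha segments, digits compare numerically, letters
    lexically, a digit segment beats an alpha segment, and when one string
    runs out of segments the longer one is newer. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release.
    A distro suffix such as '1.1.mga9' compares correctly against '1.1'."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when the installed version-release is at or above the fixed one."""
    return evr_cmp(installed_vr, fixed_vr) >= 0


def run_ppi_regression(indent_bin: Optional[str] = None) -> str:
    """Replay the QA test: indent in.c -o out.c -ppi 3, then compare.
    Returns 'ok', 'mismatch', 'error: ...', or 'skipped' when no usable
    indent binary is found (name or path is resolved with shutil.which)."""
    resolved = shutil.which(indent_bin or "indent")
    if resolved is None:
        return "skipped"
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "testindent.c"
        dst = Path(tmp) / "testindentform.c"
        src.write_text(TEST_INPUT)
        proc = subprocess.run([resolved, str(src), "-o", str(dst), "-ppi", "3"],
                              capture_output=True, text=True)
        if proc.returncode != 0:
            return f"error: exit {proc.returncode}: {proc.stderr.strip()}"
        if not dst.exists():
            return "error: no output file written"
        return "ok" if dst.read_text() == EXPECTED_OUTPUT else "mismatch"


if __name__ == "__main__":
    # Assumption: an rpm-based host; on anything else only the regression runs.
    if shutil.which("rpm"):
        q = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "indent"],
                           capture_output=True, text=True)
        if q.returncode == 0:
            vr = q.stdout.strip()
            state = "fixed" if is_fixed(vr) else f"below fixed build {FIXED_VR}"
            print(f"installed indent {vr}: {state}")
        else:
            print("indent is not installed (rpm -q failed)")
    print("-ppi regression:", run_ppi_regression())
```

The comparison is deliberately run on the bare `%{VERSION}-%{RELEASE}` string, so `2.2.13-1.mga9` is reported as below the fix while `2.2.13-1.1.mga8` is at the fix, which is exactly the distinction the whiteboard flags (MGA8-64-OK, MGA9-64-OK) record.
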
Marja Van Waes 2023-09-30 15:34:13 CEST

Keywords: (none) => advisory
CC: (none) => marja11

Comment 4 Mageia Robot 2023-09-30 21:18:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0274.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

