SUSE has issued an advisory on April 8: https://lwn.net/Articles/968977/ Debian has the following patch: https://sources.debian.org/src/indent/2.2.13-4/debian/patches/04-fix-a-heap-buffer-underread-in-set-buf-break.patch/ Mageia 9 is also affected.
Status comment: (none) => Patch available from Debian
Source RPM: (none) => indent-2.2.13-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-0911
Thanks for the exact patch ref. It is short & sweet. No single packager in view, so assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in indent, a program for formatting C code. This issue may allow an attacker to trick a user into processing a specially crafted file to trigger a heap-based buffer overflow, causing the application to crash. (CVE-2024-0911)

References:
https://lwn.net/Articles/968977/
========================

Updated package in core/updates_testing:
========================
indent-2.2.13-1.2.mga9

from SRPM:
indent-2.2.13-1.2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: indent-2.2.13-2.mga10.src.rpm => indent-2.2.13-1.1.mga9.src.rpm
Status comment: Patch available from Debian => (none)
Version: Cauldron => 9
Keywords: (none) => advisory
MGA9-64 in VirtualBox. No installation issues.

Followed Herman's lead in bug 31884 comment 5 for testing:

Created a short test file testindent.c with Kwrite:

#if X
#if Y
#define Z 1
#else
#define Z 0
#endif
#endif

Ran the command:

$ indent testindent.c -o testindentform.c -ppi 3

The resulting form in testindentform.c:

#if X
#   if Y
#      define Z 1
#   else
#      define Z 0
#   endif
#endif

Looks good. Validating.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0122.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED