33168 – exfatprogs new security issue CVE-2023-45897

Bug 33168 - exfatprogs new security issue CVE-2023-45897

Summary: exfatprogs new security issue CVE-2023-45897

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-05-02 09:29 CEST by Nicolas Salguero
Modified:	2025-01-26 08:16 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	exfatprogs-1.2.0-1.mga9.src.rpm
CVE:	CVE-2023-45897
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-05-02 09:29:44 CEST

RedHat has issued an advisory on April 30:
https://lwn.net/Articles/971707/

Version 1.2.2 solves the problem or the following patches:
https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf
https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4
https://github.com/exfatprogs/exfatprogs/commit/4abc55e976573991e6a1117bb2b3711e59da07ae

Nicolas Salguero 2024-05-02 09:30:15 CEST

Source RPM: (none) => exfatprogs-1.2.0-1.mga9.src.rpm
CVE: (none) => CVE-2023-45897
Status comment: (none) => Fixed upstream in 1.2.2 and patches available from upstream

Comment 1 Nicolas Salguero 2024-05-02 14:56:16 CEST

Suggested advisory:
========================

The updated package fixes a security vulnerability:

exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in read_file_dentry_set. (CVE-2023-45897)

References:
https://lwn.net/Articles/971707/
========================

Updated package in core/updates_testing:
========================
exfatprogs-1.2.0-1.1.mga9

from SRPM:
exfatprogs-1.2.0-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.2.2 and patches available from upstream => (none)
Assignee: bugsquad => qa-bugs

katnatek 2024-05-02 19:41:17 CEST

Keywords: (none) => advisory

Comment 2 Thomas Andrews 2024-05-06 03:23:11 CEST

MGA9-64 Plasma. No installation issues. 

Bug 31055 tells me that Isodumper uses exfatprogs when formatting a usb stick to exFAT. I took a 128GB usb stick that was already formatted in NTFS, and used Isodumper to reformat it into exFAT, and added a label. After using MCC to confirm that the stick was indeed now in exFAT, and labeled, I used Dolphin to copy a video to it. VLC played the video from the stick without issues. Then I moved the file to another directory on my SSD,and "safely removed" the usb stick.

This is good to go. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 3 Mageia Robot 2024-05-09 04:41:52 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0166.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 4 Jaden Lind 2025-01-26 07:47:31 CET Comment hidden (spam)

Great to see RedHat's quick response and transparency, along with a prompt fix from the libvirt team to address the issue efficiently! http://tubetextify.com/

CC: (none) => allenpaul1990

sturmvogel 2025-01-26 08:16:54 CET

CC: allenpaul1990 => (none)

Note You need to log in before you can comment on or make changes to this bug.