33410 – libfm and libfm-qt: vulnerability related to trusted locations

Bug 33410 - libfm and libfm-qt: vulnerability related to trusted locations

Summary: libfm and libfm-qt: vulnerability related to trusted locations

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-07-17 16:11 CEST by Nicolas Salguero
Modified:	2024-07-20 02:09 CEST (History)
CC List:	2 users (show)

See Also:
Source RPM:	libfm-1.3.2-1.mga9.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-07-17 16:11:31 CEST

That issue was announced here:
https://github.com/lxqt/libfm-qt/pull/992

For libfm-qt, the fix is: https://github.com/lxqt/libfm-qt/commit/a07f17fecdc65a75f3d18f0f5814cc37f9958ae6

For libfm, the fix is: https://github.com/lxde/libfm/commit/ee33947ee71719e5750cbe832159a7ecc90e0add

Mageia 9 is also affected.

Comment 1 Nicolas Salguero 2024-07-17 16:13:40 CEST

For libfm, Cauldron already includes the fix.

Source RPM: (none) => libfm-1.3.2-4.mga9.src.rpm, libfm-qt-2.0.2-2.mga10.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patches available from upstream

Comment 2 Nicolas Salguero 2024-07-17 16:18:57 CEST

For libfm, libfm-1.3.2-4.1.mga9 solves the problem too.

Comment 3 Nicolas Salguero 2024-07-17 16:20:31 CEST

Updated packages in core/updates_testing:
========================
lib(64)fm4-1.3.2-4.1.mga9
lib(64)fm-devel-1.3.2-4.1.mga9
libfm-1.3.2-4.1.mga9
lxshortcut-1.3.2-4.1.mga9

from SRPM:
libfm-1.3.2-4.1.mga9.src.rpm

Comment 4 Lewis Smith 2024-07-17 20:45:07 CEST

What about libfm-qt ? libfm-qt-1.4.0-1.mga9.src.rpm

Comment 5 Nicolas Salguero 2024-07-18 09:13:13 CEST

Hi,

I think libfm-qt is handled by LxQt packager.

Best regards,

Nico.

Assignee: bugsquad => yvesbrungard

Comment 6 papoteur 2024-07-18 09:56:43 CEST

Hello Nicolas,
Thanks for your vigilance.
urpmq -yf fm-qt
lib64fm-qt-devel-1.4.0-1.mga9.x86_64
lib64fm-qt13-1.3.0-1.mga9.x86_64
lib64fm-qt14-1.4.0-1.mga9.x86_64
lib64lastfm-qt5-devel-1.1.0-4.mga9.x86_64
libfm-qt-1.4.0-1.mga9.x86_64

The actual version in use is libfm-qt 1.4.0
rpm -qa|grep fm-qt
libfm-qt-1.4.0-1.mga9
lib64fm-qt14-1.4.0-1.mga9
pcmanfm-qt-1.4.0-1.mga9

The patch should be applied to 1.4.0, and to be sure, we can obsolete 1.3.0 (lib64fm-qt13).

papoteur 2024-07-18 09:57:49 CEST

Source RPM: libfm-1.3.2-4.mga9.src.rpm, libfm-qt-2.0.2-2.mga10.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm => libfm-1.4.0-1.mga9.src.rpm, libfm-qt-2.0.2-2.mga10.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm

papoteur 2024-07-18 10:05:07 CEST

Source RPM: libfm-1.4.0-1.mga9.src.rpm, libfm-qt-2.0.2-2.mga10.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm => libfm-1.3.2-1.mga9.src.rpm, libfm-qt-2.0.2-2.mga10.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm

Comment 7 papoteur 2024-07-18 15:06:40 CEST

Submitted:
SRPMS:
libfm-qt-1.4.0-1.1.mga9
RPMS:
lib64fm-qt-devel-1.4.0-1.1.mga9
lib64fm-qt14-1.4.0-1.1.mga9
libfm-qt-1.4.0-1.1.mga9

Assignee: yvesbrungard => qa-bugs

Comment 8 Nicolas Salguero 2024-07-18 17:09:46 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability related to trusted locations.

References:
https://github.com/lxqt/libfm-qt/pull/992
========================

Updated packages in core/updates_testing:
========================
lib(64)fm4-1.3.2-4.1.mga9
lib(64)fm-devel-1.3.2-4.1.mga9
libfm-1.3.2-4.1.mga9
lxshortcut-1.3.2-4.1.mga9

lib(64)fm-qt14-1.4.0-1.1.mga9
lib(64)fm-qt-devel-1.4.0-1.1.mga9
libfm-qt-1.4.0-1.1.mga9

from SRPMS:
libfm-1.3.2-4.1.mga9.src.rpm
libfm-qt-1.4.0-1.1.mga9

Status: NEW => ASSIGNED

Nicolas Salguero 2024-07-18 17:09:50 CEST

Status comment: Patches available from upstream => (none)

Nicolas Salguero 2024-07-18 17:09:57 CEST

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Nicolas Salguero 2024-07-18 17:10:07 CEST

Source RPM: libfm-1.3.2-1.mga9.src.rpm, libfm-qt-2.0.2-2.mga10.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm => libfm-1.3.2-1.mga9.src.rpm, libfm-qt-1.4.0-1.mga9.src.rpm

katnatek 2024-07-18 23:54:45 CEST

Keywords: (none) => advisory

Comment 9 katnatek 2024-07-19 00:29:47 CEST

RH mageia 9 x86_64 
confirm the vulnerability in lxqt

 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64fm-qt14-1.4.0-1.1.mga9.x86_64.rpm libfm-1.3.2-4.1.mga9.x86_64.rpm lxshortcut-1.3.2-4.1.mga9.x86_64.rpm lib64fm4-1.3.2-4.1.mga9.x86_64.rpm libfm-qt-1.4.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/5: lxshortcut            ##################################################################################################
      2/5: lib64fm4              ##################################################################################################
      3/5: libfm                 ##################################################################################################
      4/5: libfm-qt              ##################################################################################################
      5/5: lib64fm-qt14          ##################################################################################################
      1/5: removing lxshortcut-1.3.2-4.mga9.x86_64
                                 ##################################################################################################
      2/5: removing lib64fm4-1.3.2-4.mga9.x86_64
                                 ##################################################################################################
      3/5: removing libfm-1.3.2-4.mga9.x86_64
                                 ##################################################################################################
      4/5: removing lib64fm-qt14-1.4.0-1.mga9.x86_64
                                 ##################################################################################################
      5/5: removing libfm-qt-1.4.0-1.mga9.x86_64
                                 ##################################################################################################

Close and star session (necessary to really make effect)
Now the POC desktop file ask what to do if Open or Run
OK for the fm-qt flavor

Comment 10 katnatek 2024-07-19 03:50:29 CEST

RH mageia 0 x86_64

Downgrade the packages
Install pcmafm
Reproduce the vulnerabilty
Update again to testing packages
Now the POC desktop file ask for action instead run without ask

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 11 Thomas Andrews 2024-07-19 13:32:47 CEST

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 12 Mageia Robot 2024-07-20 02:09:38 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0271.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.