Bug 33529 - orc new security issue CVE-2024-40897
Summary: orc new security issue CVE-2024-40897
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://ubuntu.com/security/notices/U...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 09:41 CEST by Nicolas Salguero
Modified: 2024-09-10 18:41 CEST (History)
3 users

See Also:
Source RPM: orc-0.4.33-1.mga9.src.rpm
CVE: CVE-2024-40897
Status comment:



Description Nicolas Salguero 2024-09-06 09:41:07 CEST
Ubuntu has issued an advisory on August 15:
https://ubuntu.com/security/notices/USN-6964-1
Nicolas Salguero 2024-09-06 09:41:37 CEST

Source RPM: (none) => orc-0.4.33-1.mga9.src.rpm
CVE: (none) => CVE-2024-40897
Status comment: (none) => Patch available from Ubuntu

Comment 1 Marja Van Waes 2024-09-06 21:24:02 CEST
No registered maintainer, so assigning to all.

CC: (none) => marja11
URL: (none) => https://ubuntu.com/security/notices/USN-6964-1
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-09-09 11:12:16 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked into processing a specially crafted file with the affected ORC compiler, arbitrary code may be executed in the developer's build environment. This may lead to compromise of developer machines or CI build environments. (CVE-2024-40897)

References:
https://ubuntu.com/security/notices/USN-6964-1
========================

Updated packages in core/updates_testing:
========================
lib(64)orc0.4_0-0.4.33-1.1.mga9
lib(64)orc-devel-0.4.33-1.1.mga9
orc-0.4.33-1.1.mga9

from SRPM:
orc-0.4.33-1.1.mga9.src.rpm

Status comment: Patch available from Ubuntu => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

katnatek 2024-09-09 18:56:40 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-09-09 20:05:14 CEST
LC_ALL=C urpmi --auto --auto-update
adding 66 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (32-bit)"
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing orc-0.4.33-1.1.mga9.x86_64.rpm lib64orc0.4_0-0.4.33-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64orc0.4_0         ##################################################################################################
      2/2: orc                   ##################################################################################################
      1/2: removing orc-0.4.33-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64orc0.4_0-0.4.33-1.mga9.x86_64
                                 ##################################################################################################


Description :
Orc is a library and set of tools for compiling and executing very
simple programs that operate on arrays of data.  The “language” is a
generic assembly language that represents many of the features
available in SIMD architectures, including saturated addition and
subtraction, and many arithmetic operations.

Looks like developer territory; giving OK on a base clean install.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-09-10 03:14:01 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-09-10 18:41:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0288.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

