Ubuntu issued an advisory on November 21:
https://ubuntu.com/security/notices/USN-7118-1

Cauldron already has version 0.23.93, so only Mageia 9 is affected.

Fixed in version 0.23.93 or with the following patches:
https://github.com/mchehab/zbar/commit/f8f8f5ccf1e8d68c3700e0f0b3d895cdf03ce679 (CVE-2023-40889)
https://github.com/mchehab/zbar/commit/012a030250a203e5529d09caedea7ad7173dacfd (CVE-2023-40890)
Debian also has patches:
https://sources.debian.org/data/main/z/zbar/0.23.92-7%2Bdeb12u1/debian/patches/0003-CVE-2023-40889-qrdec.c-Fix-array-out-of-bounds-acces.patch
https://sources.debian.org/data/main/z/zbar/0.23.92-7%2Bdeb12u1/debian/patches/0004-Add-bounds-check-for-CVE-2023-40890.patch
Status comment: (none) => Fixed upstream in 0.23.93 and patch available from upstream and Debian
CVE: (none) => CVE-2023-40889, CVE-2023-40890
Source RPM: (none) => zbar-0.23.92-3.mga9.src.rpm
Status comment: Fixed upstream in 0.23.93 and patch available from upstream and Debian => Fixed upstream in 0.23.93 and patches available from upstream and Debian
Assigning directly to you, David, as you are the packager who has been maintaining zbar.
Assignee: bugsquad => geiger.david68210
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
libzbar-devel-0.23.93-1.mga9
libzbar-gir1.0-0.23.93-1.mga9
libzbar0-0.23.93-1.mga9
libzbargtk0-0.23.93-1.mga9
libzbarqt0-0.23.93-1.mga9
lib64zbar-devel-0.23.93-1.mga9
lib64zbar-gir1.0-0.23.93-1.mga9
lib64zbar0-0.23.93-1.mga9
lib64zbargtk0-0.23.93-1.mga9
lib64zbarqt0-0.23.93-1.mga9
python3-zbar-0.23.93-1.mga9
zbar-0.23.93-1.mga9

From SRPMS
zbar-0.23.93-1.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
Keywords: (none) => advisory
RH x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64zbar0-0.23.93-1.mga9.x86_64.rpm zbar-0.23.93-1.mga9.x86_64.rpm lib64zbargtk0-0.23.93-1.mga9.x86_64.rpm lib64zbar-gir1.0-0.23.93-1.mga9.x86_64.rpm lib64zbarqt0-0.23.93-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/5: lib64zbar0 ##################################################################################################
2/5: lib64zbargtk0 ##################################################################################################
3/5: lib64zbar-gir1.0 ##################################################################################################
4/5: lib64zbarqt0 ##################################################################################################
5/5: zbar ##################################################################################################
1/5: removing zbar-0.23.92-3.mga9.x86_64 ##################################################################################################
2/5: removing lib64zbargtk0-0.23.92-3.mga9.x86_64 ##################################################################################################
3/5: removing lib64zbar-gir1.0-0.23.92-3.mga9.x86_64 ##################################################################################################
4/5: removing lib64zbarqt0-0.23.92-3.mga9.x86_64 ##################################################################################################
5/5: removing lib64zbar0-0.23.92-3.mga9.x86_64 ##################################################################################################

Tested zbarcam, zbarcam-gtk & zbarcam-qt: the video of the webcam works, but it looks like that is all I can test.

zbarimg
ERROR: specify image file(s) to scan
usage: zbarimg [options] <image>...

scan and decode bar codes from one or more image files

options:
    -h, --help      display this help text
    --version       display version information and exit
    --polygon       output points delimiting code zone with decoded symbol data
    -q, --quiet     minimal output, only print decoded symbol data
    -v, --verbose   increase debug output level
    --verbose=N     set specific debug output level
    -d, --display   enable display of following images to the screen
    -D, --nodisplay disable display of following images (default)
    --xml, --noxml  enable/disable XML output format
    --raw           output decoded symbol data without converting charsets
    -1, --oneshot   exit after scanning one bar code
    -S<CONFIG>[=<VALUE>], --set <CONFIG>[=<VALUE>]
                    set decoder/scanner <CONFIG> to <VALUE> (or 1)
    --nodbus        disable dbus message

zbarimg --version
0.23.93

Feel free to provide additional tests and/or remove the OK if needed.
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
I got a little more, but not much.

Using my scanner, I created an image of the side of a can of ground black pepper that has the UPC code. Then I attempted to run the image through zbarimg:

$ zbarimg --verbose Pepper.png
Name Error (Connection ":1.207" is not allowed to own the service "org.linuxtv.Zbar" due to security policies in the configuration file)
EAN-13:4099100106015
scanned 1 barcode symbols from 1 images in 0.05 seconds

dump_stats: symbol sets allocated = 1
dump_stats: scanner syms in use = 0 recycled = 0
dump_stats: image syms in use = 0 recycled = 0
dump_stats: symbols allocated = 1
dump_stats: recycled[0] = 0
dump_stats: recycled[1] = 0
dump_stats: recycled[2] = 0
dump_stats: recycled[3] = 0
dump_stats: recycled[4] = 0
_zbar_qr_destroy: max finder lines = 255x127

It did find the barcode in the image, and scanned it, correctly reading the EAN-13 code number (according to what it says on the can). But it would seem that the configuration needs to be changed in order to go any farther with it.

It did seem to work as I believe it should, as far as I could go. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0374.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED