Bug 33803 - rapidjson new security issue CVE-2024-38517
Summary: rapidjson new security issue CVE-2024-38517
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-11-26 16:55 CET by Nicolas Salguero
Modified: 2024-11-27 21:00 CET

See Also:
Source RPM: rapidjson-1.1.0-6.mga9.src.rpm
CVE: CVE-2024-38517
Status comment:



Description Nicolas Salguero 2024-11-26 16:55:13 CET
Ubuntu has issued an advisory on November 25:
https://ubuntu.com/security/notices/USN-7125-1
Nicolas Salguero 2024-11-26 16:55:50 CET

CVE: (none) => CVE-2024-38517
Source RPM: (none) => rapidjson-1.1.0-7.mga10.src.rpm, rapidjson-1.1.0-6.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 David GEIGER 2024-11-27 06:58:10 CET
Fixed both Cauldron and mga9!

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2024-11-27 09:17:37 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Tencent RapidJSON is vulnerable to privilege escalation due to an integer underflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege. (CVE-2024-38517)

References:
https://ubuntu.com/security/notices/USN-7125-1
========================

Updated package in core/updates_testing:
========================
rapidjson-1.1.0-6.1.mga9

from SRPM:
rapidjson-1.1.0-6.1.mga9.src.rpm

Source RPM: rapidjson-1.1.0-7.mga10.src.rpm, rapidjson-1.1.0-6.mga9.src.rpm => rapidjson-1.1.0-6.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Status comment: Patch available from Ubuntu => (none)

katnatek 2024-11-27 16:57:49 CET

Keywords: (none) => advisory

Comment 3 katnatek 2024-11-27 17:15:18 CET
RH x86_64

installing rapidjson-1.1.0-6.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: rapidjson             ##################################################################################################
      1/1: removing rapidjson-1.1.0-6.mga9.x86_64
                                 ##################################################################################################

This looks like devs territory, but feel free to provide additional tests.
Comment 4 Thomas Andrews 2024-11-27 17:45:13 CET
According to bug 20566 comment 20, "rapidjson is only a build time dependency for ppsspp - it's used when building the package, but does not need to be installed on the users' system afterwards." 

So it is indeed dev territory, and is good on a clean install over the older version.

Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-11-27 21:00:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0371.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

