Ubuntu has issued an advisory on February 24: https://ubuntu.com/security/notices/USN-7286-1
Source RPM: (none) => iniparser-4.2.4-1.mga10.src.rpm, iniparser-4.1-4.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-0633
Status comment: (none) => Patch available from Ubuntu
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap-based Buffer Overflow vulnerability in iniparser_dumpsection_ini() in iniparser allows attacker to read out of bound memory. (CVE-2025-0633)

References:
https://ubuntu.com/security/notices/USN-7286-1
========================

Updated packages in core/updates_testing:
========================
lib(64)iniparser0-4.1-4.1.mga9
lib(64)iniparser-devel-4.1-4.1.mga9

from SRPM:
iniparser-4.1-4.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: iniparser-4.2.4-1.mga10.src.rpm, iniparser-4.1-4.mga9.src.rpm => iniparser-4.1-4.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status comment: Patch available from Ubuntu => (none)
Keywords: (none) => advisory
mga9, x86_64

Installed the core versions of these libraries and also isomaster which depends on them. Put isomaster through its paces using Mageia-9-Live-Plasma-x86_64.iso. A GUI is presented with two windows, the top one showing the current directory and the lower one the files on the iso after clicking on the iso name above. Any of the sections on the iso can be extracted and will land in the current directory if the named file does not exist. That can be restored at will using the Add function. The Remove function will extract the data and throw it away. That all seemed to work fine before the update and similar operations worked after the update.

I did try extracting all the sections after the update and then putting them back together again and noted that the rebuilt file was slightly smaller than the original. Tried to produce a bootable iso by running isodumper against the patched-together iso. The process seemed to work but the BIOS did not recognise it as a bootable device although it did appear in the list of attached devices. isodumper did complain about a missing GPG signature.

It is probably safe to say that the libraries are OK but I shall wait for comments and maybe the results of other testers.
CC: (none) => tarazed25
It would be worth looking at a CD-ROM iso. I might have one somewhere.
RH x86_64

LC_ALL=C urpmi lib64iniparser0
installing lib64iniparser0-4.1-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: lib64iniparser0 ##################################################################################################

LC_ALL=C urpmi lib64iniparser-devel
installing lib64iniparser-devel-4.1-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: lib64iniparser-devel ##################################################################################################

Reference: bug#23561 comment#8

gcc iniexample.c -lm /usr/lib64/libiniparser.so.0 -o iniexamp
./iniexamp
[pizza]=UNDEF
[pizza:ham]=[yes]
[pizza:mushrooms]=[TRUE]
[pizza:capres]=[0]
[pizza:cheese]=[Non]
[wine]=UNDEF
[wine:grape]=[Cabernet Sauvignon]
[wine:year]=[1989]
[wine:country]=[Spain]
[wine:alcohol]=[12.5]
Pizza:
Ham: [1]
Mushrooms: [1]
Capres: [0]
Cheese: [0]
Wine:
Grape: [Cabernet Sauvignon]
Year: [1989]
Country: [Spain]
Alcohol: [12.5]
Whiteboard: (none) => MGA9-64-OK
Created a 16-track ISO file from an audio CD-ROM and mounted it as a loop device to check that it behaved as it should then used isomaster to remove four tracks and saved the tracks to a new iso which contained 12 tracks. Reloaded that to check that all was good.

$ sudo mount -t iso9660 -o ro,loop shorter.iso /mnt/iso
$ ls /mnt/iso
BATCHELO.WAV HARVESTO.WAV PADSTOW.WAV THEOLDMA.WAV
BLACKJAC.WAV JACKHALL.WAV THECRUEL.WAV THEWIFEO.WAV
GAUDETE.WAV LONGLANK.WAV THEELFKN.WAV THOMASTH.WAV

The mangling of the track titles is an unfortunate side-effect of the original ISO creation process.

$ vlc /mnt/iso

That works fine, with all twelve tracks listed, which validates isomaster and by association the two libraries under test I think. Katnatek's test is more to the point though - worth keeping in mind for future testing before and after.
Thanks. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0077.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED