Bug 34447 - wxgtk new security issue CVE-2024-58249
Summary: wxgtk new security issue CVE-2024-58249
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-07-08 17:27 CEST by Nicolas Salguero
Modified: 2025-11-14 03:31 CET

See Also:
Source RPM: wxgtk-3.2.6-1.mga9
CVE: CVE-2024-58249
Status comment:


Description Nicolas Salguero 2025-07-08 17:27:24 CEST
openSUSE has issued an advisory on July 5:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5MGXBYGQNDVNLDQFHYQAQNIK5TUT6PIL/
Comment 1 Nicolas Salguero 2025-07-08 17:28:23 CEST
Fix: https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d (v3.2.7)

Source RPM: (none) => wxgtk-3.2.6-1.mga9.src.rpm
CVE: (none) => CVE-2024-58249

Comment 2 Lewis Smith 2025-07-20 21:28:17 CEST
Assigning globally.

Status comment: (none) => Fix given
Assignee: bugsquad => pkg-bugs

katnatek 2025-07-21 18:20:36 CEST

Assignee: pkg-bugs => j.alberto.vc

Comment 3 katnatek 2025-07-21 20:44:54 CEST
@David, do you think it is wise to jump to 3.2.8, or is it fine with 3.2.7?

CC: (none) => geiger.david68210

katnatek 2025-07-22 03:12:32 CEST

Source RPM: wxgtk-3.2.6-1.mga9.src.rpm => wxgtk-3.2.6-1.mga9
Status comment: Fix given => (none)
Assignee: j.alberto.vc => qa-bugs

Comment 4 katnatek 2025-07-22 03:19:56 CEST
RPMS:

lib(64)wx_baseu3.2_0-3.2.8.1-1.mga9
lib(64)wx_baseu_net3.2_0-3.2.8.1-1.mga9
lib(64)wx_baseu_xml3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_adv3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_aui3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_core3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_gl3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_html3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_media3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_propgrid3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_qa3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_ribbon3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_richtext3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_stc3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_webview3.2_0-3.2.8.1-1.mga9
lib(64)wx_gtk3u_xrc3.2_0-3.2.8.1-1.mga9
lib(64)wxgtku3.2-devel-3.2.8.1-1.mga9
wxgtk3.2-3.2.8.1-1.mga9

SRPM:
wxgtk-3.2.8.1-1.mga9
katnatek 2025-07-22 03:38:28 CEST

Keywords: (none) => advisory

katnatek 2025-07-22 03:39:11 CEST

Depends on: (none) => 34442

Comment 5 katnatek 2025-07-22 04:40:32 CEST
RH x86_64

installing lib64wx_gtk3u_ribbon3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_gl3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_core3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_baseu3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_xrc3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_baseu_xml3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_html3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_stc3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_qa3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_richtext3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_media3.2_0-3.2.8.1-1.mga9.x86_64.rpm wxgtk3.2-3.2.8.1-1.mga9.x86_64.rpm lib64wx_baseu_net3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_webview3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_aui3.2_0-3.2.8.1-1.mga9.x86_64.rpm lib64wx_gtk3u_propgrid3.2_0-3.2.8.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
     1/16: wxgtk3.2              ##################################################################################################
     2/16: lib64wx_baseu3.2_0    ##################################################################################################
     3/16: lib64wx_gtk3u_core3.2_0
                                 ##################################################################################################
     4/16: lib64wx_baseu_xml3.2_0
                                 ##################################################################################################
     5/16: lib64wx_gtk3u_html3.2_0
                                 ##################################################################################################
     6/16: lib64wx_gtk3u_xrc3.2_0
                                 ##################################################################################################
     7/16: lib64wx_gtk3u_richtext3.2_0
                                 ##################################################################################################
     8/16: lib64wx_gtk3u_qa3.2_0 ##################################################################################################
     9/16: lib64wx_gtk3u_ribbon3.2_0
                                 ##################################################################################################
    10/16: lib64wx_gtk3u_gl3.2_0 ##################################################################################################
    11/16: lib64wx_gtk3u_stc3.2_0
                                 ##################################################################################################
    12/16: lib64wx_gtk3u_media3.2_0
                                 ##################################################################################################
    13/16: lib64wx_gtk3u_webview3.2_0
                                 ##################################################################################################
    14/16: lib64wx_gtk3u_aui3.2_0
                                 ##################################################################################################
    15/16: lib64wx_gtk3u_propgrid3.2_0
                                 ##################################################################################################
    16/16: lib64wx_baseu_net3.2_0
                                 ##################################################################################################
     1/16: removing lib64wx_gtk3u_richtext3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     2/16: removing lib64wx_gtk3u_xrc3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     3/16: removing lib64wx_gtk3u_qa3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     4/16: removing lib64wx_gtk3u_html3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     5/16: removing lib64wx_gtk3u_propgrid3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     6/16: removing lib64wx_gtk3u_aui3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     7/16: removing lib64wx_gtk3u_webview3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     8/16: removing lib64wx_gtk3u_media3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
     9/16: removing lib64wx_gtk3u_stc3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
    10/16: removing lib64wx_gtk3u_gl3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
    11/16: removing lib64wx_gtk3u_ribbon3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
    12/16: removing lib64wx_gtk3u_core3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
    13/16: removing lib64wx_baseu_xml3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
    14/16: removing lib64wx_baseu_net3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
    15/16: removing lib64wx_baseu3.2_0-3.2.6-1.mga9.x86_64
                                 ##################################################################################################
    16/16: removing wxgtk3.2-3.2.6-1.mga9.x86_64
                                 ##################################################################################################

strace poedit file.po

openat(AT_FDCWD, "/lib64/libwx_gtk3u_xrc-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_gtk3u_webview-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_gtk3u_core-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_baseu_net-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_baseu-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3

And more

strace guayadeque shows
openat(AT_FDCWD, "/lib64/libwx_baseu-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_gtk3u_core-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_baseu_net-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_gtk3u_html-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3

And more

strace filezilla
openat(AT_FDCWD, "/lib64/libwx_gtk3u_aui-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_gtk3u_xrc-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_gtk3u_core-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3

Looks good to me
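
The strace check in comment 5, as a repeatable filter. This is an added example, not part of the original comment or of Mageia's QA tooling. It lists every wx library a traced process opened successfully and flags any copy loaded from outside the system library directories, since such a copy is not replaced by the RPM update. The sample trace, the /opt/exampleapp path and the list of system directories are assumptions made for illustration.

```shell
#!/bin/sh
# Capture a trace first, for instance:
#   strace -f -e trace=openat -o trace.txt poedit file.po
# then feed it in:  wx_libs_outside_system < trace.txt

# Constructed sample of strace output (not taken from a real run).
SAMPLE_TRACE='openat(AT_FDCWD, "/lib64/libwx_gtk3u_core-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libwx_baseu-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/opt/exampleapp/lib/libwx_baseu_net-3.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/tls/libwx_gtk3u_aui-3.2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3'

# Read strace output on stdin and print the path of every libwx_* shared
# object whose openat() succeeded (returned a file descriptor). Failed
# search-path probes such as ENOENT are skipped, and a leading pid prefix
# written by "strace -f" is tolerated.
wx_libs_opened() {
    sed -n 's#^.*openat([^"]*"\([^"]*/libwx_[^"/]*\.so[^"/]*\)".*) = [0-9][0-9]*$#\1#p' |
        LC_ALL=C sort -u
}

# Read strace output on stdin and print only the wx libraries loaded from
# outside /lib, /lib64, /usr/lib and /usr/lib64 (assumed system directories).
# Prints nothing when every wx library came from a system directory.
wx_libs_outside_system() {
    wx_libs_opened | grep -v -E '^(/usr)?/lib(64)?/[^/]+$' || true
}

echo "wx libraries opened:"
printf '%s\n' "$SAMPLE_TRACE" | wx_libs_opened
echo "wx libraries outside system directories:"
printf '%s\n' "$SAMPLE_TRACE" | wx_libs_outside_system
```

Any path reported by the second function points at a bundled wx copy that needs its own update, whatever version the distribution packages are at.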
Comment 6 Jani Välimaa 2025-07-22 10:59:09 CEST
(In reply to katnatek from comment #3)
> @David, do you think it is wise to jump to 3.2.8, or is it fine with 3.2.7?

According to our updates policy [1], we should stay at the version we have in core/release and use a patch to fix the issue. I don't see why this case should be different.

[1] https://wiki.mageia.org/en/Updates_policy#Version_Policy

CC: (none) => jani.valimaa

Comment 7 katnatek 2025-07-22 13:39:23 CEST
(In reply to Jani Välimaa from comment #6)
> (In reply to katnatek from comment #3)
> > @David, do you think it is wise to jump to 3.2.8, or is it fine with 3.2.7?
> 
> According to our updates policy [1], we should stay at the version we have
> in core/release and use a patch to fix the issue. I don't see why this case
> should be different.
> 
> [1] https://wiki.mageia.org/en/Updates_policy#Version_Policy
I think this case fits in the exception
'Version not supported upstream'
https://github.com/wxWidgets/wxWidgets/releases/tag/v3.2.8.1
Comment 8 Jani Välimaa 2025-07-22 14:02:30 CEST
(In reply to katnatek from comment #7)
> (In reply to Jani Välimaa from comment #6)
> > (In reply to katnatek from comment #3)
> > > @David, do you think it is wise to jump to 3.2.8, or is it fine with 3.2.7?
> > 
> > According to our updates policy [1], we should stay at the version we have
> > in core/release and use a patch to fix the issue. I don't see why this case
> > should be different.
> > 
> > [1] https://wiki.mageia.org/en/Updates_policy#Version_Policy
> I think this case fits in the exception
> 'Version not supported upstream'
> https://github.com/wxWidgets/wxWidgets/releases/tag/v3.2.8.1

That's not the case. There is nothing that says that version 3.2.6 should be updated to the latest version.

However, as the pkg is already on mirrors, I would say there's no need to revert it to the older version (unless QA team says something else). Please be more careful next time when thinking about updating a package version in a stable release, and remember that we have policies to follow.
Comment 9 katnatek 2025-07-27 23:55:34 CEST
We need more tests on this, please
Comment 10 Len Lawrence 2025-07-29 12:26:42 CEST
On it.

CC: (none) => tarazed25

Comment 11 Len Lawrence 2025-07-29 13:17:04 CEST
mga9, x64
Previous test was in bug #29848.

Ensured that all base packages were installed.

$ rpm -qa | egrep 'wxgtk|lib64wx'
wxgtk3.0-3.0.5.1-6.mga9
lib64wx_baseu3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_core3.0_0-3.0.5.1-6.mga9
lib64wx_baseu_xml3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_html3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_adv3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_xrc3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_qa3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_aui3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_gl3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_stc3.0_0-3.0.5.1-6.mga9
lib64wx_gtk3u_webview3.0_0-3.0.5.1-6.mga9
lib64wx_baseu_net3.0_0-3.0.5.1-6.mga9
wxgtk3.2-3.2.6-1.mga9
lib64wx_baseu3.2_0-3.2.6-1.mga9
lib64wx_baseu_xml3.2_0-3.2.6-1.mga9
lib64wx_baseu_net3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_core3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_html3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_xrc3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_webview3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_richtext3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_stc3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_aui3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_ribbon3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_gl3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_propgrid3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_adv3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_media3.2_0-3.2.6-1.mga9
lib64wx_gtk3u_qa3.2_0-3.2.6-1.mga9
lib64wxgtku3.2-devel-3.2.6-1.mga9

All new packages installed smoothly via qarepo and MageiaUpdate.
According to the previous bug these applications depend on wxgtk libraries:
audacity
boinc-manager
dvdstyler
flamerobin
freefilesync
guayadeque
kicad
opencpn
openyahtzee
python3-wxpython4
radiotray-ng
urbanlightscape
wxHexEditor

Installing them all.  urbanlightscape is taking forever.  Tests later.
Comment 12 Len Lawrence 2025-07-29 16:52:46 CEST
audacity appeared to be working OK - selected a piece of music and showed the left and right tracks.  Played section of L track using pulse.

dvdstyler opened and some of the controls responded.  No DVD slot on this machine though.

flamerobin runs but I could not make a database connection - unsure what input was needed.

Played about with guayadeque but have no access to any sources.  Tried selecting a collection on disk but was unable to get it to run.  The format may not be compatible - no real idea.

kicad displays various options for PCBs.  Changed some values and tried calculate but always produced a NaN.  It looks like it is working anyway.

Played about with opencpn.  The interface appears to work but I could not remember how to use/install a chart after downloading it.

This shall have to do for the moment.  Giving it the OK.

Whiteboard: (none) => MGA9-64-OK

katnatek 2025-07-30 23:42:09 CEST

CC: (none) => andrewsfarm

Comment 13 katnatek 2025-07-30 23:44:27 CEST
Note that upstream says rebuild of applications is not mandatory

https://github.com/wxWidgets/wxWidgets/releases/tag/v3.2.8.1
wxWidgets 3.2.8.1 is part of 3.2 stable branch. This means that it is API and ABI-compatible with the previous 3.2.x releases, i.e. the applications previously built using 3.2.7 or earlier shared libraries will continue working with this release even without recompiling when using shared libraries and can be rebuilt without any changes to the code otherwise.
Comment 14 Thomas Andrews 2025-07-31 02:35:16 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Dan Fandrich 2025-08-02 06:10:02 CEST
This is marked as blocked by bug 34442, but it looks to me like that's not quite true. I don't see any direct dependency on icu, and even if there were it would just mean that wxgtk would need to be rebuilt (again) as part of 34442.

Can this be pushed now, as is?

CC: (none) => dan

Comment 16 katnatek 2025-08-02 12:21:42 CEST
(In reply to Dan Fandrich from comment #15)
> This is marked as blocked by bug 34442, but it looks to me like that's not
> quite true. I don't see any direct dependency on icu, and even if there were
> it would just mean that wxgtk would need to be rebuilt (again) as part of
> 34442.
> 
> Can this be pushed now, as is?

I sent icu first, and just when BS marked the packages as uploaded
I sent wxgtk (any rebuild for icu is needed then)
So if you think it can be pushed
Please do it
Thank you
katnatek 2025-08-02 17:40:07 CEST

Depends on: 34442 => (none)

Comment 17 Dan Fandrich 2025-08-02 22:35:45 CEST
I see no dependency on icu in any of the packages in comment 4, so I'm going to push this.
Comment 18 Mageia Robot 2025-08-02 23:16:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0217.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 19 spammer 2025-11-14 03:24:25 CET Comment hidden (spam)

CC: (none) => roycarlson56

katnatek 2025-11-14 03:31:15 CET

CC: roycarlson56 => (none)

