Bug 8070 - gegl new security issue CVE-2012-4433
Summary: gegl new security issue CVE-2012-4433
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/524704/
Whiteboard: MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1...
Keywords: validated_update
Reported: 2012-11-14 00:25 CET by David Walser
Modified: 2012-11-21 20:58 CET (History)

See Also:
Source RPM: gegl-0.2.0-6.mga3.src.rpm
Status comment:


Description David Walser 2012-11-14 00:25:56 CET
RedHat has issued an advisory on November 12:

It is unclear exactly which versions are affected, but Mageia 1, Mageia 2, and Cauldron all may be.

The upstream commits to fix this are linked in the RedHat bug:
Comment 1 David Walser 2012-11-16 23:09:29 CET
All three versions are affected.  I have checked the patches into SVN to fix this.

It builds fine locally on Mageia 1 and Mageia 2.

It does not build in Cauldron, with this seeming to be the problem:
"unknown type name 'luaL_reg'"

Funda, could you please look into this?
Comment 2 David Walser 2012-11-17 17:30:39 CET
Thanks for fixing the Cauldron package Funda.
Comment 3 David Walser 2012-11-17 17:38:05 CET
Patched package uploaded for Mageia 1 and Mageia 2.

Updated gegl packages fix security vulnerability:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the gegl utility processed .ppm (Portable Pixel Map) image
files. An attacker could create a specially-crafted .ppm file that, when
opened in gegl, would cause gegl to crash or, potentially, execute
arbitrary code (CVE-2012-4433).

Updated packages in core/updates_testing:

from SRPMS:
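The advisory above describes an integer overflow in PPM dimension handling that becomes a heap-based buffer overflow. As an added example (not gegl's code and not the upstream patch), here is a P6 header parser that validates width, height and maxval and refuses any buffer-size computation that would wrap before anything is allocated; the in-memory header string and the 8-bit maxval limit are assumptions of the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse a binary PPM ("P6") header and compute the pixel-buffer size
 * (width * height * 3 bytes) without letting the product wrap.  Returns 1
 * and stores the size in *out_size, or 0 when the header is malformed or
 * the buffer would not fit in size_t.  Example code, not gegl's parser. */
int ppm_pixel_bytes(const char *hdr, size_t *out_size)
{
    unsigned long field[3];                 /* width, height, maxval */
    const char *p = hdr;

    if (strncmp(p, "P6", 2) != 0)
        return 0;
    p += 2;
    for (int i = 0; i < 3; i++) {
        char *end;
        while (isspace((unsigned char)*p))
            p++;
        if (!isdigit((unsigned char)*p))
            return 0;                       /* strtoul would wrap "-5" to a huge value */
        errno = 0;
        field[i] = strtoul(p, &end, 10);
        if (errno == ERANGE)
            return 0;                       /* value exceeds unsigned long */
        p = end;
    }
    unsigned long w = field[0], h = field[1], maxval = field[2];
    if (w == 0 || h == 0 || maxval == 0 || maxval > 255)
        return 0;                           /* 8-bit samples only in this example */

    /* Test each multiplication against SIZE_MAX before doing it: a wrapped
     * product makes malloc() hand back a small buffer that the pixel copy
     * then overruns, which is the heap overflow the advisory describes. */
    if (w > SIZE_MAX / h)
        return 0;
    size_t pixels = (size_t)w * (size_t)h;
    if (pixels > SIZE_MAX / 3)
        return 0;
    *out_size = pixels * 3;
    return 1;
}
```

A loader would call this before malloc() and treat a 0 return as a malformed file; a constructed header such as "P6 4294967296 4294967296 255" is rejected at the first multiplication check rather than producing a small allocation.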
Comment 4 Marc Lattemann 2012-11-18 13:24:58 CET
No public PoC found, and I really have no clue how to test?

Tested on the CLI and converted pictures from png to ppm and ppm to png (e.g. # gegl gegl.png -o gegl.ppm) and played around with the gegl plugin in gimp. Everything works fine.
Are there any more specific tests needed or known?
Comment 5 David Walser 2012-11-18 18:03:26 CET
If you could reverse your command line test and make it use a PPM file as input, that will hit the affected code, so that would be good.
Comment 6 Marc Lattemann 2012-11-18 19:13:53 CET
Did it both ways, but I do not have a prepared ppm file for testing the overflow. So tested successfully on mga2 64-bit. Will proceed with testing the other versions.
Comment 7 Marc Lattemann 2012-11-18 21:08:31 CET
Same tests performed for mga2 i586 and mga1 x86_64. But no gegl package found in Core_Update_testing for mga1 i586?

[root@localhost urpmi]# LC_ALL=C urpmi gegl
Package gegl-0.1.2-3.mga1.i586 is already installed
[root@localhost urpmi]# LC_ALL=C urpmi --media 'Core Updates Testing (distrib5)' gegl
No package named gegl

According to Sophie the package is there.
[20:05] <Latte> :v gegl -r 1
[20:05] <Sophie> Latte: 0.1.2-3.1.mga1 // core-updates_testing (Mga, 1, i586)
[20:05] <Sophie> Latte: 0.1.2-3.mga1 // core-release (Mga, 1, i586)

What am I doing wrong?
Comment 8 David Walser 2012-11-18 21:20:12 CET
I don't know, but I see it here:
Comment 9 Thomas Backlund 2012-11-18 21:54:41 CET
Maybe you forgot to update the media hdlists...

urpmi.update "core updates testing"
Comment 10 Marc Lattemann 2012-11-18 22:37:56 CET
I don't know (I always use 'urpmi.update -a' after activating testing repos); some servers don't seem to be up-to-date. However, using the server David mentioned I could install gegl from updates_testing and everything is working on mga1 i586 as well.

Validating update:

Please use the advisory from Comment 3.

Can sysadmin push package to updates? Thanks.
Comment 11 Thomas Backlund 2012-11-21 20:58:16 CET
Update pushed:
