RedHat issued an advisory on November 12: https://rhn.redhat.com/errata/RHSA-2012-1455.html It is unclear exactly which versions are affected, but Mageia 1, Mageia 2, and Cauldron all may be. The upstream commits to fix this are linked in the RedHat bug: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=856300
Whiteboard: (none) => MGA2TOO, MGA1TOO
All three versions are affected. I have checked the patches into SVN to fix this. It builds fine locally on Mageia 1 and Mageia 2. It does not build in Cauldron, with this seeming to be the problem: "unknown type name 'luaL_reg'" from: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20121116215912.luigiwalser.valstar.23507/log/gegl-0.2.0-7.mga3/build.0.20121116220006.log Funda, could you please look into this?
Priority: Normal => High
Thanks for fixing the Cauldron package, Funda.
Priority: High => Normal
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated gegl packages fix security vulnerability:

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the gegl utility processed .ppm (Portable Pixel Map) image files. An attacker could create a specially-crafted .ppm file that, when opened in gegl, would cause gegl to crash or, potentially, execute arbitrary code (CVE-2012-4433).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4433
https://rhn.redhat.com/errata/RHSA-2012-1455.html
========================

Updated packages in core/updates_testing:
========================
gegl-0.1.2-3.1.mga1
libgegl0.1_0-0.1.2-3.1.mga1
libgegl0.1-devel-0.1.2-3.1.mga1
gegl-0.2.0-2.1.mga2
libgegl0.2_0-0.2.0-2.1.mga2
libgegl-devel-0.2.0-2.1.mga2

from SRPMS:
gegl-0.1.2-3.1.mga1.src.rpm
gegl-0.2.0-2.1.mga2.src.rpm
CC: (none) => fundawang
Assignee: fundawang => qa-bugs
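The flaw class named in the advisory above (a pixel buffer size computed from .ppm header fields that overflows before allocation) and the usual guard against it, as an added example. This is not gegl's code or the upstream patch; the function names and the sample header are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one decimal header field, skipping whitespace and '#' comments. */
static int ppm_field(const char **p, unsigned long limit, size_t *out)
{
    const char *s = *p;
    char *end;
    for (;;) {
        while (isspace((unsigned char)*s)) s++;
        if (*s != '#') break;
        while (*s && *s != '\n') s++;
    }
    if (!isdigit((unsigned char)*s)) return -1;  /* also rejects '-' and '+' */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || v == 0 || v > limit) return -1;
    *p = end;
    *out = (size_t)v;
    return 0;
}

/* Hypothetical helper (not gegl's API): validate a binary PPM ("P6") header.
   Returns 0 and sets *size, or -1 if malformed or the size would overflow. */
int ppm_checked_size(const char *hdr, size_t *size)
{
    size_t w, h, maxval;
    if (strncmp(hdr, "P6", 2) != 0) return -1;
    hdr += 2;
    if (ppm_field(&hdr, ULONG_MAX, &w) || ppm_field(&hdr, ULONG_MAX, &h)) return -1;
    if (ppm_field(&hdr, 65535, &maxval)) return -1;
    size_t per_pixel = 3 * (maxval > 255 ? 2 : 1);  /* RGB, 1 or 2 bytes per sample */
    /* Prove each multiplication safe by division before performing it. */
    if (w > SIZE_MAX / per_pixel || h > SIZE_MAX / (w * per_pixel)) return -1;
    *size = w * h * per_pixel;
    return 0;
}

int main(void)
{
    size_t n = 0;
    if (ppm_checked_size("P6\n# constructed sample\n640 480\n255\n", &n) == 0)
        printf("%zu\n", n);
    return 0;
}
```

Without the division checks, a header with very large dimensions would make `w * h * per_pixel` wrap to a small value, so the allocation would be smaller than the pixel data later copied into it.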
No public PoC found and I really have no clue how to test. Tested on the CLI, converting pictures from png to ppm and ppm to png (e.g. # gegl gegl.png -o gegl.ppm), and played around with the gegl plugin in gimp. Everything works fine. Are there any more specific tests needed or known?
CC: (none) => marc.lattemann
If you could reverse your command line test and make it use a PPM file as input, that will hit the affected code, so that would be good.
Did both ways, but I do not have a prepared ppm file for testing the overflow. So tested successfully on mga2 64bit. Will proceed with testing the other versions.
Whiteboard: MGA1TOO => MGA1TOO, MGA2-64-OK
Same tests performed for mga2 i586 and mga1 x86_64. But no gegl package found in Core_Update_testing for mga1 i586?

[root@localhost urpmi]# LC_ALL=C urpmi gegl
Package gegl-0.1.2-3.mga1.i586 is already installed
[root@localhost urpmi]# LC_ALL=C urpmi --media 'Core Updates Testing (distrib5)' gegl
No package named gegl

According to Sophie the package is there.

[20:05] <Latte> :v gegl -r 1
[20:05] <Sophie> Latte: 0.1.2-3.1.mga1 // core-updates_testing (Mga, 1, i586)
[20:05] <Sophie> Latte: 0.1.2-3.mga1 // core-release (Mga, 1, i586)

What am I doing wrong?
Whiteboard: MGA1TOO, MGA2-64-OK => MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK
I don't know, but I see it here: http://mageia.c3sl.ufpr.br/distrib/1/i586/media/core/updates_testing/gegl-0.1.2-3.1.mga1.i586.rpm
Maybe you forgot to update media hdlists... urpmi.update "core updates testing"
CC: (none) => tmb
I don't know (I always use 'urpmi.update -a' after activating testing repos) - some servers don't seem to be up-to-date. However, using the server David mentioned, I could install gegl from updates_testing and everything is working on mga1 i586 as well. Validating update: please use the advisory from Comment 3. Can sysadmin push the package to updates? Thanks.
Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK => MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK, MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0335
Status: NEW => RESOLVED
Resolution: (none) => FIXED