Mageia Bugzilla – Bug 8070
gegl new security issue CVE-2012-4433
Last modified: 2012-11-21 20:58:16 CET
RedHat has issued an advisory on November 12:
It is unclear exactly which versions are affected, but Mageia 1, Mageia 2, and Cauldron all may be.
The upstream commits to fix this are linked in the RedHat bug:
All three versions are affected. I have checked the patches into SVN to fix this.
It builds fine locally on Mageia 1 and Mageia 2.
It does not build in Cauldron, with this seeming to be the problem:
"unknown type name 'luaL_reg'"
Funda, could you please look into this?
Thanks for fixing the Cauldron package, Funda.
Patched package uploaded for Mageia 1 and Mageia 2.
Updated gegl packages fix security vulnerability:
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the gegl utility processed .ppm (Portable Pixel Map) image
files. An attacker could create a specially-crafted .ppm file that, when
opened in gegl, would cause gegl to crash or, potentially, execute
arbitrary code (CVE-2012-4433).
Updated packages in core/updates_testing:
No public PoC found, and I really have no clue how to test?
Tested on the CLI by converting pictures from png to ppm and ppm to png (e.g. # gegl gegl.png -o gegl.ppm) and played around with the gegl plugin in GIMP. Everything works fine.
Are there any more specific tests needed or known?
If you could reverse your command line test and make it use a PPM file as input, that will hit the affected code, so that would be good.
Did both ways, but I do not have a prepared ppm file for testing the overflow. So tested successfully on mga2 64bit. Will proceed with testing the other versions.
Same tests performed for mga2 i586 and mga1 x86_64. But no gegl package found in Core_Update_testing for mga1 i586?
[root@localhost urpmi]# LC_ALL=C urpmi gegl
Package gegl-0.1.2-3.mga1.i586 is already installed
[root@localhost urpmi]# LC_ALL=C urpmi --media 'Core Updates Testing (distrib5)' gegl
No package named gegl
According to Sophie the package is there.
[20:05] <Latte> :v gegl -r 1
[20:05] <Sophie> Latte: 0.1.2-3.1.mga1 // core-updates_testing (Mga, 1, i586)
[20:05] <Sophie> Latte: 0.1.2-3.mga1 // core-release (Mga, 1, i586)
What am I doing wrong?
I don't know, but I see it here:
Maybe you forgot to update media hdlists...
urpmi.update "core updates testing"
I don't know (I always use 'urpmi.update -a' after activating testing repos) - some servers don't seem to be up-to-date. However, using the server David mentioned, I could install gegl from updates_testing and everything is working on mga1 i586 as well.
Please use the advisory from Comment 3.
Can sysadmin push package to updates? Thanks.
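
The advisory above describes an integer overflow in PPM header handling that leads to an undersized heap buffer. As an added illustration of that bug class and the overflow-checked size computation that prevents it (this is not gegl's code or the upstream patch; naive_size32, parse_field and ppm_buffer_size are hypothetical names, and the sample headers are constructed):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative only (not gegl's code): 32-bit size arithmetic that wraps. */
uint32_t naive_size32(uint32_t w, uint32_t h, uint32_t channels)
{
    return w * h * channels;            /* 65536 * 65536 * 3 wraps to 0 */
}

/* Parse one unsigned decimal field; NULL on a sign, junk or overflow. */
static const char *parse_field(const char *p, size_t *out)
{
    size_t v = 0;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
    if (*p < '0' || *p > '9') return NULL;
    for (; *p >= '0' && *p <= '9'; p++) {
        size_t d = (size_t)(*p - '0');
        if (v > (SIZE_MAX - d) / 10) return NULL;   /* v*10+d would wrap */
        v = v * 10 + d;
    }
    *out = v;
    return p;
}

/* Hypothetical helper: check a "P6" header (comments not handled), size it. */
int ppm_buffer_size(const char *hdr, size_t *out_size)
{
    size_t w, h, maxval, bps, row;
    const char *p = hdr;
    if (p[0] != 'P' || p[1] != '6') return -1;
    p += 2;
    if (!(p = parse_field(p, &w)) || !(p = parse_field(p, &h)) ||
        !(p = parse_field(p, &maxval))) return -1;
    if (w == 0 || h == 0 || maxval == 0 || maxval > 65535) return -1;
    bps = (maxval < 256) ? 1 : 2;       /* bytes per sample */
    if (w > SIZE_MAX / 3 / bps) return -1;          /* row size would wrap */
    row = w * 3 * bps;
    if (h > SIZE_MAX / row) return -1;              /* total would wrap */
    *out_size = row * h;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int rc = ppm_buffer_size("P6\n640 480\n255\n", &n);   /* constructed */
    printf("rc=%d size=%zu\n", rc, n);
    return 0;
}
```

A parser that sizes its buffer this way rejects headers whose dimensions cannot be represented instead of allocating a wrapped, too-small buffer.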