Bug 8070 - gegl new security issue CVE-2012-4433
: gegl new security issue CVE-2012-4433
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/524704/
: MGA1TOO, MGA2-64-OK, MGA1-32-OK, MGA1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-14 00:25 CET by David Walser
Modified: 2012-11-21 20:58 CET (History)
3 users (show)

See Also:
Source RPM: gegl-0.2.0-6.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-11-14 00:25:56 CET
RedHat has issued an advisory on November 12:
https://rhn.redhat.com/errata/RHSA-2012-1455.html

It is unclear exactly which versions are affected, but Mageia 1, Mageia 2, and Cauldron all may be.

The upstream commits to fix this are linked in the RedHat bug:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=856300
Comment 1 David Walser 2012-11-16 23:09:29 CET
All three versions are affected.  I have checked the patches into SVN to fix this.

It builds fine locally on Mageia 1 and Mageia 2.

It does not build in Cauldron, with this seeming to be the problem:
"unknown type name 'luaL_reg'

from:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20121116215912.luigiwalser.valstar.23507/log/gegl-0.2.0-7.mga3/build.0.20121116220006.log

Funda, could you please look into this?
Comment 2 David Walser 2012-11-17 17:30:39 CET
Thanks for fixing the Cauldron package Funda.
Comment 3 David Walser 2012-11-17 17:38:05 CET
Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated gegl packages fix security vulnerability:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the gegl utility processed .ppm (Portable Pixel Map) image
files. An attacker could create a specially-crafted .ppm file that, when
opened in gegl, would cause gegl to crash or, potentially, execute
arbitrary code (CVE-2012-4433).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4433
https://rhn.redhat.com/errata/RHSA-2012-1455.html
========================

Updated packages in core/updates_testing:
========================
gegl-0.1.2-3.1.mga1
libgegl0.1_0-0.1.2-3.1.mga1
libgegl0.1-devel-0.1.2-3.1.mga1
gegl-0.2.0-2.1.mga2
libgegl0.2_0-0.2.0-2.1.mga2
libgegl-devel-0.2.0-2.1.mga2

from SRPMS:
gegl-0.1.2-3.1.mga1.src.rpm
gegl-0.2.0-2.1.mga2.src.rpm
Comment 4 Marc Lattemann 2012-11-18 13:24:58 CET
no public PoC found and I have no really clue how to test?

tested on cli and convert pictures from png to ppm and ppm to png (e.g. # gegl gegl.png -o gegl.ppm) and played around with gegl plugin in gimp. Everything works fine. 
Are there any more specific tests needed or known?
Comment 5 David Walser 2012-11-18 18:03:26 CET
If you could reverse your command line test and make it use a PPM file as input, that will hit the affected code, so that would be good.
Comment 6 Marc Lattemann 2012-11-18 19:13:53 CET
did both ways, but do not have a prepared ppm file for testing the overflow. So tested successfully on mga2 64bit. Will proceed testing the other versions.
Comment 7 Marc Lattemann 2012-11-18 21:08:31 CET
same tests performed for mga2 i586 and mga1 x86_64. But no gegl package found in Core_Update_testing for mga1 i586?

[root@localhost urpmi]# LC_ALL=C urpmi gegl
Package gegl-0.1.2-3.mga1.i586 is already installed
[root@localhost urpmi]# LC_ALL=C urpmi --media 'Core Updates Testing (distrib5)' gegl
No package named gegl

according to Sophie the package is there.
[20:05] <Latte> :v gegl -r 1
[20:05] <Sophie> Latte: 0.1.2-3.1.mga1 // core-updates_testing (Mga, 1, i586)
[20:05] <Sophie> Latte: 0.1.2-3.mga1 // core-release (Mga, 1, i586)

What am I doing wrong?
Comment 8 David Walser 2012-11-18 21:20:12 CET
I don't know, but I see it here:
http://mageia.c3sl.ufpr.br/distrib/1/i586/media/core/updates_testing/gegl-0.1.2-3.1.mga1.i586.rpm
Comment 9 Thomas Backlund 2012-11-18 21:54:41 CET
maybe you forgot to update media hdlists...

urpmi.update "core updates testing"
Comment 10 Marc Lattemann 2012-11-18 22:37:56 CET
I don't know (I always using 'urpmi.update -a' after activating testing repos)  - some server don't seem to be up-to-date. However using server David mentioned I could install gegl from updates_testing and everything is working on mga1 i586 as well.


Validating update:

please use advisory from Comment 3

Can sysadmin push package to updates? Thanks.
Comment 11 Thomas Backlund 2012-11-21 20:58:16 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0335

Note You need to log in before you can comment on or make changes to this bug.