WARNING: There is a known vulnerability in zgv 5.8 (and all previous versions) such that suitably-constructed images can be made to run arbitrary commands when viewed with zgv - not as root, but as the user running zgv. This still has the potential to cause serious trouble, so I strongly recommend that existing users upgrade to the current version.
Can someone verify this, please?
Well, seems valid sure enough. Nothing in the Changelog suggests any off-the-trunk fixes, so IMHO we should get the machine rolling.
I'd change this to C2 [ebuild] / minor (but there's no maintainer), but, uhm, I can't.
no herd, no maintainer.
Joy, gonna send a mail to -dev or something like that soon.
Also see #127008 as there seems to be a 5.9 patch there.
Bumped this to 5.9 with the patch frilled mentioned, although the 5.8 version should be fine.
x86 please test (really test, since I committed this mess - and this was my first ebuild commit) and stable, thanks.
I think this bug may be the same as CVE-2006-1060 (GLSA-200604-10):
"Heap-based buffer overflow in zgv before 5.8 and xzgv before 0.8 might allow user-complicit attackers to execute arbitrary code via a JPEG image with more than 3 output components, such as a CMYK or YCCK color space, which causes less memory to be allocated than required."
- there is really no reliable description of the vulnerability (and no other source)
- the Changelog for zgv 5.8 does not mention any security issue
Other viewpoints?
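For readers unfamiliar with the bug class the CVE text describes (a buffer sized for 3 output components receiving a 4-component CMYK/YCCK image), here is an added illustration in C. It is not zgv's code, not the 5.9 patch, and the struct and function names are hypothetical; it only models the mismatch between the allocation and the number of bytes the decoder actually emits, beside the bound-checked sizing that avoids it.

```c
/* Added illustration of the allocation-size mismatch described in the CVE
 * text: a buffer sized for 3 output components (RGB) receives scanlines of a
 * 4-component image (CMYK/YCCK). NOT zgv's code; names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for what a JPEG decoder reports after the header
 * (libjpeg exposes similar fields: output_width, output_height,
 * output_components). */
struct jpeg_info {
    uint32_t width;
    uint32_t height;
    int output_components;   /* 1 = gray, 3 = RGB/YCbCr, 4 = CMYK/YCCK */
};

/* Vulnerable pattern: the allocation hard-codes 3 components. */
static size_t vuln_alloc_size(const struct jpeg_info *info)
{
    return (size_t)info->width * info->height * 3;
}

/* Hardened pattern: size from the decoder-reported component count, with an
 * overflow check on each multiplication. Returns 0 on any failure. */
static size_t safe_alloc_size(const struct jpeg_info *info)
{
    if (info->output_components < 1 || info->output_components > 4)
        return 0;
    if (info->width == 0 || info->height == 0)
        return 0;
    if (info->width > SIZE_MAX / info->height)
        return 0;
    size_t pixels = (size_t)info->width * info->height;
    if (pixels > SIZE_MAX / (size_t)info->output_components)
        return 0;
    return pixels * (size_t)info->output_components;
}

/* Bytes the decoder actually emits for the whole image. */
static size_t decoded_bytes(const struct jpeg_info *info)
{
    return (size_t)info->width * info->height * (size_t)info->output_components;
}

/* 1 if copying every decoded scanline into a buffer of `alloc` bytes would
 * write past its end, else 0. */
static int would_overflow(const struct jpeg_info *info, size_t alloc)
{
    return alloc == 0 || decoded_bytes(info) > alloc;
}

/* Model of the copy loop with the per-row bound check the hardened version
 * needs. Returns the number of rows written; stops instead of overrunning. */
static uint32_t copy_scanlines(const struct jpeg_info *info, uint8_t *buf, size_t alloc)
{
    size_t row_bytes = (size_t)info->width * (size_t)info->output_components;
    uint32_t rows = 0;
    for (uint32_t y = 0; y < info->height; y++) {
        size_t off = (size_t)y * row_bytes;
        if (off > alloc || row_bytes > alloc - off)
            break;                          /* would overrun: refuse */
        memset(buf + off, 0xAB, row_bytes); /* stand-in for a decoded row */
        rows++;
    }
    return rows;
}

int main(void)
{
    struct jpeg_info cmyk = { 640, 480, 4 };   /* constructed sample header */
    size_t bad = vuln_alloc_size(&cmyk);
    size_t good = safe_alloc_size(&cmyk);
    printf("CMYK 640x480: vulnerable alloc %zu, decoded %zu, overflow=%d\n",
           bad, decoded_bytes(&cmyk), would_overflow(&cmyk, bad));
    printf("              hardened alloc %zu, overflow=%d\n",
           good, would_overflow(&cmyk, good));
    uint8_t *buf = malloc(bad);
    if (buf) {
        printf("rows that fit in the undersized buffer: %u of %u\n",
               copy_scanlines(&cmyk, buf, bad), cmyk.height);
        free(buf);
    }
    return 0;
}
```

The vulnerable sizing is exactly right for 3-component images, which is why the bug is invisible on ordinary RGB/YCbCr JPEGs and only shows up with a CMYK or YCCK file; the per-row check in copy_scanlines is a belt-and-braces measure, since the real fix is to allocate from output_components in the first place.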
> I think this bug may be the same as CVE-2006-1060 (GLSA-200604-10):
Any news on this?
According to the changelog, 5.9 was released on 2005-01-28. So unless the changelog is wrong, this is probably not something new.
I'd say post a maintainer mail to -core and punt the package if no one steps up, as upstream appears a bit slow.
I had no in-depth look, but I assume that we were safe before (last GLSA), so I'm not entirely sure if we need a new GLSA for this at all.
At least, we should be safe now, since 5.9 was bumped with a patch included and is stabled.
Taviso any comments on this one?
It seems questionable whether this really fixes any security issues, therefore I tend to vote for NO GLSA.
(In reply to comment #7)
> > I think this bug may be the same as CVE-2006-1060 (GLSA-200604-10):
Yes, this is the same. However, 200604-10 is wrong. It has >= 5.8 as unaffected while in reality the issue is fixed in 5.9+thisPatch (we never got a 5.8-r1 into the tree). So we need a new GLSA or an errata.
(In reply to comment #0)
> WARNING: There is a known vulnerability in zgv 5.8 (and all previous versions)
> such that suitably-constructed images can be made to run arbitrary commands
> when viewed with zgv - not as root, but as the user running zgv. This still has
> the potential to cause serious trouble, so I strongly recommend that existing
> users upgrade to the current version.
> Can someone verify this, please?
This actually refers to bug #69150 which we fixed a looooong time ago... but the problem with the jpeg mess remains; thanks for uh, getting one of us to notice it :)
Thx Tim for clearing this up.
I'll issue an errata (and someone ought to find a maintainer for this one).
Errata issued to GLSA 200604-10. Hopefully this mess is solved. Thx everyone.