Advisories » MGASA-2019-0396

Updated flightcrew packages fix security vulnerabilities

Publication date: 19 Dec 2019
Modification date: 19 Dec 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-13032, CVE-2019-13241

Description

The updated packages fix security vulnerabilities:

An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL
pointer dereference occurs in GetRelativePathToNcx() or
GetRelativePathsToXhtmlDocuments() when a NULL pointer is passed to
xc::XMLUri::isValidURI(). This affects third-party software (not Sigil)
that uses FlightCrew as a library. (CVE-2019-13032)

FlightCrew v0.9.2 and older are vulnerable to a directory traversal,
allowing attackers to write arbitrary files via a ../ (dot dot slash)
in a ZIP archive entry that is mishandled during extraction.
(CVE-2019-13241)
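
The containment check whose absence CVE-2019-13241 describes, as an added example that is not part of the advisory and not FlightCrew's own code. It resolves each ZIP entry name against the extraction directory and refuses the archive if any entry lands outside it. The function names and the sample archive are constructed for illustration, and a POSIX host is assumed.

```python
import io
import os
import zipfile


def unsafe_entries(zf, dest_dir):
    """Return names of entries whose extraction path would fall outside dest_dir."""
    root = os.path.realpath(dest_dir)
    bad = []
    for info in zf.infolist():
        # ZIP names use '/', but treat '\\' as a separator too so the check
        # does not depend on how the producing tool wrote the name.
        name = info.filename.replace("\\", "/")
        target = os.path.realpath(os.path.join(root, name))
        # commonpath() compares whole path components, so a sibling such as
        # /tmp/out-evil is not mistaken for a child of /tmp/out, which a
        # plain startswith() prefix test would allow.
        if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
            bad.append(info.filename)
    return bad


def safe_extract(zf, dest_dir):
    """Extract only if every entry stays under dest_dir; otherwise refuse."""
    bad = unsafe_entries(zf, dest_dir)
    if bad:
        raise ValueError("archive entries escape destination: %r" % bad)
    # Python's extractall() also strips '..' components on its own; rejecting
    # the whole archive first makes the policy explicit and auditable.
    zf.extractall(dest_dir)


def build_sample():
    """Constructed sample archive: two ordinary entries and one '../' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/content.opf", "<package/>")
        zf.writestr("../../outside.txt", "constructed payload")
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

Running `unsafe_entries()` over archives before they reach software still linked against FlightCrew v0.9.2 or earlier flags the entries this CVE concerns without extracting anything.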
                

References

SRPMS

7/core