openSUSE Security Update: Security update for feh ______________________________________________________________________________ Announcement ID: openSUSE-SU-2017:1139-1 Rating: moderate References: #1034567 #955576 Cross-References: CVE-2017-7875 Affected Products: openSUSE Leap 42.2 openSUSE Leap 42.1 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for feh on Leap 42.1 fixes this security issue: - CVE-2017-7875: In wallpaper.c in feh if a malicious client pretended to be the E17 window manager, it was possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free (bsc#1034567). This update for feh on Leap 42.2 to version 2.18.3 fixes several issues. This security issue was fixed on Leap 42.2: - CVE-2017-7875: In wallpaper.c in feh if a malicious client pretended to be the E17 window manager, it was possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free (bsc#1034567). These non-security issue was fixed on Leap 42.2: - boo#955576: added jpegexiforient - Fixed image-specific format specifiers not being updated correctly in thumbnail mode window titles - Fixed memory leak when closing images opened from thumbnail mode - Fixed a possible out of bounds read caused by an unterminated string when using --output to save images in long paths - Fixed out of bounds read/write when handling empty or broken caption files. - Fixed memory leak when saving a filelist or image whose target filename already exists. - Fixed image-specific format specifiers not being updated correctly - New key binding: ! - zoom_fill (zoom to fill window, may cut off image parts - Disable EXIF-based auto rotation by default - Added --auto-rotate option to enable auto rotation - Added feh-makefile_app.patch -- fix install location of icons - Install feh icon (both 48x48 and scalable SVG) to /usr/share/icons when running "make install app=1" - Fixed --sort not being respected after the first reload when used in conjunction with --reload - All key actions can now also be bound to a button by specifying them in .config/feh/buttons. However, note that button actions can not be bound to keys. - Rename "menu" key action to "toggle_menu", "prev" to "prev_img" and "next" to "next_img". The old names are still supported, but no longer documented. - feh now also sets the X11 _NET_WM_PID and WM_CLIENT_MACHINE window properties - Fixed compilation on systems where HOST_NAME_MAX is not defined - Also support in-place editing for images loaded via libcurl or imagemagick. Results will not be written back to disk in this case. - Fixed crash when trying to rotate a JPEG image without having jpegtran / jpegexiforient installed - Handle failing fork() calls gracefully - Fixed invalid key/button definitions mis-assigning keys/buttons to other actions - Added sort mode --sort dirname to sort images by directory instead of by name. - Added navigation keys next_dir (]) and prev_dir ([) to jump to the first image of the nex/previous directory - Fixed toggle_filenames key displaying wrong file numbers in multiwindow mode - Rescale image when resizing a window and --scale-down or --geometry is active. - Fixed --keep-zoom-vp not keeping the viewport x/y offsets - Fixed w (size_to_image) key not updating window size when --scale-down or --geometry is active - Added --insecure option to disable HTTPS certificate checks - Added --no-recursive option to disable recursive directory expansion. - Improve --scale-down in tiling environments. - --action and --action[1..9] now support action titles - -f / --filelist: Do not print useless error message when a correct filelist file is specified - -f / --filelist: Fix bug in "-" / "/dev/stdin" handling affecting feh running in ksh and possibly other environments - Add --xinerama-index option for background setting - When removing the last image in slidsehow mode, stay on the last (previously second-to-last) image - Allow --sort and --randomize to override each other (most recently specified option wins) instead of always preferring --sort - Thumbnail mode: Mark image as processed when executing an action (--action) by clicking on an image - It is now possible to override feh's idea of the active xinerama screen using the --xinerama-index option - Removed (undocumented) feature allowing to override feh's idea of the active xinerama screen by setting the XINERAMA_SCREEN environment variable - Removed obsolete gpg macro Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.2: zypper in -t patch openSUSE-2017-531=1 - openSUSE Leap 42.1: zypper in -t patch openSUSE-2017-531=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.2 (i586 x86_64): feh-2.18.3-6.3.1 feh-debuginfo-2.18.3-6.3.1 feh-debugsource-2.18.3-6.3.1 - openSUSE Leap 42.1 (i586 x86_64): feh-2.13.1-6.1 feh-debuginfo-2.13.1-6.1 feh-debugsource-2.13.1-6.1 References: https://www.suse.com/security/cve/CVE-2017-7875.html https://bugzilla.suse.com/1034567 https://bugzilla.suse.com/955576