| Summary: | libguestfs new security issue CVE-2013-4419 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Joseph Wang <joequant> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | tmb |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/571976/ | | |
| Whiteboard: | | | |
| Source RPM: | libguestfs-1.23.31-1.mga4.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2013-10-19 18:03:25 CEST
Fix uploaded to cauldron. Freeze push requested.

Status: NEW => RESOLVED

It has not yet been uploaded, reopening. We can close when it's pushed.

Status: RESOLVED => REOPENED

Thomas did push this in Cauldron, but the build failed (due to an unpackaged man page):
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20131023142712.tmb.valstar.6033/log/libguestfs-1.24.0-2.mga4/build.0.20131023142726.log

Also, I noticed in the build log a "supermin" command that looks like it's downloading a bunch of packages. If I'm not mistaken, package builds shouldn't download things. It looks like it's just Mageia packages it downloaded, so with proper BuildRequires I'd think it should be able to get the files it needs directly from the build chroot.

CC: (none) => tmb

Ok, it's built now and uploaded in libguestfs-1.24.0-2.mga4.

Status: REOPENED => RESOLVED

The problem with putting in buildrequires is that libguestfs calls supermin which calls urpmi to install the rpm onto the virtual guest disk. A build requires would unpack the rpms into the chroot environment, but not the virtual disk which is created by libguestfs. Assuming that everything works the way that I think it does, the supermin actually doesn't download the rpms from the network, but from the build cache.

David Walser
2013-10-28 22:24:21 CET
URL: (none) => http://lwn.net/Vulnerabilities/571976/