Bug 12415

Summary: yum new security issue CVE-2014-0022
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Sandro CAZZANIGA <cazzaniga.sandro>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: bruno, cazzaniga.sandro, thierry.vignaud
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/607642/
Whiteboard: MGA3TOO
Source RPM: yum-3.4.3-6.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2014-01-24 13:54:10 CET
A security issue in yum-cron was made public by Red Hat here:
http://openwall.com/lists/oss-security/2014/01/23/7

It was fixed by syncing with upstream in version control in this commit:
http://pkgs.fedoraproject.org/cgit/yum.git/commit/?h=f20&id=e4412a50b76e7cd9233224baf20fcdc8f2bf9d3c

There are a couple more commits since then:
http://pkgs.fedoraproject.org/cgit/yum.git/log/?h=f20

Reproducible:

Steps to Reproduce:
David Walser 2014-01-24 13:54:37 CET

CC: (none) => bruno, cazzaniga.sandro, thierry.vignaud
Whiteboard: (none) => MGA3TOO

Comment 1 Sandro CAZZANIGA 2014-01-24 14:08:06 CET
Is it really time to fix it?

We are very near to Mageia 4.

Maybe when Cauldron reopens? What do you think?
Comment 2 David Walser 2014-01-24 14:14:39 CET
Since yum isn't our default package manager, I don't think it's urgent to fix this.  It can wait until after Mageia 4.
Comment 3 Sandro CAZZANIGA 2014-01-24 14:18:59 CET
I'll take this bug and fix it then.
Sandro CAZZANIGA 2014-01-24 14:19:13 CET

Assignee: bugsquad => cazzaniga.sandro

Comment 4 Sandro CAZZANIGA 2014-02-05 07:50:24 CET
Cauldron is opening again, let's fix it now! :)

Status: NEW => ASSIGNED

Comment 5 Sandro CAZZANIGA 2014-02-07 23:18:09 CET
I've found this fix [1], but there's no yum-cron.py in our yum src rpm.

[1] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
Comment 6 David Walser 2014-02-07 23:26:13 CET
Indeed, yum-cron.py is introduced by yum-HEAD.patch, which we do not have.

This is INVALID.

Status: ASSIGNED => RESOLVED
Resolution: (none) => INVALID

David Walser 2014-08-05 18:17:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/607642/