Bug 17268

Summary: rpm crash parsing corrupted RPM files
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: RPM Packages
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, thierry.vignaud
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/665705/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: rpm-4.12.0.1-20.3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-12-01 21:21:38 CET
Fedora has issued an advisory on November 30:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172944.html

Patched package uploaded for Mageia 5.  The issue is already fixed in Cauldron.

Advisory:
----------------------------------------

It was discovered that rpm did not properly parse certain corrupt RPM files.
This can be exploited to cause a crash by tricking an unsuspecting user into
processing a specially crafted RPM file (rhbz#1273360).

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172944.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
rpm-4.12.0.1-20.4.mga5
librpmbuild3-4.12.0.1-20.4.mga5
librpmsign3-4.12.0.1-20.4.mga5
librpm3-4.12.0.1-20.4.mga5
librpm-devel-4.12.0.1-20.4.mga5
rpm-build-4.12.0.1-20.4.mga5
rpm-sign-4.12.0.1-20.4.mga5
python-rpm-4.12.0.1-20.4.mga5
python3-rpm-4.12.0.1-20.4.mga5

from rpm-4.12.0.1-20.4.mga5.src.rpm

Comment 1 Thierry Vignaud 2015-12-02 09:00:41 CET
Note that for mga6, it'll be easier to sync patches with FC.
I could do the same work on the mga5 branch if really needed.

CC: (none) => thierry.vignaud

Comment 2 Thierry Vignaud 2015-12-02 09:05:27 CET
In cauldron, we apply first FC patches with the same number as in FC (making it easier to compare spec files between FC & mga with diff -uwBbd), then ours.

From http://pkgs.fedoraproject.org/cgit/rpm.git/log/?h=f22, we could get one more fix:
	- Add query options for weak dependencies to the man page

But it's not that important
Comment 3 claire robinson 2015-12-02 09:47:58 CET
It's untested as yet, and just a man page fix, so go ahead if you like Thierry.
Comment 4 David Walser 2015-12-02 12:08:58 CET
Yeah, I saw that weakdeps man patch, and there was one other, a python3 something-or-other.  I did use the same patch number as Fedora for the patch that I added.  I thought about adding the two intermediate patches, but they didn't look important.  Feel free to add them though if you would like.
Comment 5 Thierry Vignaud 2015-12-02 21:43:14 CET
We already have the py3 fix (under another form)
Comment 6 Herman Viaene 2015-12-04 11:31:00 CET
MGA5-32 on Acer D620 Xfce
No installation issues.
After installing, operations seem normal.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 7 Thomas Andrews 2015-12-04 16:28:45 CET
On my way to check out the fix for Bug 17267, concerning MageiaSync, Mageia Update insisted I test the 64-bit versions of these packages on my KDE system first. 

Fortunately for all concerned, they appear to be working. Adding a 64 OK to the whiteboard.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => andrewsfarm

Comment 8 Thomas Andrews 2015-12-04 16:41:03 CET
Confirmed also seems OK on my 32-bit Intel system.
Dave Hodgins 2015-12-05 04:27:56 CET

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2015-12-05 11:04:59 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0199.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED