Bug 19710

Summary: Update candidate: rpm
Product: Mageia Reporter: Thierry Vignaud <thierry.vignaud>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: lewyssmith, luigiwalser, mageia, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: rpm-4.12.0.2-1.7.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 26576    

Description Thierry Vignaud 2016-11-03 15:29:36 CET 
Advisory:
==========
This update of rpm fixes several security issues:
http://rpm.org/wiki/Releases/4.12.0.2

All of those fixes were already backported in Mageia but for :
- Fix out-of-bounds read on signature checking of malformed package (RhBug:1373107) 

List of generated packages:
=============================
lib64rpm3-4.12.0.2-1.7.mga5.x86_64.rpm
lib64rpmbuild3-4.12.0.2-1.7.mga5.x86_64.rpm
lib64rpm-devel-4.12.0.2-1.7.mga5.x86_64.rpm
lib64rpmsign3-4.12.0.2-1.7.mga5.x86_64.rpm
python3-rpm-4.12.0.2-1.7.mga5.x86_64.rpm
python-rpm-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-build-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-debuginfo-4.12.0.2-1.7.mga5.x86_64.rpm
rpm-sign-4.12.0.2-1.7.mga5.x86_64.rpm

(s/lib64/lib/ + s/x86_64/i586/ for i586)
Comment 1 Thierry Vignaud 2016-11-03 15:33:25 CET 
Also, I've fixed & reenabled the testsuite like I did in Cauldron, so that we've some sanity checks.
William Kenney 2016-11-03 21:32:00 CET

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 2 Nicolas Lécureuil 2016-11-03 23:42:36 CET 
Hi,

please upload the advisory

CC: (none) => mageia

Comment 3 Lewis Smith 2016-11-04 10:08:14 CET 
(In reply to Nicolas Lécureuil from comment #2)
> please upload the advisory
Starting to do so, I realise that there is not enough information here:
- I take it that it should be a 'security' update.
- What SRPM are we talking about?
- The link in the advisory only shows 2 CVEs for 6 security fixes.

"All of those fixes were already backported in Mageia but for :
- Fix out-of-bounds read on signature checking of malformed package (RhBug:1373107)"
Not sure what is meant here. Does this update fix *just* the 1373107 issue (the others already having been fixed), or what?

CC: (none) => lewyssmith

Comment 4 Thierry Vignaud 2016-11-04 10:23:49 CET 
1) yes, this should be a security update
2) I don't understand.  The SRPM is in the "Source RPM" field
3) yes, only the #1373107 fix is new.
the other fixes were already included. We dropped the patches as they're now included in a new official security update.

CC: (none) => luigiwalser

Comment 5 Nicolas Lécureuil 2016-11-04 14:45:48 CET 
I just added the advisory
Nicolas Lécureuil 2016-11-04 14:46:19 CET

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 6 Mageia Robot 2016-11-04 14:55:25 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0366.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2016-11-04 15:18:42 CET 
For future reference, the "Source RPM" field in Bugzilla is not what Lewis was talking about.  The "Source RPM" field in Bugzilla should be the old version, i.e. the version the bug is being reported against.  The SRPM that goes in the advisory is the updated version.  So, in the list of generated packages in Comment 0, you should also include the Source RPM file name when assigning a bug to QA.
Thierry Vignaud 2020-05-01 00:58:58 CEST

Blocks: (none) => 26576

Thierry Vignaud 2020-05-02 09:55:33 CEST

Blocks: (none) => 26581

Thierry Vignaud 2020-05-02 09:56:43 CEST

Blocks: 26581 => (none)

Thierry Vignaud 2020-06-02 16:39:59 CEST

Blocks: (none) => 26715

David Walser 2020-06-02 23:42:36 CEST

Blocks: 26715 => (none)