Bug 20816

Summary: lrzip new security issues CVE-2017-884[2-7]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia, marja11, oe
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: lrzip-0.621-2.mga6.src.rpm
CVE:
Status comment: No upstream fix as of 15 August 17

David Walser 2017-05-09 16:33:15 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-05-09 21:54:42 CEST
@ Oden

You're still the registered maintainer... If that's not what you want, could you then please release maintainership, so that either someone else can grab maintainership or, if no one grabs it, it's more clear that BugSquad should assign lrzip bugs to all packagers collectively?

Thanks :-)

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => oe

Comment 2 Rémi Verschelde 2017-06-30 13:10:52 CEST
Corresponding (yet unresolved) upstream bug reports:

CVE-2017-8842: https://github.com/ckolivas/lrzip/issues/66
CVE-2017-8843: https://github.com/ckolivas/lrzip/issues/69
CVE-2017-8844: https://github.com/ckolivas/lrzip/issues/70
CVE-2017-8845: https://github.com/ckolivas/lrzip/issues/68
CVE-2017-8846: https://github.com/ckolivas/lrzip/issues/71
CVE-2017-8847: https://github.com/ckolivas/lrzip/issues/67

Might be worth checking reverse deps to see if we really need it.

Rémi Verschelde 2017-06-30 13:11:14 CEST

Status comment: (none) => No upstream fix as of June 30

Comment 3 Rémi Verschelde 2017-07-01 09:02:27 CEST
Here's a reverse dep check:

$ rd.rb lrzip
=== Working on binary packages ["lib64lrzip0", "lib64lrzip-devel", "lrzip", "lrzip-debuginfo", "liblrzip-devel", "liblrzip0", "lrzip"]
==== Looking up reverse deps of lib64lrzip-devel:
lib64lrzip-devel
==== Looking up reverse deps of lib64lrzip0:
lib64lrzip-devel
lib64lrzip0
==== Looking up reverse deps of liblrzip-devel:
liblrzip-devel
==== Looking up reverse deps of liblrzip0:
liblrzip-devel
liblrzip0
==== Looking up reverse deps of lrzip:
amavisd-new
kolab
kolab-mta
lrzip
[...]
=== rpms that will have to be deleted ===
amavisd-new
kolab
kolab-mta
lrzip

Comment 4 Rémi Verschelde 2017-07-01 09:06:37 CEST
So basically only amavisd-new uses lrzip, as an optional dependency to support the lrzip format (among many other archive formats). The two kolab packages are metapackages depending on amavisd-new, hence why they show above.

Since upstream has had known security issues unaddressed for over 3 months, and the use of lrzip in Mageia is limited, I will drop it and disable the requirement in amavisd-new.

Assignee: oe => rverschelde

Comment 5 Rémi Verschelde 2017-07-01 09:14:57 CEST
Fixed in Cauldron as mentioned above by dropping lrzip, and disabling its support in amavisd-new.

For Mageia 5, I guess we have no choice but to wait for upstream.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Rémi Verschelde 2017-07-01 09:17:57 CEST

Assignee: rverschelde => pkg-bugs
CC: pkg-bugs => oe

Nicolas Lécureuil 2017-08-15 23:49:16 CEST

Status comment: No upstream fix as of June 30 => No upstream fix as of 15 August 17
CC: (none) => mageia

Comment 6 David Walser 2017-12-28 05:02:08 CET
Nothing ever happened upstream.

Status: NEW => RESOLVED
Resolution: (none) => OLD