| Summary: | yum-utils new security issue CVE-2018-10897 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Neal Gompa <ngompa13> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | bequimao.de, bruno, herman.viaene, marja11, mhrambo3501, ngompa13, qa-bugs, tarazed25 |
| Version: | 6 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=24494 | | |
| Whiteboard: | | | |
| Source RPM: | yum-utils-1.1.31-5.1.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser
2018-07-30 16:29:59 CEST

David Walser
2018-07-30 16:30:24 CEST

Whiteboard: (none) => MGA6TOO

Mageia Cauldron updated with the proposed patch into rev 1.1.31-6, rebuild in progress.

Status: NEW => ASSIGNED

Update also submitted for mga6 (1.1.31-5.1)

Advisory:
========================

Updated yum-utils packages fix security vulnerability:

A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files (CVE-2018-10897).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10897
https://access.redhat.com/errata/RHSA-2018:2285
========================

Updated packages in core/updates_testing:
========================
yum-utils-1.1.31-5.1.mga6
yum-updateonboot-1.1.31-5.1.mga6
yum-plugin-changelog-1.1.31-5.1.mga6
yum-plugin-fastestmirror-1.1.31-5.1.mga6
yum-plugin-protectbase-1.1.31-5.1.mga6
yum-plugin-versionlock-1.1.31-5.1.mga6
yum-plugin-tsflags-1.1.31-5.1.mga6
yum-plugin-priorities-1.1.31-5.1.mga6
yum-plugin-refresh-updatesd-1.1.31-5.1.mga6
yum-plugin-merge-conf-1.1.31-5.1.mga6
yum-plugin-upgrade-helper-1.1.31-5.1.mga6
yum-plugin-aliases-1.1.31-5.1.mga6
yum-plugin-list-data-1.1.31-5.1.mga6
yum-plugin-filter-data-1.1.31-5.1.mga6
yum-plugin-tmprepo-1.1.31-5.1.mga6
yum-plugin-verify-1.1.31-5.1.mga6
yum-plugin-keys-1.1.31-5.1.mga6
yum-plugin-remove-with-leaves-1.1.31-5.1.mga6
yum-plugin-post-transaction-actions-1.1.31-5.1.mga6
yum-NetworkManager-dispatcher-1.1.31-5.1.mga6
yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6
yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6
yum-plugin-show-leaves-1.1.31-5.1.mga6
yum-plugin-local-1.1.31-5.1.mga6
yum-plugin-fs-snapshot-1.1.31-5.1.mga6
yum-plugin-ps-1.1.31-5.1.mga6
yum-plugin-puppetverify-1.1.31-5.1.mga6
yum-plugin-copr-1.1.31-5.1.mga6
yum-plugin-ovl-1.1.31-5.1.mga6

from yum-utils-1.1.31-5.1.mga6.src.rpm
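The traversal in the advisory comes down to trusting a package path taken from repository metadata. The block below is an added illustration of the containment check such a tool needs (it is not yum-utils code and not the Mageia patch); the `location href` samples and the destination directory are constructed.

```python
import posixpath

# Added illustration, not yum-utils code: a package href read from
# attacker-controllable repository metadata must never resolve outside the
# reposync destination directory, whatever privileges reposync runs with.

def contained_href(href):
    """Return the normalised, destination-relative path for a metadata href,
    or None if the href is empty, absolute, URL-like, or climbs above the
    destination directory."""
    if not href or href.startswith("/") or "://" in href:
        return None                      # only plain relative paths are acceptable
    norm = posixpath.normpath(href)
    # After normalisation a traversing href either *is* "..", starts with
    # "../", or collapses to "." (no file name at all); reject all of those.
    if norm == ".." or norm.startswith("../") or norm == ".":
        return None
    return norm

def plan_downloads(destdir, hrefs):
    """Split metadata hrefs into (accepted local paths, rejected hrefs)."""
    accepted, rejected = [], []
    for href in hrefs:
        rel = contained_href(href)
        if rel is None:
            rejected.append(href)
        else:
            accepted.append(posixpath.join(destdir, rel))
    return accepted, rejected

# Constructed sample of what a primary.xml 'location href' list might carry.
SAMPLE_HREFS = [
    "x86_64/yum-utils-1.1.31-5.1.mga6.noarch.rpm",   # normal entry
    "./x86_64/../noarch/pkg.rpm",                     # odd, but stays inside
    "../../outside/escaped.rpm",                      # traversal: rejected
    "x86_64/../../escaped.rpm",                       # traversal after normpath
    "/etc/overwritten.conf",                          # absolute: rejected
    "http://mirror.example/pkg.rpm",                  # URL: rejected
]

if __name__ == "__main__":
    ok, bad = plan_downloads("/srv/mirror/updates-testing", SAMPLE_HREFS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is pure string logic; if the destination tree may already contain symlinks, a real implementation should additionally compare `os.path.realpath` of the final target against the destination before writing.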
Version: Cauldron => 6

MGA6-32 MATE on IBM Thinkpad R50e

Installation draws in a lot of other stuff and that results in error: 2 installation-transactions failed

Er is een fout opgetreden tijdens de installatie:
file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch
createrepo is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch
yum >= 3.2.22 is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch
yum >= 3.0 is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch
yum-updatesd is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch
yum >= 3.0 is needed by yum-plugin-protectbase-1.1.31-5.1.mga6.noarch
yum >= 3.2.22 is needed by yum-plugin-fs-snapshot-1.1.31-5.1.mga6.noarch
yum >= 3.2.17 is needed by yum-NetworkManager-dispatcher-1.1.31-5.1.mga6.noarch
yum >= 3.0.5 is needed by yum-plugin-list-data-1.1.31-5.1.mga6.noarch
yum >= 3.2.27 is needed by yum-plugin-ps-1.1.31-5.1.mga6.noarch
yum >= 3.2.19 is needed by yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6.noarch
yum >= 3.2.19 is needed by yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6.noarch
yum >= 3.2.23 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch
yum-utils-translations = 1.1.31-5.1.mga6 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

Does this mean the updates cannot run on an installation which did not have yum before?? How would this affect a user who would try to install yum when those packages would be included in the normal repos???
CC: (none) => herman.viaene

@Herman, re comment 4: Don't know how to answer your specific queries but I tried this installation on x86_64. I took the precaution of installing yum first then the packages named in the update list. There was a single conflict - lost the reference - but the rest succeeded. Enabled updates testing and ran MageiaUpdate. All the packages installed cleanly. That is as far as I have got. Busy just now.

CC: (none) => tarazed25

Re comment 5: I take your point about yum not being pulled in by yum-utils. Looks like it is a missing dependency. Feedback?
Len Lawrence
2018-08-03 08:33:25 CEST

Keywords: (none) => feedback

Yes I'll fix that ASAP

Mageia 6.1 new installation, x86_64
Before updating created a manifest from the listed packages and installed against that to create a 1.1.31.5 yum system. This pulled in yum automatically so if we follow the correct procedure for QA testing, updating from a preinstalled system, then there is no problem.
Since there is no explicit procedure posted for reproducing CVE-2018-10897 shall skip straight to updating.
Wrong about that. There is a problem still, as Herman reported.
http://ftp.klid.dk/ftp/mageia/distrib/6/x86_64/media/core/updates_testing/yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm
installing lib64gamin1_0-0.1.10-17.mga6.x86_64.rpm python-gamin-0.1.10-17.mga6.x86_64.rpm yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm yum-updatesd-0.9-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
Installation failed: file /usr/sbin/yum-updatesd from install of yum-updatesd-0.9-1.mga6.noarch conflicts with file from package yum-3.4.3-19.mga6.noarch
Looks like this is basically dnf.
$ yum check
$ yum check-update
Mageia 6 - x86_64 2.0 MB/s | 33 MB 00:16
Mageia 6 - x86_64 - Updates 4.7 MB/s | 33 MB 00:07
Last metadata expiration check: 0:00:09 ago on Wed 26 Sep 2018 18:50:58 BST.
$ yum deplist vlc
Last metadata expiration check: 0:02:47 ago on Wed 26 Sep 2018 18:53:55 BST.
package: vlc-3.0.0-0.git.19.mga6.x86_64
dependency: /bin/sh
provider: bash-4.3-48.3.mga6.x86_64
dependency: fonts-ttf-vera
provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
dependency: libc.so.6(GLIBC_2.14)(64bit)
provider: glibc-6:2.22-29.mga6.x86_64
[...]
provider: lib64vlc5-3.0.2-0.1.mga6.x86_64
dependency: vlc-plugin-common
provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64
package: vlc-3.0.2-0.1.mga6.x86_64
dependency: /bin/sh
provider: bash-4.3-48.3.mga6.x86_64
dependency: fonts-ttf-vera
provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
[...]
dependency: vlc-plugin-common
provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64
$ sudo yum reinstall celestia
Last metadata expiration check: 0:08:20 ago on Wed 26 Sep 2018 18:50:58 BST.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Reinstalling:
celestia x86_64 1.6.1-18.mga6 mageia-x86_64 33 M
Transaction Summary
================================================================================
Total download size: 33 M
Is this ok [y/N]: y
Downloading Packages:
celestia-1.6.1-18.mga6.x86_64.rpm 2.1 MB/s | 33 MB 00:15
--------------------------------------------------------------------------------
Total 2.0 MB/s | 33 MB 00:16
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Reinstalling : celestia-1.6.1-18.mga6.x86_64 1/2
Erasing : celestia-1.6.1-18.mga6.x86_64 2/2
Running scriptlet: celestia-1.6.1-18.mga6.x86_64 2/2
Verifying : celestia-1.6.1-18.mga6.x86_64 1/2
Verifying : celestia-1.6.1-18.mga6.x86_64 2/2
Reinstalled:
celestia.x86_64 1.6.1-18.mga6
Complete!
It looks OK so far.
The man pages show this for yum-utils:

debuginfo-install - install debuginfo packages and their dependencies
package-cleanup - manage package cleanup, duplicates, orphaned packages and outstanding dependency problems
repo-graph - outputs a full package dependency list in dot format
repo-rss - generates an RSS feed from one or more repositories
repoclosure - reads metadata of repositories, checks dependencies and displays list of unresolved dependencies
repodiff - takes two or more repositories, returns a list of added, removed or changed packages
repomanage - manages a directory of rpm packages, returns a list of newest or oldest packages in a directory
repoquery - query yum repositories and get additional information on the them
reposync - synchronize a remote yum repository to a local directory using yum to retrieve packages
repotrack - track packages and its dependencies and downloads them
yum-builddep - installs missing dependencies to build a specified package
yum-complete-transaction - finds incomplete or aborted yum transactions and attempts to complete them
yum-installed - print a compact package list making use of comps groups
yumdownloader - downloads packages from yum repositories including source RPMs

Investigating.

$ cd /bin
$ ls -1 repo*
repoclosure-deprecated*
repodiff-deprecated*
repo-graph-deprecated*
repomanage-deprecated*
repoquery-deprecated*
repo-rss-deprecated*
reposync-deprecated*
repotrack-deprecated*
$ ls -1 yum*
yum-builddep-deprecated*
yum-config-manager-deprecated*
yum-debug-dump-deprecated*
yum-debug-restore-deprecated*
yum-deprecated*
yumdownloader-deprecated*
yum-groups-manager-deprecated*

So most utilities are deprecated and others are missing. Better leave this at that point.

On IRC in QA chan, Neal mentioned last night that he couldn't comment in bug 23370 (this bug) since he couldn't remember his password. He then mentioned that the reposync-deprecated command is what should be tested for this.
And that in Mageia, /usr/bin/reposync is normally provided by dnf-utils rather than yum-utils.

Keywords: feedback => (none)

Oops, the feedback keyword was set for something else, sorry, setting it again.

Keywords: (none) => feedback

Fedora has issued an advisory for this on September 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YI7EHWQR75S5AV7RAV4VGWO535PTZAO/

Still on 32-bit
Update now draws in yum, but then:
file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch

Back to the start on a system without yum.
Installed yum and all the listed files.
Used dnf to find out how repositories are named.
$ dnf repolist
Last metadata expiration check: 0:21:37 ago on Wed 19 Dec 2018 09:35:09 GMT.
repo id repo name status
mageia-x86_64 Mageia 6 - x86_64 28,136
updates-x86_64 Mageia 6 - x86_64 - Updates 9,600
Enabled updates-testing and tried this:
# reposync-deprecated updates-testing-x86_64
Yum-utils package has been deprecated, use dnf instead.
See 'man yum2dnf' for more information.
Traceback (most recent call last):
File "/bin/reposync-deprecated", line 334, in <module>
main()
File "/bin/reposync-deprecated", line 139, in main
my.doConfigSetup(fn=opts.config, init_plugins=opts.plugins)
File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 299, in doConfigSetup
return self.conf
File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 1099, in <lambda>
conf = property(fget=lambda self: self._getConfig(),
File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 350, in _getConfig
startupconf = config.readStartupConfig(fn, root, releasever)
File "/usr/lib/python2.7/site-packages/yum/config.py", line 1073, in readStartupConfig
confpp_obj = ConfigPreProcessor(configfile)
File "/usr/lib/python2.7/site-packages/yum/parser.py", line 94, in __init__
fo = self._pushfile( url )
File "/usr/lib/python2.7/site-packages/yum/parser.py", line 207, in _pushfile
'Error accessing file for config %s' % (absurl)
yum.Errors.ConfigError: Error accessing file for config file:///etc/yum.conf
which probably indicates that something has not been run properly.
Don't know what it is supposed to do. Does it download and install all the packages in the repository or just the hdlists? 'help' would indicate the former.
There is no yum.conf file in /etc.
# yum --repo updates-testing-x86-64
usage: dnf [options] COMMAND
.....
# dnf check
finds no problems with the package database but
# yum check
is not recognized.
Noticed that yum-plugin-refresh-updatesd had not been installed.

# urpmi yum-plugin-refresh-updatesd
offered:
python-gamin 0.1.10 17.mga6 x86_64
yum-updatesd 0.9 1.mga6 noarch (medium "Core Updates Testing")
yum-plugin-refresh-updatesd 1.1.31 5.1.mga6 noarch
[...]
installing python-gamin-0.1.10-17.mga6.x86_64.rpm yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm yum-updatesd-0.9-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
Installation failed: file /usr/sbin/yum-updatesd from install of yum-updatesd-0.9-1.mga6.noarch conflicts with file from package yum-3.4.3-19.mga6.noarch

Something to be sorted out there?

Isn't yum obsolete, and its successor dnf is supported since Mageia 6? I personally purged everything related to yum from my installs and use dnf exclusively. So I am certainly not willing to test yum-utils.

Ulrich Beckmann

CC: (none) => bequimao.de

We keep around yum and yum-utils primarily so that people can use mock to build CentOS/RHEL packages. Neal, can you please fix the packaging conflict between yum and yum-updatesd?

Assignee: qa-bugs => ngompa13
David Walser
2019-03-12 15:15:36 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=24494

Mageia 6 is EOL.

Status: ASSIGNED => RESOLVED