Bug 23693

Summary: libtirpc new security issues CVE-2018-14621 and CVE-2018-14622
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: guillomovitch, marja11, mhrambo3501, smelror, tmb
Version: 6
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: libtirpc-1.0.1-5.1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2018-10-15 22:17:58 CEST
SUSE has issued an advisory today (October 15):
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004670.html

Cauldron's version most likely already contains the fixes, linked from:
https://bugzilla.suse.com/show_bug.cgi?id=1106517
https://bugzilla.suse.com/show_bug.cgi?id=1106519

Comment 1 Marja Van Waes 2018-10-16 19:32:25 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, smelror, tmb

Comment 2 Mike Rambo 2018-10-17 19:33:13 CEST
Both of the SUSE patches linked above have already been applied to the Mageia 6 version of libtirpc. I did not specifically check Cauldron but would expect David to be correct that they were also applied there.

CC: (none) => mrambo
Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 3 David Walser 2018-10-17 20:37:04 CEST
Mike, which patches are they and for which update (which bug) were they applied?

We should leave a note on the bug/update that fixed them that that update also fixed these CVEs.

Comment 4 Mike Rambo 2018-10-17 21:01:42 CEST
The patches SUSE linked to are here.

http://git.linux-nfs.org/?p=steved/libtirpc.git;a=patch;h=fce98161d9815ea016855d9f00274276452c2c4b

http://git.linux-nfs.org/?p=steved/libtirpc.git;a=patch;h=1c77f7a869bdea2a34799d774460d1f9983d45f0

I already deleted the libtirpc I had worked on but I just did a fresh checkout to confirm that the patches are already applied and they are. Looking at the history on svnweb I don't see where they might have been applied but they certainly are there.

Is it explained by SUSE having patched 0.2.1 and our package being 1.0.1?

From the first link above...

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libtirpc-devel-0.2.1-1.13.6.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libtirpc1-0.2.1-1.13.6.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libtirpc-debuginfo-0.2.1-1.13.6.1
      libtirpc-debugsource-0.2.1-1.13.6.1

Comment 5 David Walser 2018-10-17 21:06:10 CEST
Ahh, so they were already applied upstream before Mageia 6. Thanks.

Resolution: FIXED => INVALID