| Summary: | libzypp new security issue CVE-2019-18900 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, mageia, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libzypp-17.9.0-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2020-01-13 23:39:27 CET

David Walser
2020-01-13 23:39:44 CET
Whiteboard: (none) => MGA7TOO

openSUSE has issued an advisory for this today (February 27):
https://lists.opensuse.org/opensuse-updates/2020-02/msg00106.html

Debian-LTS has issued an advisory for this on March 3:
https://www.debian.org/lts/security/2020/dla-2132

On Cauldron seems fixed in current 17.20.0 release.

CC: (none) => geiger.david68210

This issue is fixed from release 17.19.0 and higher.
David Walser
2020-03-05 04:30:00 CET
Source RPM: libzypp-17.15.0-1.mga8.src.rpm => libzypp-17.9.0-1.mga7.src.rpm

Advisory:

Libzypp from Mageia 7 is affected by a security issue. This update fixes this.

Incorrect Default Permissions vulnerability in libzypp allowed local attackers to read a cookie store used by libzypp, exposing private cookies.

References:
https://bugzilla.suse.com/show_bug.cgi?id=1158763
https://github.com/openSUSE/libzypp/pull/196
https://github.com/openSUSE/libzypp/commit/ea50981352bb5c7ab48663edaeb2df1ddd66953e
https://github.com/openSUSE/libzypp/commit/508b1201f23b44ee90dee6dbbeb3ac5f8bd4c089

rpms:
zypp-common-17.9.0-1.1.mga7
libzypp1709-17.9.0-1.1.mga7
libzypp-devel-17.9.0-1.1.mga7
libzypp-doc-17.9.0-1.1.mga7

from:
libzypp-17.9.0-1.1.mga7
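The advisory above describes an incorrect-default-permissions bug: a cookie store written with whatever mode the process umask yields, so any other local user can read it. The C++ example below is added here to illustrate that bug class; it is not libzypp's code and not part of this bug report. It shows the weak pattern (an ordinary file created under the umask) beside a hardened one (explicit 0600 mode, O_EXCL and O_NOFOLLOW) and a small check a tester could run against an existing file. The temporary paths, the umask value of 022 and the sample cookie line are constructed for the demonstration; the real location of libzypp's cookie store is not given on this page.

```cpp
// Added example, not libzypp's own code: the "incorrect default permissions"
// bug class from the advisory, shown as a cookie-store file created with the
// process umask beside a hardened version, plus a check that a tester can run
// against an existing file. Paths and the sample cookie line are constructed.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// True if any permission bit is granted to group or others, i.e. another local
// user could read (or worse) the file; false if the file cannot be stat'ed.
bool exposed_to_other_users(const std::string& path) {
    struct stat st;
    if (::stat(path.c_str(), &st) != 0) return false;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

// Weak pattern: the store is created like any ordinary file, so it gets
// 0666 masked by the umask, typically 0644, readable by every local user.
bool write_cookie_store_weak(const std::string& path, const std::string& cookies) {
    std::ofstream out(path);
    if (!out) return false;
    out << cookies;
    return static_cast<bool>(out);
}

// Hardened pattern: create with mode 0600 (the umask can only remove bits,
// never add them), O_EXCL so a pre-existing file or planted symlink is never
// reused, and O_NOFOLLOW as a second guard against symlinks. fchmod is
// redundant under O_EXCL but keeps the mode correct if the flags are relaxed.
bool write_cookie_store_hardened(const std::string& path, const std::string& cookies) {
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0) return false;
    if (::fchmod(fd, S_IRUSR | S_IWUSR) != 0) { ::close(fd); return false; }
    const char* p = cookies.data();
    size_t left = cookies.size();
    while (left > 0) {
        ssize_t n = ::write(fd, p, left);
        if (n < 0) {
            if (errno == EINTR) continue;   // interrupted write: retry
            ::close(fd);
            return false;
        }
        p += n;
        left -= static_cast<size_t>(n);
    }
    return ::close(fd) == 0;
}

struct DemoResult {
    bool ok;
    mode_t weak_mode;        // permission bits of the weakly created file
    mode_t hardened_mode;    // permission bits of the hardened file
    bool weak_exposed;       // result of the check on the weak file
    bool hardened_exposed;   // result of the check on the hardened file
};

// Constructed demonstration: both variants are written into a fresh temporary
// directory under umask 022 (a common default) and their modes are reported.
DemoResult demo_cookie_store_modes() {
    DemoResult r{false, 0, 0, false, false};
    char tmpl[] = "/tmp/cookie-store-demo-XXXXXX";   // placeholder location
    char* dir = ::mkdtemp(tmpl);
    if (dir == nullptr) return r;
    ::umask(022);
    const std::string weak = std::string(dir) + "/cookies.weak";
    const std::string hard = std::string(dir) + "/cookies.hardened";
    // Netscape-style cookie line with a constructed value, not a real cookie.
    const std::string sample = "example.org\tFALSE\t/\tTRUE\t0\tsession\tCONSTRUCTED-VALUE\n";
    r.ok = write_cookie_store_weak(weak, sample) && write_cookie_store_hardened(hard, sample);
    struct stat st;
    if (r.ok && ::stat(weak.c_str(), &st) == 0) r.weak_mode = st.st_mode & 0777;
    if (r.ok && ::stat(hard.c_str(), &st) == 0) r.hardened_mode = st.st_mode & 0777;
    r.weak_exposed = exposed_to_other_users(weak);
    r.hardened_exposed = exposed_to_other_users(hard);
    ::unlink(weak.c_str());
    ::unlink(hard.c_str());
    ::rmdir(dir);
    return r;
}

int main() {
    DemoResult r = demo_cookie_store_modes();
    std::printf("weak: %04o exposed=%d | hardened: %04o exposed=%d\n",
                static_cast<unsigned>(r.weak_mode), r.weak_exposed,
                static_cast<unsigned>(r.hardened_mode), r.hardened_exposed);
    return r.ok ? 0 : 1;
}
```

Run on a Linux box the program reports 0644 for the weak file and 0600 for the hardened one; the same `exposed_to_other_users` check, pointed at a real cookie store path, is the quickest way for a QA tester to confirm that an updated package no longer leaves the file group- or world-readable.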
CC: (none) => mageia

MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous update, so hunting around.

# urpmq --whatrequires-recursive zypp-common
lib64zypp-devel
lib64zypp-devel
lib64zypp1709
lib64zypp1709
libzypp-doc
libzypp-doc
zypp-common
zypp-common
zypper

Installed zypper, but this is a complex command from what zypper -h shows.

$ zypper -V
zypper 1.14.16
$ zypper list-updates
Loading repository data...
Warning: No repositories defined. Operating only with the installed resolvables. Nothing can be installed.
Reading installed packages...
No updates found.

Googling brings me https://www.thegeekstuff.com/2015/04/zypper-examples/
This seems SUSE exclusive stuff, so I wonder what it is doing in Mageia.
Suggesting OK on clean install???

CC: (none) => herman.viaene

@Herman with respect to comment 6:
If what is required is to test this within a SUSE subsystem then it does look like a lot of work, setting up repositories and all; dozens of them at https://download.opensuse.org/repositories/ with lots of subdivisions (SuseStudio has versions of Mandriva going way back).

The bug seems to be about cookie based authentication and file permissions. Hard to see how to set up something to test that.

$ locate zypp | grep etc | grep -vi fetch
/etc/zypp
/etc/dnf/aliases.d/zypper.conf
/etc/logrotate.d/zypp-history.lr
/etc/zypp/needreboot
/etc/zypp/systemCheck
/etc/zypp/zypp.conf

The last file shows how complex a problem it would be to set things up. Nearly all the parameters are commented out.
Conclusion - go ahead and release it.

CC: (none) => tarazed25
Herman Viaene
2020-05-27 11:28:16 CEST
Whiteboard: (none) => MGA7-64-OK

If you two are in agreement, who am I to argue? ;-)
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update

Nicolas Lécureuil
2020-06-10 23:09:00 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0245.html

Resolution: (none) => FIXED