Bug 26133

Summary: Update procps-ng to v3.3.16
Product: Mageia Reporter: Mario Blättermann <mario.blaettermann>
Component: RPM PackagesAssignee: David GEIGER <geiger.david68210>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: zombie_ryushu
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://gitlab.com/procps-ng/procps/issues/157
Whiteboard:
Source RPM: procps-ng-3.3.15-2.mga8.src.rpm CVE: CVE-2018-1126
Status comment:

Description Mario Blättermann 2020-01-25 13:07:59 CET 
Description of problem:

The version 3.3.16 of procps-ng has been released some weeks ago.

Version-Release number of selected component (if applicable):

procps-ng-3.3.15-2.mga8.src.rpm

Note, the current tarball v3.3.16 comes with some translated man pages. Hence the following addition is needed:

BuildRequires:  po4a  

Some of the translated man pages are also included in the packages man-pages-de, man-pages-fr, man-pages-pl and man-pages-zh. Because the translations from upstream projects should have always priority over those from the external man-pages-* projects, the appropriate (conflicting) files need to be removed there. Otherwise users who have one of the man-pages-* packages installed would be unable to update to procps-ng-3.3.16.

I should mention that I don't use Mageia at all. But I'm one of the translators of that man pages and involved in both GNU TP and the manpages-l10n project. So I'm very interested in to get the translation finally working. Almost six years ago I had initiated this extension, and now it works...
Comment 1 Lewis Smith 2020-01-25 20:03:45 CET 
The version update has already been done in Cauldron:
> Modified Sat Jan 25 14:33:33 2020 UTC (4 hours, 20 minutes ago) by daviddavid
> - new version: 3.3.16
But I am passing this note to DavidG for comment, if necessary. It looks good for resolved-fixed apart from:
> Note, the current tarball v3.3.16 comes with some translated man pages.
> Hence the following addition is needed:
> BuildRequires:  po4a  
but the subsequent remarks in comment 0 cloud the issue.

Source RPM: (none) => procps-ng-3.3.15-2.mga8.src.rpm
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2020-01-26 08:33:15 CET 
Done! so closing as fixed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 Mario Blättermann 2020-01-26 20:38:29 CET 
Note, po4a generates lots of new files in %{_mandir}/*/man*/. The current spec file wouldn't work. Please test whether such files will be created, and if yes (hopefully!), then expand the %files section. Moreover, make sure to remove translated versions of the man page of kill(1) because the English version comes from util-linux, not from procps-ng.

BTW, the current static file list is not the best approach. Po4a generates a man page only if the translation status of the *.po file is at least at 80%. Depending on the translation teams this value could be undershot in future versions of procps-ng, and the appropriate man page won't be built anymore (and your file list gets broken and needs to be fixed). Better use wildcards:

%{_mandir}/*/man?/*

(of course, that presupposes that Mageia allows such radical use of wildcards in its packaging policies)

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 David Walser 2020-01-28 18:32:38 CET 
We don't typically statically list translated man pages in SPEC files.  We use %find_lang to dynamically generate the list and then include it by doing something like %files -f foo.lang, to include it.
Comment 5 Mario Blättermann 2020-02-09 13:01:37 CET 
The installation of the translated man pages doesn't work out of the box, just tested with the current Archlinux package. I've filed an upstream bug:
https://gitlab.com/procps-ng/procps/issues/157
Mario Blättermann 2020-02-09 13:01:48 CET

See Also: (none) => https://gitlab.com/procps-ng/procps/issues/157

Comment 6 Zombie Ryushu 2020-12-19 18:53:06 CET 
procps-ng before version 3.3.15 is vulnerable to an incorrect integer size in proc/alloc.* leading to truncation/integer overflow issues. This flaw is related to CVE-2018-1124.

URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2018-1126
CVE: (none) => CVE-2018-1126
QA Contact: (none) => security
Component: RPM Packages => Security
CC: (none) => zombie_ryushu

Comment 7 David Walser 2020-12-19 19:19:13 CET 
There is no security issue Zombie, the CVEs were fixed in 3.3.15 before Mageia 7.

The update to 3.3.16 was done the day this bug was filed.

Component: Security => RPM Packages
URL: https://nvd.nist.gov/vuln/detail/CVE-2018-1126 => (none)
Status: REOPENED => RESOLVED
QA Contact: security => (none)
Resolution: (none) => FIXED