Bug 26937

Summary: bubblewrap new security issue CVE-2020-5291
Product: Mageia
Reporter: Aurelien Oudelet <ouaurelien>
Component: Security
Assignee: Neal Gompa <ngompa13>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: zombie_ryushu
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: bubblewrap-0.3.3-1.mga7.src.rpm
CVE: CVE-2020-5291
Status comment: Fixed upstream in 0.4.1

Description Aurelien Oudelet 2020-07-11 14:13:01 CEST
Description of problem:
The main change in this version is a fix for a regression in the progress calculation
for applications using extra-data. Additionally the bundled version of bubblewrap
is updated to 0.4.1 which fixes a security issue in some cases.

See https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj for details.

Other changes:

    Updated translations
    Don't break if the user's primary gid is not in the nsswitch database
    Fix crash in flatpak repair if no remotes are configured
    Some updates to the oci authenticator
    Retry downloads of extra data

Also, latest flatpak version is Release 1.8.1.
Comment 1 Aurelien Oudelet 2020-07-11 14:15:44 CEST
Cauldron (mga8a1) current version is flatpak-1.6.2, which has the vulnerability.

CVE: (none) => CVE-2020-5291

David Walser 2020-07-11 15:36:09 CEST

Assignee: bugsquad => ngompa13

Comment 2 David Walser 2020-07-11 16:10:35 CEST
We don't bundle bubblewrap, we build against the system one.

Upstream advisory says only 0.4.0 is affected, so we're not affected.

Source RPM: flatpak-1.6.2-1.mga8.src.rpm => bubblewrap-0.3.3-1.mga7.src.rpm
Version: Cauldron => 7
URL: https://github.com/flatpak/flatpak/releases => (none)
Resolution: (none) => INVALID
Summary: Bundled bubblewrap is updated upstream to 0.4.1 which fixes a security issue in some cases. => bubblewrap new security issue CVE-2020-5291
Status: NEW => RESOLVED
Status comment: (none) => Fixed upstream in 0.4.1

Comment 3 David Walser 2020-12-04 13:31:08 CET
*** Bug 27732 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu