| Summary: | librepo new security issue CVE-2020-14352 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | herman.viaene, mhrambo3501, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | librepo-1.12.0-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-09-03 22:14:10 CEST
David Walser
2020-09-03 22:14:36 CEST
Whiteboard: (none) => MGA7TOO

Comment
Hi, thanks for reporting this bug. Assigned to the package maintainer.
(Packagers: Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => ngompa13

Comment
RedHat has issued an advisory for this today (September 8):
https://access.redhat.com/errata/RHSA-2020:3658

Comment
Fedora has issued an advisory for this today (October 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/

The issue is fixed upstream in 1.12.1. The RedHat bug links the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1866498
Severity: major => critical

Comment
RedHat has issued an advisory for this today (November 10):
https://access.redhat.com/errata/RHSA-2020:5012

Upgraded cauldron to 1.12.1.

Patched package uploaded for Mageia 7.

Advisory:
========================

Updated librepo package fixes security vulnerability:

It was discovered that librepo was subject to a directory traversal
vulnerability where it failed to sanitize paths in remote repository
metadata. An attacker controlling a remote repository may be able to copy
files outside of the destination directory on the targeted system via path
traversal. This flaw could potentially result in system compromise via the
overwriting of critical system files (CVE-2020-14352).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14352
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/
========================

Updated packages in core/updates_testing:
========================
lib64repo0-1.10.3-1.1.mga7.x86_64.rpm
lib64repo-devel-1.10.3-1.1.mga7.x86_64.rpm
python3-librepo-1.10.3-1.1.mga7.x86_64.rpm

from librepo-1.10.3-1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)

Comment
MGA7-64 MATE on Peaq C1011
No installation issues.
No previous updates on this, so starting wild hunt.

# urpmq --whatrequires lib64repo0
lib64dnf2
lib64hif1
lib64repo0
python3-librepo
python3-librepo

Not promising.

# urpmq --whatrequires-recursive lib64repo0

shows pages full. Tried some of the list, but many of them are either KDE- or Gnome-dependent, and I don't want those on this restricted notebook.
Final test will be dnfdragora, reporting later.
CC: (none) => herman.viaene

Comment
Installed dnfdragora and ran

# strace -o /home/tester7/Documents/librepo.txt dnfdragora
Skipped exception: <[Errno 2] No such file or directory: './dnfdragora.yaml'>
/usr/lib/python3.7/site-packages/dnfdragora/config.py:55: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  self._systemSettings = yaml.load(ymlfile)
Skipped exception: <[Errno 2] No such file or directory: '/root/.config/dnfdragora.yaml'>
<_M_> [ui] YUILoader.cc:50 loadUI(): DISPLAY: ":0"
<_M_> [ui] YUILoader.cc:51 loadUI(): XDG_CURRENT_DESKTOP: ""
<_M_> [ui] YUILoader.cc:52 loadUI(): YUI_PREFERED_BACKEND: ""

and lots more .....
But it runs, and I enabled the nonfree and tainted repos and the three update repos, and then installed one update.
The trace file shows a call to /lib64/librepo.so.0 which is what I wanted to see.
OK for me.
Whiteboard: (none) => MGA7-64-OK

Comment
Validating. Advisory pushed to SVN.
CC: (none) => ouaurelien, sysadmin-bugs

Comment
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0429.html
Resolution: (none) => FIXED
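The advisory in this bug describes librepo failing to sanitize paths taken from remote repository metadata, so a repository (or a compromised mirror) could point a metadata href outside the download directory. The block below is an added example written for this page; it is not librepo's code and not the upstream fix linked from the RedHat bug. It shows the kind of lexical check a downloader should apply to every href before joining it with the destination directory: absolute hrefs are refused, ".." is only allowed to pop a component that the href itself added, and anything that would climb above the destination is rejected. The destination directory, the sample hrefs, the helper names (safe_repo_path, href_is_safe, run_self_checks) and the MAX_COMPONENTS limit are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 64   /* assumed limit for this example */

/* Lexically validate an href read from remote repository metadata and join
 * it with destdir. Returns true and writes the joined path into out only if
 * the href is relative and never climbs above destdir; returns false for
 * absolute paths, for ".." sequences that escape, and for hrefs that name
 * no file at all. Added example; not librepo's own implementation. */
bool safe_repo_path(const char *destdir, const char *href,
                    char *out, size_t outsz)
{
    const char *comp[MAX_COMPONENTS];
    size_t len[MAX_COMPONENTS];
    size_t n = 0;

    if (destdir == NULL || href == NULL || href[0] == '\0' || href[0] == '/')
        return false;

    /* Walk the components: drop "" and ".", let ".." pop the previous
     * component, and reject ".." when there is nothing left to pop. */
    for (const char *p = href; *p != '\0';) {
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t l = (size_t)(p - start);
        if (*p == '/')
            p++;
        if (l == 0 || (l == 1 && start[0] == '.'))
            continue;
        if (l == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return false;        /* would escape destdir */
            n--;
            continue;
        }
        if (n == MAX_COMPONENTS)
            return false;
        comp[n] = start;
        len[n] = l;
        n++;
    }
    if (n == 0)
        return false;                /* e.g. "." or "a/.." names nothing */

    /* Build destdir/comp1/comp2/... from the normalized components, without
     * doubling the slash when destdir already ends with one. */
    size_t pos = strlen(destdir);
    if (pos >= outsz)
        return false;
    memcpy(out, destdir, pos);
    while (pos > 0 && out[pos - 1] == '/')
        pos--;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + pos, outsz - pos, "/%.*s", (int)len[i], comp[i]);
        if (w < 0 || (size_t)w >= outsz - pos)
            return false;
        pos += (size_t)w;
    }
    return true;
}

/* Convenience wrapper: does href stay under the (assumed) cache directory? */
bool href_is_safe(const char *href)
{
    char buf[512];
    return safe_repo_path("/var/cache/dnf/example-repo", href, buf, sizeof buf);
}

/* Constructed hrefs modelled on repomd.xml <location href="..."/> values
 * (sample data for this example, not taken from any real repository).
 * Returns the number of cases whose result differs from the expectation. */
int run_self_checks(void)
{
    static const struct { const char *href; const char *want; } cases[] = {
        { "repodata/primary.xml.gz",    "/var/cache/dnf/example-repo/repodata/primary.xml.gz" },
        { "./repodata/../primary.xml",  "/var/cache/dnf/example-repo/primary.xml" },
        { "repodata//filelists.xml.gz", "/var/cache/dnf/example-repo/repodata/filelists.xml.gz" },
        { "../../etc/passwd",           NULL },   /* the traversal the advisory describes */
        { "repodata/../../etc/passwd",  NULL },
        { "/etc/passwd",                NULL },
        { "",                           NULL },
        { ".",                          NULL },
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[512];
        /* trailing slash on destdir on purpose: exercises the slash handling */
        bool ok = safe_repo_path("/var/cache/dnf/example-repo/", cases[i].href,
                                 buf, sizeof buf);
        bool pass = cases[i].want ? (ok && strcmp(buf, cases[i].want) == 0) : !ok;
        if (!pass)
            failures++;
    }
    return failures;
}

int main(void)
{
    int failures = run_self_checks();
    printf("%d self-check failure(s)\n", failures);
    return failures ? 1 : 0;
}
```

Two practitioner caveats. First, this check is purely lexical: it cannot see that destdir/repodata is already a symlink pointing at /etc, so the code that actually creates the file must also refuse to follow links (O_NOFOLLOW on the final component, or openat2(2) with RESOLVE_BENEATH on Linux 5.6 and later). Second, because well-formed repository metadata never needs ".." at all, a stricter policy is to reject any ".." component outright rather than normalize it as done here; the example normalizes only to show exactly where the escape is caught.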