Bug 27953

Summary: blosc new security issue CVE-2020-29367
Product: Mageia    Reporter: David Walser <luigiwalser>
Component: Security    Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED    QA Contact: Sec team <security>
Severity: major
Priority: Normal    CC: geiger.david68210, ouaurelien, sysadmin-bugs, tarazed25
Version: 7    Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: blosc-1.16.3-1.mga7.src.rpm CVE: CVE-2020-29367
Status comment:

Description David Walser 2020-12-28 00:06:19 CET
openSUSE has issued an advisory on December 26:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VPTII3AXCRZZGBCOLCFY7HQI24L2PGVQ/

The issue is fixed upstream in 1.20.1.
David Walser 2020-12-28 19:20:56 CET

Status comment: (none) => Fixed upstream in 1.20.1

Comment 1 David GEIGER 2021-01-06 08:24:38 CET
Done for mga7!
Comment 2 David Walser 2021-01-06 16:12:24 CET
Advisory:
========================

Updated blosc packages fix security vulnerability:

A heap-based buffer overflow vulnerability was found in the blosc library.
Depending on how the library is used, if there is a lack of space to write
compressed data, an attacker might exploit this flaw to crash the program or
potentially execute arbitrary code (CVE-2020-29367).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29367
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VPTII3AXCRZZGBCOLCFY7HQI24L2PGVQ/
========================

Updated packages in core/updates_testing:
========================
libblosc1-1.20.1-1.mga7
libblosc-devel-1.20.1-1.mga7

from blosc-1.20.1-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 1.20.1 => (none)

Comment 3 Len Lawrence 2021-01-12 22:21:41 CET
This could be a tricky one to test.  It centres on the storage of hierarchical data structures and seems to sit somewhere between our hdf5 libraries and python{2,3}-tables (PyTables?).  The CVE issue can be reproduced if you can get hold of a fuzzer compiled with asan support, which is probably a little outside QA's remit.

Shall try to find a way of connecting all of this but may have to adopt the fallback position.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2021-01-22 09:32:06 CET
Comment 3 was a little bit off target. 
See introduction at https://blosc.org/pages/blosc-in-depth/
and https://github.com/Blosc/python-blosc which says:
a Python wrapper for the extremely fast Blosc compression library.
It compresses binary data.

The two packages updated cleanly.  Hoping to be able to run an example session as portrayed on github - it involves python-numpy as well.
Comment 5 Len Lawrence 2021-01-22 10:00:09 CET
Did not get very far with the timing test.  Had to drop the %time macro.
The blosc module does not exist here either.

$ python
Python 2.7.18 (default, Nov 20 2020, 06:51:30) 
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import numpy as np
>>> a = np.linspace( 0, 100, 1e7 )
>>> bytes_array = a.tostring( )
>>> import zlib
>>> %time zpacked = zlib.compress( bytes_array )
  File "<stdin>", line 1
    %time zpacked = zlib.compress( bytes_array )
    ^
SyntaxError: invalid syntax
>>> zpacked = zlib.compress( bytes_array )
>>> import blosc
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named blosc

$ pip install --user blosc
Collecting blosc
  Downloading https://files.pythonhosted.org/packages/16/9e/cd2256d981973b5c6d6c42f1fa8327afc1cb491359c4701d507b48acf708/blosc-1.10.2-cp37-cp37m-manylinux2010_x86_64.whl (2.3MB)
    100% |████████████████████████████████| 2.3MB 2.5MB/s 
Installing collected packages: blosc
Successfully installed blosc-1.10.2

>>> import blosc
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named blosc
>>> exit()

We might need a bundled version of python-blosc to get this demo to work.

Tried python3 but warnings indicated that the script is intended for python2.
So, this has to be passed on the basis of the clean upgrade.

Whiteboard: (none) => MGA7-64-OK
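
A Python 3 version of the demo session attempted in comment 5, added here as an example (it is not code from this bug, from Mageia, or from the blosc project): it replaces the IPython-only `%time` magic with `time.perf_counter`, builds the sample doubles with the standard library instead of numpy, and checks that each compressor's output decompresses back to the original bytes. It assumes python-blosc is importable as `blosc`; when it is not, the blosc part is skipped and only the zlib baseline runs.

```python
"""Python 3 rendition of the python-blosc demo session (added example, not from
the bug or the blosc project). Assumes the 'blosc' module (python-blosc) is
installed; without it only the zlib baseline is exercised."""
import array
import time
import zlib

try:
    import blosc          # python-blosc wrapper around libblosc1
except ImportError:       # module not packaged here: skip the blosc part
    blosc = None


def make_sample(n=1_000_000):
    """Build n doubles evenly spaced over [0, 100], like np.linspace, without numpy."""
    step = 100.0 / max(n - 1, 1)
    return array.array('d', (i * step for i in range(n))).tobytes()


def roundtrip_zlib(data):
    """Compress with zlib, time it, and verify decompression restores the input.
    Returns (compressed_size, seconds)."""
    t0 = time.perf_counter()
    packed = zlib.compress(data)
    elapsed = time.perf_counter() - t0
    if zlib.decompress(packed) != data:
        raise ValueError("zlib roundtrip mismatch")
    return len(packed), elapsed


def roundtrip_blosc(data, typesize=8):
    """Compress with blosc (typesize 8 for doubles, shuffle on), time it, and
    verify the roundtrip. Returns None when python-blosc is unavailable."""
    if blosc is None:
        return None
    t0 = time.perf_counter()
    packed = blosc.compress(data, typesize=typesize, clevel=9, shuffle=blosc.SHUFFLE)
    elapsed = time.perf_counter() - t0
    if blosc.decompress(packed) != data:
        raise ValueError("blosc roundtrip mismatch")
    return len(packed), elapsed


def ratio(original_len, packed_len):
    """Compression ratio as original/packed (higher is better)."""
    return original_len / packed_len


if __name__ == "__main__":
    data = make_sample()
    zsize, zt = roundtrip_zlib(data)
    print(f"zlib : {len(data)} -> {zsize} bytes "
          f"({ratio(len(data), zsize):.2f}x) in {zt:.3f}s")
    result = roundtrip_blosc(data)
    if result is None:
        print("blosc: python-blosc not importable; only the zlib baseline ran")
    else:
        bsize, bt = result
        print(f"blosc: {len(data)} -> {bsize} bytes "
              f"({ratio(len(data), bsize):.2f}x) in {bt:.3f}s")
```

Run it with `python3 blosc_check.py` after installing the updated libblosc1 and a python-blosc built against it; a roundtrip failure raises, so a clean run plus a plausible ratio is the signal QA wants from this session.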

Comment 6 Aurelien Oudelet 2021-01-22 16:15:44 CET
Validating, thanks Len for your work.
Advisory in SVN.

CVE: (none) => CVE-2020-29367
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 7 Mageia Robot 2021-01-23 00:51:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0051.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED