Bug 28674

Summary: Update candidate: rpm
Product: Mageia Reporter: Thierry Vignaud <thierry.vignaud>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, guillaume.royer, luigiwalser, ouaurelien, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK MGA8-32-OK
Source RPM: rpm-4.16.1.2-1.mga8 CVE: CVE-2021-3421, CVE-2021-20271, CVE-2021-20266
Status comment:
Bug Depends on:    
Bug Blocks: 32594    

Description Thierry Vignaud 2021-03-29 15:05:13 CEST 
Advisory:
==========
This update from 4.16.1.2 to 4.16.1.3 fixes bugs several bugs the RPM package manager, including several security issues:
- Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421)
- Fix signature check bypass with corrupted package (CVE-2021-20271)
- Fix missing bounds checks in headerImport() and headerCheck() (CVE-2021-20266)
- Fix missing sanity checks on header entry count and region data overlap
- Fix access past end of header if the last entry is string type
- Fix unsafe headerCopyLoad() still used in codebase

See https://rpm.org/wiki/Releases/4.16.1.3 for the full details

List of generated packages:
=============================
i586:
librpm9-4.16.1.3-1.mga8.i586.rpm
librpmbuild9-4.16.1.3-1.mga8.i586.rpm
librpm-devel-4.16.1.3-1.mga8.i586.rpm
librpmsign9-4.16.1.3-1.mga8.i586.rpm
python3-rpm-4.16.1.3-1.mga8.i586.rpm
rpm-4.16.1.3-1.mga8.i586.rpm
rpm-apidocs-4.16.1.3-1.mga8.noarch.rpm
rpm-build-4.16.1.3-1.mga8.i586.rpm
rpm-cron-4.16.1.3-1.mga8.noarch.rpm
rpm-debugsource-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-audit-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-ima-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-prioreset-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-selinux-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-syslog-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-systemd-inhibit-4.16.1.3-1.mga8.i586.rpm
rpm-sign-4.16.1.3-1.mga8.i586.rpm

x86_64:
lib64rpm9-4.16.1.3-1.mga8.x86_64.rpm
lib64rpmbuild9-4.16.1.3-1.mga8.x86_64.rpm
lib64rpm-devel-4.16.1.3-1.mga8.x86_64.rpm
lib64rpmsign9-4.16.1.3-1.mga8.x86_64.rpm
python3-rpm-4.16.1.3-1.mga8.x86_64.rpm
rpm-4.16.1.3-1.mga8.x86_64.rpm
rpm-apidocs-4.16.1.3-1.mga8.noarch.rpm
rpm-build-4.16.1.3-1.mga8.x86_64.rpm
rpm-cron-4.16.1.3-1.mga8.noarch.rpm
rpm-debugsource-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-audit-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-ima-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-prioreset-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-selinux-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-syslog-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-systemd-inhibit-4.16.1.3-1.mga8.x86_64.rpm
rpm-sign-4.16.1.3-1.mga8.x86_64.rpm

Debuginfo packages:

librpm9-debuginfo-4.16.1.3-1.mga8.i586.rpm
librpmbuild9-debuginfo-4.16.1.3-1.mga8.i586.rpm
librpmsign9-debuginfo-4.16.1.3-1.mga8.i586.rpm
python3-rpm-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-build-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-audit-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-ima-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-prioreset-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-selinux-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-syslog-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-plugin-systemd-inhibit-debuginfo-4.16.1.3-1.mga8.i586.rpm
rpm-sign-debuginfo-4.16.1.3-1.mga8.i586.rpm

lib64rpm9-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
lib64rpmbuild9-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
lib64rpmsign9-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
python3-rpm-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-build-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-audit-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-ima-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-prioreset-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-selinux-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-syslog-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-systemd-inhibit-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
rpm-sign-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
Thierry Vignaud 2021-03-29 15:05:43 CEST

Keywords: (none) => Security
CC: (none) => luigiwalser

Aurelien Oudelet 2021-03-29 15:26:31 CEST

CVE: (none) => CVE-2021-3421, CVE-2021-20271, CVE-2021-20266
Component: RPM Packages => Security
QA Contact: (none) => security
Keywords: Security => (none)
CC: (none) => ouaurelien

Comment 1 Aurelien Oudelet 2021-03-30 17:30:44 CEST 
MGA8 x86_64 Plasma

updating is OK.
Installation of new RPM is OK
Removing RPM is OK.

No useful PoC upstream. Needs examples ill-crafted RPM.
Therefore, as this needs untrusted RPM, this is mitigated.

This should be approved.

Whiteboard: (none) => MGA8-64-OK

Comment 2 Thomas Andrews 2021-03-31 01:37:54 CEST 
Validated. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 3 Thomas Backlund 2021-03-31 13:13:57 CEST 
dropping validation for now to get some more testers as this is a basesystem package that is very important to not screw up

Keywords: validated_update => (none)

Comment 4 Thomas Backlund 2021-03-31 13:14:35 CEST 
and it should be tested on i586 too
Comment 5 Thomas Andrews 2021-03-31 14:31:27 CEST 
Mga8 64-bit Plasma on an HP Probook 6550b.

Installed using qarepo, after removing the "debugsource" package from the list in Comment 0. (qarepo said that one wasn't in updates_testing.)

No installation issues. Clicked on a downloaded third-party rpm to install it, then removed it using urpme, asked MCC to check for updates(There were none). No issues noted.

Looks OK here. Will check on my i586 laptop later today.
Comment 6 Dave Hodgins 2021-03-31 15:32:06 CEST 
No regressions noticed here with x86_64 and aarch64 (rpi4).

CC: (none) => davidwhodgins

Comment 7 Thomas Andrews 2021-03-31 18:03:21 CEST 
Tested on a Dell Inspiron 5100, 32-bit P4, 32-bit Xfce system.

No installation issues. After update, used it with qarepo and MCC to get and test some potential updates, with no issues noted.

Giving this a 32-bit OK.

Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OK

Comment 8 Guillaume Royer 2021-03-31 21:12:29 CEST 
MGA 8 XFCE,

Update with QA repo and :

lib64rpm9-4.16.1.3-1.mga8.x86_64.rpm
lib64rpmbuild9-4.16.1.3-1.mga8.x86_64.rpm
lib64rpm-devel-4.16.1.3-1.mga8.x86_64.rpm
lib64rpmsign9-4.16.1.3-1.mga8.x86_64.rpm
python3-rpm-4.16.1.3-1.mga8.x86_64.rpm
rpm-4.16.1.3-1.mga8.x86_64.rpm
rpm-apidocs-4.16.1.3-1.mga8.noarch.rpm
rpm-build-4.16.1.3-1.mga8.x86_64.rpm
rpm-cron-4.16.1.3-1.mga8.noarch.rpm
rpm-plugin-audit-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-ima-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-prioreset-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-selinux-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-syslog-4.16.1.3-1.mga8.x86_64.rpm
rpm-plugin-systemd-inhibit-4.16.1.3-1.mga8.x86_64.rpm
rpm-sign-4.16.1.3-1.mga8.x86_64.rpm

No issues at installation.
Installation and uninstallation of some software ok

CC: (none) => guillaume.royer

Comment 9 Len Lawrence 2021-04-01 00:07:15 CEST 
mga8, x64

Installed the update packages, which pulled in lua5 and selinux-policy as well.

$ sudo rpm -qilp mplayer-skins-1.9-1.nodist.rf.noarch.rpmName        : mplayer-skins
Version     : 1.9
Release     : 1.nodist.rf
Architecture: noarch
Install Date: (not installed)
Group       : Applications/Multimedia
Size        : 17542283
License     : GPL
Signature   : DSA/SHA1, Wed 20 Mar 2013 15:59:28 GMT, Key ID a20e52146b8d79e6
Source RPM  : mplayer-skins-1.9-1.nodist.rf.src.rpm
Build Date  : Wed 20 Mar 2013 14:11:50 GMT
Build Host  : lisse.hasselt.wieers.com
Packager    : Dag Wieers <dag@wieers.com>
Vendor      : Dag Apt Repository, http://dag.wieers.com/apt/
URL         : http://mplayerhq.hu/
Summary     : Collection of skins for MPlayer
Description :
This package contains a collection of additional skins for the GUI version
of MPlayer, the movie player for Linux. Install this package if you wish to
change the appeareance of MPlayer.
/usr/share/mplayer/skins/Abyss
........................

$ sudo rpm -i mplayer-skins-1.9-1.nodist.rf.noarch.rpm 
warning: mplayer-skins-1.9-1.nodist.rf.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
ls /usr/share/mplayer/skins
Abyss/         CornerMP-aqua/  iTunes-mini/   Orange/       softgrip/
................................

$ sudo rpm -e mplayer-skins
$ ls /usr/share/mplayer/skins
$

That's all I know.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2021-04-01 00:09:18 CEST 
Edit:
$ sudo rpm -qilp mplayer-skins-1.9-1.nodist.rf.noarch.rpm
Name        : mplayer-skins
............
Comment 11 Thomas Andrews 2021-04-01 18:00:15 CEST 
I have run this for testing updates for several days now, on several sets of hardware, and in both 32 and 64 bit systems, with zero problems.

Restoring the validation.

Keywords: (none) => validated_update

Comment 12 Thomas Backlund 2021-04-01 20:02:24 CEST 
ACK. thanks for the extra testing
Thomas Backlund 2021-04-02 11:05:18 CEST

Keywords: (none) => advisory

Comment 13 Mageia Robot 2021-04-02 12:17:58 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0167.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 Thierry Vignaud 2021-07-02 09:08:30 CEST 
*** Bug 28926 has been marked as a duplicate of this bug. ***
David Walser 2021-07-02 16:21:54 CEST

Source RPM: rpm-4.16.1.3-1.mga8 => rpm-4.16.1.2-1.mga8

Thierry Vignaud 2021-07-02 18:43:29 CEST

Source RPM: rpm-4.16.1.2-1.mga8 => rpm-4.16.1.3-1.mga8

Comment 15 Aurelien Oudelet 2021-07-02 18:56:18 CEST 
Sorry Thierry, the SRC field in Bugzilla must refer to the SRPM that contains the issues/vulnerabilities.

So, in this case David Walser is true doing this.
Thanks.

Source RPM: rpm-4.16.1.3-1.mga8 => rpm-4.16.1.2-1.mga8

Comment 16 Thierry Vignaud 2021-07-02 19:12:29 CEST 
Oups sorry, I though this was an error
Thierry Vignaud 2023-12-04 19:16:08 CET

Blocks: (none) => 32594