Bug 29167

libsolv is committed by various people, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Working on it.

Status: NEW => ASSIGNED
Assignee: pkg-bugs => ngompa13

Fixed upstream in 0.7.17, so Cauldron is not affected.

This would be the commit to backport for Mageia 7:
https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec

Neal built an update for Mageia 8:
libsolv1-0.7.19-1.mga8
perl-solv-0.7.19-1.mga8
python3-solv-0.7.19-1.mga8
libsolv-tools-0.7.19-1.mga8
ruby-solv-0.7.19-1.mga8
libsolv-devel-0.7.19-1.mga8
libsolv-demo-0.7.19-1.mga8
libsolv-doc-0.7.19-1.mga8

from libsolv-0.7.19-1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: (none) => Patch available from upstream

Fix for Mageia 7 is in SVN.  Any chance a sysadmin could freeze push it?  (yes we know EOL just hit)

CC: (none) => sysadmin-bugs

(In reply to David Walser from comment #4)
> Fix for Mageia 7 is in SVN.  Any chance a sysadmin could freeze push it? 
> (yes we know EOL just hit)

It is not in SVN, I am unable to commit it.

Weird, I can still commit to SVN.  You must be having a different issue.

I'll just assign this to QA then, maybe we can deal with mga7 if you get that sorted out.

Assignee: ngompa13 => qa-bugs
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from upstream => (none)

Created attachment 12839 [details]
libsolv mga7 update diff

(In reply to David Walser from comment #6)
> Weird, I can still commit to SVN.  You must be having a different issue.
> 
> I'll just assign this to QA then, maybe we can deal with mga7 if you get
> that sorted out.

ngompa@localhost ~/m/7/libsolv> mgarepo ci -m "Backport fix for CVE-2021-3200"
svn: E170001: Commit failed (details follow):
svn: E170001: Authorization failed

If someone wants to, I've attached the diff, they can commit themselves and get it done for Mageia 7.

Installed the package list in Mga 8.
I will do now some qa testing with  dnf.

Ulrich

CC: (none) => bequimao.de

Advisory:
========================

Updated libsolv packages fix a security vulnerability:

Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service (CVE-2021-3200).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29167
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3200
 - https://lists.suse.com/pipermail/sle-security-updates/2021-June/009080.html
========================

Updated packages in core/updates_testing:
========================
lib(64)solv1-0.7.19-1.mga8
perl-solv-0.7.19-1.mga8
python3-solv-0.7.19-1.mga8
libsolv-tools-0.7.19-1.mga8
ruby-solv-0.7.19-1.mga8
lib(64)solv-devel-0.7.19-1.mga8
libsolv-demo-0.7.19-1.mga8
libsolv-doc-0.7.19-1.mga8

from libsolv-0.7.19-1.mga8.src.rpm

Source RPM: libsolv-0.7.19-1.mga9.src.rpm => libsolv-0.7.16-1.mga8.src.rpm
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-3200

Created attachment 12858 [details]
dnf history of test

Installed the package list on MGA 8 64-bit and did some upgrades and qa-testing. Transaction numbers from 51 to 65.

No problems occured.

Ulrich

MGA8-64 VM using dnf.

MGA8-64-OK.
Validating

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0351.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

This update also fixed CVE-2021-44569 and CVE-2021-4457[01345679]:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XVLRHB6CUX3SHYOIGVUQNWAOW5JYANWH/

It looks like those were fixed in 0.7.17.

This update also fixed:
* libsolv: various flaws (CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938)
* libsolv: Heap overflow (CVE-2021-44568)

https://access.redhat.com/errata/RHSA-2022:5498