Bug 29429

Summary: squashfs-tools new security issues CVE-2021-40153 and CVE-2021-41072
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: squashfs-tools-4.4-3.git1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-08-31 19:44:29 CEST 
Ubuntu has issued an advisory today (August 31):
https://ubuntu.com/security/notices/USN-5057-1

Mageia 8 is also affected.
David Walser 2021-08-31 19:44:44 CEST

Status comment: (none) => Patch available from Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-08-31 19:51:05 CEST 
Fedora has issued an advisory for this on August 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
Comment 2 Lewis Smith 2021-08-31 20:06:27 CEST 
A coincidence: another update for a parentless SRPM which you tv have largely maintained.

Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2021-09-07 19:48:16 CEST 
Debian has issued an advisory for this on September 4:
https://www.debian.org/security/2021/dsa-4967
Comment 4 David Walser 2021-09-15 16:04:31 CEST 
Ubuntu has issued an advisory today (September 15):
https://ubuntu.com/security/notices/USN-5078-1

Mageia 8 is also affected.

Summary: squashfs-tools new security issue CVE-2021-40153 => squashfs-tools new security issues CVE-2021-40153 and CVE-2021-41072
Status comment: Patch available from Ubuntu => Patches available from Ubuntu

Comment 5 Nicolas Lécureuil 2021-09-23 23:06:49 CEST 
fixed in mga9

CC: (none) => mageia
Status comment: Patches available from Ubuntu => (none)
Version: Cauldron => 8

Comment 6 Nicolas Lécureuil 2021-09-23 23:14:14 CEST 
fixed in mga8:

src:
    - squashfs-tools-4.4-3.git1.1.mga8

Assignee: thierry.vignaud => qa-bugs

David Walser 2021-09-23 23:21:35 CEST

Whiteboard: MGA8TOO => (none)

Comment 7 David Walser 2021-09-26 19:38:21 CEST 
Fedora has issued an advisory on September 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/

They fixed an additional security issue.

Assignee: qa-bugs => mageia
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Status comment: (none) => Patch available from Cauldron

David Walser 2021-09-26 19:53:33 CEST

Status comment: Patch available from Cauldron => Patch available from Fedora

Comment 8 David Walser 2021-10-15 20:55:21 CEST 
Debian has issued an advisory for the newer issue today (October 15):
https://www.debian.org/security/2021/dsa-4987
Comment 9 David Walser 2021-10-15 20:56:06 CEST 
Ubuntu has issued an advisory for the newer issue on October 13:
https://ubuntu.com/security/notices/USN-5078-3
Comment 10 Nicolas Lécureuil 2021-11-25 22:45:34 CET 
(In reply to David Walser from comment #7)
> Fedora has issued an advisory on September 24:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/
> 
> They fixed an additional security issue.

this is not the same version ( 4.4 VS 4.5 )

i think we need to validate this and then see with our squashfs-tools maintainer to have his agreement for an update to version 4.5.

Assignee: mageia => qa-bugs
Status comment: Patch available from Fedora => (none)

Comment 11 David Walser 2021-11-26 01:23:53 CET 
(In reply to Nicolas Lécureuil from comment #10)
> (In reply to David Walser from comment #7)
> > Fedora has issued an advisory on September 24:
> > https://lists.fedoraproject.org/archives/list/package-announce@lists.
> > fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/
> > 
> > They fixed an additional security issue.
> 
> this is not the same version ( 4.4 VS 4.5 )
> 
> i think we need to validate this and then see with our squashfs-tools
> maintainer to have his agreement for an update to version 4.5.

Then you need to make a new bug for it and not just pretend it never happened.
Comment 12 Brian Rockwell 2021-12-09 20:32:18 CET 
MGA8-64, Gnome

Installed squashfs

followed the guidance in:  https://tldp.org/HOWTO/SquashFS-HOWTO/creatingandusing.html

I was able to test this out and it does work as expected.

CC: (none) => brtians1
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 13 Thomas Andrews 2021-12-16 17:36:16 CET 
(In reply to David Walser from comment #11)
> (In reply to Nicolas Lécureuil from comment #10)
> > (In reply to David Walser from comment #7)
> > > Fedora has issued an advisory on September 24:
> > > https://lists.fedoraproject.org/archives/list/package-announce@lists.
> > > fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/
> > > 
> > > They fixed an additional security issue.
> > 
> > this is not the same version ( 4.4 VS 4.5 )
> > 
> > i think we need to validate this and then see with our squashfs-tools
> > maintainer to have his agreement for an update to version 4.5.
> 
> Then you need to make a new bug for it and not just pretend it never
> happened.

I'm confused. I've held off from validating for Mageia 8 because I don't see a "new bug" yet. Should i continue to wait, or go ahead with the validation? 

And what about Cauldron? Should this be made a Mageia 8 only bug now, since Comment 5 says it's "fixed" there?

CC: (none) => andrewsfarm

Comment 14 David Walser 2021-12-16 21:20:56 CET 
Assigning back to Nicolas so Comment 10 and Comment 11 can be addressed in some manner.

Assignee: qa-bugs => mageia

Comment 15 Nicolas Lécureuil 2021-12-19 00:13:33 CET 
updating first in cauldron. Mga8 will follow.
Comment 16 Nicolas Lécureuil 2021-12-19 00:25:15 CET 
New version pushed in mga8/9

src:
    - squashfs-tools-4.5-1.git5ae723.1.mga8

Whiteboard: MGA8TOO MGA8-64-OK => (none)
Assignee: mageia => qa-bugs

Comment 17 Thomas Andrews 2021-12-28 17:47:03 CET 
Nicolas, you changed this to a Cauldron-only bug, and I freely admit that I've been ignoring it because I don't go anywhere near Cauldron at this stage. 

But, I decided to take a look today anyway, and I see Comment 16 shows a mga8 src. Did you miss changing the "Version" field to Mageia 8?
David Walser 2021-12-28 19:34:07 CET

Version: Cauldron => 8

Comment 18 Herman Viaene 2021-12-29 15:52:47 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Followed guidance as Brian pointed ti in Comment 12, went OK with the remark that I hadd to use the "-noappend" option to write to a formatted USB-stick.
As far as I am concerned, this update is good, provided TJ and Brian and Nicolas have sorted out their problems.

CC: (none) => herman.viaene

Comment 19 Thomas Andrews 2022-01-07 04:18:20 CET 
I had no problem with Brian's test. We just needed another on the new package.

Giving this an OK and validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-01-11 01:00:03 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 20 Mageia Robot 2022-01-11 08:13:58 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0010.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED