Bug 29493

Summary: libss7 new security issue rhbz#1932066
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, olav, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: libss7-2.0.0-4.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2021-09-26 19:08:30 CEST
Fedora has issued an advisory on September 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7WQQBJ424DJMGRN6HI2OEMSSZ5XBG5ZH/

The issue is fixed upstream in 2.0.1.

Mageia 8 is also affected.
David Walser 2021-09-26 19:08:46 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.0.1

Comment 1 Marja Van Waes 2021-09-26 22:23:07 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing ovitters, because he's the only one, apart from umeabot, who touched this package in the last five years.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, olav

Comment 2 Nicolas Salguero 2021-09-27 10:10:55 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsafe use of strncpy. (rhbz#1932066)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7WQQBJ424DJMGRN6HI2OEMSSZ5XBG5ZH/
========================

Updated packages in core/updates_testing:
========================
lib(64)ss7_2-2.0.1-1.mga8
lib(64)ss7-devel-2.0.1-1.mga8

from SRPM:
libss7-2.0.1-1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 2.0.1 => (none)
Assignee: pkg-bugs => qa-bugs
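The advisory above names only the defect class ("unsafe use of strncpy"). The C example below is added here to illustrate that class; it is not libss7's code and does not reproduce the libss7 fix. It shows the classic pitfall, strncpy() leaving the destination unterminated when the source fills the whole buffer, next to a bounded copy helper (copy_bounded, a hypothetical name) that always terminates and reports truncation to the caller.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The pitfall: strncpy(dst, src, n) writes no terminator when strlen(src) >= n,
 * so a later strlen()/printf("%s") on dst reads past the end of the buffer.
 * Returns the number of bytes before the first NUL within dst (== dstsz means
 * no terminator at all). */
size_t copy_with_strncpy(char *dst, size_t dstsz, const char *src) {
    strncpy(dst, src, dstsz);
    return strnlen(dst, dstsz);
}

/* Hardened variant: never reads more than dstsz bytes of src, always writes a
 * terminator, and returns false when the input had to be truncated so the
 * caller can reject the input instead of silently continuing with a partial
 * value. */
bool copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return false;
    size_t n = strnlen(src, dstsz);
    if (n == dstsz) {                 /* src plus its NUL does not fit */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);          /* fits: copy including the NUL */
    return true;
}

/* Test helper: 1 if strncpy() left a dstsz-byte buffer unterminated for src. */
int strncpy_unterminated(const char *src, size_t dstsz) {
    char dst[64];
    if (dstsz > sizeof dst) return -1;
    return copy_with_strncpy(dst, dstsz, src) == dstsz;
}

/* Test helper: copies src into a dstsz-byte buffer with copy_bounded();
 * returns 1 if it fit, 0 if truncated, -1 if the result is not `expect`. */
int bounded_check(const char *src, size_t dstsz, const char *expect) {
    char dst[64];
    if (dstsz > sizeof dst) return -1;
    bool fit = copy_bounded(dst, dstsz, src);
    if (strcmp(dst, expect) != 0) return -1;
    return fit ? 1 : 0;
}

int main(void) {
    /* Constructed sample: a 16-character string into a 16-byte buffer. */
    printf("strncpy unterminated: %d\n", strncpy_unterminated("0123456789ABCDEF", 16));
    printf("copy_bounded fit:     %d\n", bounded_check("0123456789", 8, "0123456"));
    return 0;
}
```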

Comment 3 Herman Viaene 2021-10-05 13:48:20 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues
No previous updates, googling for an example draws a zero, and at CLI:
# urpmq --whatrequires lib64ss7_2
lib64ss7-devel
lib64ss7_2
# urpmq --whatrequires-recursive lib64ss7_2
lib64ss7-devel
lib64ss7_2
OK'ing on clean install, unless someone's got a better idea.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-10-05 17:02:37 CEST
I did the same yesterday. I did find a description of ss7 at https://en.wikipedia.org/wiki/Signalling_System_No._7 but have no idea if it is applicable. Too complicated to expect QA to master sufficiently to test, anyway.

Clean install it is. Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Herman Viaene 2021-10-05 17:19:38 CEST
I should have known. As telephony is switching over to VOIP, I doubt there is still much use for ss7. In Belgium in analogue times (but computer controlled), ss7 was used to transfer info on call-setup and -duration from the switching exchange to a "Taxation Center" which calculated the cost of calls to be billed to the call-originator.
Dave Hodgins 2021-10-06 20:00:47 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2021-10-06 21:43:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0465.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED