Bug 29723

Summary: gmp new security issue CVE-2021-43618
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: gmp-6.2.1-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2021-12-03 22:08:29 CET
Debian-LTS has issued an advisory on December 2:
https://www.debian.org/lts/security/2021/dla-2837

Mageia 8 is also affected.
David Walser 2021-12-03 22:08:53 CET

Status comment: (none) => Patch available from Debian and upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-12-03 22:54:14 CET
fixed in mga 8/9:

src:
    - gmp-6.2.1-1.1.mga8

CC: (none) => mageia
Status comment: Patch available from Debian and upstream => (none)
Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8

Comment 2 David Walser 2021-12-03 23:00:57 CET
libgmp10-6.2.1-1.1.mga8
libgmpxx-devel-6.2.1-1.1.mga8
libgmpxx4-6.2.1-1.1.mga8
libgmp-devel-6.2.1-1.1.mga8

from gmp-6.2.1-1.1.mga8.src.rpm
Comment 3 Herman Viaene 2021-12-06 12:05:45 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
No wiki or previous updates.
# urpmq --whatrequires lib64gmp10
returned a long list with many things that point me to developer's tools, but I picked another one.
$ strace -o ~/Documenten/gmp.txt genius
Genius 1.0.25
Copyright (C) 1997-2020 Jiří (George) Lebl
This is free software with ABSOLUTELY NO WARRANTY.
For license details type `warranty'.
For help type `manual' or `help'.

genius> 2+2
= 4
genius> help

Voor een handleiding voor Genius en de GEL-taal typ:
  handleiding

Voor hulp over een specifiek functietype, typ:
  hulp FunctieNaam

Opdrachten:
help                 - Hulp tonen (of de hulp bij een functie/opdracht)
load                 - Load a file into the interpreter
cd                   - Van map veranderen
pwd                  - Huidige map tonen
ls                   - Bestanden in de huidige map tonen
plugin               - Een plugin laden

Eenvoudig:
AskButtons           - Ask a question and present a list of buttons.  Returns the 1-based index of the button pressed (or null on failure).
AskString            - Ask a question and return a string.  Optionally pass in a default.
and that goes on forever.
But the trace shows a call to libgmp.
BTW: the list of dependencies also shows coreutils, but a trace on a mkdir command gave no result, so I abandoned the idea of trying these basic commands. But notice that the normal operation of the machine is not disturbed, so it should be OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
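A post-update check that complements the package list in Comment 2 and the QA run in Comment 3: an added example, not part of the bug report and not Mageia's own tooling, that reads `rpm -q` style output and confirms every installed gmp package is at or above the fixed release 6.2.1-1.1.mga8. The `rpm -q` lines are constructed sample data so the script runs offline; the simplified rpmvercmp logic and the helper names (`segments`, `vercmp`, `nvr_version`, `all_fixed`) are this example's own assumptions, not part of rpm.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the installed gmp
# packages are at or above the release that fixes CVE-2021-43618 on Mageia 8.
# The "rpm -q" output below is constructed sample data; on a live host feed
# the script the real output instead.

FIXED="6.2.1-1.1.mga8"   # fixed version-release from Comment 1 / Comment 2

# Split a version-release string into space-separated segments: separators
# become spaces and digit/letter boundaries are split too,
# e.g. "6.2.1-1.1.mga8" -> "6 2 1 1 1 mga 8".
segments() {
    printf '%s' "$1" | sed \
        -e 's/[^A-Za-z0-9]\{1,\}/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g'
}

# Simplified rpmvercmp (assumption: sufficient for Mageia's N.N.N-R.mgaX
# scheme): numeric segments compare as integers, alphabetic ones lexically,
# a numeric segment outranks an alphabetic one, a longer string wins a tie.
# Returns 0 if $1 == $2, 1 if $1 is newer, 2 if $1 is older.
vercmp() {
    a=$(segments "$1")
    b=$(segments "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa=${a%% *}; if [ "$sa" = "$a" ]; then a=''; else a=${a#* }; fi
        sb=${b%% *}; if [ "$sb" = "$b" ]; then b=''; else b=${b#* }; fi
        if [ -z "$sa" ]; then return 2; fi
        if [ -z "$sb" ]; then return 1; fi
        case "$sa" in *[!0-9]*) na=0 ;; *) na=1 ;; esac
        case "$sb" in *[!0-9]*) nb=0 ;; *) nb=1 ;; esac
        if [ "$na" -eq 1 ] && [ "$nb" -eq 1 ]; then
            if [ "$sa" -gt "$sb" ]; then return 1; fi
            if [ "$sa" -lt "$sb" ]; then return 2; fi
        elif [ "$na" -eq 1 ]; then
            return 1
        elif [ "$nb" -eq 1 ]; then
            return 2
        elif [ "$sa" != "$sb" ]; then
            # lexical order via sort, portable across sh flavours
            first=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | head -n 1)
            if [ "$first" = "$sb" ]; then return 1; else return 2; fi
        fi
    done
    return 0
}

# Same comparison, but printed as a number (handy under "set -e").
vercmp_code() {
    rc=0
    vercmp "$1" "$2" || rc=$?
    echo "$rc"
}

# Version-release of an NVR line as printed by "rpm -q": last two "-" fields.
nvr_version() {
    rel=${1##*-}
    rest=${1%-*}
    printf '%s-%s' "${rest##*-}" "$rel"
}

# Returns 0 if every NVR line in $1 (one per line) is at or above $FIXED,
# 1 otherwise; prints a verdict per package.
all_fixed() {
    status=0
    for nvr in $1; do
        vr=$(nvr_version "$nvr")
        rc=0
        vercmp "$vr" "$FIXED" || rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "VULNERABLE  $nvr (older than $FIXED)"
            status=1
        else
            echo "ok          $nvr"
        fi
    done
    return "$status"
}

# Constructed sample of "rpm -q" output on an updated x86_64 host (lib64
# variants of the package names in Comment 2).
SAMPLE_UPDATED="lib64gmp10-6.2.1-1.1.mga8
lib64gmpxx4-6.2.1-1.1.mga8
lib64gmp-devel-6.2.1-1.1.mga8"

# Constructed sample where one package is still at the pre-fix release.
SAMPLE_STALE="lib64gmp10-6.2.1-1.1.mga8
lib64gmpxx4-6.2.1-1.mga8"

all_fixed "$SAMPLE_UPDATED"
all_fixed "$SAMPLE_STALE" || echo "at least one gmp package still needs the update"
```

On a real Mageia 8 host, replace the sample variables with the output of `rpm -q lib64gmp10 lib64gmpxx4 lib64gmp-devel` (or the i586 names from Comment 2), which prints one NVR per line in exactly the form the script parses.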

Comment 4 Thomas Andrews 2021-12-07 14:04:21 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-08 01:25:41 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-12-08 21:05:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0544.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED