Bug 29773

Summary: olm new security issue CVE-2021-44538
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: olm-3.2.3-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-12-16 20:31:05 CET 
Upstream has issued an advisory on December 13:
https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

Fedora has issued an advisory for this today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KV6JC75W3QMSB2MM4EQL5FRQP3K7VFO3/

The issue is fixed upstream in 3.2.8.

Mageia 8 is also affected.
David Walser 2021-12-16 20:31:17 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.2.8

Comment 1 Lewis Smith 2021-12-16 20:39:25 CET 
This is DavidG's baby.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Lécureuil 2021-12-16 22:04:49 CET 
Patch addded in cauldron and mga8

src:
    - olm-3.2.1-1.1.mga8

CC: (none) => mageia
Status comment: Fixed upstream in 3.2.8 => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 3 David Walser 2021-12-16 22:43:07 CET 
Nicolas, please update Cauldron to 3.2.8 if you can.  It needs to happen at some point, might as well be now.  Thanks.

For this update for Mageia 8:
libolm3-3.2.1-1.1.mga8
python3-olm-3.2.1-1.1.mga8
libolm-devel-3.2.1-1.1.mga8

from olm-3.2.1-1.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 Herman Viaene 2021-12-17 11:47:36 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
In MCC: lib64olm3 - Double Ratchet cryptographic library​
]# urpmq --whatrequires lib64olm3
lib64olm-devel
lib64olm3
lib64qtolm3
lib64qtolm3
python3-olm
python3-olm
python3-olm
# urpmq --whatrequires-recursive lib64olm3
lib64olm-devel
lib64olm3
lib64qtolm-devel
lib64qtolm-devel
lib64qtolm3
lib64qtolm3
python3-olm
python3-olm
python3-olm

Seems all developer's stuff, so I propose OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2021-12-18 19:54:40 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-12-19 16:19:59 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-12-19 17:14:58 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0571.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED