Bug 29834

Summary: libgda, libgda5.0 new security issue CVE-2021-39359
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libgda5.0-5.2.9-3.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-12-31 19:28:44 CET 
Fedora has issued an advisory today (December 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HRPPP47WRCAPAEJGRMEKYYJZBQCYXTLQ/

Mageia 8 is also affected.
David Walser 2021-12-31 19:28:56 CET

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-12-31 19:46:52 CET 
This is wally's baby.

Assignee: bugsquad => jani.valimaa

Comment 2 Jani Välimaa 2021-12-31 21:51:00 CET 
libgda doesn't exist in mga8. libgda and libga5.0 fixed in cauldron.

Updated cauldron pkgs:
libgda-6.0.0-3.mga9
libgda5.0-5.2.10-2.mga9

Version: Cauldron => 8
Source RPM: libgda-6.0.0-2.mga9.src.rpm, libgda5.0-5.2.9-3.mga8.src.rpm => libgda5.0-5.2.9-3.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

Comment 3 Jani Välimaa 2021-12-31 21:57:19 CET 
Pushed fixed libgda5.0-5.2.9-3.1.mga8 to mga8 core/updates_testing. Please test.

SRPMS:
libgda5.0-5.2.9-3.1.mga8

RPMS:
libgda5.0-5.2.9-3.1.mga8
lib(64)gda5.0_4-5.2.9-3.1.mga8
lib(64)gda5.0-devel-5.2.9-3.1.mga8
lib(64)gda-gir5.0-5.2.9-3.1.mga8
lib(64)gdaui-gir5.0-5.2.9-3.1.mga8
libgda5.0-postgres-5.2.9-3.1.mga8
libgda5.0-mysql-5.2.9-3.1.mga8
libgda5.0-bdb-5.2.9-3.1.mga8
libgda5.0-sqlite-5.2.9-3.1.mga8

Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa

David Walser 2021-12-31 22:16:11 CET

Status comment: Patch available from Fedora => (none)

Comment 4 Thomas Andrews 2022-01-02 20:53:52 CET 
No previous updates, but a recursive search with urpmq revealed that the Gnome app Planner requires libgda5.0, or at least one of its dependencies. Checked my Gnome VirtualBox guest, and found that Planner was already installed, so used qarepo to update. No installation issues.

Ran strace on planner, and found several references to libgda-related files. No obvious issues noted, though for the record I don't recall ever using the app.

Then I took a look at the file list in drakrpm for libgda5.0, and found a bin for "gdaui-demo-5.0" Ran that in a terminal, and after several warnings about Gtk theme parsing errors regarding depreciated button borders, a small gui came up with a list of demos. Double-clicked on some to run them, and no issues were noted.

Looks like this one is OK. Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-01-03 03:02:50 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-01-03 08:37:48 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0005.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED