Bug 29920

Summary: usbview new security issue CVE-2022-23220
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Thomas Backlund <tmb>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: fri
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: usbview-2.1-1.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-01-21 19:18:29 CET
A security issue fixed upstream in usbview has been announced today (January 21):
https://www.openwall.com/lists/oss-security/2022/01/21/1

The issue is fixed upstream in 2.2.

David Walser 2022-01-21 19:18:37 CET

Status comment: (none) => Fixed upstream in 2.2

Comment 1 David Walser 2022-01-21 19:28:23 CET
Debian has issued an advisory for this today (January 21):
https://www.debian.org/security/2022/dsa-5052

Comment 2 Thomas Backlund 2022-01-22 17:38:22 CET
fixed in upstream 3.0


SRPM:
usbview-3.0-1.mga8.src.rpm

i586:
usbview-3.0-1.mga8.i586.rpm

x86_64:
usbview-3.0-1.mga8.x86_64.rpm

Assignee: tmb => qa-bugs

Comment 3 David Walser 2022-01-22 17:53:16 CET
Mageia 8 actually isn't affected as its version doesn't include the polkit rule.

Assignee: qa-bugs => tmb
Status: NEW => RESOLVED
Status comment: Fixed upstream in 2.2 => (none)
Resolution: (none) => FIXED

Comment 4 Morgan Leijström 2022-01-22 18:52:25 CET
For completeness: I see 3.0-1 is in Cauldron now.

For mga8, should the update get purged from testing, or set to QA and get tested?

CC: (none) => fri

Comment 5 David Walser 2022-01-22 18:55:49 CET
(In reply to Morgan Leijström from comment #4)
> For completeness: I see 3.0-1 is in Cauldron now.
> 
> For mga8, should the update get purged from testing, or set to QA and get
> tested?

It depends on if there's another reason tmb wants to push the update for Mageia 8; if so, it should have its own bug since this CVE isn't relevant there.