| Summary: | phoronix-test-suite new security issues CVE-2022-0157, CVE-2022-019[67], CVE-2022-0238 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | phoronix-test-suite-10.2.1-1.mga8.src.rpm | CVE: | CVE-2022-0157, CVE-2022-0196, CVE-2022-0197, CVE-2022-0238 |
| Status comment: | |||
Description
David Walser
2022-02-10 22:00:11 CET
David Walser
2022-02-10 22:00:30 CET
Whiteboard: (none) => MGA8TOO

This one is unambiguously for you, DavidG.

Assignee: bugsquad => geiger.david68210

Suggested advisory:
========================
The updated package fixes security vulnerabilities:
phoronix-test-suite is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). (CVE-2022-0157)
phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF). (CVE-2022-0196, CVE-2022-0197, CVE-2022-0238)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0238
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/57V2CSFU5MKWKL6RJUKMXSD4PCRFTMMQ/
========================
Updated package in core/updates_testing:
========================
phoronix-test-suite-10.8.2-1.mga8
from SRPM:
phoronix-test-suite-10.8.2-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)

This was fun, note the installation is big and as you install test suites, they are bigger.
The following 231 packages are going to be installed:
- autoconf-2.70-4.mga8.noarch
- automake-1.16.3-1.mga8.noarch
- bison-3.7.5-1.mga8.x86_64
- byacc-20200910-1.mga8.x86_64
- ctags-5.8-15.mga8.x86_64
- cvs-1.12.13-32.mga8.x86_64
- cvs-fast-export-1.55-3.mga8.x86_64
- docbook-style-dsssl-1.79-19.mga8.noarch
- docbook-style-xsl-1.79.2-5.mga8.noarch
- docbook-utils-0.6.14-23.mga8.noarch
- flex-2.6.4-5.mga8.x86_64
- ftjam-2.5.3rc2-0.18.mga8.x86_64
- gcc-c++-10.3.0-2.mga8.x86_64
- gcc-gfortran-10.3.0-2.mga8.x86_64
- gettext-devel-0.21-8.mga8.x86_64
- git-2.30.2-1.mga8.x86_64
- git-arch-2.30.2-1.mga8.x86_64
- git-core-2.30.2-1.mga8.x86_64
- git-core-oldies-2.30.2-1.mga8.x86_64
- git-cvs-2.30.2-1.mga8.x86_64
- git-email-2.30.2-1.mga8.x86_64
- git-prompt-2.30.2-1.mga8.x86_64
- git-svn-2.30.2-1.mga8.x86_64
- gitk-2.30.2-1.mga8.x86_64
- glib-gettextize-2.66.8-1.mga8.x86_64
- gtk-doc-1.32-4.mga8.noarch
- help2man-1.47.16-1.mga8.noarch
- lib64aa-devel-1.4.0-0.rc5.34.mga8.x86_64
- lib64acl-devel-2.2.53-2.mga8.x86_64
- lib64aio-devel-0.3.112-1.mga8.x86_64
- lib64alsa2-devel-1.2.4-1.mga8.x86_64
- lib64atk1.0-devel-2.36.0-1.mga8.x86_64
- lib64boost_regex1.75.0-1.75.0-1.mga8.x86_64
- lib64bsd-devel-0.10.0-2.mga8.x86_64
- lib64cairo-devel-1.16.0-6.1.mga8.x86_64
- lib64datrie-devel-0.2.12-2.mga8.x86_64
- lib64dri-drivers-21.3.6-2.mga8.x86_64
- lib64drm-devel-2.4.109-3.mga8.x86_64
- lib64event-devel-2.1.12-1.mga8.x86_64
- lib64expat-devel-2.2.10-1.2.mga8.x86_64
- lib64ffi-devel-3.3-2.mga8.x86_64
- lib64fftw-devel-3.3.9-1.mga8.x86_64
- lib64fftwmpi3-3.3.9-1.mga8.x86_64
- lib64fftwomp3-3.3.9-1.mga8.x86_64
- lib64flac-devel-1.3.3-3.mga8.x86_64
- lib64fontconfig-devel-2.13.93-4.mga8.x86_64
- lib64freeimage-devel-3.18.0-4.mga8.x86_64
- lib64freeimage3-3.18.0-4.mga8.x86_64
- lib64freetype2-devel-2.10.4-2.mga8.x86_64
- lib64fribidi-devel-1.0.10-1.mga8.x86_64
- lib64gdk_pixbuf2.0-devel-2.42.2-1.mga8.x86_64
- lib64ggi-devel-2.2.2-28.mga8.x86_64
- lib64gii-devel-1.0.2-26.mga8.x86_64
- lib64glapi-devel-21.3.6-2.mga8.x86_64
- lib64glapi0-21.3.6-2.mga8.x86_64
- lib64glesv1_cm1-1.3.2-16.mga8.x86_64
- lib64glew-devel-2.2.0-2.mga8.x86_64
- lib64glew2.2-2.2.0-2.mga8.x86_64
- lib64glib2.0-devel-2.66.8-1.mga8.x86_64
- lib64glvnd-devel-1.3.2-16.mga8.x86_64
- lib64gpm-devel-1.20.7-14.mga8.x86_64
- lib64graphite2-devel-1.3.14-1.mga8.x86_64
- lib64gtk+2.0-devel-2.24.33-1.mga8.x86_64
- lib64gtk-gir2.0-2.24.33-1.mga8.x86_64
- lib64harfbuzz-devel-2.7.4-1.mga8.x86_64
- lib64hwloc-devel-2.3.0-1.mga8.x86_64
- lib64hwloc15-2.3.0-1.mga8.x86_64
- lib64ibverbs-devel-1.2.1-4.mga8.x86_64
- lib64ibverbs1-1.2.1-4.mga8.x86_64
- lib64icu-devel-68.2-1.1.mga8.x86_64
- lib64ilmbase-devel-2.5.7-1.3.mga8.x86_64
- lib64imlib2-devel-1.7.1-1.mga8.x86_64
- lib64jack-devel-1.9.14-1.mga8.x86_64
- lib64jasper-devel-2.0.27-1.mga8.x86_64
- lib64jbig-devel-2.1-7.mga8.x86_64
- lib64jpeg-devel-2.0.6-1.mga8.x86_64
- lib64jxr-devel-1.1-5.mga8.x86_64
- lib64jxr0-1.1-5.mga8.x86_64
- lib64kms1-2.4.109-3.mga8.x86_64
- lib64lcms2-devel-2.11-1.mga8.x86_64
- lib64mesagl-devel-21.3.6-2.mga8.x86_64
- lib64mesagl1-21.3.6-2.mga8.x86_64
- lib64mesaglu1-devel-9.0.1-2.mga8.x86_64
- lib64mesakhr-devel-21.3.6-2.mga8.x86_64
- lib64mesavulkan-drivers-21.3.6-2.mga8.x86_64
- lib64mikmod-devel-3.3.11.1-4.mga8.x86_64
- lib64mikmod3-3.3.11.1-4.mga8.x86_64
- lib64modplug-devel-0.8.9.0-4.mga8.x86_64
- lib64mount-devel-2.36.1-5.mga8.x86_64
- lib64nl-cli3_200-3.5.0-2.mga8.x86_64
- lib64nl-idiag3_200-3.5.0-2.mga8.x86_64
- lib64nl-nf3_200-3.5.0-2.mga8.x86_64
- lib64nl-route3_200-3.5.0-2.mga8.x86_64
- lib64nl-xfrm3_200-3.5.0-2.mga8.x86_64
- lib64nl3-devel-3.5.0-2.mga8.x86_64
- lib64ogg-devel-1.3.4-2.mga8.x86_64
- lib64openal-devel-1.21.0-1.mga8.x86_64
- lib64opencl-devel-2.2.13-1.mga8.x86_64
- lib64openexr-devel-2.5.7-1.3.mga8.x86_64
- lib64opengl0-1.3.2-16.mga8.x86_64
- lib64openjade0-1.3.3-0.pre1.26.mga8.x86_64
- lib64openjpeg-devel-1.5.2-11.mga8.x86_64
- lib64openjpeg2-devel-2.4.0-1.2.mga8.x86_64
- lib64openjpeg5-1.5.2-11.mga8.x86_64
- lib64openmpi-devel-4.0.5-2.mga8.x86_64
- lib64openmpi40-4.0.5-2.mga8.x86_64
- lib64openpmix-devel-3.2.2-1.mga8.x86_64
- lib64openpmix2-3.2.2-1.mga8.x86_64
- lib64opus-devel-1.3.1-3.mga8.x86_64
- lib64osp5-1.5.2-21.mga8.x86_64
- lib64pango1.0-devel-1.48.4-1.mga8.x86_64
- lib64pciaccess-devel-0.16-2.mga8.x86_64
- lib64pcre-devel-8.44-1.mga8.x86_64
- lib64pcre16_0-8.44-1.mga8.x86_64
- lib64pcre32_0-8.44-1.mga8.x86_64
- lib64pixman-devel-0.40.0-1.mga8.x86_64
- lib64png-devel-1.6.37-2.mga8.x86_64
- lib64popt-devel-1.18-1.mga8.x86_64
- lib64portaudio-devel-19.6.0-snapshot20161030.8.mga8.x86_64
- lib64portaudiocpp0-19.6.0-snapshot20161030.8.mga8.x86_64
- lib64raw-devel-0.20.2-1.mga8.x86_64
- lib64raw_r20-0.20.2-1.mga8.x86_64
- lib64rdmacm-devel-1.1.0-4.mga8.x86_64
- lib64rdmacm1-1.1.0-4.mga8.x86_64
- lib64samplerate-devel-0.1.9-4.mga8.x86_64
- lib64SDL-devel-1.2.15-26.mga8.x86_64
- lib64SDL_gfx-devel-2.0.26-2.mga8.x86_64
- lib64SDL_image-devel-1.2.12-14.mga8.x86_64
- lib64SDL_image1.2_0-1.2.12-14.mga8.x86_64
- lib64SDL_net-devel-1.2.8-10.mga8.x86_64
- lib64SDL_net1.2_0-1.2.8-10.mga8.x86_64
- lib64SDL_sound-devel-1.0.3-21.mga8.x86_64
- lib64SDL_sound1.0_1-1.0.3-21.mga8.x86_64
- lib64SDL_ttf-devel-2.0.11-11.mga8.x86_64
- lib64SDL_ttf2.0_0-2.0.11-11.mga8.x86_64
- lib64serf2_2-1.4.0-0.7.mga8.x86_64
- lib64slang-devel-2.3.2-2.mga8.x86_64
- lib64sndio-devel-1.7.0-1.mga8.x86_64
- lib64source-highlight4-3.1.9-8.mga8.x86_64
- lib64speex-devel-1.2.0-3.1.mga8.x86_64
- lib64svn0-1.14.1-1.1.mga8.x86_64
- lib64thai-devel-0.1.28-2.mga8.x86_64
- lib64tiff-devel-4.2.0-1.1.mga8.x86_64
- lib64turbojpeg0-2.0.6-1.mga8.x86_64
- lib64utf8proc2-2.6.1-1.mga8.x86_64
- lib64vorbis-devel-1.3.7-1.mga8.x86_64
- lib64webp-devel-1.1.0-2.mga8.x86_64
- lib64webpdecoder3-1.1.0-2.mga8.x86_64
- lib64x11-devel-1.7.0-1.2.mga8.x86_64
- lib64xau-devel-1.0.9-2.mga8.x86_64
- lib64xcb-damage0-1.14-1.mga8.x86_64
- lib64xcb-devel-1.14-1.mga8.x86_64
- lib64xcb-dpms0-1.14-1.mga8.x86_64
- lib64xcb-record0-1.14-1.mga8.x86_64
- lib64xcb-res0-1.14-1.mga8.x86_64
- lib64xcb-screensaver0-1.14-1.mga8.x86_64
- lib64xcb-xf86dri0-1.14-1.mga8.x86_64
- lib64xcb-xtest0-1.14-1.mga8.x86_64
- lib64xcb-xvmc0-1.14-1.mga8.x86_64
- lib64xcomposite-devel-0.4.5-3.mga8.x86_64
- lib64xcursor-devel-1.2.0-2.mga8.x86_64
- lib64xdamage-devel-1.1.5-2.mga8.x86_64
- lib64xdmcp-devel-1.1.3-2.mga8.x86_64
- lib64xext-devel-1.3.4-2.mga8.x86_64
- lib64xfixes-devel-5.0.3-3.mga8.x86_64
- lib64xft-devel-2.3.3-2.mga8.x86_64
- lib64xi-devel-1.7.10-2.mga8.x86_64
- lib64xinerama-devel-1.1.4-3.mga8.x86_64
- lib64xml2-devel-2.9.10-7.2.mga8.x86_64
- lib64xrandr-devel-1.5.2-2.mga8.x86_64
- lib64xrender-devel-0.9.10-3.mga8.x86_64
- lib64xshmfence-devel-1.3-3.mga8.x86_64
- lib64xxf86vm-devel-1.1.4-4.mga8.x86_64
- libgomp-devel-10.3.0-2.mga8.x86_64
- libpthread-stubs-0.4-3.mga8.x86_64
- libquadmath-devel-10.3.0-2.mga8.x86_64
- libtool-2.4.6-13.mga8.x86_64
- libtool-base-2.4.6-13.mga8.x86_64
- m4-1.4.18-3.mga8.x86_64
- mesa-21.3.6-2.mga8.x86_64
- opencl-headers-2.2-0.20200218.1.mga8.noarch
- openjade-1.3.3-0.pre1.26.mga8.x86_64
- openjpeg-1.5.2-11.mga8.x86_64
- openjpeg2-2.4.0-1.2.mga8.x86_64
- openmpi-4.0.5-2.mga8.x86_64
- opensp-1.5.2-21.mga8.x86_64
- pango-doc-1.48.1-1.mga8.noarch
- perl-Authen-SASL-2.160.0-12.mga8.noarch
- perl-DBI-1.643.0-4.1.mga8.x86_64
- perl-devel-5.32.1-1.1.mga8.x86_64
- perl-Digest-HMAC-1.30.0-11.mga8.noarch
- perl-Digest-SHA1-2.130.0-28.mga8.x86_64
- perl-Error-0.170.290-3.mga8.noarch
- perl-Git-2.30.2-1.mga8.x86_64
- perl-Git-SVN-2.30.2-1.mga8.x86_64
- perl-libintl-perl-1.320.0-1.mga8.x86_64
- perl-MIME-Base64-3.160.0-1.mga8.x86_64
- perl-OpenGL-0.700.0-8.mga8.x86_64
- perl-SGMLSpm-1.03ii-4.mga8.noarch
- perl-SVN-1.14.1-1.1.mga8.x86_64
- perl-Text-Unidecode-1.300.0-4.mga8.noarch
- perl-Unicode-EastAsianWidth-12.0.0-2.mga8.noarch
- perl-YAML-1.300.0-2.mga8.noarch
- phoronix-test-suite-10.8.2-1.mga8.noarch
- php-cli-8.1.0-1.mga8.x86_64
- php-curl-8.1.0-1.mga8.x86_64
- php-dom-8.1.0-1.mga8.x86_64
- php-gd-8.1.0-1.mga8.x86_64
- php-ini-8.1.0-1.mga8.x86_64
- php-openssl-8.1.0-1.mga8.x86_64
- php-pcntl-8.1.0-1.mga8.x86_64
- php-pdo-8.1.0-1.mga8.x86_64
- php-posix-8.1.0-1.mga8.x86_64
- php-sockets-8.1.0-1.mga8.x86_64
- php-sqlite3-8.1.0-1.mga8.x86_64
- php-sysvsem-8.1.0-1.mga8.x86_64
- php-sysvshm-8.1.0-1.mga8.x86_64
- php-zlib-8.1.0-1.mga8.x86_64
- python3-pygments-2.7.4-1.1.mga8.noarch
- python3-pyparsing-2.4.7-1.mga8.noarch
- scons-4.0.1-1.mga8.noarch
- source-highlight-3.1.9-8.mga8.x86_64
- subversion-1.14.1-1.1.mga8.x86_64
- systemtap-sdt-devel-4.4-4.mga8.x86_64
- task-c++-devel-2011.0-9.mga8.noarch
- task-c-devel-2011.0-9.mga8.noarch
- tcsh-6.22.03-1.mga8.x86_64
- texinfo-6.7-3.mga8.x86_64
- valgrind-devel-3.16.1-10.mga8.x86_64
- x11-proto-devel-2020.1-2.mga8.noarch
- xsltproc-1.1.34-2.mga8.x86_64
426MB of additional disk space will be used.
--- testing
result
$ phoronix-test-suite install git/x265
$ phoronix-test-suite run git/x265
x265 Git:
git/x265-1.1.0
Test 1 of 1
Estimated Trial Run Count: 3
Estimated Time To Completion: 6 Minutes [16:34 CST]
Started Run 1 @ 16:28:45
Started Run 2 @ 16:31:53
Started Run 3 @ 16:35:01
H.265 1080p Video Encoding:
3.28
3.27
3.28
Average: 3.28 Frames Per Second
Deviation: 0.18%
Comparison of 97 OpenBenchmarking.org samples since 8 March 2019; median result: 26.98 Frames Per Second. Box plot of samples:
[|-*-----################!#################-----*-----------------| ]
^ This Result (13th Percentile): 3.28
Ryzen 5 PRO 4650G: 51.54 ^
Yes this puppy is a barn burner at 13th percentile
I was able to open the web-page. This works.
- Works as designed
Anybody out there able to beat 3.28 frames per second? ;-)

CC: (none) => brtians1

Oops. Replied on the qa-bugs ml by mistake. :-)
On my 9 year old desktop system ...
Average: 2.65 Frames Per Second
Deviation: 0.87%
Comparison of 97 OpenBenchmarking.org samples since 8 March 2019; median result: 26.98 Frames Per Second. Box plot of samples:
[ |----*------------------###########################################!###########################################---------------*--*----------------------------------------------| ]
^ This Result (8th Percentile): 2.65

CC: (none) => davidwhodgins

Wow my old (10 year old desktop) rig beat someone. ;-)

I'm okaying this as it appears to work as designed.

Whiteboard: (none) => MGA8-64-OK

(In reply to Brian Rockwell from comment #5)
> Wow my old (10 year old desktop) rig beat someone. ;-)
>
> I'm okaying this as it appears to work as designed.

The test is testing the video card, not just the cpu.

$ lspcidrake -v|grep Card
Card:ATI Radeon HD 5000 to HD 6300 (radeon): Advanced Micro Devices, Inc. [AMD/ATI]|Cedar [Radeon HD 5000/6000/7350/8350 Series] [DISPLAY_VGA] (vendor:1002 device:68f9 subv:1043 subd:03ca)

Validating the update.

CC: (none) => sysadmin-bugs
Dave Hodgins
2022-02-16 21:42:37 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0067.html

Resolution: (none) => FIXED

This update also fixed CVE-2022-0571:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KSQH5OWXAMWSM7H6VSBRDGTOE7UIOZHZ/