| Summary: | dpkg new security issue CVE-2022-1664 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | dpkg-1.20.9-2.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2022-05-26 17:50:36 CEST
David Walser
2022-05-26 17:50:46 CEST
Status comment: (none) => Fixed upstream in 1.20.10

Ubuntu has issued an advisory for this today (May 26):
https://ubuntu.com/security/notices/USN-5446-1

Severity: normal => major

This looks good to assign to its registered maintainer, bcornec.

Assignee: bugsquad => bruno

1.12.8 pushed to cauldron
1.20.10 not available upstream yet :-(

Whiteboard: MGA8TOO => (none)

(In reply to Bruno Cornec from comment #3)
> 1.12.8 pushed to cauldron

I meant 1.21.8

Debian bullseye already updated to 1.20.10, so you should be able to get a tarball from them.

1.20.10 (now available upstream) has been pushed to mga8 updates_testing

CC: (none) => bruno

dpkg-dev-1.20.10-1.mga8
dselect-1.20.10-1.mga8
dpkg-devel-1.20.10-1.mga8
perl-Dpkg-1.20.10-1.mga8
dpkg-1.20.10-1.mga8

from dpkg-1.20.10-1.mga8.src.rpm

Status comment: Fixed upstream in 1.20.10 => (none)

This was silently rebuilt. Package list is now:

dpkg-dev-1.20.10-2.mga8
dselect-1.20.10-2.mga8
perl-Dpkg-1.20.10-2.mga8
dpkg-devel-1.20.10-2.mga8
dpkg-1.20.10-2.mga8

from dpkg-1.20.10-2.mga8.src.rpm

mga8, x64

Attempt at updating after qarepo downloads:

```
The following package has to be removed for others to be upgraded:
dpkg-dev-1.20.5-4.mga8.noarch
 (due to unsatisfied dpkg-perl == 1.20.5-4.mga8)
yes
Sorry, the following package cannot be selected:
- dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1(LIBSELINUX_1.0))
```

Proceeded without dpkg-dev.

Tried a manual update:

```
$ sudo urpmi *.rpm
Packages perl-Dpkg-1.20.10-2.mga8.noarch, dpkg-1.20.10-2.mga8.x86_64, dselect-1.20.10-2.mga8.x86_64, dpkg-devel-1.20.10-2.mga8.x86_64 are already installed
A requested package cannot be installed:
dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1)
Continue installation anyway? (Y/n)
Marking dpkg as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
While some packages may have been installed, there were failures.
A requested package cannot be installed:
dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1)
Continue installation anyway?
$ rpm -qa | grep -i dpkg
dpkg-devel-1.20.10-2.mga8
perl-Dpkg-1.20.10-2.mga8
dpkg-1.20.10-2.mga8
$ rpm -qa | grep dselect
dselect-1.20.10-2.mga8
$ rpm -q dpkg-dev
package dpkg-dev is not installed
$ rpm -q libselinux
libselinux-3.2-0.rc1.4.mga8
```

What to do now?

Keywords: (none) => feedback

SUSE has issued an advisory for this on August 5:
https://lists.suse.com/pipermail/sle-security-updates/2022-August/011813.html

Bruno, Len's issue in Comment 9 is because dpkg-dev is a noarch package linked to an arch'd library. Looks like either it should not be noarch, or it contains an arch'd file that should be in a different subpackage.

Keywords: feedback => (none)

Thx David for the warning.
I've now uploaded the following:

dpkg-dev-1.20.10-3.mga8
dselect-1.20.10-3.mga8
perl-Dpkg-1.20.10-3.mga8
dpkg-devel-1.20.10-3.mga8
dpkg-1.20.10-3.mga8

from dpkg-1.20.10-3.mga8.src.rpm

It is fixing the reported issue by Len on my system.

MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Ref bug 23411 for testing.

```
# dpkg --version
Debian 'dpkg' package management program version 1.20.10 (amd64).
This is free software; see the GNU General Public License version 2 or
later for copying conditions. There is NO warranty.
# dpkg --print-architecture
amd64
```

Downloaded stable debian package for bash, then

```
# dpkg -c bash_5.1-2+deb11u1_amd64.deb
drwxr-xr-x root/root 0 2022-03-27 20:40 ./
drwxr-xr-x root/root 0 2022-03-27 20:40 ./bin/
-rwxr-xr-x root/root 1234376 2022-03-27 20:40 ./bin/bash
drwxr-xr-x root/root 0 2022-03-27 20:40 ./etc/
-rw-r--r-- root/root 1994 2022-03-27 20:40 ./etc/bash.bashrc
drwxr-xr-x root/root 0 2022-03-27 20:40 ./etc/skel/
-rw-r--r-- root/root 220 2022-03-27 20:40 ./etc/skel/.bash_logout
-rw-r--r-- root/root 3526 2022-03-27 20:40 ./etc/skel/.bashrc
-rw-r--r-- root/root 807 2022-03-27 20:40 ./etc/skel/.profile
drwxr-xr-x root/root 0 2022-03-27 20:40 ./usr/
drwxr-xr-x root/root 0 2022-03-27 20:40 ./usr/bin/
-rwxr-xr-x root/root 6759 2022-03-27 20:40 ./usr/bin/bashbug
-rwxr-xr-x root/root 14648 2022-03-27 20:40 ./usr/bin/clear_console
```

and a load more....

```
dpkg -x bash_5.1-2+deb11u1_amd64.deb /home/tester8/tmp/
```

checked that above files have been created in the correct folders under /home/tester8/tmp/: all OK.
I couldn't get my head around Len's test with coapp, so leaving it.
I will not object someone else OK'ing this.

CC: (none) => herman.viaene

As no objections have been forthcoming, I'm giving this an OK based on the test in Comment 13. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins
2022-09-16 19:54:29 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0327.html

Resolution: (none) => FIXED