Bug 30735

Summary: ytnef new security issues CVE-2021-3403 and CVE-2021-3404
Product: Mageia
Reporter: Nicolas Lécureuil <mageia>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: ytnef-1.9.3-2.mga8.src.rpm
CVE:
Status comment:

Description Nicolas Lécureuil 2022-08-11 10:09:07 CEST
Hello,

Here is a new version of ytnef fixing CVE-2021-3403 and CVE-2021-3404.

src:
    - ytnef-2.0-1.mga8

links:
      https://github.com/Yeraze/ytnef/releases

Nicolas Lécureuil 2022-08-11 10:09:41 CEST

Assignee: bugsquad => qa-bugs

Jani Välimaa 2022-08-11 18:26:27 CEST

Component: RPM Packages => Security
QA Contact: (none) => security

David Walser 2022-08-11 23:47:43 CEST

Summary: New ytnef version fixing CVE-2021-3403 and CVE-2021-3404 => ytnef new security issues CVE-2021-3403 and CVE-2021-3404

Comment 1 Herman Viaene 2022-08-22 15:45:46 CEST
Sorry, the following package cannot be selected:

- ytnef-2.0-1.mga8.x86_64 (due to unsatisfied lib64ytnef0[== 1:2.0])

CC: (none) => herman.viaene

Comment 2 Dave Hodgins 2022-08-22 19:18:10 CEST
Herman ...
http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates_testing/lib64ytnef0-2.0-1.mga8.x86_64.rpm
# urpmi --test ytnef
    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates_testing/ytnef-2.0-1.mga8.x86_64.rpm
installing ytnef-2.0-1.mga8.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ###############################################################################################################################################################################
Installation is possible
[root@x3 ~]# rpm -qa|grep ytnef
lib64ytnef0-2.0-1.mga8

# urpmq --whatrequires lib64ytnef0 |sort -u
evolution
geary
lib64ytnef0
lib64ytnef-devel
ytnef

Looks like I have it installed for evolution.

CC: (none) => davidwhodgins

Comment 3 Herman Viaene 2022-08-24 09:48:35 CEST
# urpmi --test ytnef
A requested package cannot be installed:
ytnef-2.0-1.mga8.x86_64 (due to unsatisfied lib64ytnef0[== 1:2.0])

Comment 4 Dave Hodgins 2022-08-24 20:18:55 CEST
Herman what do you have shown for "urpmq --list-media active"?

# urpmi --test ytnef
To satisfy dependencies, the following packages are going to be installed:
(test only, installation will not be actually done)
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  lib64ytnef0                    2.0          1.mga8        x86_64  
  ytnef                          2.0          1.mga8        x86_64  
171KB of additional disk space will be used.
62KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) 


    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates_testing/lib64ytnef0-2.0-1.mga8.x86_64.rpm
installing ytnef-2.0-1.mga8.x86_64.rpm lib64ytnef0-2.0-1.mga8.x86_64.rpm from /var/cache/urpmi/rpms                                                                                                              
Preparing...                     ###############################################################################################################################################################################
Installation is possible

Comment 5 Herman Viaene 2022-08-26 09:48:56 CEST
# urpmq --list-media active
QA Testing (64-bit)
Core Release (distrib1)
Core Updates (distrib3)
Nonfree Release (distrib11)
Nonfree Updates (distrib13)
Tainted Release (distrib21)
Tainted Updates (distrib23)

The first one is my QARepo folder.

Comment 6 David Walser 2022-08-26 16:32:48 CEST
Your QA Testing repo is missing lib64ytnef0.

Comment 7 Herman Viaene 2022-08-26 17:13:45 CEST
That I know, but this package isn't listed anywhere in the Description.

Comment 8 David Walser 2022-08-26 17:30:04 CEST
Indeed, no package list was posted.

x86_64:
lib64ytnef-devel-2.0-1.mga8
lib64ytnef0-2.0-1.mga8
ytnef-2.0-1.mga8

i586:
libytnef-devel-2.0-1.mga8
libytnef0-2.0-1.mga8
ytnef-2.0-1.mga8

from ytnef-2.0-1.mga8.src.rpm

Not sure why madb couldn't generate it either.

Source RPM: ytnef-2.0-1.mga8 => ytnef-1.9.3-2.mga8.src.rpm

Comment 9 Herman Viaene 2022-08-27 10:50:00 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Ref bug 20893 for testing, so installed evolution and used it to send to/receive from hotmail account.
$ strace evolution 2>&1 | grep ytnef
openat(AT_FDCWD, "/usr/lib64/evolution/libytnef.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libytnef.so.0", O_RDONLY|O_CLOEXEC) = 18
All worked OK.

Whiteboard: (none) => MGA8-64-OK

Comment 10 Thomas Andrews 2022-08-29 03:00:18 CEST
@David Walser: I have seen other times over the last couple of years or so when madb's rpm list either was blank or was incomplete.

Glad we got this one straightened out, anyway. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-09-01 19:57:06 CEST

Keywords: (none) => advisory

Comment 11 Mageia Robot 2022-09-02 22:00:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0316.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED