Bug 30742

Summary:	squirrel new security issue CVE-2021-41556
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, jean-pierre, mageia, marja11, matteo.pasotti, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	squirrel-3.1-2.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2022-08-12 18:59:56 CEST

Fedora has issued an advisory on August 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/

We fixed the second issue listed in Bug 30430.  We should make sure this one doesn't also affect supertux.

David Walser 2022-08-12 19:00:14 CEST

Status comment: (none) => Patches available from upstream and Fedora

Comment 1 Marja Van Waes 2022-08-12 22:56:30 CEST

Assigning to the registered maintainer, but CC'ing neoclust (who fixed the previous CVE for this package) and all packagers collectively, because pasmatt is likely unavailable

CC: (none) => mageia, marja11, pkg-bugs
Assignee: bugsquad => matteo.pasotti

Comment 2 Jean-Pierre Aubin 2022-08-15 14:04:58 CEST

Seems good.

Squirrel version is 3-1-2 (Fedora 2-2-5). 

The only CVE for this version is CVE-2022-30292.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squirrel
https://github.com/sprushed/CVE-2022-30292

It's already fix by neoclust on Mga8 and Cauldron.

CC: (none) => jean-pierre

Comment 3 David Walser 2022-08-15 14:11:58 CEST

As I said, we already fixed CVE-2022-30292, but we missed this one.

Comment 4 Jean-Pierre Aubin 2022-08-15 16:57:29 CEST

My bad, 3.1.2 and 3.2.1 are too close for my eyes ;)

I will patch squirrel on Mga8 and control supertux.

Comment 5 Jean-Pierre Aubin 2022-08-16 17:31:49 CEST

Squirrel v3.2.1 is submit on Mga8 Update Testing : 
- update from 3.1.2 but no bound with another package
- native correction for CVE-2021-41556
- patch for CVE-2022-30292

supertux v0.6.2 is coming 
- same version which include squirrel's source code
- already patched for CVE-2022-30292
- new patch for CVE-2021-41556

Comment 6 David Walser 2022-08-16 22:56:05 CEST

What about building supertux against the system squirrel as we discussed, instead of using the bundled one?

Comment 7 Jean-Pierre Aubin 2022-08-17 06:26:15 CEST

Hi,

It's the editor choice "If you got this version of Supertux from a tarball (.tar), squirrel and tinygettext are already in the tarball."
https://github.com/SuperTux/supertux/blob/v0.6.3/INSTALL.md

Comment 8 David Walser 2022-08-17 14:25:19 CEST

Just because it's in the tarball doesn't mean we can't build against the system squirrel.

Comment 9 Jean-Pierre Aubin 2022-08-17 14:43:35 CEST

Off course not :)

The problem is the version of squirrel :
- squirrel version inside supertux : 3.1.1
- squirrel version for Mga8 : 3.1.2 (before patch) -> 3.2.1 (after patch)

So build supertux with the squirrel of Mga may have consequences.

Comment 10 David Walser 2022-08-17 17:21:36 CEST

I don't know much about squirrel, but hopefully being 3.x is enough.  Things don't always exactly match bundled versions, but as long as they're close it usually works.

Comment 11 David Walser 2023-03-28 16:51:55 CEST

openSUSE has issued an advisory for this on March 23:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5NX6SWKNR7LNUXJROLGLSVD3ZEB4LUQY/

Comment 12 David GEIGER 2023-03-29 13:26:54 CEST

So to clarify the situation right now:

On Cauldron:

- squirrel-3.2-3.mga9 -> fixes the two security issue CVE-2021-41556 and CVE-2022-30292

- supertux-0.6.3-4.mga9 -> unbundled squirrel to use system patched one

So for Cauldron all is fine and fixed!


For mga8 in Core/Updates_testing:

- squirrel-3.2-1.mga8 -> fixes also the two security issue CVE-2021-41556 and CVE-2022-30292

- supertux-0.6.2-4.2.mga8 -> fixes also the two security issue CVE-2021-41556 and CVE-2022-30292


I can if needed to unbundled squirrel also for mga8 but for this we have to update to latest 0.6.3 upstream release.

CC: (none) => geiger.david68210

Comment 13 David Walser 2023-03-29 14:52:05 CEST

Has squirrel/supertux been pushed to the build system for mga8?  I don't see it on pkgsubmit.

Comment 14 David GEIGER 2023-03-29 17:18:21 CEST

Yes some times ago:


:v supertux
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, x86_64)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, armv7hl)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, i586)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, aarch64)


:v squirrel
3.2-1.mga8 // core-updates_testing (Mga, 8, x86_64)
3.2-1.mga8 // core-updates_testing (Mga, 8, armv7hl)
3.2-1.mga8 // core-updates_testing (Mga, 8, i586)
3.2-1.mga8 // core-updates_testing (Mga, 8, aarch64)

Comment 15 David Walser 2023-03-30 01:20:34 CEST

libsquirrel-devel-3.2-1.mga8
libsquirrel0-3.2-1.mga8
squirrel-3.2-1.mga8
supertux-0.6.2-4.2.mga8
supertux-data-0.6.2-4.2.mga8

from SRPMS:
squirrel-3.2-1.mga8.src.rpm
supertux-0.6.2-4.2.mga8.src.rpm

CC: pkg-bugs => matteo.pasotti
Status comment: Patches available from upstream and Fedora => (none)
Assignee: matteo.pasotti => qa-bugs

Comment 16 Herman Viaene 2023-04-14 17:03:22 CEST

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Got the supertux penguin ot move, jump on whatever those snowballs are, collect coins for some time.
Seems to work OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 17 Thomas Andrews 2023-04-16 03:05:20 CEST

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-04-23 23:33:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 18 Mageia Robot 2023-04-24 02:21:48 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0150.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED