Bug 30758

Summary: schroot new security issue CVE-2022-2787
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: schroot-1.7.2-18.mga8.src.rpm CVE: CVE-2022-2787
Status comment:

Description David Walser 2022-08-19 17:30:30 CEST 
Debian has issued an advisory on August 18:
https://www.debian.org/security/2022/dsa-5213

Mageia 8 is also affected.
David Walser 2022-08-19 17:30:37 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-08-24 11:17:26 CEST 
Various people update this SRPM, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-08-29 13:24:58 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session. (CVE-2022-2787)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2787
https://www.debian.org/security/2022/dsa-5213
========================

Updated packages in core/updates_testing:
========================
dchroot-1.7.2-18.1.mga8
lib(64)sbuild1.7.2-1.7.2-18.1.mga8
lib(64)sbuild-devel-1.7.2-18.1.mga8
schroot-1.7.2-18.1.mga8

from SRPM:
schroot-1.7.2-18.1.mga8.src.rpm

Version: Cauldron => 8
CVE: (none) => CVE-2022-2787
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: schroot-1.7.2-23.mga9.src.rpm => schroot-1.7.2-18.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

Comment 3 Thomas Andrews 2022-09-13 03:50:51 CEST 
Installed schroot and dependencies, then updated using qarepo. No installation issues.

This is completely unknown territory for me, but fortunately there are those who have been here before and blazed a trail to follow. For testing, I used copy-and-paste to apply the procedure outlined in https://bugs.mageia.org/show_bug.cgi?id=10166#c6 (Thank you, Claire!)

The test was successful, so I'm giving this an OK, and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-09-16 19:54:17 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-09-16 21:41:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0329.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED