Bug 30919

Summary: bash new security issue rhbz#2122331 (CVE-2022-3715)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: bash-5.1-4.1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-09-30 20:56:26 CEST 
Fedora has issued an advisory today (September 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/74PP54LG2K7UGPIE2CEEQU7MJD4HBMS7/

I'm guessing bash 5.2 isn't affected (Cauldron) but that should be checked.
David Walser 2022-09-30 20:56:34 CEST

Status comment: (none) => Patch available from Fedora

Comment 1 Lewis Smith 2022-10-01 20:43:07 CEST 
Stig has done several version updates to bash, so assigning this to you.

Assignee: bugsquad => smelror

Comment 2 Dave Hodgins 2022-10-01 23:11:42 CEST 
https://bugzilla.redhat.com/show_bug.cgi?id=2122331 is restricted. Any idea how
to test this change?

Also, as bash is in the initrd shouldn't any bash update trigger "dracut -f" and
suggest a reboot?

CC: (none) => davidwhodgins

Comment 3 David Walser 2022-10-02 00:09:46 CEST 
Not if it doesn't already do that.  Going to guess the issue isn't exploitable in any meaningful way in the initrd.

Maybe look at the patch we/Fedora added and see if it has any info about the vulnerability.
Comment 4 Dave Hodgins 2022-10-02 00:35:25 CEST 
The patch (bash-5.2-check-xform.patch) doesn't help to understand how it's
triggered. At least not for me.

Once this is assigned to qa, I'll validated it based on no regressions.
Comment 5 Stig-Ørjan Smelror 2022-10-03 07:24:58 CEST 
Advisory
========

Bash has been updated to version 5.1.16 and a patch from Fedora to fix a security issue.


References
==========
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/74PP54LG2K7UGPIE2CEEQU7MJD4HBMS7/


Files
=====

Uploaded to core/updates_testing

bash-5.1-16.1.mga8
bash-doc-5.1-16.1.mga8

from bash-5.1-16.1.mga8.src.rpm

Assignee: smelror => qa-bugs

Dave Hodgins 2022-10-05 01:33:51 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-10-05 01:37:41 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-10-05 07:25:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0358.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2023-01-23 17:07:58 CET 
RedHat has issued an advisory for this today (January 23):
https://access.redhat.com/errata/RHSA-2023:0340

It is CVE-2022-3715 and was fixed upstream in 5.1.8.

Summary: bash new security issue rhbz#2122331 => bash new security issue rhbz#2122331 (CVE-2022-3715)
Status comment: Patch available from Fedora => (none)