Bug 31059

Summary: glances new security issue CVE-2022-25844
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK MGA8-32-OK
Source RPM: glances-3.1.5-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-10-31 15:46:48 CET 
Fedora has issued an advisory on October 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/

Mageia 8 is also affected.
David Walser 2022-10-31 15:47:13 CET

Whiteboard: (none) => MGA8TOO
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 1 Lewis Smith 2022-10-31 18:38:44 CET 
Assigning this globally in the absence of an obvious packager.

Assignee: bugsquad => pkg-bugs

Comment 2 papoteur 2023-06-27 15:01:32 CEST 
The fix is done in 3.3.0
Cauldron is actually in 3.3.1. Thus this is OK.

Whiteboard: MGA8TOO => (none)
CC: (none) => yves.brungard_mageia
Source RPM: glances-3.1.6.2-3.mga9.src.rpm => glances-3.1.5-1.mga8.src.rpm
Version: Cauldron => 8

Comment 3 papoteur 2023-06-27 15:35:36 CEST 
New:
glances-3.3.1-1.mga8.noarch.rpm
Source:
glances-3.3.1-1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4 Thomas Andrews 2023-06-28 16:30:31 CEST 
No previous updates, so I installed glances plus dependencies. The man page shows a long list of possible options, but I decided to try the basic command "glances" with whatever the default configuration is. This appeared to work, filling the terminal window with monitoring information.

I closed the terminal, then used QArepo to get the updated package. That drew in two new dependencies:

The following 3 packages are going to be installed:

- glances-3.3.1-1.mga8.noarch
- python3-defusedxml-0.6.0-3.mga8.noarch
- python3-packaging-20.4-1.mga8.noarch

There were no installation issues. But when I opened a new terminal window and attempted to run the basic command again, I got this:

$ glances
Traceback (most recent call last):
  File "/usr/bin/glances", line 33, in <module>
    sys.exit(load_entry_point('Glances==3.3.1', 'console_scripts', 'glances')())
  File "/usr/bin/glances", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/lib64/python3.8/importlib/metadata.py", line 77, in load
    module = import_module(match.group('module'))
  File "/usr/lib64/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 843, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/usr/lib/python3.8/site-packages/glances/__init__.py", line 35, in <module>
    from glances.compat import PY3
  File "/usr/lib/python3.8/site-packages/glances/compat.py", line 24, in <module>
    from glances.logger import logger
  File "/usr/lib/python3.8/site-packages/glances/logger.py", line 20, in <module>
    from glances.globals import safe_makedirs
  File "/usr/lib/python3.8/site-packages/glances/globals.py", line 16, in <module>
    import ujson
ModuleNotFoundError: No module named 'ujson'

I have no familiarity with this program, so I don't know if this result was due to user error on my part, or if it's an issue with the program.

Please let me know.

CC: (none) => andrewsfarm

Comment 5 papoteur 2023-06-28 17:08:56 CEST 
OK,
There is a missing dependency:
python3-ujson
I will add it
Comment 6 papoteur 2023-06-28 17:39:02 CEST 
Submitted:
glances-3.3.1-1.1.mga8.noarch

Source:
glances-3.3.1-1.1.mga8
Comment 7 Thomas Andrews 2023-06-28 19:34:36 CEST 
Updated the install from comment 4, and it did bring in the new dependency, and glanes now works from the simple command.

So, I decided to try a new install(not an update) o mga8-32 install on the same hardware. This time the list of dependencies to install was longer, probably because someof them were already installed on the other one from previous testing:

The following 22 packages are going to be installed:

- glances-3.3.1-1.1.mga8.noarch
- multiarch-utils-1.0.14-3.mga8.noarch
- net-snmp-5.9-1.2.mga8.i586
- net-snmp-mibs-5.9-1.2.mga8.i586
- net-snmp-utils-5.9-1.2.mga8.i586
- perl-JSON-4.20.0-2.mga8.noarch
- perl-Mail-Sender-0.903.0-3.mga8.noarch
- perl-NetSNMP-5.9-1.2.mga8.i586
- python3-batinfo-0.4.2-3.mga8.noarch
- python3-bottle-0.12.20-1.mga8.noarch
- python3-defusedxml-0.6.0-3.mga8.noarch
- python3-future-0.18.3-1.mga8.noarch
- python3-packaging-20.4-1.mga8.noarch
- python3-ply-3.11-5.mga8.noarch
- python3-psutil-5.7.3-1.mga8.i586
- python3-pyasn1-0.4.8-2.mga8.noarch
- python3-pycryptodomex-3.9.8-1.mga8.i586
- python3-pyparsing-2.4.7-1.mga8.noarch
- python3-pysmi-0.3.3-3.mga8.noarch
- python3-pysnmp-4.4.8-3.mga8.noarch
- python3-sensors-0.0.2-1.hg0cf96f4e2cfe.9.mga8.noarch
- python3-ujson-5.6.0-1.mga8.i586

No installation issues, and afterward glances works as I believe it should.
Comment 8 Thomas Andrews 2023-06-28 19:35:54 CEST 
Validating.

Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2023-07-06 22:17:23 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-07-07 07:56:17 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0215.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED