Bug 31486

Summary: apr-util new security issue CVE-2022-25147
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: apr-util-1.6.1-4.mga8.src.rpm CVE: CVE-2022-25147
Status comment:

Description David Walser 2023-02-01 16:19:29 CET 
Apache has announced a security issue fixed upstream in apr-util on January 31:
https://www.openwall.com/lists/oss-security/2023/01/31/4

The issue is fixed upstream in 1.6.2.

Mageia 8 is also affected.
David Walser 2023-02-01 16:19:41 CET

Status comment: (none) => Fixed upstream in 1.6.2
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-02-04 22:35:15 CET 
Assigning to all packagers collectively, because there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2023-02-06 13:47:09 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. (CVE-2022-25147)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25147
https://www.openwall.com/lists/oss-security/2023/01/31/4
========================

Updated packages in core/updates_testing:
========================
apr-util-dbd-ldap-1.6.3-1.mga8
apr-util-dbd-mysql-1.6.3-1.mga8
apr-util-dbd-odbc-1.6.3-1.mga8
apr-util-dbd-pgsql-1.6.3-1.mga8
apr-util-dbd-sqlite3-1.6.3-1.mga8
apr-util-dbm-db-1.6.3-1.mga8
apr-util-nss-1.6.3-1.mga8
apr-util-openssl-1.6.3-1.mga8
lib(64)apr-util1_0-1.6.3-1.mga8
lib(64)apr-util-devel-1.6.3-1.mga8

from SRPM:
apr-util-1.6.3-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 1.6.2 => (none)
Source RPM: apr-util-1.6.1-8.mga9.src.rpm => apr-util-1.6.1-4.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-25147
Version: Cauldron => 8

Comment 3 Herman Viaene 2023-02-09 17:14:36 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 22054 Comment 5
# systemctl stop httpd
# strace -o /home/tester8/Documents/aprutil.txt httpd
# systemctl stop httpd
Trace file shows call to the lib as in refered bug.
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-02-09 18:42:04 CET 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2023-02-13 17:56:15 CET 
openSUSE has issued an advisory for this today (February 13):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGPECRBP6DD7JUZRKAPXR2B37ATR4POJ/
Dave Hodgins 2023-02-14 21:04:33 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2023-02-14 23:45:01 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0045.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED