Bug 31740

Summary: zstd new security issue CVE-2022-4899
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: zstd-1.4.8-1.1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-03-30 23:12:18 CEST 
SUSE has issued an advisory on March 29:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014246.html

Mageia 8 is also affected.
David Walser 2023-03-30 23:12:37 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-03-30 23:37:08 CEST 
Fedora has issued an advisory for this today (March 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HPJ26L3GAUDVNKJFCJNA2GLTI6EUJXO/
Comment 2 David GEIGER 2023-03-31 08:17:36 CEST 
From fedora:

Update Information:

Update to zstd-1.5.4, fixes CVE-2022.4899.

So it is fixed for Cauldron.

CC: (none) => geiger.david68210

Comment 3 David GEIGER 2023-03-31 09:02:11 CEST 
Done for mga8 adding upstream patches!
Comment 4 David Walser 2023-03-31 14:38:29 CEST 
zstd-1.4.8-1.2.mga8
libzstd1-1.4.8-1.2.mga8
libzstd-devel-1.4.8-1.2.mga8

from zstd-1.4.8-1.2.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Source RPM: zstd-1.5.4-2.mga9.src.rpm => zstd-1.4.8-1.1.mga8.src.rpm
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8

Comment 5 Herman Viaene 2023-04-01 15:57:25 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed examples (more or less) from bug 25375 Comment 3
cd tmp
$ zstd --train ~/Pictures/*
Trying 5 different sets of parameters                                          
k=50                                                                           
d=8
f=20
steps=4
split=75
accel=1
Save dictionary of size 10149 into file dictionary 
File is there of indicated size, but not human readable, so accepting as it is.
Created test directory under tmp and went on after copying all files from ~/Pictures/.
$ cd  zstdtest/   
$ zstd -z *
40 files compressed : 39.77%  (404504369 => 160862163 bytes)  
Copied compressed files to new folder zstddecomp 
$ cd ../zstddecomp/
$ zstd -d *.zst
zstd: test.tiff.xz already exists; overwrite (y/n) ? y                         
zstd: yann2 already exists; overwrite (y/n) ? y                                
37 files decompressed : 358153709 bytes total
There were files which were remnants from other tests (tar e.a.) and zstd excluded those, fair enough.
All decompressed files look OK.
Good to go.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2023-04-02 22:08:39 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-06 20:58:42 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-04-06 23:21:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0128.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED