Bug 31883

Summary: dmidecode new security issue CVE-2023-30630
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: dmidecode-3.3-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-05-06 23:12:01 CEST 
SUSE has issued an advisory on April 21:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014548.html

The issue is fixed upstream in 3.5.

The fix apparently exposed another bug which was fixed later:
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html

Mageia 8 is also affected.
David Walser 2023-05-06 23:12:12 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.5

Comment 1 David GEIGER 2023-05-07 17:23:22 CEST 
Done for both mga8 and cauldron!

freeze_move asked for cauldron.

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-05-07 19:38:31 CEST 
dmidecode-3.5-1.mga8

from dmidecode-3.5-1.mga8.src.rpm


Freeze move pending for Cauldron.

Source RPM: dmidecode-3.4-1.mga9.src.rpm => dmidecode-3.3-1.mga8.src.rpm
Status comment: Fixed upstream in 3.5 => (none)

Comment 3 Lewis Smith 2023-05-07 21:09:27 CEST 
Another security update you have already done, DavidG! Better to assign the bug to you.

CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210

Comment 4 David GEIGER 2023-05-12 06:35:37 CEST 
Assigning to QA

Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

David Walser 2023-05-14 01:42:42 CEST

CC: (none) => geiger.david68210

Comment 5 Herman Viaene 2023-05-16 11:27:39 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Following rather blindly the commands from bug 18371
# dmidecode >dmidecode.old
[root@mach7 Documents]# dmidecode >dmidecode.new
[root@mach7 Documents]# diff -u  dmidecode.old dmidecode.new
--- dmidecode.old	2023-05-16 11:04:34.848335847 +0200
+++ dmidecode.new	2023-05-16 11:05:55.257950578 +0200
@@ -1,4 +1,4 @@
-# dmidecode 3.3
+# dmidecode 3.5
 Getting SMBIOS data from sysfs.
 SMBIOS 2.7 present.
 51 structures occupying 2220 bytes.
@@ -381,13 +381,6 @@
 	Bank Locator: BANK0
 	Type: Unknown
 	Type Detail: None
-	Speed: Unknown
-	Manufacturer: Not Specified
-	Serial Number: Not Specified
-	Asset Tag: Unknown
-	Part Number: Not Specified
-	Rank: 8
-	Configured Memory Speed: Unknown
 
 Handle 0x0026, DMI type 6, 12 bytes
 Memory Module Information

I haven't a clus why the output from the current and this new version are different, othet than the version of the command itself.
The new version has some less lines on the memory module than the old version. Is that significant, I have no idea.

CC: (none) => herman.viaene

Comment 6 David Walser 2023-05-16 16:46:34 CEST 
It looks like it's just being less verbose where it isn't able to provide useful information.
Herman Viaene 2023-05-17 10:06:24 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2023-05-17 13:55:46 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 03:16:57 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-05-21 10:44:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0180.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED