Bug 6525

Summary: sos new security issue CVE-2012-2664
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: Bruno Cornec <bruno>
Status: RESOLVED INVALID QA Contact:
Severity: minor    
Priority: Low CC: doktor5000, oe, remco, tmb
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: sos-2.2-2.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-06-20 21:09:40 CEST 
RedHat has issued an advisory today (June 20):
https://rhn.redhat.com/errata/RHSA-2012-0958.html

Mageia 1 and Mageia 2 are also affected.
David Walser 2012-06-20 21:10:00 CEST

CC: (none) => doktor5000
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 Florian Hubold 2012-07-02 18:36:08 CEST 
They didn't do a new release, but added 60 patches :/
http://pkgs.fedoraproject.org/gitweb/?p=sos.git;a=commitdiff;h=13178ca5faa95adb05ac3c93a5c99ea0c7db6d4a#patch63

Assigning to current maintainer.

Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2012-09-09 12:44:05 CEST 
As the real security issue is linked to anaconda that Mageia doesn't use, I don't think we have anything forcing us to take these 60 patches in account atm. Once they release a new version, we'll update to it.

Does that sound ok ?

Priority: Normal => Low
Severity: normal => minor

Comment 3 David Walser 2012-09-09 13:59:49 CEST 
In theory, sure.  It's just weird that they didn't already do a new version.  Are they the upstream maintainers, or is there someone else?  Is it maintained at all?
David Walser 2012-10-10 00:47:57 CEST

CC: (none) => oe

Comment 4 Florian Hubold 2012-10-10 20:58:20 CEST 
Project moved a while ago from https://fedorahosted.org/sos/ to https://github.com/sosreport/sosreport FWIW ...
Comment 5 Remco Rijnders 2012-10-12 14:24:53 CEST 
See https://github.com/gkotton/sosreport/commit/a4a7942531a2034b2408422f10587190e2e9bdc1 for (what I believe to be) the fix to this problem

CC: (none) => remco

Comment 6 Remco Rijnders 2012-10-13 07:42:10 CEST 
So, seeing how Mageia does not ship anaconda, I think this does not apply to us.

@luigi: Are you ok with removing this as a security bug?

@bruno: I guess that only leaves to change the URL for the source in the package then to the new project home, right?

URL: http://lwn.net/Vulnerabilities/502714/ => (none)
Component: Security => RPM Packages
Whiteboard: MGA2TOO, MGA1TOO => (none)

Comment 7 David Walser 2012-10-13 15:53:38 CEST 
If this doesn't impact us, you can mark the bug as WONTFIX.
Comment 8 claire robinson 2012-10-13 18:45:59 CEST 
If we're not vulnerable, what about having a statement of such on the wiki update pages so it doesn't appear we have just not looked in to it. The MGASA ones.

CC: (none) => tmb

Comment 9 Remco Rijnders 2012-11-11 04:55:19 CET 
@MrsB: I don't think one can search our pages by CVE, and I don't think we should issue a MGASA when there is no advisory. Hopefully people searching for this CVE for Mageia will end up on this bugreport instead and see we are not affected by this.

Closing as INVALID for now as this issue does not affect Mageia.

Status: NEW => RESOLVED
Resolution: (none) => INVALID