RPM 4.13.0.2 has been released today (October 26), fixing two security issues:
http://rpm.org/wiki/Releases/4.13.0.2

Thierry has already uploaded an updated package for Mageia 6.

Advisory:
========================

Updated rpm packages fix security vulnerabilities:

It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege (CVE-2017-7500).

It was found that rpm uses temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (CVE-2017-7501).

The rpm package has been updated to version 4.13.0.2, fixing these issues and other bugs. See the release announcement for details.

References:
http://rpm.org/wiki/Releases/4.13.0.2
https://bugzilla.redhat.com/show_bug.cgi?id=1450369
https://bugzilla.redhat.com/show_bug.cgi?id=1452133
========================

Updated packages in core/updates_testing:
========================
rpm-4.13.0.2-3.1.mga6
librpm7-4.13.0.2-3.1.mga6
librpmbuild7-4.13.0.2-3.1.mga6
librpm-devel-4.13.0.2-3.1.mga6
librpmsign7-4.13.0.2-3.1.mga6
rpm-build-4.13.0.2-3.1.mga6
rpm-sign-4.13.0.2-3.1.mga6
python2-rpm-4.13.0.2-3.1.mga6
python3-rpm-4.13.0.2-3.1.mga6
rpm-apidocs-4.13.0.2-3.1.mga6

from rpm-4.13.0.2-3.1.mga6.src.rpm
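The bug class behind CVE-2017-7501 (a predictable file name opened in a directory someone else can write to), shown as an added example next to a hardened open; this is a generic illustration, not rpm's code or its actual fix. The scratch directory and the names `victim` and `pkgfile.tmp` are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: a fixed name opened without O_EXCL follows whatever is already there,
 * including a symlink. Hardened: O_EXCL fails with EEXIST on any existing
 * entry and O_NOFOLLOW refuses a symlink in the final path component. */
static int open_tmp(int dirfd, const char *name, int hardened) {
    int flags = O_WRONLY | O_CREAT;
    flags |= hardened ? (O_EXCL | O_NOFOLLOW) : O_TRUNC;
    return openat(dirfd, name, flags, 0600);
}

/* Constructed scenario in a private scratch directory: "victim" stands in for
 * a file the installer must never touch, and "pkgfile.tmp" is a symlink that
 * already sits at the predictable name. Returns victim's size after the
 * write attempt, or -1 if the setup failed. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int v = openat(dfd, "victim", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "important", 9) != 9) return -1;
    close(v);
    if (symlinkat("victim", dfd, "pkgfile.tmp") != 0) return -1;

    int fd = open_tmp(dfd, "pkgfile.tmp", hardened);
    if (fd >= 0) {                 /* only the weak variant gets a descriptor */
        if (write(fd, "x", 1) != 1) perror("write");
        close(fd);
    }

    struct stat st;
    long size = fstatat(dfd, "victim", &st, 0) == 0 ? (long)st.st_size : -1;
    unlinkat(dfd, "pkgfile.tmp", 0);
    unlinkat(dfd, "victim", 0);
    close(dfd);
    rmdir(dir);
    return size;
}

int main(void) {
    printf("weak: victim is %ld bytes, hardened: victim is %ld bytes\n",
           victim_size_after(0), victim_size_after(1));
    return 0;
}
```

With the weak flags the 9-byte file is truncated and overwritten through the link; with the hardened flags the open fails and the file is left intact.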
Mageia 6 :: x86_64

Installed any missing packages before the update then ran the update. No problems.
Shall leave this for a few hours or a day to see that it works via urpmi.

Tried a local installation, which I expected would fail, and it did.

$ sudo rpm -i glmark2*.rpm
error: Failed dependencies:
	libGLESv2.so.2 is needed by glmark2-2012.12-2.fc20.i686
	libjpeg.so.62 is needed by glmark2-2012.12-2.fc20.i686
	libjpeg.so.62(LIBJPEG_6.2) is needed by glmark2-2012.12-2.fc20.i686
	libpng12.so.0 is needed by glmark2-2012.12-2.fc20.i686
	libpng12.so.0(PNG12_0) is needed by glmark2-2012.12-2.fc20.i686

Interrogated local packages.

$ rpm -qilp w_scan-0-0.20120605.5.mga5.x86_64.rpm
Name        : w_scan
Version     : 0
Release     : 0.20120605.5.mga5
Architecture: x86_64
Install Date: (not installed)
Group       : Video/Television
Size        : 291215
License     : GPLv2+
Signature   : RSA/SHA1, Sat 18 Oct 2014 02:05:52 BST, Key ID b742fa8b80420f66
Source RPM  : w_scan-0-0.20120605.5.mga5.src.rpm
Build Date  : Sat 18 Oct 2014 01:47:19 BST
Build Host  : valstar.mageia.org
Relocations : (not relocatable)
Packager    : umeabot <umeabot>
Vendor      : Mageia.Org
URL         : http://edafe.org/vdr/w_scan/
Summary     : Channel scan tool for DVB-T and DVB-C
Description :
w_scan is an application that greatly simplifies the task of scanning
for DVB-T, DVB-C and ATSC channel information. Winfried Köhler’s w_scan
is special because it does not require any region-specific initial
transponder data for operation. It will create configuration files for
VDR, Kaffeine and Xine.
/usr/bin/w_scan
/usr/share/doc/w_scan
/usr/share/doc/w_scan/README
/usr/share/man/man1/w_scan.1.xz

$ rpm -qpl tkimg-1.4-2.1.mga4.x86_64.rpm
/usr/lib64/libjpegtcl8.2.so
/usr/lib64/libpngtcl1.4.3.so
/usr/lib64/libtifftcl3.9.4.so
/usr/lib64/libzlibtcl1.2.5.so
/usr/lib64/tcl8.5/Img1.4
/usr/lib64/tcl8.5/Img1.4/libjpegtcl8.2.so
/usr/lib64/tcl8.5/Img1.4/libpngtcl1.4.3.so
..........
/usr/share/man/mann/img-window.n.xz
/usr/share/man/mann/img-xbm.n.xz
/usr/share/man/mann/img-xpm.n.xz
/usr/share/man/mann/img.n.xz

That all looks OK.
CC: (none) => tarazed25
Further to comment 1:

$ sudo urpmi celestia
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  celestia                       1.6.1        18.mga6       x86_64
  lib64gtkglext-1.0_0            1.2.0        21.mga6       x86_64
  lib64pangox1.0_0               0.0.2        6.mga6        x86_64
66MB of additional disk space will be used.
32MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n)

    $MIRRORLIST: media/core/release/lib64gtkglext-1.0_0-1.2.0-21.mga6.x86_64.rpm
    $MIRRORLIST: media/core/release/lib64pangox1.0_0-0.0.2-6.mga6.x86_64.rpm
    $MIRRORLIST: media/core/release/celestia-1.6.1-18.mga6.x86_64.rpm
installing celestia-1.6.1-18.mga6.x86_64.rpm lib64pangox1.0_0-0.0.2-6.mga6.x86_64.rpm lib64gtkglext-1.0_0-1.2.0-21.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/3: lib64pangox1.0_0      #############################################
      2/3: lib64gtkglext-1.0_0   #############################################
      3/3: celestia              #############################################

Good enough.
Whiteboard: (none) => MGA6-64-OK
Mageia 6 for i586 in virtualbox

Installed all of the packages listed in the Description.
Downloaded a celestia RPM from a mirror using wget.

$ sudo rpm -i cherrytree-0.37.5-1.mga6.noarch.rpm
error: Failed dependencies:
	python-gtksourceview is needed by cherrytree-0.37.5-1.mga6.noarch
$ sudo urpmi python-gtksourceview
$ sudo rpm -i cherrytree-0.37.5-1.mga6.noarch.rpm

$ rpm -qilp cherrytree-0.37.5-1.mga6.noarch.rpm
Name        : cherrytree
Version     : 0.37.5
Release     : 1.mga6
Architecture: noarch
Install Date: (not installed)
Group       : Office/Utilities
Size        : 3635891
License     : GPLv3+
...........................................

$ rpm -qlp cherrytree-0.37.5-1.mga6.noarch.rpm
/usr/bin/cherrytree
/usr/share/appdata/cherrytree.appdata.xml
/usr/share/applications/cherrytree.desktop
/usr/share/cherrytree
/usr/share/cherrytree/glade
/usr/share/cherrytree/glade/add.png
...............................

$ sudo rpm -e cherrytree
$ sudo rpm -e python-gtksourceview
$ sudo urpmi cherrytree
Use of uninitialized value in null operation at /usr/lib/perl5/vendor_perl/5.22.2/i386-linux-thread-multi/URPM/Resolve.pm line 1847.
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  cherrytree                     0.37.5       1.mga6        noarch
  python-gtksourceview           2.10.1       13.mga6       i586
3MB of additional disk space will be used.
908KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)
.......................
      1/2: python-gtksourceview  #############################################
      2/2: cherrytree            #############################################

$ urpmq -f cherrytree
cherrytree-0.37.5-1.mga6.noarch
$ urpmf -i /usr/bin/cherrytree
    $MIRRORLIST: media/core/release/media_info/20170714-192023-files.xml.lzma
cherrytree:/usr/bin/cherrytree
..........................
    $MIRRORLIST: media/core/updates/media_info/20171027-065238-files.xml.lzma

This is OK for 32 bits.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0394.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED