Bug 23370 - yum-utils new security issue CVE-2018-10897
Summary: yum-utils new security issue CVE-2018-10897
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2018-07-30 16:29 CEST by David Walser
Modified: 2018-08-14 09:39 CEST
CC List: 4 users

See Also:
Source RPM: yum-utils-1.1.31-5.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-07-30 16:29:59 CEST
RedHat has issued an advisory today (July 30):
https://access.redhat.com/errata/RHSA-2018:2285

The RedHat bug has links to the commits that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1600221

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-30 16:30:24 CEST

CC: (none) => ngompa13
Whiteboard: (none) => MGA6TOO

Comment 1 Bruno Cornec 2018-07-30 17:46:39 CEST
Mageia Cauldron updated with the proposed patch into rev 1.1.31-6
rebuild in progress.

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2018-07-30 17:52:25 CEST
Update also submitted for mga6 (1.1.31-5.1)
Comment 3 David Walser 2018-07-30 19:08:33 CEST
Advisory:
========================

Updated yum-utils packages fix security vulnerability:

A directory traversal issue was found in reposync, a part of yum-utils, where
reposync fails to sanitize paths in remote repository configuration files. If an
attacker controls a repository, they may be able to copy files outside of the
destination directory on the targeted system via path traversal. If reposync is
running with heightened privileges on a targeted system, this flaw could
potentially result in system compromise via the overwriting of critical system
files (CVE-2018-10897).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10897
https://access.redhat.com/errata/RHSA-2018:2285
========================

Updated packages in core/updates_testing:
========================
yum-utils-1.1.31-5.1.mga6
yum-updateonboot-1.1.31-5.1.mga6
yum-plugin-changelog-1.1.31-5.1.mga6
yum-plugin-fastestmirror-1.1.31-5.1.mga6
yum-plugin-protectbase-1.1.31-5.1.mga6
yum-plugin-versionlock-1.1.31-5.1.mga6
yum-plugin-tsflags-1.1.31-5.1.mga6
yum-plugin-priorities-1.1.31-5.1.mga6
yum-plugin-refresh-updatesd-1.1.31-5.1.mga6
yum-plugin-merge-conf-1.1.31-5.1.mga6
yum-plugin-upgrade-helper-1.1.31-5.1.mga6
yum-plugin-aliases-1.1.31-5.1.mga6
yum-plugin-list-data-1.1.31-5.1.mga6
yum-plugin-filter-data-1.1.31-5.1.mga6
yum-plugin-tmprepo-1.1.31-5.1.mga6
yum-plugin-verify-1.1.31-5.1.mga6
yum-plugin-keys-1.1.31-5.1.mga6
yum-plugin-remove-with-leaves-1.1.31-5.1.mga6
yum-plugin-post-transaction-actions-1.1.31-5.1.mga6
yum-NetworkManager-dispatcher-1.1.31-5.1.mga6
yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6
yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6
yum-plugin-show-leaves-1.1.31-5.1.mga6
yum-plugin-local-1.1.31-5.1.mga6
yum-plugin-fs-snapshot-1.1.31-5.1.mga6
yum-plugin-ps-1.1.31-5.1.mga6
yum-plugin-puppetverify-1.1.31-5.1.mga6
yum-plugin-copr-1.1.31-5.1.mga6
yum-plugin-ovl-1.1.31-5.1.mga6

from yum-utils-1.1.31-5.1.mga6.src.rpm

Assignee: bruno => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => bruno
Version: Cauldron => 6
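The advisory above describes the missing check: a repository's metadata names where each package should be written, and reposync joined that name onto the destination directory without confirming it stayed inside it. The following Python is an added illustration of a confinement check for such metadata; it is not the upstream yum-utils fix, not the Mageia patch, and not taken from this bug. The primary.xml fragment, the directory name /tmp/reposync-dest and the function names are constructed for the example, and it assumes the href is later used as a literal filesystem path (no URL decoding).

```python
import os
import posixpath
import xml.etree.ElementTree as ET

# Namespace used by the rpm-md primary.xml "common" schema that reposync reads.
RPM_MD_COMMON_NS = "http://linux.duke.edu/metadata/common"

# Constructed primary.xml fragment standing in for metadata served by a
# repository the client does not control. The two "evil-*" entries carry
# location hrefs that would escape the download directory if used verbatim.
SAMPLE_PRIMARY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="3">
  <package type="rpm">
    <name>good-pkg</name>
    <location href="Packages/g/good-pkg-1.0-1.noarch.rpm"/>
  </package>
  <package type="rpm">
    <name>evil-traversal</name>
    <location href="Packages/../../../etc/example-overwritten-file"/>
  </package>
  <package type="rpm">
    <name>evil-absolute</name>
    <location href="/etc/example-overwritten-file"/>
  </package>
</metadata>
"""


def is_safe_relative_path(href):
    """Accept only a plain relative path that cannot climb out of the directory
    it will be joined to. Assumes the href is used as a literal filesystem
    path (no URL decoding), so only literal separators and '..' matter."""
    if not href or "\0" in href or "\\" in href:
        return False
    if href.startswith("/") or "://" in href:      # absolute path or a URL
        return False
    parts = posixpath.normpath(href).split("/")
    if ".." in parts or parts == ["."]:             # climbs out, or names no file
        return False
    return True


def resolve_within(dest_dir, href):
    """Join href onto dest_dir and return the resolved absolute target path,
    or None if the result would land outside dest_dir. realpath() is applied
    to both sides so a symlinked intermediate directory cannot redirect it."""
    if not is_safe_relative_path(href):
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, href))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def triage_primary_xml(xml_text, dest_dir):
    """Map each <location href> in primary.xml to its confined download path,
    or to None when the entry must be refused. A downloader would skip (and
    log) every None entry instead of writing it."""
    root = ET.fromstring(xml_text)
    results = {}
    for loc in root.iter("{%s}location" % RPM_MD_COMMON_NS):
        href = loc.get("href", "")
        results[href] = resolve_within(dest_dir, href)
    return results


if __name__ == "__main__":
    for href, target in triage_primary_xml(SAMPLE_PRIMARY_XML, "/tmp/reposync-dest").items():
        print("REFUSED" if target is None else "OK     ", href, "->", target)
```

The two-stage shape is deliberate: the syntactic check refuses anything that is not a plain relative path, and the realpath/commonpath comparison catches what a string check cannot see, such as an intermediate directory under the destination that is a symlink elsewhere.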

Comment 4 Herman Viaene 2018-08-01 16:32:09 CEST
MGA6-32 MATE on IBM Thinkpad R50e
Installation draws in a lot of other stuff and that results in error:
2 installation-transactions failed

Er is een fout opgetreden tijdens de installatie:

file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch

createrepo is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch

yum >= 3.2.22 is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch

yum >= 3.0 is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch

yum-updatesd is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch

yum >= 3.0 is needed by yum-plugin-protectbase-1.1.31-5.1.mga6.noarch

yum >= 3.2.22 is needed by yum-plugin-fs-snapshot-1.1.31-5.1.mga6.noarch

yum >= 3.2.17 is needed by yum-NetworkManager-dispatcher-1.1.31-5.1.mga6.noarch

yum >= 3.0.5 is needed by yum-plugin-list-data-1.1.31-5.1.mga6.noarch

yum >= 3.2.27 is needed by yum-plugin-ps-1.1.31-5.1.mga6.noarch

yum >= 3.2.19 is needed by yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6.noarch

yum >= 3.2.19 is needed by yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6.noarch

yum >= 3.2.23 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

yum-utils-translations = 1.1.31-5.1.mga6 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

Does this mean the updates cannot run on an installation which did not have yum before?
How would this affect a user who would try to install yum when those packages would be included in the normal repos?

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-08-01 17:18:28 CEST
@Herman, re comment 4:
Don't know how to answer your specific queries but I tried this installation on x86_64.

I took the precaution of installing yum first then the packages named in the update list.  There was a single conflict - lost the reference - but the rest succeeded.

Enabled updates testing and ran MageiaUpdate.  All the packages installed cleanly.
That is as far as I have got.  Busy just now.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2018-08-01 17:26:55 CEST
re comment 5:
I take your point about yum not being pulled in by yum-utils.  Looks like it is a missing dependency.  Feedback?
Len Lawrence 2018-08-03 08:33:25 CEST

Keywords: (none) => feedback

Comment 7 Bruno Cornec 2018-08-14 09:39:05 CEST
Yes, I'll fix that ASAP.
