Red Hat has issued an advisory today (July 30): https://access.redhat.com/errata/RHSA-2018:2285 The Red Hat bug has links to the commits that fixed the issue: https://bugzilla.redhat.com/show_bug.cgi?id=1600221 Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
CC: (none) => ngompa13
Mageia Cauldron updated with the proposed patch into rev 1.1.31-6; rebuild in progress.
Status: NEW => ASSIGNED
Update also submitted for mga6 (1.1.31-5.1)
Advisory:
========================

Updated yum-utils packages fix security vulnerability:

A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files (CVE-2018-10897).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10897
https://access.redhat.com/errata/RHSA-2018:2285
========================

Updated packages in core/updates_testing:
========================
yum-utils-1.1.31-5.1.mga6
yum-updateonboot-1.1.31-5.1.mga6
yum-plugin-changelog-1.1.31-5.1.mga6
yum-plugin-fastestmirror-1.1.31-5.1.mga6
yum-plugin-protectbase-1.1.31-5.1.mga6
yum-plugin-versionlock-1.1.31-5.1.mga6
yum-plugin-tsflags-1.1.31-5.1.mga6
yum-plugin-priorities-1.1.31-5.1.mga6
yum-plugin-refresh-updatesd-1.1.31-5.1.mga6
yum-plugin-merge-conf-1.1.31-5.1.mga6
yum-plugin-upgrade-helper-1.1.31-5.1.mga6
yum-plugin-aliases-1.1.31-5.1.mga6
yum-plugin-list-data-1.1.31-5.1.mga6
yum-plugin-filter-data-1.1.31-5.1.mga6
yum-plugin-tmprepo-1.1.31-5.1.mga6
yum-plugin-verify-1.1.31-5.1.mga6
yum-plugin-keys-1.1.31-5.1.mga6
yum-plugin-remove-with-leaves-1.1.31-5.1.mga6
yum-plugin-post-transaction-actions-1.1.31-5.1.mga6
yum-NetworkManager-dispatcher-1.1.31-5.1.mga6
yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6
yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6
yum-plugin-show-leaves-1.1.31-5.1.mga6
yum-plugin-local-1.1.31-5.1.mga6
yum-plugin-fs-snapshot-1.1.31-5.1.mga6
yum-plugin-ps-1.1.31-5.1.mga6
yum-plugin-puppetverify-1.1.31-5.1.mga6
yum-plugin-copr-1.1.31-5.1.mga6
yum-plugin-ovl-1.1.31-5.1.mga6

from yum-utils-1.1.31-5.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => bruno
Assignee: bruno => qa-bugs
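As an added illustration of the flaw the advisory above describes (an editor's example, not code from yum-utils, from the Mageia packages, or from the fix commits linked in comment 1): a repository's metadata names each package by a repo-relative path, and a sync tool that joins that path onto the destination directory without checking where the result lands can be made to write anywhere the process may write. The destination directory and the sample package locations are constructed for the example; the containment check is the generic pattern, not a transcription of the upstream patch.

```python
import os
import posixpath

# Hypothetical mirror destination, as reposync's -p/--download_path would set it.
DEST_DIR = "/srv/mirror/mga6"

# Constructed sample: package locations as a repository's primary metadata
# would list them. A mirror an attacker controls can serve any string here.
SAMPLE_LOCATIONS = [
    "Packages/b/bash-4.3-48.3.mga6.x86_64.rpm",   # ordinary entry
    "Packages/v/vlc-3.0.2-0.1.mga6.x86_64.rpm",   # ordinary entry
    "../../../../etc/ld.so.preload",              # traversal out of DEST_DIR
    "/etc/cron.d/evil",                           # absolute path
    "Packages/../Packages/ok.rpm",                # '..' but stays inside
]


def naive_local_path(dest_dir, location):
    """The vulnerable pattern: trust the metadata path and join it verbatim.

    os.path.join drops dest_dir entirely when `location` is absolute, and
    '..' segments are preserved, so the file can land anywhere on disk.
    """
    return os.path.join(dest_dir, location)


def safe_local_path(dest_dir, location):
    """Hardened form: resolve the candidate and require it to stay inside
    dest_dir. Returns the resolved path, or None if the entry escapes."""
    base = os.path.realpath(dest_dir)
    # Metadata hrefs are repo-relative; an absolute one is never legitimate.
    if posixpath.isabs(location) or os.path.isabs(location):
        return None
    candidate = os.path.realpath(os.path.join(base, location))
    # commonpath is the correct containment test; a plain startswith() would
    # wrongly accept "/srv/mirror/mga6-evil" as being inside "/srv/mirror/mga6".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def plan_sync(dest_dir, locations):
    """Split metadata entries into the ones we will write and the ones we refuse."""
    accepted, rejected = [], []
    for loc in locations:
        target = safe_local_path(dest_dir, loc)
        (accepted if target is not None else rejected).append(loc)
    return accepted, rejected


if __name__ == "__main__":
    for loc in SAMPLE_LOCATIONS:
        print("%-40s naive -> %s" % (loc, naive_local_path(DEST_DIR, loc)))
        print("%-40s safe  -> %s" % ("", safe_local_path(DEST_DIR, loc)))
    ok, bad = plan_sync(DEST_DIR, SAMPLE_LOCATIONS)
    print("would sync: %d, refused: %d" % (len(ok), len(bad)))
```

The check has to sit at the point where a path taken from the metadata becomes a local file name, after symlinks are resolved, which is why realpath is applied before the comparison; rejecting '..' textually is not enough, since a symlink inside the destination can point outside it too. The same discipline applies to any tool that writes files named by remote data, urpmi's hdlist handling included.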
MGA6-32 MATE on IBM Thinkpad R50e

Installation draws in a lot of other stuff and that results in error:

2 installation-transactions failed
An error occurred during the installation:
file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch
createrepo is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch
yum >= 3.2.22 is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch
yum >= 3.0 is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch
yum-updatesd is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch
yum >= 3.0 is needed by yum-plugin-protectbase-1.1.31-5.1.mga6.noarch
yum >= 3.2.22 is needed by yum-plugin-fs-snapshot-1.1.31-5.1.mga6.noarch
yum >= 3.2.17 is needed by yum-NetworkManager-dispatcher-1.1.31-5.1.mga6.noarch
yum >= 3.0.5 is needed by yum-plugin-list-data-1.1.31-5.1.mga6.noarch
yum >= 3.2.27 is needed by yum-plugin-ps-1.1.31-5.1.mga6.noarch
yum >= 3.2.19 is needed by yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6.noarch
yum >= 3.2.19 is needed by yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6.noarch
yum >= 3.2.23 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch
yum-utils-translations = 1.1.31-5.1.mga6 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

Does this mean the updates cannot run on an installation which did not have yum before?
How would this affect a user who would try to install yum when those packages would be included in the normal repos?
CC: (none) => herman.viaene
@Herman, re comment 4: Don't know how to answer your specific queries but I tried this installation on x86_64. I took the precaution of installing yum first, then the packages named in the update list. There was a single conflict (lost the reference) but the rest succeeded. Enabled updates testing and ran MageiaUpdate. All the packages installed cleanly. That is as far as I have got. Busy just now.
CC: (none) => tarazed25
Re comment 5: I take your point about yum not being pulled in by yum-utils. Looks like it is a missing dependency. Feedback?
Keywords: (none) => feedback
Yes I'll fix that ASAP
Mageia 6.1 new installation, x86_64

Before updating created a manifest from the listed packages and installed against that to create a 1.1.31.5 yum system. This pulled in yum automatically so if we follow the correct procedure for QA testing, updating from a preinstalled system, then there is no problem. Since there is no explicit procedure posted for reproducing CVE-2018-10897 shall skip straight to updating.

Wrong about that. There is a problem still, as Herman reported.

http://ftp.klid.dk/ftp/mageia/distrib/6/x86_64/media/core/updates_testing/yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm
installing lib64gamin1_0-0.1.10-17.mga6.x86_64.rpm python-gamin-0.1.10-17.mga6.x86_64.rpm yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm yum-updatesd-0.9-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
Installation failed: file /usr/sbin/yum-updatesd from install of yum-updatesd-0.9-1.mga6.noarch conflicts with file from package yum-3.4.3-19.mga6.noarch

Looks like this is basically dnf.

$ yum check
$ yum check-update
Mageia 6 - x86_64                               2.0 MB/s |  33 MB     00:16
Mageia 6 - x86_64 - Updates                     4.7 MB/s |  33 MB     00:07
Last metadata expiration check: 0:00:09 ago on Wed 26 Sep 2018 18:50:58 BST.

$ yum deplist vlc
Last metadata expiration check: 0:02:47 ago on Wed 26 Sep 2018 18:53:55 BST.
package: vlc-3.0.0-0.git.19.mga6.x86_64
  dependency: /bin/sh
   provider: bash-4.3-48.3.mga6.x86_64
  dependency: fonts-ttf-vera
   provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
  dependency: libc.so.6(GLIBC_2.14)(64bit)
   provider: glibc-6:2.22-29.mga6.x86_64
[...]
   provider: lib64vlc5-3.0.2-0.1.mga6.x86_64
  dependency: vlc-plugin-common
   provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64
package: vlc-3.0.2-0.1.mga6.x86_64
  dependency: /bin/sh
   provider: bash-4.3-48.3.mga6.x86_64
  dependency: fonts-ttf-vera
   provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
[...]
  dependency: vlc-plugin-common
   provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64

$ sudo yum reinstall celestia
Last metadata expiration check: 0:08:20 ago on Wed 26 Sep 2018 18:50:58 BST.
Dependencies resolved.
================================================================================
 Package          Arch         Version               Repository           Size
================================================================================
Reinstalling:
 celestia         x86_64       1.6.1-18.mga6         mageia-x86_64        33 M

Transaction Summary
================================================================================

Total download size: 33 M
Is this ok [y/N]: y
Downloading Packages:
celestia-1.6.1-18.mga6.x86_64.rpm                2.1 MB/s |  33 MB     00:15
--------------------------------------------------------------------------------
Total                                            2.0 MB/s |  33 MB     00:16
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Reinstalling     : celestia-1.6.1-18.mga6.x86_64                          1/2
  Erasing          : celestia-1.6.1-18.mga6.x86_64                          2/2
  Running scriptlet: celestia-1.6.1-18.mga6.x86_64                          2/2
  Verifying        : celestia-1.6.1-18.mga6.x86_64                          1/2
  Verifying        : celestia-1.6.1-18.mga6.x86_64                          2/2

Reinstalled:
  celestia.x86_64 1.6.1-18.mga6

Complete!

It looks OK so far.
The man pages show this for yum-utils:

debuginfo-install - install debuginfo packages and their dependencies
package-cleanup - manage package cleanup, duplicates, orphaned packages and outstanding dependency problems
repo-graph - outputs a full package dependency list in dot format
repo-rss - generates an RSS feed from one or more repositories
repoclosure - reads metadata of repositories, checks dependencies and displays list of unresolved dependencies
repodiff - takes two or more repositories, returns a list of added, removed or changed packages
repomanage - manages a directory of rpm packages, returns a list of newest or oldest packages in a directory
repoquery - query yum repositories and get additional information on them
reposync - synchronize a remote yum repository to a local directory using yum to retrieve packages
repotrack - track packages and their dependencies and downloads them
yum-builddep - installs missing dependencies to build a specified package
yum-complete-transaction - finds incomplete or aborted yum transactions and attempts to complete them
yum-installed - print a compact package list making use of comps groups
yumdownloader - downloads packages from yum repositories including source RPMs

Investigating.
$ cd /bin
$ ls -1 repo*
repoclosure-deprecated*
repodiff-deprecated*
repo-graph-deprecated*
repomanage-deprecated*
repoquery-deprecated*
repo-rss-deprecated*
reposync-deprecated*
repotrack-deprecated*
$ ls -1 yum*
yum-builddep-deprecated*
yum-config-manager-deprecated*
yum-debug-dump-deprecated*
yum-debug-restore-deprecated*
yum-deprecated*
yumdownloader-deprecated*
yum-groups-manager-deprecated*

So most utilities are deprecated and others are missing. Better leave this at that point.
On IRC in QA chan, Neal mentioned last night that he couldn't comment in bug 23370 (this bug) since he couldn't remember his password. He then mentioned that the reposync-deprecated command is what should be tested for this. And that in Mageia, /usr/bin/reposync is normally provided by dnf-utils rather than yum-utils.
Keywords: feedback => (none)
CC: (none) => marja11
Oops, the feedback keyword was set for something else, sorry, setting it again.
Fedora has issued an advisory for this on September 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YI7EHWQR75S5AV7RAV4VGWO535PTZAO/
Still on 32-bit
Update now draws in yum, but then:

file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch
Back to the start on a system without yum. Installed yum and all the listed files. Used dnf to find out how repositories are named.

$ dnf repolist
Last metadata expiration check: 0:21:37 ago on Wed 19 Dec 2018 09:35:09 GMT.
repo id               repo name                          status
mageia-x86_64         Mageia 6 - x86_64                  28,136
updates-x86_64        Mageia 6 - x86_64 - Updates         9,600

Enabled updates-testing and tried this:

# reposync-deprecated updates-testing-x86_64
Yum-utils package has been deprecated, use dnf instead.
See 'man yum2dnf' for more information.

Traceback (most recent call last):
  File "/bin/reposync-deprecated", line 334, in <module>
    main()
  File "/bin/reposync-deprecated", line 139, in main
    my.doConfigSetup(fn=opts.config, init_plugins=opts.plugins)
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 299, in doConfigSetup
    return self.conf
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 1099, in <lambda>
    conf = property(fget=lambda self: self._getConfig(),
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 350, in _getConfig
    startupconf = config.readStartupConfig(fn, root, releasever)
  File "/usr/lib/python2.7/site-packages/yum/config.py", line 1073, in readStartupConfig
    confpp_obj = ConfigPreProcessor(configfile)
  File "/usr/lib/python2.7/site-packages/yum/parser.py", line 94, in __init__
    fo = self._pushfile( url )
  File "/usr/lib/python2.7/site-packages/yum/parser.py", line 207, in _pushfile
    'Error accessing file for config %s' % (absurl)
yum.Errors.ConfigError: Error accessing file for config file:///etc/yum.conf

which probably indicates that something has not been run properly. Don't know what it is supposed to do. Does it download and install all the packages in the repository or just the hdlists? 'help' would indicate the former. There is no yum.conf file in /etc.

# yum --repo updates-testing-x86-64
usage: dnf [options] COMMAND
.....

# dnf check
finds no problems with the package database but
# yum check
is not recognized.
Noticed that yum-plugin-refresh-updatesd had not been installed.

# urpmi yum-plugin-refresh-updatesd
offered:
python-gamin                   0.1.10    17.mga6     x86_64
yum-updatesd                   0.9       1.mga6      noarch   (medium "Core Updates Testing")
yum-plugin-refresh-updatesd    1.1.31    5.1.mga6    noarch
[...]
installing python-gamin-0.1.10-17.mga6.x86_64.rpm yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm yum-updatesd-0.9-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
Installation failed: file /usr/sbin/yum-updatesd from install of yum-updatesd-0.9-1.mga6.noarch conflicts with file from package yum-3.4.3-19.mga6.noarch

Something to be sorted out there?
Isn't yum obsolete, and its successor dnf is supported since Mageia 6? I personally purged everything related to yum from my installs and use dnf exclusively. So I am certainly not willing to test yum-utils. Ulrich Beckmann
CC: (none) => bequimao.de
We keep around yum and yum-utils primarily so that people can use mock to build CentOS/RHEL packages.
Neal, can you please fix the packaging conflict between yum and yum-updatesd?
Assignee: qa-bugs => ngompa13
Keywords: feedback => (none)
CC: (none) => qa-bugs
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=24494
Mageia 6 is EOL.
Status: ASSIGNED => RESOLVED
Resolution: (none) => OLD
CC: (none) => mrambo