Bug 23370 - yum-utils new security issue CVE-2018-10897
Summary: yum-utils new security issue CVE-2018-10897
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Neal Gompa
QA Contact: Sec team
Depends on:
Reported: 2018-07-30 16:29 CEST by David Walser
Modified: 2019-03-12 15:15 CET (History)
7 users (show)

See Also:
Source RPM: yum-utils-1.1.31-5.mga6.src.rpm
Status comment:


Description David Walser 2018-07-30 16:29:59 CEST
RedHat has issued an advisory today (July 30):

The RedHat bug has links to the commits that fixed the issue:

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-30 16:30:24 CEST

Whiteboard: (none) => MGA6TOO
CC: (none) => ngompa13

Comment 1 Bruno Cornec 2018-07-30 17:46:39 CEST
Mageia Cauldron updated with the proposed patch into rev 1.1.31-6
rebuild in progress.


Comment 2 Bruno Cornec 2018-07-30 17:52:25 CEST
Update also submitted for mga6 (1.1.31-5.1)
Comment 3 David Walser 2018-07-30 19:08:33 CEST

Updated yum-utils packages fix security vulnerability:

A directory traversal issue was found in reposync, a part of yum-utils, where
reposync fails to sanitize paths in remote repository configuration files. If an
attacker controls a repository, they may be able to copy files outside of the
destination directory on the targeted system via path traversal. If reposync is
running with heightened privileges on a targeted system, this flaw could
potentially result in system compromise via the overwriting of critical system
files (CVE-2018-10897).


Updated packages in core/updates_testing:

from yum-utils-1.1.31-5.1.mga6.src.rpm

Version: Cauldron => 6
CC: (none) => bruno
Assignee: bruno => qa-bugs
Whiteboard: MGA6TOO => (none)

Comment 4 Herman Viaene 2018-08-01 16:32:09 CEST
MGA6-32 MATE on IBM Thinkpad R5oe
Installation draws in a lot of other stuff and that results in error:
2 installation-transactions failed

Er is een fout opgetreden tijdens de installatie:

file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch

createrepo is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch

yum >= 3.2.22 is needed by yum-plugin-local-1.1.31-5.1.mga6.noarch

yum >= 3.0 is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch

yum-updatesd is needed by yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch

yum >= 3.0 is needed by yum-plugin-protectbase-1.1.31-5.1.mga6.noarch

yum >= 3.2.22 is needed by yum-plugin-fs-snapshot-1.1.31-5.1.mga6.noarch

yum >= 3.2.17 is needed by yum-NetworkManager-dispatcher-1.1.31-5.1.mga6.noarch

yum >= 3.0.5 is needed by yum-plugin-list-data-1.1.31-5.1.mga6.noarch

yum >= 3.2.27 is needed by yum-plugin-ps-1.1.31-5.1.mga6.noarch

yum >= 3.2.19 is needed by yum-plugin-rpm-warm-cache-1.1.31-5.1.mga6.noarch

yum >= 3.2.19 is needed by yum-plugin-auto-update-debug-info-1.1.31-5.1.mga6.noarch

yum >= 3.2.23 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

yum-utils-translations = 1.1.31-5.1.mga6 is needed by yum-plugin-aliases-1.1.31-5.1.mga6.noarch

Does this mean the updates cannot run on an installation which did not have yum before??
How would this affect a user which would try to install yum when those packages would be included in the normal repos???

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-08-01 17:18:28 CEST
@Herman, re comment 4:
Don't know how to answer your specific queries but I tried this installation on x86_64.

I took the precaution of installing yum first then the packages named in the update list.  There was a single conflict - lost the reference - but the rest succeeded.

Enabled updates testing and ran MageiaUpdate.  All the packages installed cleanly.
That is far as I have got.  Busy just now.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2018-08-01 17:26:55 CEST
re comment 5;
I take your point about yum not being pulled in by yum-utils.  Looks like it is a missing dependency.  Feedback?
Len Lawrence 2018-08-03 08:33:25 CEST

Keywords: (none) => feedback

Comment 7 Bruno Cornec 2018-08-14 09:39:05 CEST
Yes I'll fix that ASAP
Comment 8 Len Lawrence 2018-09-26 20:02:14 CEST
Mageia 6.1 new installation, x86_64

Before updating created a manifest from the listed packages and installed against that to create a yum system.  This pulled in yum automatically so if we follow the correct procedure for QA testing, updating from a preinstalled system, then there is no problem.

Since there is no explicit procedure posted for reproducing CVE-2018-10897 shall skip straight to updating.

Wrong about that.  There is a problem still. as Herman reported.
installing lib64gamin1_0-0.1.10-17.mga6.x86_64.rpm python-gamin-0.1.10-17.mga6.x86_64.rpm yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm yum-updatesd-0.9-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
Installation failed:	file /usr/sbin/yum-updatesd from install of yum-updatesd-0.9-1.mga6.noarch conflicts with file from package yum-3.4.3-19.mga6.noarch
Looks like this is basically dnf.

$ yum check
$ yum check-update
Mageia 6 - x86_64                               2.0 MB/s |  33 MB     00:16    
Mageia 6 - x86_64 - Updates                     4.7 MB/s |  33 MB     00:07    
Last metadata expiration check: 0:00:09 ago on Wed 26 Sep 2018 18:50:58 BST.
$ yum deplist vlc
Last metadata expiration check: 0:02:47 ago on Wed 26 Sep 2018 18:53:55 BST.
package: vlc-3.0.0-0.git.19.mga6.x86_64
  dependency: /bin/sh
   provider: bash-4.3-48.3.mga6.x86_64
  dependency: fonts-ttf-vera
   provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
  dependency: libc.so.6(GLIBC_2.14)(64bit)
   provider: glibc-6:2.22-29.mga6.x86_64
   provider: lib64vlc5-3.0.2-0.1.mga6.x86_64
  dependency: vlc-plugin-common
   provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64

package: vlc-3.0.2-0.1.mga6.x86_64
  dependency: /bin/sh
   provider: bash-4.3-48.3.mga6.x86_64
  dependency: fonts-ttf-vera
   provider: fonts-ttf-bitstream-vera-1.10-16.mga6.noarch
  dependency: vlc-plugin-common
   provider: vlc-plugin-common-3.0.2-0.1.mga6.x86_64
$ sudo yum reinstall celestia
Last metadata expiration check: 0:08:20 ago on Wed 26 Sep 2018 18:50:58 BST.
Dependencies resolved.
 Package         Arch          Version               Repository            Size
 celestia        x86_64        1.6.1-18.mga6         mageia-x86_64         33 M
Transaction Summary
Total download size: 33 M
Is this ok [y/N]: y
Downloading Packages:
celestia-1.6.1-18.mga6.x86_64.rpm               2.1 MB/s |  33 MB     00:15    
Total                                           2.0 MB/s |  33 MB     00:16     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Reinstalling     : celestia-1.6.1-18.mga6.x86_64                          1/2 
  Erasing          : celestia-1.6.1-18.mga6.x86_64                          2/2 
  Running scriptlet: celestia-1.6.1-18.mga6.x86_64                          2/2 
  Verifying        : celestia-1.6.1-18.mga6.x86_64                          1/2 
  Verifying        : celestia-1.6.1-18.mga6.x86_64                          2/2 
  celestia.x86_64 1.6.1-18.mga6                                                 

It looks OK so far.
Comment 9 Len Lawrence 2018-09-26 20:07:18 CEST
The man pages show this for yum-utils:
debuginfo-install - install debuginfo packages and their dependencies
package-cleanup - manage package cleanup, duplicates, orphaned packages and outstanding dependency problems
repo-graph - outputs a full package dependency list in dot format
repo-rss - generates an RSS feed from one or more repositories
repoclosure - reads metadata of repositories, checks dependencies and displays list of unresolved dependencies
repodiff - takes two or more repositories, returns a list of added, removed or changed packages
repomanage - manages a directory of rpm packages, returns a list of newest or oldest packages in a directory
repoquery - query yum repositories and get additional information on the them
reposync - synchronize a remote yum repository to a local directory using yum to retrieve packages
repotrack - track packages and its dependencies and downloads them
yum-builddep - installs missing dependencies to build a specified package
yum-complete-transaction - finds incomplete or aborted yum transactions and attempts to complete them
yum-installed - print a compact package list making use of comps groups
yumdownloader - downloads packages from yum repositories including source RPMs

Comment 10 Len Lawrence 2018-09-26 21:57:57 CEST
$ cd /bin
$ ls -1 repo*
$ ls -1 yum*

So most utilities are deprecated and others are missing.
Better leave this at that point.
Comment 11 Marja Van Waes 2018-10-03 08:41:12 CEST
On IRC in QA chan, Neal mantioned last night that he couldn't comment in bug 23370 (this bug) since he couldn't remember his password

He then mentioned that the 


command is what should be tested for this.
And that in Mageia, /usr/bin/reposync is normally provided by dnf-utils rather than yum-utils.

CC: (none) => marja11
Keywords: feedback => (none)

Comment 12 Marja Van Waes 2018-10-03 08:43:25 CEST
Oops, the feedback keyword was set for something else, sorry, setting it again.

Keywords: (none) => feedback

Comment 13 David Walser 2018-10-15 23:21:38 CEST
Fedora has issued an advisory for this on September 27:
Comment 14 Herman Viaene 2018-10-31 16:47:34 CET
Still on 32-bit
Update now draws in yum, but then:
file /usr/sbin/yum-updatesd conflicts between attempted installs of yum-updatesd-0.9-1.mga6.noarch and yum-3.4.3-19.mga6.noarch
Comment 15 Len Lawrence 2018-12-19 11:35:57 CET
Back to the start on a system without yum.
Installed yum and all the listed files.

Used dnf to find out how repositories are named.
$ dnf repolist
Last metadata expiration check: 0:21:37 ago on Wed 19 Dec 2018 09:35:09 GMT.
repo id                       repo name                                   status
mageia-x86_64                 Mageia 6 - x86_64                           28,136
updates-x86_64                Mageia 6 - x86_64 - Updates                  9,600

Enabled updates-testing and tried this:
# reposync-deprecated updates-testing-x86_64
Yum-utils package has been deprecated, use dnf instead.
See 'man yum2dnf' for more information.

Traceback (most recent call last):
  File "/bin/reposync-deprecated", line 334, in <module>
  File "/bin/reposync-deprecated", line 139, in main
    my.doConfigSetup(fn=opts.config, init_plugins=opts.plugins)
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 299, in doConfigSetup
    return self.conf
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 1099, in <lambda>
    conf = property(fget=lambda self: self._getConfig(),
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 350, in _getConfig
    startupconf = config.readStartupConfig(fn, root, releasever)
  File "/usr/lib/python2.7/site-packages/yum/config.py", line 1073, in readStartupConfig
    confpp_obj = ConfigPreProcessor(configfile)
  File "/usr/lib/python2.7/site-packages/yum/parser.py", line 94, in __init__
    fo = self._pushfile( url )
  File "/usr/lib/python2.7/site-packages/yum/parser.py", line 207, in _pushfile
    'Error accessing file for config %s' % (absurl)
yum.Errors.ConfigError: Error accessing file for config file:///etc/yum.conf

which probably indicates that something has not been run properly.
Don't know what it is supposed to do.  Does it download and install all the packages in the repository or just the hdlists?  'help' would indicate the former.

There is no yum.conf file in /etc.

# yum --repo updates-testing-x86-64
usage: dnf [options] COMMAND

# dnf check
finds no problems with the package database but
# yum check
is not recognized.
Comment 16 Len Lawrence 2018-12-19 17:21:41 CET
Noticed that yum-plugin-refresh-updatesd had not been installed.
# urpmi yum-plugin-refresh-updatesd
  python-gamin                   0.1.10       17.mga6       x86_64  
  yum-updatesd                   0.9          1.mga6        noarch  
(medium "Core Updates Testing")
  yum-plugin-refresh-updatesd    1.1.31       5.1.mga6      noarch  
installing python-gamin-0.1.10-17.mga6.x86_64.rpm yum-plugin-refresh-updatesd-1.1.31-5.1.mga6.noarch.rpm yum-updatesd-0.9-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
Installation failed:	file /usr/sbin/yum-updatesd from install of yum-updatesd-0.9-1.mga6.noarch conflicts with file from package yum-3.4.3-19.mga6.noarch

Something to be sorted out there?
Comment 17 Ulrich Beckmann 2019-01-10 23:29:31 CET
Isn't yum obsolete, and it's successor dnf is supported since Mageia 6?

I personally purged everything related to yum from my installs and use dnf exclusively. So I am certainly not willing to test yum-utils.

Ulrich Beckmann

CC: (none) => bequimao.de

Comment 18 Neal Gompa 2019-01-11 15:16:39 CET
We keep around yum and yum-utils primarily so that people can use mock to build CentOS/RHEL packages.
Comment 19 David Walser 2019-01-13 19:41:25 CET
Neal, can you please fix the packaging conflict between yum and yum-updatesd?

Keywords: feedback => (none)
CC: (none) => qa-bugs
Assignee: qa-bugs => ngompa13

David Walser 2019-03-12 15:15:36 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=24494

Note You need to log in before you can comment on or make changes to this bug.