Ubuntu has issued an advisory on March 22: https://usn.ubuntu.com/3916-1/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing the two last submitters.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, ngompa13
The version of libsolv in Cauldron already contains the changes made by all of these patches and is thus not vulnerable.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated libsolv package fixes security vulnerability:

It was discovered that libsolv incorrectly handled certain malformed input. If a user or automated system were tricked into opening a specially crafted file, applications that rely on libsolv could be made to crash, resulting in a denial of service (CVE-2018-2053[2-4]).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20534
https://usn.ubuntu.com/3916-1/
========================

Updated packages in core/updates_testing:
========================
lib64solv0-0.6.30-1.1.mga7.x86_64.rpm
lib64solv-devel-0.6.30-1.1.mga7.x86_64.rpm
libsolv-demo-0.6.30-1.1.mga7.x86_64.rpm
libsolv-doc-0.6.30-1.1.mga7.x86_64.rpm
libsolv-tools-0.6.30-1.1.mga7.x86_64.rpm
perl-solv-0.6.30-1.1.mga7.x86_64.rpm
python3-solv-0.6.30-1.1.mga7.x86_64.rpm
ruby-solv-0.6.30-1.1.mga7.x86_64.rpm

from libsolv-0.6.30-1.1.mga7.src.rpm
CC: (none) => mrambo
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => bequimao.de
Created attachment 10961
Package list: installed and available

Why is it that part of the list is already available in updates?

Ulrich
Sorry, I did not see the version no 1.1. Dnf metadata is not up to date! Ulrich
Updates testing contains lib64solv0-0.6.30-1.1.mga6.x86_64 etc. Should we assume that the mga7 references in comment 2 are misprints? Have gone ahead and started testing the mga6 packages.
CC: (none) => tarazed25
mga6, x86_64

Installed missing packages before the update.
This appears to be a package dependency "solver" which does not use a database.
POC are aimed at testing within the asan framework.

-----------------------------------------------------
CVE-2018-20532
https://bugzilla.redhat.com/show_bug.cgi?id=1652605
null pointer dereference:
$ testsolv POC2
testcase_read: cannot parse command 'LL[t'
testcase_read: cannot parse command 'negtjob'
testcase_read: genid: unknown command 'doo'
test 1:
Transaction summary:
testcase_read: cannot parse command 'gb'
testcase_read: cannot parse command ''
testcase_read: cannot parse command 're�'
[...]
testcase_read: cannot parse command 'E'
testcase_read: cannot parse command 'reid'
testcase_read: cannot parse command 'result'
Segmentation fault (core dumped)
-----------------------------------------------------
CVE-2018-20533
https://bugzilla.redhat.com/show_bug.cgi?id=1652599
$ testsolv POC0
[...]
testcase_read: cannot parse command '<>geng2'
testcase_read: cannot parse command 'n#>g#>#>g-1'
testcase_read: cannot parse command 'nexgenid'
Segmentation fault (core dumped)
-----------------------------------------------------
CVE-2018-20534
https://bugzilla.redhat.com/show_bug.cgi?id=1652604
Illegal address access
$ testsolv POC1
[...]
testcase_read: cannot parse command 'inline>'
testcase_read: cannot parse command '@>gefnh��'
testcase_read: cannot parse command 'nzxtjob'
Segmentation fault (core dumped)
-----------------------------------------------------

Updated the packages and ran the POC tests.
All three generated errors and empty transaction summaries but no segfaults which would indicate that the vulnerabilities had been detected at least and handled well enough to avoid crashes.

$ urpmq --whatrequires lib64solv0 | sort -u
lib64dnf1
lib64hawkey2
lib64solv0
lib64solv-devel
libsolv-demo
libsolv-tools
perl-solv
python2-hawkey
python3-hawkey
python3-solv
ruby-solv

libsolv-demo supplies the command solv.

$ solv repos
1: mageia-x86_64 Mageia 6 - x86_64 (prio 99)
2: updates-x86_64 Mageia 6 - x86_64 - Updates (prio 99)

$ solv list
Lists all the packages waiting in updates including any testing repositories enabled.

$ solv info xbean-classloader.noarch
rpm database: cached
rpmmd repo 'mageia-x86_64':[using mirror http://www.mirrorservice.org] cached
rpmmd repo 'updates-x86_64':[using mirror http://www.mirrorservice.org] cached
Name: xbean-classloader-4.5-1.mga6.noarch
Repo: mageia-x86_64
Summary: A flexibie multi-parent classloader
Url: http://geronimo.apache.org/xbean/
License: ASL 2.0
Description:
This package provides A flexibie multi-parent classloader.

$ solv verify x2goclient-mozilla-plugin.x86_64
rpm database: cached
rpmmd repo 'mageia-x86_64':[using mirror ftp://www.mirrorservice.org] cached
rpmmd repo 'updates-x86_64':[using mirror http://www.mirrorservice.org] cached
Nothing to do.

This all looks fine but shall leave it just now to check if there is anything else we can do to test the libraries and utilities.
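The before/after check in the comment above (segfault with the old package, parse errors but no segfault after the update) can be scripted so the verdict rests on the exit status rather than on reading the output. This is an added example, not part of the original comment; the `TESTSOLV_CMD` variable and the function names are assumptions, and the test files are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the bug report): tell a crash (death by signal)
# apart from an ordinary error exit when a tool is run on each test file.
# TESTSOLV_CMD is an assumed override; it defaults to the testsolv command
# used in the comment above.
TESTSOLV_CMD=${TESTSOLV_CMD:-testsolv}

# classify_run FILE -> prints "ok", "error:<code>" or "crash:<signal number>"
classify_run() {
    status=0
    # Output is discarded on purpose: only the way the process ended matters.
    ( $TESTSOLV_CMD "$1" ) >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        # Shells report a child killed by signal N as exit status 128+N,
        # so a segmentation fault (SIGSEGV, 11) shows up as 139.
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# check_all FILE... -> one "file<TAB>verdict" line per input;
# returns 0 only if none of the inputs crashed the tool.
check_all() {
    failed=0
    for f in "$@"; do
        result=$(classify_run "$f")
        printf '%s\t%s\n' "$f" "$result"
        case $result in
            crash:*) failed=1 ;;
        esac
    done
    return "$failed"
}

# Stand-alone use: pass the test files on the command line.
if [ "$#" -gt 0 ]; then
    check_all "$@" || exit 1
fi
```

Run it once before and once after installing the update; a fixed package should turn every `crash:11` line into `ok` or `error:<code>`.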
Ah, the list attached shows mga6 packages.
Hi Len,

Thank you for your work! As far as I understand, we have to test dnf, see
https://wiki.mageia.org/en/Feature:Add_DNF_as_Alternate_Repository_Manager

"DNF is powered by libsolv through hawkey for dependency resolution and uses libcomps and librepo for processing metadata."

I am working on it, but I still don't understand my dnf metadata issue.

Ulrich
OK Ulrich. Standing by for your input. Looks like solv is using a subset of dnf commands.
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to Comment 6 at CLI:

$ solv repos
1: mageia-i586 Mageia 6 - i586 (prio 99)
2: updates-i586 Mageia 6 - i586 - Updates (prio 99)
OK

$ solv list
rpm database: reading [created /home/tester6/.solvcache]
rpmmd repo 'mageia-i586':[using mirror ftp://ftp.belnet.be] fetching
rpmmd repo 'updates-i586':[using mirror ftp://ftp.belnet.be] fetching
no package matched
That's not the same as Len's, but to me it is OK, as I use the QArepo tool and all updates I had listed there have been installed.

$ solv info xbean-classloader.noarch
rpm database: cached
repo 'mageia-i586': cached
repo 'updates-i586': cached
Name: xbean-classloader-4.5-1.mga6.noarch
Repo: mageia-i586
Summary: A flexibie multi-parent classloader
Url: http://geronimo.apache.org/xbean/
License: ASL 2.0
Description:
This package provides A flexibie multi-parent classloader.
OK

$ solv verify x2goclient-mozilla-plugin.x86_64
rpm database: cached
repo 'mageia-i586': cached
repo 'updates-i586': cached
nothing matches 'x2goclient-mozilla-plugin.x86_64'
Of course not since I am on the i586 route, but it doesn't garble anything up.

$ solv verify x2goclient-mozilla-plugin.i586
rpm database: cached
repo 'mageia-i586': cached
repo 'updates-i586': cached
Nothing to do.
Here the mirrors are not given, but I could do with that as they are listed in the "solv list" output and the repo is said as "cached"
OK for me.

Now installing dnfdragora and see whether I can trace solv running it.
CC: (none) => herman.viaene
Running dnfdragora under trace gave a ref to libsolvext.so.0, provided by libsolv0.
OK for me.
Whiteboard: (none) => MGA6-32-OK
Created attachment 10975
Excerpt from /var/log/dnf.log

Installed packages:
lib64solv0-0.6.30-1.1.mga6
libsolv-tools-0.6.30-1.1.mga6

I could now upgrade to the version from updates_testing in all my instances.

I tested now the most complex task for a dependency solver, i.e. a system-upgrade from Mga6 to Cauldron.
First:
# dnf system-upgrade download --releasever=7
Then
# dnf system-upgrade download --releasever=7 --allowerasing

Everything went fine and the upgraded installation works now.

Ulrich
Attachment 10961 is obsolete: 0 => 1
Setting MGA6-64-OK based on Len's and my tests.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Thanks for confirming our tests Ulrich and particularly for that neat procedure. I shall try that myself when time permits.
Looks good, guys. Validating. Suggested advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0154.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED