Debian-LTS has issued an advisory on January 31: https://www.debian.org/lts/security/2020/dla-2088 The issue is fixed upstream in 0.7.6.
Status comment: (none) => Fixed upstream in 0.7.6
A more useful reference of the actual problem and fix: https://bugzilla.redhat.com/show_bug.cgi?id=1797072
CVE: (none) => CVE-2019-20387
I've uploaded a fixed version to updates-testing for Mageia 7. This has been fixed in Cauldron for a while now, so there was nothing to do there...

Suggested advisory:
========================

Updated libsolv packages fix security vulnerabilities:

An out-of-bounds read was discovered in libsolv when the last schema has a length that is less than the length of the input schema. A remote attacker may abuse this flaw to crash an application that uses libsolv.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387
https://bugzilla.redhat.com/show_bug.cgi?id=1797072
https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da
========================

Updated packages in core/updates_testing:
========================
lib(64)solv1-0.7.4-1.1.mga7
lib(64)solv-devel-0.7.4-1.1.mga7
libsolv-doc-0.7.4-1.1.mga7
libsolv-tools-0.7.4-1.1.mga7
libsolv-demo-0.7.4-1.1.mga7
ruby-solv-0.7.4-1.1.mga7
python3-solv-0.7.4-1.1.mga7
perl-solv-0.7.4-1.1.mga7
libsolv-debugsource-0.7.4-1.1.mga7
libsolv-debuginfo-0.7.4-1.1.mga7
lib64solv1-debuginfo-0.7.4-1.1.mga7
libsolv-tools-debuginfo-0.7.4-1.1.mga7
libsolv-demo-debuginfo-0.7.4-1.1.mga7
ruby-solv-debuginfo-0.7.4-1.1.mga7
python3-solv-debuginfo-0.7.4-1.1.mga7
perl-solv-debuginfo-0.7.4-1.1.mga7

Source RPMs:
libsolv-0.7.4-1.1.mga7.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 0.7.6 => (none)
CC: (none) => ngompa13
Assignee: ngompa13 => qa-bugs
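A simplified model of the flaw the suggested advisory describes, added here as an example: it is not libsolv's code or the upstream patch. The struct, the function names and the sample data are constructed for illustration, assuming zero-terminated schemas stored back to back in one array.

```c
#include <stdio.h>
#include <string.h>

typedef int Id;

/* Simplified model (an assumption, not libsolv's data structures):
 * zero-terminated schemas stored back to back in one array. */
struct schema_pool {
    const Id *data;        /* all schemas, concatenated */
    size_t datalen;        /* number of Ids in data */
    const size_t *offsets; /* start of each stored schema */
    size_t nschemas;
};

/* Ids in a zero-terminated schema, terminator included. */
static size_t schema_len(const Id *s) { size_t n = 0; while (s[n]) n++; return n + 1; }

/* Ids the unchecked compare may read past the end of pool->data. */
size_t overread_ids(const struct schema_pool *p, size_t i, const Id *in)
{
    size_t len = schema_len(in), avail = p->datalen - p->offsets[i];
    return len > avail ? len - avail : 0;
}

/* Before: memcmp sized by the input alone, so a shorter last schema is overread. */
int schema_matches_unchecked(const struct schema_pool *p, size_t i, const Id *in)
{
    return memcmp(p->data + p->offsets[i], in, schema_len(in) * sizeof(Id)) == 0;
}

/* After: refuse the compare unless the stored data holds that many Ids. */
int schema_matches_checked(const struct schema_pool *p, size_t i, const Id *in)
{
    if (i >= p->nschemas || p->offsets[i] > p->datalen || overread_ids(p, i, in) > 0)
        return 0;
    return schema_matches_unchecked(p, i, in);
}

/* Constructed sample: schema 0 = {1,2,3}, schema 1 (last) = {4}. */
static const Id SAMPLE_DATA[] = {1, 2, 3, 0, 4, 0};
static const size_t SAMPLE_OFFSETS[] = {0, 4};
static const struct schema_pool SAMPLE = {SAMPLE_DATA, 6, SAMPLE_OFFSETS, 2};
static const Id LONG_INPUT[] = {4, 5, 6, 0};  /* longer than the last schema */
static const Id SHORT_INPUT[] = {4, 0};       /* equal to the last schema */

int main(void)
{
    printf("overread: %zu Ids, checked match: %d, exact match: %d\n",
           overread_ids(&SAMPLE, 1, LONG_INPUT),
           schema_matches_checked(&SAMPLE, 1, LONG_INPUT),
           schema_matches_checked(&SAMPLE, 1, SHORT_INPUT));
    return 0;
}
```

Building the unchecked variant with AddressSanitizer and feeding it the long input against the last schema is how this class of read is typically surfaced in testing.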
mga7, x86_64

Could find no proofs of concept, so, straight to updates.
Eight packages, discounting the debuginfo stuff. No problems with installation.

There are three solv scripts, p5solv, pysolv and rbsolv in /usr/share/doc under the relevant directories for perl, python and ruby, e.g. .../perl-solv.
$ man libsolv-bindings
describes the API from the point-of-view of perl.

libsolv itself is a package dependency solver library using a satisfiability algorithm according to the man pages.

Ulrich pointed out in https://bugs.mageia.org/show_bug.cgi?id=24563 that dnf uses libsolv but I did not fully understand how the dnf upgrade from mga6 to mga7 tests the mga7 version of libsolver.

The tests made in that previous bug no longer work.
For instance:
$ solv repos
no installed package provides 'system-release', cannot determine $releasever

Yet:
$ dnf repolist
Last metadata expiration check: 0:29:25 ago on Mon 24 Feb 2020 17:57:11 GMT.
repo id          repo name                      status
mageia-x86_64    Mageia 7 - x86_64              29,882
updates-x86_64   Mageia 7 - x86_64 - Updates    5,776

$ solv list
no installed package provides 'system-release', cannot determine $releasever
$ solv info xbean-classloader.noarch
no installed package provides 'system-release', cannot determine $releasever

Have I missed something? Setting feedback in case anybody can enlighten me.
Keywords: (none) => feedback
CC: (none) => tarazed25
(In reply to Len Lawrence from comment #3)
> mga7, x86_64
>
> Could find no proofs of concept, so, straight to updates.
> Eight packages, discounting the debuginfo stuff. No problems with
> installation.
>
> There are three solv scripts, p5solv, pysolv and rbsolv in /usr/share/doc
> under the relevant directories for perl, python and ruby, e.g. .../perl-solv.
> $ man libsolv-bindings
> describes the API from the point-of-view of perl.
>
> libsolv itself is a package dependency solver library using a satisfiability
> algorithm according to the man pages.
>
> Ulrich pointed out in https://bugs.mageia.org/show_bug.cgi?id=24563 that dnf
> uses libsolv but I did not fully understand how the dnf upgrade from mga6 to
> mga7 tests the mga7 version of libsolver.
>

DNF uses libsolv to do dependency resolution. As far as I'm aware, I don't have a specific reproducer for this CVE, as it was detected by a fuzzer and fixed before it became a problem. It got a CVE designation after the fact.

> The tests made in that previous bug no longer work.
> For instance:
> $ solv repos
> no installed package provides 'system-release', cannot determine $releasever
>

That's very odd, as I'm pretty sure mageia-release-Default has the 'system-release' Provides. That said...

> Yet:
> $ dnf repolist
> Last metadata expiration check: 0:29:25 ago on Mon 24 Feb 2020 17:57:11 GMT.
> repo id repo name
> status
> mageia-x86_64 Mageia 7 - x86_64
> 29,882
> updates-x86_64 Mageia 7 - x86_64 - Updates
> 5,776
>
> $ solv list
> no installed package provides 'system-release', cannot determine $releasever
> $ solv info xbean-classloader.noarch
> no installed package provides 'system-release', cannot determine $releasever
>
> Have I missed something? Setting feedback in case anybody can enlighten me.

It looks like DNF is working, so something is probably independently broken in the demo "solv" program. Meh.

If you can still install and upgrade with DNF, I'd say this would be working fine.
Keywords: feedback => (none)
Thanks for getting back to us on this Neal. We'll release it into the wild then.
Whiteboard: (none) => MGA7-64-OK
I hasten to add; `dnf install` and `dnf upgrade` worked fine. Nothing to do for stellarium and ruby and kstars downloaded and settled into place in a few seconds. Dependencies resolved OK.
Validated. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0117.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED