openSUSE has issued an advisory on August 30: https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Packagers: Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => ngompa13
Keywords: (none) => Triaged
RedHat has issued an advisory for this today (September 8): https://access.redhat.com/errata/RHSA-2020:3658
Fedora has issued an advisory for this today (October 18): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/ The issue is fixed upstream in 1.12.1. The RedHat bug links the upstream commit that fixed the issue: https://bugzilla.redhat.com/show_bug.cgi?id=1866498
Severity: major => critical
RedHat has issued an advisory for this today (November 10): https://access.redhat.com/errata/RHSA-2020:5012
Upgraded cauldron to 1.12.1. Patched package uploaded for Mageia 7.

Advisory:
========================

Updated librepo package fixes security vulnerability:

It was discovered that librepo was subject to a directory traversal vulnerability where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files (CVE-2020-14352).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14352
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/
========================

Updated packages in core/updates_testing:
========================
lib64repo0-1.10.3-1.1.mga7.x86_64.rpm
lib64repo-devel-1.10.3-1.1.mga7.x86_64.rpm
python3-librepo-1.10.3-1.1.mga7.x86_64.rpm

from librepo-1.10.3-1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
CC: (none) => mrambo
Assignee: ngompa13 => qa-bugs
Version: Cauldron => 7
Keywords: Triaged => (none)
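The advisory above describes the bug class only in prose: a file name taken from remote repository metadata is joined onto a local destination directory without checking that the result stays inside it. The following is an added illustration of the check a downloader needs before writing such a file; it is not librepo's code and not the upstream fix, and the destination directory and metadata paths in it are constructed sample values.

```python
import os
from pathlib import PurePosixPath


class UnsafeRepoPath(ValueError):
    """A metadata-supplied path would land outside the destination directory."""


def safe_destination(destdir: str, metadata_path: str) -> str:
    """Resolve metadata_path (e.g. an href from repository metadata) under
    destdir and return the absolute target, refusing anything that escapes.

    Run this on the *decoded* path, after any URL-unescaping, so encoded
    dot segments cannot slip past the component check.
    """
    if "\x00" in metadata_path:
        raise UnsafeRepoPath("NUL byte in metadata path")
    p = PurePosixPath(metadata_path)
    if p.is_absolute():
        raise UnsafeRepoPath(f"absolute path in metadata: {metadata_path!r}")
    if ".." in p.parts:  # lexical check: no parent-directory segments at all
        raise UnsafeRepoPath(f"parent traversal in metadata: {metadata_path!r}")
    base = os.path.realpath(destdir)
    # realpath also follows any symlinked components that already exist on
    # disk, so a link planted inside destdir pointing outside is caught too.
    target = os.path.realpath(os.path.join(base, *p.parts))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafeRepoPath(f"path escapes {base!r}: {metadata_path!r}")
    return target


def is_safe_repo_path(destdir: str, metadata_path: str) -> bool:
    """Boolean convenience wrapper around safe_destination()."""
    try:
        safe_destination(destdir, metadata_path)
        return True
    except UnsafeRepoPath:
        return False


def check_sample_hrefs() -> dict:
    """Classify a few constructed hrefs against a constructed cache directory."""
    destdir = "/var/cache/example-repo"  # constructed, need not exist
    samples = [
        "repodata/primary.xml.gz",          # normal relative path: accepted
        "repodata/./primary.xml.gz",        # harmless '.' segment: accepted
        "../../../../etc/some-config",      # classic traversal: rejected
        "/etc/some-config",                 # absolute path: rejected
        "repodata/../../outside",           # traversal after a valid dir: rejected
        "",                                 # resolves to destdir itself: rejected
    ]
    return {s: is_safe_repo_path(destdir, s) for s in samples}
```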
MGA7-64 MATE on Peaq C1011
No installation issues.
No previous updates on this, so starting wild hunt.
# urpmq --whatrequires lib64repo0
lib64dnf2
lib64hif1
lib64repo0
python3-librepo
python3-librepo
Not promising.
# urpmq --whatrequires-recursive lib64repo0
shows pages full. Tried some of the list, but many of them are either KDE- or Gnome-dependent, and I don't want those on this restricted notebook. Final test will be dnfdragora, reporting later.
CC: (none) => herman.viaene
Installed dnfdragora and ran
# strace -o /home/tester7/Documents/librepo.txt dnfdragora
Skipped exception: <[Errno 2] No such file or directory: './dnfdragora.yaml'>
/usr/lib/python3.7/site-packages/dnfdragora/config.py:55: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  self._systemSettings = yaml.load(ymlfile)
Skipped exception: <[Errno 2] No such file or directory: '/root/.config/dnfdragora.yaml'>
<_M_> [ui] YUILoader.cc:50 loadUI(): DISPLAY: ":0"
<_M_> [ui] YUILoader.cc:51 loadUI(): XDG_CURRENT_DESKTOP: ""
<_M_> [ui] YUILoader.cc:52 loadUI(): YUI_PREFERED_BACKEND: ""
and lots more .....
But it runs, and I enabled the nonfree and tainted repos and the three update repos, and then installed one update. The trace file shows a call to /lib64/librepo.so.0 which is what I wanted to see. OK for me.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory pushed to SVN.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0429.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED