Bug 27752 - db48 new security issue CVE-2019-2708
Summary: db48 new security issue CVE-2019-2708
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 27960
Blocks:
Reported: 2020-12-05 18:11 CET by David Walser
Modified: 2021-07-01 18:25 CEST

See Also:
Source RPM: db48-4.8.30-24.mga7.src.rpm
CVE:
Status comment: db48 needs patch to be backported


Attachments

Description David Walser 2020-12-05 18:11:06 CET
Thierry fixed this issue in Cauldron:
https://bugzilla.redhat.com/show_bug.cgi?id=1853242

I don't know if we have other db versions that are affected too.
Comment 1 David Walser 2020-12-05 18:18:09 CET
db1 and db48 are probably also affected.

Version: 7 => Cauldron
Source RPM: db53-5.3.28-17.mga7.src.rpm => db1-1.85-29.mga7.src.rpm, db48-4.8.30-24.mga7.src.rpm, db53-5.3.28-17.mga7.src.rpm
Whiteboard: (none) => MGA7TOO

David Walser 2020-12-05 18:18:22 CET

CC: (none) => thierry.vignaud

Comment 2 Aurelien Oudelet 2020-12-07 10:29:18 CET
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => thierry.vignaud
CC: (none) => ouaurelien, shlomif

Comment 3 Thierry Vignaud 2020-12-07 14:33:26 CET
I've backported it & submitted it for mga7: db53-5.3.28-17.1.mga7
Comment 4 David Walser 2020-12-07 14:44:29 CET
Thanks, what about db1 and db48?
Comment 5 David Walser 2020-12-07 15:59:58 CET
Packages list for db53 update:
libdb5.3-5.3.28-17.1.mga7
libdbcxx5.3-5.3.28-17.1.mga7
libdbsql5.3-5.3.28-17.1.mga7
libdbjava5.3-5.3.28-17.1.mga7
libdbtcl5.3-5.3.28-17.1.mga7
db53-utils-5.3.28-17.1.mga7
db53_recover-5.3.28-17.1.mga7
libdb5.3-devel-5.3.28-17.1.mga7
libdb5.3-static-devel-5.3.28-17.1.mga7

from db53-5.3.28-17.1.mga7.src.rpm
Comment 6 Thierry Vignaud 2020-12-07 18:04:30 CET
(In reply to David Walser from comment #4)
> Thanks, what about db1 and db48?

For db1, the code is vastly different.
It looks like nothing more depends on db1, so we could actually drop it from the distro (woot!)
Comment 7 David Walser 2020-12-16 15:46:17 CET
Fedora has issued an advisory for this today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQFKX6NKU2DCW5CTCHQSOJJDFVRVTPO6/
David Walser 2020-12-27 21:44:34 CET

Status comment: (none) => db1 needs to be dropped, db48 needs to be patched

Comment 8 Nicolas Lécureuil 2020-12-27 23:03:42 CET
db1 dropped

CC: (none) => mageia

Nicolas Lécureuil 2020-12-27 23:03:49 CET

Status comment: db1 needs to be dropped, db48 needs to be patched => db48 needs to be patched

Comment 9 Nicolas Lécureuil 2020-12-27 23:20:04 CET
db1 support removed from db48.
Comment 10 Nicolas Lécureuil 2020-12-27 23:36:18 CET
Thierry, do you think you can patch db48 for this?
David Walser 2020-12-28 15:32:19 CET

Depends on: (none) => 27960

Comment 11 David Walser 2020-12-28 15:33:23 CET
db53 update moved to Bug 27960.

Status comment: db48 needs to be patched => db48 needs patch to be backported
Source RPM: db1-1.85-29.mga7.src.rpm, db48-4.8.30-24.mga7.src.rpm, db53-5.3.28-17.mga7.src.rpm => db48-4.8.30-24.mga7.src.rpm
Summary: db53 new security issue CVE-2019-2708 => db48 new security issue CVE-2019-2708

Comment 12 Nicolas Lécureuil 2021-01-01 23:55:27 CET
db48 is removed from cauldron.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 13 David Walser 2021-01-01 23:59:50 CET
Nice. It might make sense to obsolete db48-utils in db53-utils, but I wouldn't obsolete the libs, I'd just delete them as you did.
Comment 14 David Walser 2021-07-01 18:25:32 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD
