Bug 27953 - blosc new security issue CVE-2020-29367
Summary: blosc new security issue CVE-2020-29367
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-12-28 00:06 CET by David Walser
Modified: 2021-01-23 00:51 CET (History)
4 users (show)

See Also:
Source RPM: blosc-1.16.3-1.mga7.src.rpm
CVE: CVE-2020-29367
Status comment:


Description David Walser 2020-12-28 00:06:19 CET
openSUSE has issued an advisory on December 26:

The issue is fixed upstream in 1.20.1.
David Walser 2020-12-28 19:20:56 CET

Status comment: (none) => Fixed upstream in 1.20.1

Comment 1 David GEIGER 2021-01-06 08:24:38 CET
Done for mga7!
Comment 2 David Walser 2021-01-06 16:12:24 CET

Updated blosc packages fix security vulnerability:

A heap-based buffer overflow vulnerability was found in the blosc library.
Depending on how the library is used, if there is a lack of space to write
compressed data, an attacker might exploit this flaw to crash the program or
potentially execute arbitrary code (CVE-2020-29367).


Updated packages in core/updates_testing:

from blosc-1.20.1-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 1.20.1 => (none)

Comment 3 Len Lawrence 2021-01-12 22:21:41 CET
This could be a tricky one to test.  It centres on the storage of hierarchical data structures and seems to sit somewhere between our hdf5 libraries and python{2,3}-tables (PyTables?).  The CVE issue can be reproduced if you can get hold of a fuzzer compiled with asan support, which is probably a little outside QA's remit.

Shall try to find a way of connecting all of this but may have to adopt the fallback position.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2021-01-22 09:32:06 CET
Comment 3 was a little bit off target. 
See introduction at https://blosc.org/pages/blosc-in-depth/
and https://github.com/Blosc/python-blosc which says:
a Python wrapper for the extremely fast Blosc compression library.
It compresses binary data.

The two packages updated cleanly.  Hoping to be able to run an example session as portrayed on github - it involves python-numpy as well.
Comment 5 Len Lawrence 2021-01-22 10:00:09 CET
Did not get very far with the timing test.  Had to drop the %time macro.
The blosc module does not exist here either.

$ python
Python 2.7.18 (default, Nov 20 2020, 06:51:30) 
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import numpy as np
>>> a = np.linspace( 0, 100, 1e7 )
>>> bytes_array = a.tostring( )
>>> import zlib
>>> %time zpacked = zlib.compress( bytes_array )
  File "<stdin>", line 1
    %time zpacked = zlib.compress( bytes_array )
SyntaxError: invalid syntax
>>> zpacked = zlib.compress( bytes_array )
>>> import blosc
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named blosc

$ pip install --user blosc
Collecting blosc
  Downloading https://files.pythonhosted.org/packages/16/9e/cd2256d981973b5c6d6c42f1fa8327afc1cb491359c4701d507b48acf708/blosc-1.10.2-cp37-cp37m-manylinux2010_x86_64.whl (2.3MB)
    100% |████████████████████████████████| 2.3MB 2.5MB/s 
Installing collected packages: blosc
Successfully installed blosc-1.10.2

>>> import blosc
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named blosc
>>> exit()

We might need a bundled version of python-blosc to get this demo to work.

Tried python3 but warnings indicated that the script is intended for python2.
So, this has to be passed on the basis of the clean upgrade.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Aurelien Oudelet 2021-01-22 16:15:44 CET
Validating, thanks Len for your work.
Advisory in SVN.

CVE: (none) => CVE-2020-29367
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 7 Mageia Robot 2021-01-23 00:51:32 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.