Advisory: ========== This update from 4.16.1.2 to 4.16.1.3 fixes bugs several bugs the RPM package manager, including several security issues: - Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421) - Fix signature check bypass with corrupted package (CVE-2021-20271) - Fix missing bounds checks in headerImport() and headerCheck() (CVE-2021-20266) - Fix missing sanity checks on header entry count and region data overlap - Fix access past end of header if the last entry is string type - Fix unsafe headerCopyLoad() still used in codebase See https://rpm.org/wiki/Releases/4.16.1.3 for the full details List of generated packages: ============================= i586: librpm9-4.16.1.3-1.mga8.i586.rpm librpmbuild9-4.16.1.3-1.mga8.i586.rpm librpm-devel-4.16.1.3-1.mga8.i586.rpm librpmsign9-4.16.1.3-1.mga8.i586.rpm python3-rpm-4.16.1.3-1.mga8.i586.rpm rpm-4.16.1.3-1.mga8.i586.rpm rpm-apidocs-4.16.1.3-1.mga8.noarch.rpm rpm-build-4.16.1.3-1.mga8.i586.rpm rpm-cron-4.16.1.3-1.mga8.noarch.rpm rpm-debugsource-4.16.1.3-1.mga8.i586.rpm rpm-plugin-audit-4.16.1.3-1.mga8.i586.rpm rpm-plugin-ima-4.16.1.3-1.mga8.i586.rpm rpm-plugin-prioreset-4.16.1.3-1.mga8.i586.rpm rpm-plugin-selinux-4.16.1.3-1.mga8.i586.rpm rpm-plugin-syslog-4.16.1.3-1.mga8.i586.rpm rpm-plugin-systemd-inhibit-4.16.1.3-1.mga8.i586.rpm rpm-sign-4.16.1.3-1.mga8.i586.rpm x86_64: lib64rpm9-4.16.1.3-1.mga8.x86_64.rpm lib64rpmbuild9-4.16.1.3-1.mga8.x86_64.rpm lib64rpm-devel-4.16.1.3-1.mga8.x86_64.rpm lib64rpmsign9-4.16.1.3-1.mga8.x86_64.rpm python3-rpm-4.16.1.3-1.mga8.x86_64.rpm rpm-4.16.1.3-1.mga8.x86_64.rpm rpm-apidocs-4.16.1.3-1.mga8.noarch.rpm rpm-build-4.16.1.3-1.mga8.x86_64.rpm rpm-cron-4.16.1.3-1.mga8.noarch.rpm rpm-debugsource-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-audit-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-ima-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-prioreset-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-selinux-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-syslog-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-systemd-inhibit-4.16.1.3-1.mga8.x86_64.rpm rpm-sign-4.16.1.3-1.mga8.x86_64.rpm Debuginfo packages: librpm9-debuginfo-4.16.1.3-1.mga8.i586.rpm librpmbuild9-debuginfo-4.16.1.3-1.mga8.i586.rpm librpmsign9-debuginfo-4.16.1.3-1.mga8.i586.rpm python3-rpm-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-build-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-plugin-audit-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-plugin-ima-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-plugin-prioreset-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-plugin-selinux-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-plugin-syslog-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-plugin-systemd-inhibit-debuginfo-4.16.1.3-1.mga8.i586.rpm rpm-sign-debuginfo-4.16.1.3-1.mga8.i586.rpm lib64rpm9-debuginfo-4.16.1.3-1.mga8.x86_64.rpm lib64rpmbuild9-debuginfo-4.16.1.3-1.mga8.x86_64.rpm lib64rpmsign9-debuginfo-4.16.1.3-1.mga8.x86_64.rpm python3-rpm-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-build-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-audit-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-ima-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-prioreset-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-selinux-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-syslog-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-systemd-inhibit-debuginfo-4.16.1.3-1.mga8.x86_64.rpm rpm-sign-debuginfo-4.16.1.3-1.mga8.x86_64.rpm
Keywords: (none) => SecurityCC: (none) => luigiwalser
CVE: (none) => CVE-2021-3421, CVE-2021-20271, CVE-2021-20266Component: RPM Packages => SecurityQA Contact: (none) => securityKeywords: Security => (none)CC: (none) => ouaurelien
MGA8 x86_64 Plasma updating is OK. Installation of new RPM is OK Removing RPM is OK. No useful PoC upstream. Needs examples ill-crafted RPM. Therefore, as this needs untrusted RPM, this is mitigated. This should be approved.
Whiteboard: (none) => MGA8-64-OK
Validated. Advisory in Comment 0.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
dropping validation for now to get some more testers as this is a basesystem package that is very important to not screw up
Keywords: validated_update => (none)
and it should be tested on i586 too
Mga8 64-bit Plasma on an HP Probook 6550b. Installed using qarepo, after removing the "debugsource" package from the list in Comment 0. (qarepo said that one wasn't in updates_testing.) No installation issues. Clicked on a downloaded third-party rpm to install it, then removed it using urpme, asked MCC to check for updates(There were none). No issues noted. Looks OK here. Will check on my i586 laptop later today.
No regressions noticed here with x86_64 and aarch64 (rpi4).
CC: (none) => davidwhodgins
Tested on a Dell Inspiron 5100, 32-bit P4, 32-bit Xfce system. No installation issues. After update, used it with qarepo and MCC to get and test some potential updates, with no issues noted. Giving this a 32-bit OK.
Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OK
MGA 8 XFCE, Update with QA repo and : lib64rpm9-4.16.1.3-1.mga8.x86_64.rpm lib64rpmbuild9-4.16.1.3-1.mga8.x86_64.rpm lib64rpm-devel-4.16.1.3-1.mga8.x86_64.rpm lib64rpmsign9-4.16.1.3-1.mga8.x86_64.rpm python3-rpm-4.16.1.3-1.mga8.x86_64.rpm rpm-4.16.1.3-1.mga8.x86_64.rpm rpm-apidocs-4.16.1.3-1.mga8.noarch.rpm rpm-build-4.16.1.3-1.mga8.x86_64.rpm rpm-cron-4.16.1.3-1.mga8.noarch.rpm rpm-plugin-audit-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-ima-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-prioreset-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-selinux-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-syslog-4.16.1.3-1.mga8.x86_64.rpm rpm-plugin-systemd-inhibit-4.16.1.3-1.mga8.x86_64.rpm rpm-sign-4.16.1.3-1.mga8.x86_64.rpm No issues at installation. Installation and uninstallation of some software ok
CC: (none) => guillaume.royer
mga8, x64 Installed the update packages, which pulled in lua5 and selinux-policy as well. $ sudo rpm -qilp mplayer-skins-1.9-1.nodist.rf.noarch.rpmName : mplayer-skins Version : 1.9 Release : 1.nodist.rf Architecture: noarch Install Date: (not installed) Group : Applications/Multimedia Size : 17542283 License : GPL Signature : DSA/SHA1, Wed 20 Mar 2013 15:59:28 GMT, Key ID a20e52146b8d79e6 Source RPM : mplayer-skins-1.9-1.nodist.rf.src.rpm Build Date : Wed 20 Mar 2013 14:11:50 GMT Build Host : lisse.hasselt.wieers.com Packager : Dag Wieers <dag@wieers.com> Vendor : Dag Apt Repository, http://dag.wieers.com/apt/ URL : http://mplayerhq.hu/ Summary : Collection of skins for MPlayer Description : This package contains a collection of additional skins for the GUI version of MPlayer, the movie player for Linux. Install this package if you wish to change the appeareance of MPlayer. /usr/share/mplayer/skins/Abyss ........................ $ sudo rpm -i mplayer-skins-1.9-1.nodist.rf.noarch.rpm warning: mplayer-skins-1.9-1.nodist.rf.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY ls /usr/share/mplayer/skins Abyss/ CornerMP-aqua/ iTunes-mini/ Orange/ softgrip/ ................................ $ sudo rpm -e mplayer-skins $ ls /usr/share/mplayer/skins $ That's all I know.
CC: (none) => tarazed25
Edit: $ sudo rpm -qilp mplayer-skins-1.9-1.nodist.rf.noarch.rpm Name : mplayer-skins ............
I have run this for testing updates for several days now, on several sets of hardware, and in both 32 and 64 bit systems, with zero problems. Restoring the validation.
Keywords: (none) => validated_update
ACK. thanks for the extra testing
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0167.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
*** Bug 28926 has been marked as a duplicate of this bug. ***
Source RPM: rpm-4.16.1.3-1.mga8 => rpm-4.16.1.2-1.mga8
Source RPM: rpm-4.16.1.2-1.mga8 => rpm-4.16.1.3-1.mga8
Sorry Thierry, the SRC field in Bugzilla must refer to the SRPM that contains the issues/vulnerabilities. So, in this case David Walser is true doing this. Thanks.
Oups sorry, I though this was an error
Blocks: (none) => 32594