Bug 28884 - gnome-autoar new security issue CVE-2021-28650
Summary: gnome-autoar new security issue CVE-2021-28650
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-06 15:56 CEST by Nicolas Salguero
Modified: 2021-06-17 08:53 CEST
5 users

See Also:
Source RPM: gnome-autoar-0.2.4-2.1.mga8.src.rpm
CVE: CVE-2021-28650
Status comment:


Description Nicolas Salguero 2021-05-06 15:56:29 CEST
Ubuntu has issued an advisory on May 6:
https://ubuntu.com/security/notices/USN-4937-1

Mageia 7 is also affected.
Nicolas Salguero 2021-05-06 15:57:08 CEST

Whiteboard: (none) => MGA7TOO
Source RPM: (none) => gnome-autoar-0.2.4-2.1.mga8.src.rpm

Comment 1 Aurelien Oudelet 2021-05-06 15:59:47 CEST
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => pkg-bugs
CVE: (none) => CVE-2021-28650
CC: (none) => geiger.david68210, olav, ouaurelien

Olav Vitters 2021-05-06 19:12:29 CEST

Assignee: pkg-bugs => gnome

Comment 2 David Walser 2021-05-28 01:27:15 CEST
Also the previous update (Bug 28454) introduced a regression, fixed here:
https://ubuntu.com/security/notices/USN-4733-2
Comment 3 David Walser 2021-05-29 19:30:43 CEST
Fedora has issued an advisory for this on March 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2T2WNK5MCCXX7Y5LGNP6SJYIBL7ADKHD/

The issue is fixed upstream in 0.3.1.

Status comment: (none) => Fixed upstream in 0.3.1

Comment 4 David GEIGER 2021-06-07 12:27:43 CEST
Done for mga8 and mga7!
Comment 5 David Walser 2021-06-09 01:55:22 CEST
RPMS:
libgnome-autoar0_0-0.3.1-1.mga7
libgnome-autoar-gir0.1-0.3.1-1.mga7
libgnome-autoar-devel-0.3.1-1.mga7
libgnome-autoar0_0-0.3.1-1.mga8
libgnome-autoar-gir0.1-0.3.1-1.mga8
libgnome-autoar-devel-0.3.1-1.mga8

from SRPMS:
gnome-autoar-0.3.1-1.mga7.src.rpm
gnome-autoar-0.3.1-1.mga8.src.rpm

Assignee: gnome => qa-bugs
Status comment: Fixed upstream in 0.3.1 => (none)

Comment 6 Herman Viaene 2021-06-16 15:15:17 CEST
MGA7-64 Plasma on Lenovo B50
An installation snag: when in MCC first selecting libgnome-autoar-gir0.1-0.3.1-1.mga7, MCC complains about missing libgnome-autoar0_0-0.3.1-1.mga7.
First selecting the latter, then the former, all is OK. Is this a dependency missing???
# urpmq --whatrequires lib64gnome-autoar0_0
evolution
gnome-recipes
and some more, installed gnome-recipes and ran it as
$ strace -o lib64gnomeautoar.txt gnome-recipes
Look at one recipe, open the dialogue for a new recipe, close.
Checked the trace, found a reference to the library, so it seems to work OK.
I leave it to the higher powers whether this update can go, or the dependency needs mending. I will not object to the OK.

CC: (none) => herman.viaene

Comment 7 Len Lawrence 2021-06-16 21:28:12 CEST
@Herman with regard to comment 6.
I installed the three packages manually (one was already installed) without any problem so I think you can give this the OK - installed serially with libgnome-autoar0_0 first.  (I have not tried updating yet)
Treading on your toes to have a look at the PoC.

mga7, x64

CVE-2020-36241
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
CVE-2021-28650
If I understand this correctly the issue was not fully fixed by the first patch and needed further treatment.
Downloaded the linktotmp.tar file.
Ran nautilus to extract the contents of the tar file. gtar reported an error, no such file /tmp/foo, but a symbolic link was created pointing to /tmp.

$ unlink tmplink
Updated packages.
Ran the extraction test on the poc file, which did exactly as before and created the tmplink symbolic link to /tmp and no /tmp/foo file. This may be the required behaviour - I have not quite worked it out yet. If it is then the issue is fixed.

Anyway you should go ahead and OK the update Herman.

CC: (none) => tarazed25
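The PoC that comment 7 walks through is a tar archive whose symlink entry points outside the destination and whose next entry writes through that link; the following check, added here as an illustration and not code from gnome-autoar or from any commenter, builds a constructed archive of that shape and scans it for entries that would land outside the extraction directory, so an extractor can refuse them before writing anything. The entry names (`tmplink`, `tmplink/foo`, `docs/readme.txt`) and the payload bytes are assumptions made for the sample.

```python
import io
import posixpath
import tarfile
from typing import Dict, List


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the PoC described in comment 7:
    a symlink 'tmplink' -> /tmp followed by a file 'tmplink/foo'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("tmplink")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"
        tar.addfile(link)
        payload = b"would land in /tmp/foo, outside the destination\n"
        info = tarfile.TarInfo("tmplink/foo")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        ok = tarfile.TarInfo("docs/readme.txt")  # benign entry for contrast
        ok.size = 2
        tar.addfile(ok, io.BytesIO(b"hi"))
    return buf.getvalue()


def _escapes(path: str) -> bool:
    """True if a normalised, destination-relative path leaves the destination."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def unsafe_entries(archive: bytes) -> List[str]:
    """Names of entries that would be created outside the extraction directory,
    either directly (absolute or ../ names) or by writing through an earlier
    symlink entry whose target lies outside the destination."""
    symlinks: Dict[str, str] = {}  # link path -> resolved target, dest-relative
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            name = posixpath.normpath(member.name)
            if _escapes(name):
                flagged.append(member.name)
                continue
            # If any ancestor directory is a symlink seen earlier, substitute
            # its target and re-check where the entry would really be written.
            parts = name.split("/")
            resolved = name
            for i in range(1, len(parts)):
                ancestor = "/".join(parts[:i])
                if ancestor in symlinks:
                    resolved = posixpath.normpath(
                        posixpath.join(symlinks[ancestor], *parts[i:]))
                    break
            if _escapes(resolved):
                flagged.append(member.name)
                continue
            if member.issym():
                target = member.linkname
                if not target.startswith("/"):
                    target = posixpath.join(posixpath.dirname(name), target)
                symlinks[name] = posixpath.normpath(target)
    return flagged
```

Only one level of link indirection is resolved; a chain of symlink entries needs the ancestor substitution repeated until no symlink remains in the path. As on the page after the update, the symlink entry itself is not flagged, only the entry that would write through it.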

Herman Viaene 2021-06-17 08:53:48 CEST

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

