SUSE has issued an advisory today (June 23):
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009080.html
Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => ngompa13
libsolv is committed by various people, so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
Working on it.
Status: NEW => ASSIGNED
Assignee: pkg-bugs => ngompa13
Fixed upstream in 0.7.17, so Cauldron is not affected.
This would be the commit to backport for Mageia 7:
https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec
Neal built an update for Mageia 8:
libsolv1-0.7.19-1.mga8
perl-solv-0.7.19-1.mga8
python3-solv-0.7.19-1.mga8
libsolv-tools-0.7.19-1.mga8
ruby-solv-0.7.19-1.mga8
libsolv-devel-0.7.19-1.mga8
libsolv-demo-0.7.19-1.mga8
libsolv-doc-0.7.19-1.mga8
from libsolv-0.7.19-1.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: (none) => Patch available from upstream
Fix for Mageia 7 is in SVN. Any chance a sysadmin could freeze push it? (yes we know EOL just hit)
CC: (none) => sysadmin-bugs
(In reply to David Walser from comment #4)
> Fix for Mageia 7 is in SVN. Any chance a sysadmin could freeze push it?
> (yes we know EOL just hit)
It is not in SVN, I am unable to commit it.
Weird, I can still commit to SVN. You must be having a different issue. I'll just assign this to QA then, maybe we can deal with mga7 if you get that sorted out.
Assignee: ngompa13 => qa-bugs
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from upstream => (none)
Created attachment 12839
libsolv mga7 update diff
(In reply to David Walser from comment #6)
> Weird, I can still commit to SVN. You must be having a different issue.
>
> I'll just assign this to QA then, maybe we can deal with mga7 if you get
> that sorted out.
ngompa@localhost ~/m/7/libsolv> mgarepo ci -m "Backport fix for CVE-2021-3200"
svn: E170001: Commit failed (details follow):
svn: E170001: Authorization failed
If someone wants to, I've attached the diff, they can commit themselves and get it done for Mageia 7.
Installed the package list in Mga 8. I will now do some QA testing with dnf.
Ulrich
CC: (none) => bequimao.de
Advisory:
========================

Updated libsolv packages fix a security vulnerability:

Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service (CVE-2021-3200).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29167
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3200
- https://lists.suse.com/pipermail/sle-security-updates/2021-June/009080.html
========================

Updated packages in core/updates_testing:
========================
lib(64)solv1-0.7.19-1.mga8
perl-solv-0.7.19-1.mga8
python3-solv-0.7.19-1.mga8
libsolv-tools-0.7.19-1.mga8
ruby-solv-0.7.19-1.mga8
lib(64)solv-devel-0.7.19-1.mga8
libsolv-demo-0.7.19-1.mga8
libsolv-doc-0.7.19-1.mga8

from libsolv-0.7.19-1.mga8.src.rpm
Source RPM: libsolv-0.7.19-1.mga9.src.rpm => libsolv-0.7.16-1.mga8.src.rpm
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-3200
Created attachment 12858
dnf history of test
Installed the package list on MGA 8 64-bit and did some upgrades and QA testing. Transaction numbers from 51 to 65. No problems occurred.
Ulrich
MGA8-64 VM using dnf. MGA8-64-OK. Validating
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0351.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2021-44569 and CVE-2021-4457[01345679]:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XVLRHB6CUX3SHYOIGVUQNWAOW5JYANWH/
It looks like those were fixed in 0.7.17.
This update also fixed:
* libsolv: various flaws (CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938)
* libsolv: Heap overflow (CVE-2021-44568)
https://access.redhat.com/errata/RHSA-2022:5498