Bug 29167 - libsolv new security issue CVE-2021-3200
Summary: libsolv new security issue CVE-2021-3200
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-24 04:24 CEST by David Walser
Modified: 2022-07-18 19:03 CEST

See Also:
Source RPM: libsolv-0.7.16-1.mga8.src.rpm
CVE: CVE-2021-3200
Status comment:


Attachments
libsolv mga7 update diff (3.02 KB, patch)
2021-07-02 14:23 CEST, Neal Gompa
dnf history of test (51.23 KB, text/plain)
2021-07-12 15:43 CEST, Ulrich Beckmann

Description David Walser 2021-06-24 04:24:59 CEST
SUSE has issued an advisory today (June 23):
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009080.html

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-24 04:25:17 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => ngompa13

Comment 1 Lewis Smith 2021-06-24 20:10:01 CEST
libsolv is committed by various people, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Neal Gompa 2021-06-28 16:23:23 CEST
Working on it.

Status: NEW => ASSIGNED
Assignee: pkg-bugs => ngompa13

Comment 3 David Walser 2021-06-28 21:43:11 CEST
Fixed upstream in 0.7.17, so Cauldron is not affected.

This would be the commit to backport for Mageia 7:
https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec

Neal built an update for Mageia 8:
libsolv1-0.7.19-1.mga8
perl-solv-0.7.19-1.mga8
python3-solv-0.7.19-1.mga8
libsolv-tools-0.7.19-1.mga8
ruby-solv-0.7.19-1.mga8
libsolv-devel-0.7.19-1.mga8
libsolv-demo-0.7.19-1.mga8
libsolv-doc-0.7.19-1.mga8

from libsolv-0.7.19-1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: (none) => Patch available from upstream

Comment 4 David Walser 2021-07-01 14:26:50 CEST
Fix for Mageia 7 is in SVN.  Any chance a sysadmin could freeze push it?  (yes we know EOL just hit)

CC: (none) => sysadmin-bugs

Comment 5 Neal Gompa 2021-07-01 20:18:13 CEST
(In reply to David Walser from comment #4)
> Fix for Mageia 7 is in SVN.  Any chance a sysadmin could freeze push it? 
> (yes we know EOL just hit)

It is not in SVN, I am unable to commit it.

Comment 6 David Walser 2021-07-01 20:25:43 CEST
Weird, I can still commit to SVN.  You must be having a different issue.

I'll just assign this to QA then, maybe we can deal with mga7 if you get that sorted out.

Assignee: ngompa13 => qa-bugs
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from upstream => (none)

Comment 7 Neal Gompa 2021-07-02 14:23:40 CEST
Created attachment 12839
libsolv mga7 update diff

(In reply to David Walser from comment #6)
> Weird, I can still commit to SVN.  You must be having a different issue.
> 
> I'll just assign this to QA then, maybe we can deal with mga7 if you get
> that sorted out.

ngompa@localhost ~/m/7/libsolv> mgarepo ci -m "Backport fix for CVE-2021-3200"
svn: E170001: Commit failed (details follow):
svn: E170001: Authorization failed

If someone wants to, I've attached the diff, they can commit themselves and get it done for Mageia 7.

Comment 8 Ulrich Beckmann 2021-07-04 19:30:38 CEST
Installed the package list in Mga 8.
I will now do some QA testing with dnf.

Ulrich

CC: (none) => bequimao.de

Comment 9 Aurelien Oudelet 2021-07-10 20:55:52 CEST
Advisory:
========================

Updated libsolv packages fix a security vulnerability:

Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp) function at src/testcase.c: line 2334, which could cause a denial of service (CVE-2021-3200).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29167
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3200
 - https://lists.suse.com/pipermail/sle-security-updates/2021-June/009080.html
========================

Updated packages in core/updates_testing:
========================
lib(64)solv1-0.7.19-1.mga8
perl-solv-0.7.19-1.mga8
python3-solv-0.7.19-1.mga8
libsolv-tools-0.7.19-1.mga8
ruby-solv-0.7.19-1.mga8
lib(64)solv-devel-0.7.19-1.mga8
libsolv-demo-0.7.19-1.mga8
libsolv-doc-0.7.19-1.mga8

from libsolv-0.7.19-1.mga8.src.rpm

Source RPM: libsolv-0.7.19-1.mga9.src.rpm => libsolv-0.7.16-1.mga8.src.rpm
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-3200

Comment 10 Ulrich Beckmann 2021-07-12 15:43:46 CEST
Created attachment 12858
dnf history of test

Installed the package list on MGA 8 64-bit and did some upgrades and qa-testing. Transaction numbers from 51 to 65.

No problems occurred.

Ulrich

Comment 11 Aurelien Oudelet 2021-07-13 10:51:36 CEST
MGA8-64 VM using dnf.

MGA8-64-OK.
Validating

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Aurelien Oudelet 2021-07-13 22:16:50 CEST

Keywords: (none) => advisory

Comment 12 Mageia Robot 2021-07-14 01:45:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0351.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 13 David Walser 2022-03-01 17:12:55 CET
This update also fixed CVE-2021-44569 and CVE-2021-4457[01345679]:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XVLRHB6CUX3SHYOIGVUQNWAOW5JYANWH/

It looks like those were fixed in 0.7.17.

Comment 14 David Walser 2022-07-18 19:03:51 CEST
This update also fixed:
* libsolv: various flaws (CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938)
* libsolv: Heap overflow (CVE-2021-44568)

https://access.redhat.com/errata/RHSA-2022:5498
