Bug 29382 - hivex new security issue CVE-2021-3622
Summary: hivex new security issue CVE-2021-3622
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-08-18 16:36 CEST by David Walser
Modified: 2021-12-02 17:50 CET (History)
6 users (show)

See Also:
Source RPM: hivex-1.3.20-2.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-08-18 16:36:21 CEST 
Fedora has issued an advisory today (August 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/USD4OEV6L3RPHE32V2MJ4JPFBODINWSU/

The issue is fixed upstream in 1.3.21.

Thierry already knew this and forgot to file a bug again, and updated it in Cauldron but it failed to build.

Mageia 8 is also affected.
David Walser 2021-08-18 16:36:37 CEST

Status comment: (none) => Fixed upstream in 1.3.21
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-10-13 15:02:21 CEST 
hivex-1.3.21-2.mga9 uploaded for Cauldron by Thierry.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 Nicolas Lécureuil 2021-11-25 22:54:01 CET 
fixed in mga8:


src:
    - hivex-1.3.20-1.1.mga8

Assignee: thierry.vignaud => qa-bugs
Status comment: Fixed upstream in 1.3.21 => (none)
CC: (none) => mageia, thierry.vignaud

Comment 3 David Walser 2021-11-26 01:26:41 CET 
hivex-1.3.20-1.1.mga8
perl-hivex-1.3.20-1.1.mga8
ruby-hivex-1.3.20-1.1.mga8
ocaml-hivex-devel-1.3.20-1.1.mga8
libhivex0-1.3.20-1.1.mga8
ocaml-hivex-1.3.20-1.1.mga8
libhivex-devel-1.3.20-1.1.mga8
python3-hivex-1.3.20-1.1.mga8

from hivex-1.3.20-1.1.mga8.src.rpm
Comment 4 Herman Viaene 2021-11-27 20:34:31 CET 
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 28925 for testing at CLI:
$ hivexsh SOFTWARE 

Welkom bij hivexsh, de hivex interactieve shell voor het bekijken van
Windows Registry binaire hive bestanden.

Type: 'help' voor een hulp samenvatting
      'quit' om de shell te verlaten

SOFTWARE\> help
Navigeer door de sleutels van hive met het 'cd' commando, alsof het
een bestandssysteem bevat, en gebruik 'ls' om de sub-sleutels van de huidige
sleutel te tonen. Volledige documentatie is in de hivexsh(1) manual pagina.
SOFTWARE\> ls
AMD
ATI
ATI Technologies
Classes
etc ....
SOFTWARE\> cd LibreOffice
SOFTWARE\LibreOffice> ls
Layers
LibreOffice
UNO
SOFTWARE\LibreOffice> cd LibreOffice
SOFTWARE\LibreOffice\LibreOffice> ls
7.2
SOFTWARE\LibreOffice\LibreOffice> cd 7.2

So seems to work OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2021-11-28 15:50:24 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-01 22:40:36 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-12-02 17:50:33 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0528.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.