Bug 29429 - squashfs-tools new security issues CVE-2021-40153 and CVE-2021-41072
Summary: squashfs-tools new security issues CVE-2021-40153 and CVE-2021-41072
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-31 19:44 CEST by David Walser
Modified: 2021-11-26 01:23 CET

See Also:
Source RPM: squashfs-tools-4.4-3.git1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-08-31 19:44:29 CEST
Ubuntu has issued an advisory today (August 31):
https://ubuntu.com/security/notices/USN-5057-1

Mageia 8 is also affected.
David Walser 2021-08-31 19:44:44 CEST

Status comment: (none) => Patch available from Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-08-31 19:51:05 CEST
Fedora has issued an advisory for this on August 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
Comment 2 Lewis Smith 2021-08-31 20:06:27 CEST
A coincidence: another update for a parentless SRPM which you tv have largely maintained.

Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2021-09-07 19:48:16 CEST
Debian has issued an advisory for this on September 4:
https://www.debian.org/security/2021/dsa-4967
Comment 4 David Walser 2021-09-15 16:04:31 CEST
Ubuntu has issued an advisory today (September 15):
https://ubuntu.com/security/notices/USN-5078-1

Mageia 8 is also affected.

Summary: squashfs-tools new security issue CVE-2021-40153 => squashfs-tools new security issues CVE-2021-40153 and CVE-2021-41072
Status comment: Patch available from Ubuntu => Patches available from Ubuntu

Comment 5 Nicolas Lécureuil 2021-09-23 23:06:49 CEST
fixed in mga9

CC: (none) => mageia
Status comment: Patches available from Ubuntu => (none)
Version: Cauldron => 8

Comment 6 Nicolas Lécureuil 2021-09-23 23:14:14 CEST
fixed in mga8:

src:
    - squashfs-tools-4.4-3.git1.1.mga8

Assignee: thierry.vignaud => qa-bugs

David Walser 2021-09-23 23:21:35 CEST

Whiteboard: MGA8TOO => (none)

Comment 7 David Walser 2021-09-26 19:38:21 CEST
Fedora has issued an advisory on September 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/

They fixed an additional security issue.

Version: 8 => Cauldron
Assignee: qa-bugs => mageia
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Cauldron

David Walser 2021-09-26 19:53:33 CEST

Status comment: Patch available from Cauldron => Patch available from Fedora

Comment 8 David Walser 2021-10-15 20:55:21 CEST
Debian has issued an advisory for the newer issue today (October 15):
https://www.debian.org/security/2021/dsa-4987
Comment 9 David Walser 2021-10-15 20:56:06 CEST
Ubuntu has issued an advisory for the newer issue on October 13:
https://ubuntu.com/security/notices/USN-5078-3
Comment 10 Nicolas Lécureuil 2021-11-25 22:45:34 CET
(In reply to David Walser from comment #7)
> Fedora has issued an advisory on September 24:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/
> 
> They fixed an additional security issue.

This is not the same version (4.4 vs 4.5).

I think we need to validate this and then see with our squashfs-tools maintainer to have his agreement for an update to version 4.5.

Assignee: mageia => qa-bugs
Status comment: Patch available from Fedora => (none)

Comment 11 David Walser 2021-11-26 01:23:53 CET
(In reply to Nicolas Lécureuil from comment #10)
> (In reply to David Walser from comment #7)
> > Fedora has issued an advisory on September 24:
> > https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/
> > 
> > They fixed an additional security issue.
> 
> This is not the same version (4.4 vs 4.5).
> 
> I think we need to validate this and then see with our squashfs-tools
> maintainer to have his agreement for an update to version 4.5.

Then you need to make a new bug for it and not just pretend it never happened.
