Bug 29493 - libss7 new security issue rhbz#1932066
Summary: libss7 new security issue rhbz#1932066
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-09-26 19:08 CEST by David Walser
Modified: 2021-10-06 21:43 CEST

See Also:
Source RPM: libss7-2.0.0-4.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-09-26 19:08:30 CEST
Fedora has issued an advisory on September 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7WQQBJ424DJMGRN6HI2OEMSSZ5XBG5ZH/

The issue is fixed upstream in 2.0.1.

Mageia 8 is also affected.
David Walser 2021-09-26 19:08:46 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.0.1

Comment 1 Marja Van Waes 2021-09-26 22:23:07 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing ovitters, because he's the only one, apart from umeabot, who touched this package in the last five years.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, olav

Comment 2 Nicolas Salguero 2021-09-27 10:10:55 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsafe use of strncpy. (rhbz#1932066)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7WQQBJ424DJMGRN6HI2OEMSSZ5XBG5ZH/
========================

Updated packages in core/updates_testing:
========================
lib(64)ss7_2-2.0.1-1.mga8
lib(64)ss7-devel-2.0.1-1.mga8

from SRPM:
libss7-2.0.1-1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 2.0.1 => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2021-10-05 13:48:20 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues
No previous updates, googling for an example draws a zero, and at CLI:
]# urpmq --whatrequires lib64ss7_2
lib64ss7-devel
lib64ss7_2
# urpmq --whatrequires-recursive lib64ss7_2
lib64ss7-devel
lib64ss7_2
OK'ing on clean install, unless someone's got a better idea.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-10-05 17:02:37 CEST
I did the same yesterday. I did find a description of ss7 at https://en.wikipedia.org/wiki/Signalling_System_No._7 but have no idea if it is applicable. Too complicated to expect QA to master sufficiently to test, anyway.

Clean install it is. Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Herman Viaene 2021-10-05 17:19:38 CEST
I should have known. As telephony is switching over to VOIP, I doubt there is still much use for ss7. In Belgium in analogue times (but computer controlled), ss7 was used to transfer info on call-setup and -duration from the switching exchange to a "Taxation Center" which calculated the cost of calls to be billed to the call-originator.
Dave Hodgins 2021-10-06 20:00:47 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2021-10-06 21:43:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0465.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
