Bug 29565 - util-linux new security issues CVE-2021-37600, CVE-2021-399[56], CVE-2022-0563
Summary: util-linux new security issues CVE-2021-37600, CVE-2021-399[56], CVE-2022-0563
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-19 16:02 CEST by David Walser
Modified: 2022-02-22 21:16 CET (History)
7 users (show)

See Also:
Source RPM: util-linux-2.36.1-5.mga8.src.rpm
CVE:
Status comment: Patches available from upstream


Attachments

Description David Walser 2021-10-19 16:02:35 CEST
SUSE has issued an advisory today (October 19):
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009610.html

The issue is fixed upstream in 2.37.2.
David Walser 2021-10-19 16:02:47 CEST

Status comment: (none) => Patch available from upstream

Marja Van Waes 2021-10-19 22:01:04 CEST

CC: (none) => marja11
Assignee: bugsquad => basesystem

Comment 1 David Walser 2022-01-24 15:57:58 CET
Security issues fixed upstream in util-linux have been announced today (January 24):
https://www.openwall.com/lists/oss-security/2022/01/24/2

The upstream commits that fixed the issues are linked in the message above.

The fixes are included in 2.37.3 (pushed in Cauldron).

Summary: util-linux new security issue CVE-2021-37600 => util-linux new security issues CVE-2021-37600 and CVE-2021-399[56]

Comment 2 David Walser 2022-01-24 16:03:55 CET
Build failed in Cauldron, said it can't find linux/raw.h even though kernel-userspace-headers is in the buildroot.

http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220124145600.luigiwalser.duvel.855318/log/util-linux-2.37.3-1.mga9/build.x86_64.0.20220124145605.log

CC: (none) => tmb
Version: 8 => Cauldron
Status comment: Patch available from upstream => Patches available from upstream
Whiteboard: (none) => MGA8TOO

Comment 5 Thomas Backlund 2022-01-24 17:17:17 CET
or just drop "--enable-raw"
Comment 6 David Walser 2022-01-24 20:18:39 CET
Thanks (raw dropped by Thomas, 2.37.3 successfully built).

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 7 David Walser 2022-01-25 23:25:07 CET
Debian has issued an advisory for two of these CVEs on January 24:
https://www.debian.org/security/2022/dsa-5055
Comment 8 David Walser 2022-02-05 18:13:17 CET
(In reply to David Walser from comment #7)
> Debian has issued an advisory for two of these CVEs on January 24:
> https://www.debian.org/security/2022/dsa-5055

Fedora advisory from February 4 for the same CVEs:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SW73IARDAP7WWQ6ETYQB2OS2SLW4XTT3/
Comment 9 David Walser 2022-02-09 16:01:36 CET
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > Debian has issued an advisory for two of these CVEs on January 24:
> > https://www.debian.org/security/2022/dsa-5055
> 
> Fedora advisory from February 4 for the same CVEs:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/SW73IARDAP7WWQ6ETYQB2OS2SLW4XTT3/

Ubuntu advisory from today (February 9) for those two CVEs:
https://ubuntu.com/security/notices/USN-5279-1
Comment 10 David Walser 2022-02-16 22:48:31 CET
Fedora has issued an advisory today (February 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YUFRTN7YYS4ESW372SWK2PURGSGVDL4/

The issue is fixed upstream in 2.37.4.

Summary: util-linux new security issues CVE-2021-37600 and CVE-2021-399[56] => util-linux new security issues CVE-2021-37600, CVE-2021-399[56], CVE-2022-0563

Comment 11 David Walser 2022-02-18 18:45:30 CET
More details on CVE-2021-399[56] in this advisory:
https://www.openwall.com/lists/oss-security/2022/02/17/2
Comment 12 Thomas Backlund 2022-02-18 20:26:41 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37600
- disputed with comment:
  NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

but as the fix is non-invasive I've added it anyway.

I also updated to 2.36.2 maintenance release:
https://cdn.kernel.org/pub/linux/utils/util-linux/v2.36/v2.36.2-ReleaseNotes

so all CVE fixes added on topof 2.36.2 and is now building as util-linux-2.36.2-1.mga8
Comment 13 Thomas Backlund 2022-02-18 20:33:44 CET
SRPM:
util-linux-2.36.2-1.mga8.src.rpm


i586:
libblkid1-2.36.2-1.mga8.i586.rpm
libblkid-devel-2.36.2-1.mga8.i586.rpm
libfdisk1-2.36.2-1.mga8.i586.rpm
libfdisk-devel-2.36.2-1.mga8.i586.rpm
libmount1-2.36.2-1.mga8.i586.rpm
libmount-devel-2.36.2-1.mga8.i586.rpm
libsmartcols1-2.36.2-1.mga8.i586.rpm
libsmartcols-devel-2.36.2-1.mga8.i586.rpm
libuuid1-2.36.2-1.mga8.i586.rpm
libuuid-devel-2.36.2-1.mga8.i586.rpm
python3-libmount-2.36.2-1.mga8.i586.rpm
util-linux-2.36.2-1.mga8.i586.rpm
uuidd-2.36.2-1.mga8.i586.rpm


x86_64:
lib64blkid1-2.36.2-1.mga8.x86_64.rpm
lib64blkid-devel-2.36.2-1.mga8.x86_64.rpm
lib64fdisk1-2.36.2-1.mga8.x86_64.rpm
lib64fdisk-devel-2.36.2-1.mga8.x86_64.rpm
lib64mount1-2.36.2-1.mga8.x86_64.rpm
lib64mount-devel-2.36.2-1.mga8.x86_64.rpm
lib64smartcols1-2.36.2-1.mga8.x86_64.rpm
lib64smartcols-devel-2.36.2-1.mga8.x86_64.rpm
lib64uuid1-2.36.2-1.mga8.x86_64.rpm
lib64uuid-devel-2.36.2-1.mga8.x86_64.rpm
python3-libmount-2.36.2-1.mga8.x86_64.rpm
util-linux-2.36.2-1.mga8.x86_64.rpm
uuidd-2.36.2-1.mga8.x86_64.rpm

Assignee: basesystem => qa-bugs

Comment 14 Len Lawrence 2022-02-19 19:24:34 CET
mga8, x86_64

Updated packages without issues.
util-linux contains basic utilities which should be exercised during booting I think and definitely for logging in.  So, logout and reboot.  Kept an eye on the  log - no problems flagged.  login as normal.  Everything mounted as expected.
Ran GSmartControl to see if any disks supported SMART.
# gsmartcontrol
The terminal log posted many errors and warnings of this sort:
<warn>  [hz] Warning: exit: Device open failed, or device did not return an IDENTIFY DEVICE structure.
<error> [gtk] setenv()/putenv() are not thread-safe and should not be used after threads are created
<error> [gtk] setenv()/putenv() are not thread-safe and should not be used after threads are created
<warn>  [app] SmartctlParser::parse_section_info_property(): Unknown property "TRIM Command"

The gui appeared, displaying six disks - 2 plugged in USB drives, an optical drive, an HDD with SMART enabled, an unknown model (the NVME system disk) without SMART support and the optical drive.
SMART was already enabled for one of the USB drives; the other one does not support SMART.  The three SMART devices passed the health check.

It looks good so far.  Leaving this in case somebody knows of any detailed tests we should run.

CC: (none) => tarazed25

Comment 15 Len Lawrence 2022-02-20 17:03:32 CET
OK, lets send this out.

Whiteboard: (none) => MGA8-64-OK

Comment 16 Morgan Leijström 2022-02-21 19:29:28 CET
mga8-64 OK on my workstation: i7, plasma, nvidia-current, LUKS, LVM, ext4
Installed, rebooted, in use during the day, no issues noted.

CC: (none) => fri

Comment 17 Thomas Andrews 2022-02-22 04:18:24 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-22 20:16:21 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 18 Mageia Robot 2022-02-22 21:16:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0076.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.