Bug 29659 - botan2 new security issue CVE-2021-40529
Summary: botan2 new security issue CVE-2021-40529
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2021-11-12 22:16 CET by David Walser
Modified: 2021-12-19 13:27 CET
Source RPM: botan2-2.17.3-2.mga8.src.rpm

Description David Walser 2021-11-12 22:16:51 CET
Fedora has issued an advisory today (November 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UPHGYWNJQKWLTUWBNSFB4F66MQDIL3IB/

The issue is fixed upstream in 2.18.2.
David Walser 2021-11-12 22:17:11 CET

Status comment: (none) => Fixed upstream in 2.18.2

Comment 1 Nicolas Lécureuil 2021-12-14 22:40:10 CET
Patch added in mga8:


src:
    - botan2-2.17.3-2.1.mga8

Status comment: Fixed upstream in 2.18.2 => (none)
CC: (none) => mageia, smelror
Assignee: smelror => qa-bugs

Comment 2 David Walser 2021-12-14 22:56:13 CET
Build failed:
http://pkgsubmit.mageia.org/uploads/failure/8/core/updates_testing/20211214213810.neoclust.duvel.3026676/log/botan2-2.17.3-2.1.mga8/build.aarch64.0.20211214213850.log

Assignee: qa-bugs => mageia
Status comment: (none) => Fixed upstream in 2.18.2

Comment 3 Nicolas Lécureuil 2021-12-14 23:08:03 CET
build OK

Status comment: Fixed upstream in 2.18.2 => (none)
Assignee: mageia => qa-bugs

Comment 4 David Walser 2021-12-14 23:09:14 CET
libbotan2_17-2.17.3-2.1.mga8
libbotan2-devel-2.17.3-2.1.mga8
botan2-2.17.3-2.1.mga8
python3-botan2-2.17.3-2.1.mga8
botan2-doc-2.17.3-2.1.mga8

from botan2-2.17.3-2.1.mga8.src.rpm
Comment 5 Herman Viaene 2021-12-16 16:34:13 CET
MGA7-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Test along bug 26955 Comment 6
$ botan --help
Usage: botan <cmd> <cmd-options>
All commands support --verbose --help --output= --error-output= --rng-type= --drbg-seed=

Available commands:

Encoders/Decoders:
   asn1print          Decode and print file with ASN.1 Basic Encoding Rules (BER)
and a lot more.....
$ echo "Test File" > testbotan.txt
$ botan base64_enc testbotan.txt > testbotancrypt.txt
$ cat testbotancrypt.txt
VGVzdCBGaWxlCg==
$ botan base64_dec testbotancrypt.txt
Test File
$ python3
Python 3.8.12 (default, Sep 12 2021, 19:57:22) 
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import botan2
>>> tester = botan2.RandomNumberGenerator()
>>> tested = tester.get(10)
>>> print ("Random number is {}".format(tested))
Random number is b'\xfb\x11\x91\xa4\xa0\x03uWe\xf1'
>>> quit()
$ lynx /usr/share/doc/botan-2.17.3/handbook/index.html


Looks OK, note that the file has changed name since bug 26955.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2021-12-16 17:19:31 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-12-19 12:14:57 CET

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-12-19 13:27:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0563.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

