Bug 29723 - gmp new security issue CVE-2021-43618
Summary: gmp new security issue CVE-2021-43618
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2021-12-03 22:08 CET by David Walser
Modified: 2021-12-08 21:05 CET
CC List: 5 users

See Also:
Source RPM: gmp-6.2.1-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-12-03 22:08:29 CET
Debian-LTS has issued an advisory on December 2:
https://www.debian.org/lts/security/2021/dla-2837

Mageia 8 is also affected.
David Walser 2021-12-03 22:08:53 CET

Status comment: (none) => Patch available from Debian and upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-12-03 22:54:14 CET
fixed in mga 8/9:


src:
    - gmp-6.2.1-1.1.mga8

CC: (none) => mageia
Status comment: Patch available from Debian and upstream => (none)
Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8

Comment 2 David Walser 2021-12-03 23:00:57 CET
libgmp10-6.2.1-1.1.mga8
libgmpxx-devel-6.2.1-1.1.mga8
libgmpxx4-6.2.1-1.1.mga8
libgmp-devel-6.2.1-1.1.mga8

from gmp-6.2.1-1.1.mga8.src.rpm
Comment 3 Herman Viaene 2021-12-06 12:05:45 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
No wiki or previous updates.
# urpmq --whatrequires lib64gmp10
returned a long list with many things that point me to developer's tools, but I picked another one.
$ strace -o ~/Documenten/gmp.txt genius
Genius 1.0.25
Copyright (C) 1997-2020 Jiří (George) Lebl
This is free software with ABSOLUTELY NO WARRANTY.
For license details type `warranty'.
For help type `manual' or `help'.

genius> 2+2
= 4
genius> help

Voor een handleiding voor Genius en de GEL-taal typ:
  handleiding

Voor hulp over een specifiek functietype, typ:
  hulp FunctieNaam

Opdrachten:
help                 - Hulp tonen (of de hulp bij een functie/opdracht)
load                 - Load a file into the interpreter
cd                   - Van map veranderen
pwd                  - Huidige map tonen
ls                   - Bestanden in de huidige map tonen
plugin               - Een plugin laden

Eenvoudig:
AskButtons           - Ask a question and present a list of buttons.  Returns the 1-based index of the button pressed (or null on failure).
AskString            - Ask a question and return a string.  Optionally pass in a default.
and that goes on forever.
But the trace shows a call to libgmp.
BTW: the list of dependencies also shows coreutils, but a trace on a mkdir command gave no result, so I abandoned the idea of trying these basic commands. But notice that the normal operation of the machine is not disturbed, so it should be OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
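
The strace step in comment 3 is there to prove that the test program really pulls in the updated libgmp rather than just running. The following script is an added example and not part of the bug report or the tester's own commands: it checks an strace log for a successful open of a named library, skipping the "-1 ENOENT" probe lines the dynamic loader produces while searching its path. The function name lib_loaded and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: check an strace log to confirm that
# the traced program really opened the library under test, which is the point of
# the "strace -o ~/Documenten/gmp.txt genius" step above. The function name
# lib_loaded and the sample log lines are constructed for this example.

# lib_loaded LOGFILE LIBNAME
# Print the first path containing LIBNAME that the traced process opened
# successfully (an open/openat call that returned a descriptor, not -1).
# Exit status 0 when such a line exists, 1 otherwise.
lib_loaded() {
    log="$1"
    lib="$2"
    # Match only successful opens: the syscall result must be a non-negative
    # number, so "= -1 ENOENT (...)" lines for paths the loader probed and
    # did not find are ignored.
    grep -E "^(open|openat)\(.*${lib}[^\"]*\".*= [0-9]+\$" "$log" 2>/dev/null \
        | sed -E 's/.*"([^"]*)".*/\1/' \
        | head -n 1 \
        | grep .
}

# make_sample_log FILE
# Write a small constructed strace excerpt resembling what "strace -o" records
# when a program loads libgmp: one failed probe, then the successful open.
make_sample_log() {
    cat > "$1" <<'EOF'
openat(AT_FDCWD, "/usr/lib64/libgmp.so.10", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libgmp.so.10", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3"..., 832) = 832
EOF
}

# Usage against a real trace after installing the update:
#   strace -o /tmp/gmp.txt genius        (then quit genius)
#   lib_loaded /tmp/gmp.txt libgmp.so && echo "libgmp was loaded"
```

Pairing the reported path with the package that owns it (for example through rpm -qf on the printed path) closes the loop: the trace shows the library was loaded, and the package query shows it is the patched build.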

Comment 4 Thomas Andrews 2021-12-07 14:04:21 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-08 01:25:41 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-12-08 21:05:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0544.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

