Bug 29987 - rpm new security issue CVE-2021-3521
Summary: rpm new security issue CVE-2021-3521
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-02-02 18:44 CET by David Walser
Modified: 2022-09-10 22:27 CEST (History)
4 users

See Also:
Source RPM: rpm-4.16.1.3-1.1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-02-02 18:44:11 CET
RedHat has issued an advisory on February 1:
https://access.redhat.com/errata/RHSA-2022:0368
Comment 1 Thierry Vignaud 2022-02-05 10:52:23 CET
We need upstream to backport the fixes to the 4.16.x branch:
https://github.com/rpm-software-management/rpm/pull/1788#issuecomment-1030591355
Comment 2 David Walser 2022-02-05 16:07:04 CET
RedHat has already done it in CentOS 9 Stream in this commit:
https://git.centos.org/rpms/rpm/c/3f3ddd0c8927e60ed546707bac1303a44035f0ec?branch=c9-beta

It's rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch

Status comment: (none) => Patch available from RedHat

Comment 3 Nicolas Lécureuil 2022-09-05 22:16:51 CEST
upstream patch: 

https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8

CC: (none) => mageia

Comment 4 Nicolas Lécureuil 2022-09-05 22:23:21 CEST
src:
    - rpm-4.16.1.3-1.2.mga8

Status comment: Patch available from RedHat => (none)
Assignee: thierry.vignaud => qa-bugs

Comment 5 David Walser 2022-09-05 22:38:13 CEST
rpm-4.16.1.3-1.2.mga8
librpm9-4.16.1.3-1.2.mga8
rpm-build-4.16.1.3-1.2.mga8
python3-rpm-4.16.1.3-1.2.mga8
librpmbuild9-4.16.1.3-1.2.mga8
librpm-devel-4.16.1.3-1.2.mga8
librpmsign9-4.16.1.3-1.2.mga8
rpm-sign-4.16.1.3-1.2.mga8
rpm-plugin-systemd-inhibit-4.16.1.3-1.2.mga8
rpm-plugin-prioreset-4.16.1.3-1.2.mga8
rpm-plugin-audit-4.16.1.3-1.2.mga8
rpm-plugin-selinux-4.16.1.3-1.2.mga8
rpm-plugin-ima-4.16.1.3-1.2.mga8
rpm-plugin-syslog-4.16.1.3-1.2.mga8
rpm-cron-4.16.1.3-1.2.mga8
rpm-apidocs-4.16.1.3-1.2.mga8

from rpm-4.16.1.3-1.2.mga8.src.rpm
Comment 6 Thomas Andrews 2022-09-08 03:17:03 CEST
Tested in VirtualBox.

No installation issues using qarepo. Tested by running rpmdrake and installing several games. No installation issues with the games; dependencies were identified and installed without incident.

I ran each of the games, and each worked, except one, Bitfighter. That one had a popup that the version is old, and that's about it. (Filing a bug) I then used rpmdrake once more to remove the games, without incident.

Giving this an OK, and validating.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-09-08 18:41:21 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-09-10 22:27:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0321.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

