Bug 30076 - sphinx new security issue CVE-2020-29050
Summary: sphinx new security issue CVE-2020-29050
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-02-21 23:53 CET by David Walser
Modified: 2022-03-23 09:37 CET (History)
6 users (show)

See Also:
Source RPM: sphinx-2.3.2-0.beta.3.mga8.src.rpm
Status comment:


Description David Walser 2022-02-21 23:53:29 CET
Debian has issued an advisory on January 6:

I didn't realize it was for the same package.

openSUSE has issued an advisory for this today (February 21):

Mageia 8 is also affected.
David Walser 2022-02-21 23:53:44 CET

Whiteboard: (none) => MGA8TOO

David Walser 2022-02-21 23:55:05 CET

CC: (none) => java, zen25000

Comment 1 Barry Jackson 2022-02-22 12:35:57 CET
Thanks David,
I am not sure what to do with this.
Version 2.3.2 is the latest version for which Sphinx have released sources, I have been waiting for this to change, but they are now talking about version 4.x.x and have still not made any 3.x.x sources available, only pre-packaged binaries as far as I can see.
I suspect that the fix applies binary patches, which if made for 3.x.x will be useless for 2.3.2. 
I think that other distros somehow use the upstream binary repository in order to provide the latest package.
Comment 2 David Walser 2022-02-22 15:12:54 CET
It looks like Debian and openSUSE have backported patches.  It sounds like the package should probably be dropped in Cauldron.
Comment 3 Lewis Smith 2022-02-22 19:50:41 CET
Glad Barry picked this up; changing you from CC to assignee.

Assignee: bugsquad => zen25000
CC: zen25000 => (none)

Comment 4 Barry Jackson 2022-02-23 19:06:18 CET
I have requested access to current sources upstream.
Comment 5 Nicolas Lécureuil 2022-02-24 22:18:05 CET
here is the debian patch :


CC: (none) => mageia

Comment 6 Barry Jackson 2022-03-09 00:36:40 CET
sphinx-2.3.2-0.beta.3.1.mga8 has been submitted to core/updates_testing.

Security issue CVE-2020-29050
It was found that sphinx could allow arbitrary files to be read by abusing a configuration option.
This has been fixed in this patched update.





RPMs affected


I have not come across a test for this issue, so I will leave it to QA to decide whether simply checking install is adequate.
There is a quick start guide on usage in /usr/share/doc/sphinx/sphinx.html which is installed by the sphinx base package.

Assignee: zen25000 => qa-bugs

Thomas Backlund 2022-03-09 17:19:00 CET

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 7 Thomas Andrews 2022-03-18 16:28:58 CET
Installed all except debug packages from core into a Vbox guest, then used qarepo to get the updates. No installation issues.

This sort of thing is WAY out of my experience, so I am very limited when it comes to testing. I consulted previous updates, and found Bug 10382. That one involved starting the service, which I was able to do successfully:

● sphinx-searchd.service - Sphinx - SQL Full Text Search Engine
     Loaded: loaded (/usr/lib/systemd/system/sphinx-searchd.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-03-18 09:48:09 EDT; 35s ago
    Process: 50601 ExecStart=/usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf (code=exited, status=0/SUCCESS)
   Main PID: 50604 (sphinx-searchd)
      Tasks: 8 (limit: 4695)
     Memory: 5.0M
        CPU: 92ms
     CGroup: /system.slice/sphinx-searchd.service
             ├─50603 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf
             └─50604 /usr/sbin/sphinx-searchd --config /etc/sphinx/sphinx.conf

Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: index 'test1': prealloc: failed to open /var/lib/sphinx/test1.sph: No such file or directory; NOT SERVING
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: precaching index 'test1stemmed'
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: index 'test1stemmed': prealloc: failed to open /var/lib/sphinx/test1stemmed.sph: No such file or directory; NOT SERVING
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: WARNING: multiple addresses found for 'localhost', using the first one (ip=
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50604]: precaching index 'rt'
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Sphinx 2.3.2-id64-beta (???)
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Copyright (c) 2001-2016, Andrew Aksyonoff
Mar 18 09:48:09 localhost.localdomain sphinx-searchd[50601]: Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Mar 18 09:48:09 localhost.localdomain systemd[1]: sphinx-searchd.service: Supervising process 50604 which is not our child. We'll most likely not notice when it exits.
Mar 18 09:48:09 localhost.localdomain systemd[1]: Started Sphinx - SQL Full Text Search Engine.

Bug 25946 was another. The test from that one was more involved, considerably beyond my capabilities. I tried following the quick start guide, but failed at around the second step because I have no clue about what I am trying to do.

So, if a clean install and being able to start the service are sufficient, then this is OK.

CC: (none) => andrewsfarm

Comment 8 Herman Viaene 2022-03-21 15:53:54 CET
MGA8-64 Plasmaon Lenovo B50 in Dutch.
No installation issues.
I wanted to repeat the tests from bug 25946, but therefore I want to use phpmyadmin.
The repo has now two versions of this: 5.0.4 and 5.1.2, but both draw in php 8.1.0. In view of the prolems this causes whenn testing further updates of php-8.0.X, I stop here.
I will not object TJ to OK this update.

CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2022-03-22 20:16:21 CET
Thank you, Herman. Going for it.

Validating. Advisory in Comment 6.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-03-23 00:34:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2022-03-23 09:37:30 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.