Bug 30187 - pesign new DoS security issue fixed upstream in 115 (rhbz#2065771)
Summary: pesign new DoS security issue fixed upstream in 115 (rhbz#2065771)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-18 03:47 CET by David Walser
Modified: 2022-03-29 01:17 CEST (History)

See Also:
Source RPM: pesign-0.112-9.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-03-18 03:47:35 CET
Fedora has issued an advisory today (March 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A4ROD5ZD5HMBROA3W3TU6T6O5TY64NN5/

The issue is fixed upstream in 115.

Mageia 8 is also affected.
David Walser 2022-03-18 03:47:50 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 115

Comment 1 Lewis Smith 2022-03-18 08:39:04 CET
This pkg is scarcely touched, so we need to assign this update also globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-03-18 15:19:45 CET
Hi,

For Mageia 8, pesign-0.112-9.1.mga8 solves the issue.

For Cauldron, I tried to update to pesign-115 but the build fails because it requires the mandoc command which is not available in Mageia. Is there an alternative to mandoc, available in Mageia, which is able to convert .mdoc files into man pages or do we need to import the mandoc package?

Best regards,

Nico

CC: (none) => nicolas.salguero

Comment 3 David Walser 2022-03-18 22:56:08 CET
Does "groff -mdoc" do what you need?
Comment 4 Nicolas Salguero 2022-03-21 11:57:17 CET
(In reply to David Walser from comment #3)
> Does "groff -mdoc" do what you need?

It was almost that. The good command was "groff -Tascii -man".

Now, I face another problem: a GCC bug which causes the build to fail with "-fcf-protection is not compatible with this target". That bug was not present last Friday. I will retry when the latest snapshot (gcc-12.0.1-0.20220320.1.mga9) is uploaded to see if the bug is solved.
Comment 5 David Walser 2022-03-21 14:53:00 CET
pesign fixed in Cauldron by Thierry.  Mageia 8 update built by Nicolas in Comment 2 (advisory pending).

Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 115 => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

Comment 6 Thomas Andrews 2022-03-23 21:11:32 CET
MGA8-64 Plasma Vbox guest. Installed pesign, then updated using qarepo. No installation issues.

From drakrpm: "This package contains the pesign utility for signing UEFI binaries as well as other associated tools." Sure sounds like developer stuff to me.

$ pesign --help
Usage: pesign [OPTION...]
  -i, --in=<infile>                              specify input file
  -o, --out=<outfile>                            specify output file
  -c, --certficate=<certificate nickname>        specify certificate nickname
  -n, --certdir=<certificate directory path>     specify nss certificate database directory (default: "/etc/pki/pesign")
  -f, --force                                    force overwriting of output file
  -s, --sign                                     create a new signature
  -h, --hash                                     hash binary
  -d, --digest_type=STRING                       digest type to use for pe hash (default: "sha256")
  -u, --signature-number=<sig-number>            specify which signature to operate on
  -t, --nss-token=STRING                         NSS token holding signing key (default: "NSS Certificate DB")
  -S, --show-signature                           show signature
  -r, --remove-signature                         remove signature
  -K, --export-pubkey=<outkey>                   export pubkey to file
  -C, --export-cert=<outcert>                    export signing cert to file
  -a, --ascii-armor                              use ascii armoring
  -D, --daemonize                                run as a daemon process
  -N, --nofork                                   don't fork when daemonizing
  -v, --verbose                                  be very verbose
  -P, --padding                                  pad data section

Options implemented via popt alias/exec:

Help options:
  -?, --help                                     Show this help message
      --usage                                    Display brief usage message

That's as far as I'm going to try to go with it. Giving it an OK on the basis of a clean install.

Validating.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-03-24 00:52:55 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-03-24 10:04:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0114.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 David Walser 2022-03-29 01:17:23 CEST
Updated Fedora advisory with an actual RHBZ bug reference:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YKN4UFGKZV4CJIL4XTPDJHOJ3WTJNDM5/
https://bugzilla.redhat.com/show_bug.cgi?id=2065771

Summary: pesign new DoS security issue fixed upstream in 115 => pesign new DoS security issue fixed upstream in 115 (rhbz#2065771)

