Bug 30481 - dpkg new security issue CVE-2022-1664
Summary: dpkg new security issue CVE-2022-1664
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-05-26 17:50 CEST by David Walser
Modified: 2022-09-16 21:41 CEST

See Also:
Source RPM: dpkg-1.20.9-2.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-05-26 17:50:36 CEST
Debian has issued an advisory on May 25:
https://www.debian.org/security/2022/dsa-5147

The issue is fixed upstream in 1.20.10.

Mageia 8 is also affected.
David Walser 2022-05-26 17:50:46 CEST

Status comment: (none) => Fixed upstream in 1.20.10
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-05-26 17:54:16 CEST
Ubuntu has issued an advisory for this today (May 26):
https://ubuntu.com/security/notices/USN-5446-1

Severity: normal => major

Comment 2 Lewis Smith 2022-05-26 20:16:00 CEST
This looks good to assign to its registered maintainer, bcornec.

Assignee: bugsquad => bruno

Comment 3 Bruno Cornec 2022-05-27 01:07:11 CEST
1.12.8 pushed to cauldron
1.20.10 not available upstream yet :-(

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8

Comment 4 Bruno Cornec 2022-05-27 01:07:31 CEST
(In reply to Bruno Cornec from comment #3)
> 1.12.8 pushed to cauldron

I meant 1.21.8
Comment 5 David Walser 2022-05-27 06:32:26 CEST
Debian bullseye already updated to 1.20.10, so you should be able to get a tarball from them.
Comment 6 Bruno Cornec 2022-06-06 18:25:06 CEST
1.20.10 (now available upstream) has been pushed to mga8 updates_testing

CC: (none) => bruno
Assignee: bruno => qa-bugs

Comment 7 David Walser 2022-06-06 18:50:51 CEST
dpkg-dev-1.20.10-1.mga8
dselect-1.20.10-1.mga8
dpkg-devel-1.20.10-1.mga8
perl-Dpkg-1.20.10-1.mga8
dpkg-1.20.10-1.mga8

from dpkg-1.20.10-1.mga8.src.rpm

Status comment: Fixed upstream in 1.20.10 => (none)

Comment 8 David Walser 2022-06-08 00:22:48 CEST
This was silently rebuilt.  Package list is now:
dpkg-dev-1.20.10-2.mga8
dselect-1.20.10-2.mga8
perl-Dpkg-1.20.10-2.mga8
dpkg-devel-1.20.10-2.mga8
dpkg-1.20.10-2.mga8

from dpkg-1.20.10-2.mga8.src.rpm
Comment 9 Len Lawrence 2022-06-08 09:58:23 CEST
mga8, x64

Attempt at updating after qarepo downloads:

The following package has to be removed for others to be upgraded:
dpkg-dev-1.20.5-4.mga8.noarch
 (due to unsatisfied dpkg-perl == 1.20.5-4.mga8)

yes

Sorry, the following package cannot be selected:

- dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1(LIBSELINUX_1.0))

Proceeded without dpkg-dev.
Tried a manual update:
$ sudo urpmi *.rpm
Packages perl-Dpkg-1.20.10-2.mga8.noarch, dpkg-1.20.10-2.mga8.x86_64, dselect-1.20.10-2.mga8.x86_64, dpkg-devel-1.20.10-2.mga8.x86_64 are already installed
A requested package cannot be installed:
dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1)
Continue installation anyway? (Y/n) 
Marking dpkg as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
While some packages may have been installed, there were failures.
A requested package cannot be installed:
dpkg-dev-1.20.10-2.mga8.noarch (due to unsatisfied libselinux.so.1)
Continue installation anyway?

$ rpm -qa | grep -i dpkg
dpkg-devel-1.20.10-2.mga8
perl-Dpkg-1.20.10-2.mga8
dpkg-1.20.10-2.mga8
$ rpm -qa | grep dselect
dselect-1.20.10-2.mga8
$ rpm -q dpkg-dev
package dpkg-dev is not installed

$ rpm -q libselinux
libselinux-3.2-0.rc1.4.mga8

What to do now?

Keywords: (none) => feedback
CC: (none) => tarazed25

Comment 10 David Walser 2022-08-06 15:31:37 CEST
SUSE has issued an advisory for this on August 5:
https://lists.suse.com/pipermail/sle-security-updates/2022-August/011813.html

Bruno, Len's issue in Comment 9 is because dpkg-dev is a noarch package linked to an arch'd library.  Looks like either it should not be noarch, or it contains an arch'd file that should be in a different subpackage.

Keywords: feedback => (none)
Assignee: qa-bugs => bruno
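
A QA check for the packaging defect David describes above (a noarch package that Requires an architecture-specific shared library), added here as an example and not part of the bug report or of Mageia's dpkg packaging. It assumes the output format of `rpm -qp --requires` and `rpm -qp --qf '%{ARCH}'`; the embedded Requires list is constructed to mirror the failure in Comment 9.

```shell
#!/bin/sh
# Added example (not from the bug report or the dpkg/Mageia packaging):
# flag shared-library dependencies in a package that claims to be noarch.
# A noarch RPM must not Require an ELF library such as libselinux.so.1,
# because libraries are built per architecture while noarch installs on
# any; that mismatch is what kept dpkg-dev from installing in Comment 9.

# Read "rpm -qp --requires" output on stdin and print only dependencies
# that name a shared object (libfoo.so.N, optionally with a versioned
# symbol and a "(64bit)" suffix).
soname_requires() {
    grep -E '^[A-Za-z0-9_+.-]+\.so(\.[0-9]+)*(\([^)]*\))*' || true
}

# Return 0 (clean) when ARCH is not noarch or no soname Requires are
# present; return 1 when a noarch package pulls in arch-specific libraries.
check_noarch_requires() {
    arch=$1          # e.g. "noarch" or "x86_64"
    requires=$2      # newline-separated Requires list
    [ "$arch" = "noarch" ] || return 0
    bad=$(printf '%s\n' "$requires" | soname_requires)
    [ -z "$bad" ] && return 0
    printf 'noarch package requires arch-specific libraries:\n%s\n' "$bad" >&2
    return 1
}

# Query a real .rpm file; needs rpm(8) installed (hypothetical usage).
check_rpm_file() {
    f=$1
    check_noarch_requires "$(rpm -qp --qf '%{ARCH}' "$f")" \
                          "$(rpm -qp --requires "$f")"
}

# Constructed sample modelled on Comment 9: a noarch package whose
# Requires list includes an SELinux library symbol.
SAMPLE_REQUIRES='perl(Dpkg)
dpkg-perl == 1.20.10-2.mga8
libselinux.so.1(LIBSELINUX_1.0)(64bit)
/usr/bin/perl'

if [ "${1:-}" = "--demo" ]; then
    check_noarch_requires noarch "$SAMPLE_REQUIRES" && echo clean || echo "needs fixing"
fi
```

Run `sh check.sh --demo` to see the constructed sample rejected, or call `check_rpm_file some.noarch.rpm` on a built package before submitting it to updates_testing.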

Comment 11 Bruno Cornec 2022-08-08 16:01:43 CEST
Thx David for the warning.

I've now uploaded the following:
dpkg-dev-1.20.10-3.mga8
dselect-1.20.10-3.mga8
perl-Dpkg-1.20.10-3.mga8
dpkg-devel-1.20.10-3.mga8
dpkg-1.20.10-3.mga8

from dpkg-1.20.10-3.mga8.src.rpm

It fixes the issue reported by Len on my system.
Comment 12 David Walser 2022-08-08 16:10:24 CEST
Thanks.

Assignee: bruno => qa-bugs

Comment 13 Herman Viaene 2022-08-19 10:43:54 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Ref bug 23411 for testing.
# dpkg --version
Debian 'dpkg' package management program version 1.20.10 (amd64).
This is free software; see the GNU General Public License version 2 or
later for copying conditions. There is NO warranty.
# dpkg --print-architecture
amd64
Downloaded the stable Debian package for bash, then
# dpkg -c  bash_5.1-2+deb11u1_amd64.deb 
drwxr-xr-x root/root         0 2022-03-27 20:40 ./
drwxr-xr-x root/root         0 2022-03-27 20:40 ./bin/
-rwxr-xr-x root/root   1234376 2022-03-27 20:40 ./bin/bash
drwxr-xr-x root/root         0 2022-03-27 20:40 ./etc/
-rw-r--r-- root/root      1994 2022-03-27 20:40 ./etc/bash.bashrc
drwxr-xr-x root/root         0 2022-03-27 20:40 ./etc/skel/
-rw-r--r-- root/root       220 2022-03-27 20:40 ./etc/skel/.bash_logout
-rw-r--r-- root/root      3526 2022-03-27 20:40 ./etc/skel/.bashrc
-rw-r--r-- root/root       807 2022-03-27 20:40 ./etc/skel/.profile
drwxr-xr-x root/root         0 2022-03-27 20:40 ./usr/
drwxr-xr-x root/root         0 2022-03-27 20:40 ./usr/bin/
-rwxr-xr-x root/root      6759 2022-03-27 20:40 ./usr/bin/bashbug
-rwxr-xr-x root/root     14648 2022-03-27 20:40 ./usr/bin/clear_console
and a load more....
# dpkg -x  bash_5.1-2+deb11u1_amd64.deb  /home/tester8/tmp/
Checked that the above files were created in the correct folders under /home/tester8/tmp/: all OK.
I couldn't get my head around Len's test with coapp, so leaving it.
I will not object to someone else OK'ing this.

CC: (none) => herman.viaene

Comment 14 Thomas Andrews 2022-09-10 13:51:14 CEST
As no objections have been forthcoming, I'm giving this an OK based on the test in Comment 13. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-09-16 19:54:29 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 15 Mageia Robot 2022-09-16 21:41:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0327.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
