Bug 30742 - squirrel new security issue CVE-2021-41556
Summary: squirrel new security issue CVE-2021-41556
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-12 18:59 CEST by David Walser
Modified: 2023-04-24 02:21 CEST
9 users

See Also:
Source RPM: squirrel-3.1-2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-08-12 18:59:56 CEST
Fedora has issued an advisory on August 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/

We fixed the second issue listed in Bug 30430.  We should make sure this one doesn't also affect supertux.
David Walser 2022-08-12 19:00:14 CEST

Status comment: (none) => Patches available from upstream and Fedora

Comment 1 Marja Van Waes 2022-08-12 22:56:30 CEST
Assigning to the registered maintainer, but CC'ing neoclust (who fixed the previous CVE for this package) and all packagers collectively, because pasmatt is likely unavailable

CC: (none) => mageia, marja11, pkg-bugs
Assignee: bugsquad => matteo.pasotti

Comment 2 Jean-Pierre Aubin 2022-08-15 14:04:58 CEST
Seems good.

Squirrel version is 3-1-2 (Fedora 2-2-5). 

The only CVE for this version is CVE-2022-30292.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squirrel
https://github.com/sprushed/CVE-2022-30292

It's already fixed by neoclust on Mga8 and Cauldron.

CC: (none) => jean-pierre

Comment 3 David Walser 2022-08-15 14:11:58 CEST
As I said, we already fixed CVE-2022-30292, but we missed this one.
Comment 4 Jean-Pierre Aubin 2022-08-15 16:57:29 CEST
My bad, 3.1.2 and 3.2.1 are too close for my eyes ;)

I will patch squirrel on Mga8 and control supertux.
Comment 5 Jean-Pierre Aubin 2022-08-16 17:31:49 CEST
Squirrel v3.2.1 is submitted on Mga8 Update Testing:
- update from 3.1.2 but no bound with another package
- native correction for CVE-2021-41556
- patch for CVE-2022-30292

supertux v0.6.2 is coming:
- same version, which includes squirrel's source code
- already patched for CVE-2022-30292
- new patch for CVE-2021-41556
Comment 6 David Walser 2022-08-16 22:56:05 CEST
What about building supertux against the system squirrel as we discussed, instead of using the bundled one?
Comment 7 Jean-Pierre Aubin 2022-08-17 06:26:15 CEST
Hi,

It's the editor choice "If you got this version of Supertux from a tarball (.tar), squirrel and tinygettext are already in the tarball."
https://github.com/SuperTux/supertux/blob/v0.6.3/INSTALL.md
Comment 8 David Walser 2022-08-17 14:25:19 CEST
Just because it's in the tarball doesn't mean we can't build against the system squirrel.
Comment 9 Jean-Pierre Aubin 2022-08-17 14:43:35 CEST
Of course not :)

The problem is the version of squirrel:
- squirrel version inside supertux: 3.1.1
- squirrel version for Mga8: 3.1.2 (before patch) -> 3.2.1 (after patch)

So building supertux with the squirrel of Mga may have consequences.
Comment 10 David Walser 2022-08-17 17:21:36 CEST
I don't know much about squirrel, but hopefully being 3.x is enough.  Things don't always exactly match bundled versions, but as long as they're close it usually works.
Comment 11 David Walser 2023-03-28 16:51:55 CEST
openSUSE has issued an advisory for this on March 23:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5NX6SWKNR7LNUXJROLGLSVD3ZEB4LUQY/
Comment 12 David GEIGER 2023-03-29 13:26:54 CEST
So to clarify the situation right now:

On Cauldron:

- squirrel-3.2-3.mga9 -> fixes the two security issues CVE-2021-41556 and CVE-2022-30292

- supertux-0.6.3-4.mga9 -> unbundled squirrel to use the system patched one

So for Cauldron all is fine and fixed!


For mga8 in Core/Updates_testing:

- squirrel-3.2-1.mga8 -> also fixes the two security issues CVE-2021-41556 and CVE-2022-30292

- supertux-0.6.2-4.2.mga8 -> also fixes the two security issues CVE-2021-41556 and CVE-2022-30292


I can unbundle squirrel for mga8 too if needed, but for this we have to update to the latest 0.6.3 upstream release.

CC: (none) => geiger.david68210

Comment 13 David Walser 2023-03-29 14:52:05 CEST
Has squirrel/supertux been pushed to the build system for mga8?  I don't see it on pkgsubmit.
Comment 14 David GEIGER 2023-03-29 17:18:21 CEST
Yes, some time ago:


:v supertux
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, x86_64)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, armv7hl)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, i586)
0.6.2-4.2.mga8 // core-updates_testing (Mga, 8, aarch64)


:v squirrel
3.2-1.mga8 // core-updates_testing (Mga, 8, x86_64)
3.2-1.mga8 // core-updates_testing (Mga, 8, armv7hl)
3.2-1.mga8 // core-updates_testing (Mga, 8, i586)
3.2-1.mga8 // core-updates_testing (Mga, 8, aarch64)
Comment 15 David Walser 2023-03-30 01:20:34 CEST
libsquirrel-devel-3.2-1.mga8
libsquirrel0-3.2-1.mga8
squirrel-3.2-1.mga8
supertux-0.6.2-4.2.mga8
supertux-data-0.6.2-4.2.mga8

from SRPMS:
squirrel-3.2-1.mga8.src.rpm
supertux-0.6.2-4.2.mga8.src.rpm

CC: pkg-bugs => matteo.pasotti
Status comment: Patches available from upstream and Fedora => (none)
Assignee: matteo.pasotti => qa-bugs

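A check a tester can run on an Mga8 box before validating, added here as an example and not part of this bug report: it compares the installed `NAME-VERSION-RELEASE` (as printed by `rpm -q`) against the fixed builds listed above using a simplified reimplementation of rpm's version comparison (no `~`/`^` handling), so that 3.1.2 and 3.2.1 are not confused by eye. The package list and the `rpm -q` format string are assumptions for illustration.

```python
import re

# Fixed builds for Mageia 8 from this bug (Core/Updates_testing)
FIXED = {
    "squirrel": ("3.2", "1.mga8"),
    "supertux": ("0.6.2", "4.2.mga8"),
}

def _segments(s):
    # rpm compares runs of digits and runs of letters as separate segments
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1   # leftover segments mean "newer"

def is_fixed(package, version, release):
    """True if version-release is at or above the fixed build for package."""
    fixed_version, fixed_release = FIXED[package]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0

def check_installed(nevr):
    """nevr as printed by: rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}' <pkg>"""
    name, version, release = nevr.rsplit("-", 2)
    if name not in FIXED:
        raise ValueError(f"no fixed build recorded for {name}")
    return is_fixed(name, version, release)

if __name__ == "__main__":
    # Constructed sample inputs: the old mga8 build and the update-testing build
    for nevr in ("squirrel-3.1-2.mga8", "squirrel-3.2-1.mga8", "supertux-0.6.2-4.2.mga8"):
        print(nevr, "fixed" if check_installed(nevr) else "NOT fixed")
```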
Comment 16 Herman Viaene 2023-04-14 17:03:22 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Got the supertux penguin to move, jump on whatever those snowballs are, collect coins for some time.
Seems to work OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 17 Thomas Andrews 2023-04-16 03:05:20 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-04-23 23:33:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 18 Mageia Robot 2023-04-24 02:21:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0150.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

