Bug 30755 - canna new security issue CVE-2022-21950
Summary: canna new security issue CVE-2022-21950
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All  OS: Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-17 19:02 CEST by David Walser
Modified: 2022-08-25 23:23 CEST

See Also:
Source RPM: canna-3.7p3-25.mga8.src.rpm
CVE: CVE-2022-21950
Status comment:

Description David Walser 2022-08-17 19:02:05 CEST
openSUSE has issued an advisory on August 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N6TC5ZCUI72X4R5D7ZDQYSKDW4VVCUOE/

Mageia 8 is also affected.
David Walser 2022-08-17 19:02:22 CEST

Status comment: (none) => Patch available from openSUSE
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-08-18 21:41:34 CEST
This package has no registered maintainer, and has almost never been touched (except an aborted 'drop-it' in 2013).

Necessarily assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-08-22 18:01:12 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Move UNIX socket dir from /tmp to /run to avoid local attackers being able to place bogus directories in its stead. (CVE-2022-21950)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21950
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N6TC5ZCUI72X4R5D7ZDQYSKDW4VVCUOE/
========================

Updated packages in core/updates_testing:
========================
canna-3.7p3-25.1.mga8
lib(64)canna1-3.7p3-25.1.mga8
lib(64)canna1-devel-3.7p3-25.1.mga8

from SRPM:
canna-3.7p3-25.1.mga8.src.rpm

Source RPM: canna-3.7p3-26.mga9.src.rpm => canna-3.7p3-25.mga8.src.rpm
Status comment: Patch available from openSUSE => (none)
CVE: (none) => CVE-2022-21950
Version: Cauldron => 8
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 Thomas Andrews 2022-08-23 22:24:32 CEST
Installed canna, then updated, with no installation issues.

From the drakrpm description:

"Canna is a Japanese Kana-Kanji translation engine."

I do not speak Japanese, and considering Comment 1 I suspect finding a Japanese-speaking QA tester would be difficult at best. I did try to run some of the commands that had been put into /usr/bin, mostly returning some sort of syntax/user error.

For lack of a better procedure, I'm going to send this on, on the basis of a clean install.

Validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-24 23:27:11 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-08-25 23:23:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0306.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
