Bug 30819 - ostree new security issue CVE-2014-9862
Summary: ostree new security issue CVE-2014-9862
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-06 15:11 CEST by David Walser
Modified: 2022-09-16 21:41 CEST
6 users

See Also:
Source RPM: ostree-2020.8-2.mga8.src.rpm
CVE: CVE-2014-9862
Status comment:


Description David Walser 2022-09-06 15:11:47 CEST
SUSE has issued an advisory today (September 6):
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012105.html

Mageia 8 is also affected.
Comment 1 David Walser 2022-09-06 15:13:32 CEST
Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6PYJHVWMVWO63ECJ37DXSJEJXCZBKW5W/

Whiteboard: (none) => MGA8TOO

Comment 2 Marja Van Waes 2022-09-06 18:48:26 CEST
No registered maintainer, so assigning to all packagers collectively.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 3 Nicolas Salguero 2022-09-07 10:13:04 CEST
Hi,

In fact, version 2022.5 already contains the correction for that CVE, so only Mga8 is affected.

Best regards,

Whiteboard: MGA8TOO => (none)
Source RPM: ostree-2022.5-1.mga9.src.rpm => ostree-2020.8-2.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2014-9862

Comment 4 Nicolas Salguero 2022-09-07 10:17:01 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A memory corruption issue that could be triggered when diffing binary files. (CVE-2014-9862)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012105.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6PYJHVWMVWO63ECJ37DXSJEJXCZBKW5W/
========================

Updated packages in core/updates_testing:
========================
lib(64)ostree1-2020.8-2.1.mga8
lib(64)ostree-gir1.0-2020.8-2.1.mga8
lib(64)ostree-devel-2020.8-2.1.mga8
ostree-2020.8-2.1.mga8
ostree-grub2-2020.8-2.1.mga8
ostree-tests-2020.8-2.1.mga8

from SRPM:
ostree-2020.8-2.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 5 Herman Viaene 2022-09-15 14:49:46 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
No previous updates; googled and found https://ostree.readthedocs.io/en/stable/manual/introduction/
$ mkdir osrep
$ cd osrep/
$ ostree --repo=repo init
$ mkdir tree
$ echo "Hello world!" > tree/hello.txt
$ ostree --repo=repo commit --branch=foo tree/
ed3c4ecfdef03dcf6165248a636298f0d5cd1d6790a0d9fc2fe1aba75775ad0f
$ ostree --repo=repo refs
foo
$ ostree --repo=repo ls foo
d00755 1000 1000      0 /
-00644 1000 1000     13 /hello.txt
$ ostree --repo=repo checkout foo tree-checkout/
$ cat tree-checkout/hello.txt
Hello world!
Looks OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2022-09-16 02:47:06 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-09-16 19:54:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-09-16 21:41:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0334.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
