Bug 31706 - xapian new security issue bdo#1032398
Summary: xapian new security issue bdo#1032398
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-20 18:25 CET by David Walser
Modified: 2023-03-31 02:15 CEST

See Also:
Source RPM: xapian-1.4.17-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2023-03-20 18:25:54 CET
Debian-LTS has issued an advisory on March 18:
https://www.debian.org/lts/security/2023/dla-3355

The issue is fixed upstream in 1.4.22.

Mageia 8 is also affected.
David Walser 2023-03-20 18:26:10 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.4.22

Comment 1 Lewis Smith 2023-03-20 21:45:03 CET
Assigning this globally as 'xapian' has no current maintainer.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-03-22 14:57:26 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Xapian database corruption on disk full is possible.  It doesn't happen in every case as ENOSPC needs to happen on a particular operation during the commit but then not happen on a repeat attempt at that operation. (bdo#1032398)

References:
https://www.debian.org/lts/security/2023/dla-3355
========================

Updated packages in core/updates_testing:
========================
lib(64)xapian30-1.4.17-1.1.mga8
lib(64)xapian-devel-1.4.17-1.1.mga8
xapian-1.4.17-1.1.mga8

from SRPM:
xapian-1.4.17-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Source RPM: xapian-1.4.20-1.mga9.src.rpm => xapian-1.4.17-1.mga8.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.4.22 => (none)
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2023-03-27 16:20:24 CEST
MGA8-64 MATE On Acer Aspire 5253
No installation issues.
From MCC "Xapian is an Open Source Search Engine Library, released under the GPL. It's written in C++, with bindings to allow use from Perl, Python, PHP, Java, Tcl, C#, and Ruby (so far!)"
Found 
# urpmq --whatrequires xapian
python3-xapian-bindings
recoll
xapian
xapian-bindings-java
xapian-bindings-lua
xapian-bindings-mono
xapian-bindings-ruby
xapian-bindings-tcl

Installed recoll and ran it under strace and found a reference to xapian, while recoll did its indexing and querying OK.
Good enough for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-03-28 00:04:48 CEST
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-29 15:43:01 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-03-31 02:15:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0121.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

