Bug 31740 - zstd new security issue CVE-2022-4899
Summary: zstd new security issue CVE-2022-4899
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-30 23:12 CEST by David Walser
Modified: 2023-04-06 23:21 CEST
CC: 5 users

See Also:
Source RPM: zstd-1.4.8-1.1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2023-03-30 23:12:18 CEST
SUSE has issued an advisory on March 29:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014246.html

Mageia 8 is also affected.
David Walser 2023-03-30 23:12:37 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-03-30 23:37:08 CEST
Fedora has issued an advisory for this today (March 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HPJ26L3GAUDVNKJFCJNA2GLTI6EUJXO/
Comment 2 David GEIGER 2023-03-31 08:17:36 CEST
From fedora:

Update Information:

Update to zstd-1.5.4, fixes CVE-2022-4899.

So it is fixed for Cauldron.

CC: (none) => geiger.david68210

Comment 3 David GEIGER 2023-03-31 09:02:11 CEST
Done for mga8 by adding upstream patches!
Comment 4 David Walser 2023-03-31 14:38:29 CEST
zstd-1.4.8-1.2.mga8
libzstd1-1.4.8-1.2.mga8
libzstd-devel-1.4.8-1.2.mga8

from zstd-1.4.8-1.2.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Source RPM: zstd-1.5.4-2.mga9.src.rpm => zstd-1.4.8-1.1.mga8.src.rpm
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8

Comment 5 Herman Viaene 2023-04-01 15:57:25 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed examples (more or less) from bug 25375 Comment 3
$ cd tmp
$ zstd --train ~/Pictures/*
Trying 5 different sets of parameters
k=50
d=8
f=20
steps=4
split=75
accel=1
Save dictionary of size 10149 into file dictionary
File is there of indicated size, but not human readable, so accepting as it is.
Created test directory under tmp and went on after copying all files from ~/Pictures/.
$ cd zstdtest/
$ zstd -z *
40 files compressed : 39.77%  (404504369 => 160862163 bytes)
Copied compressed files to new folder zstddecomp
$ cd ../zstddecomp/
$ zstd -d *.zst
zstd: test.tiff.xz already exists; overwrite (y/n) ? y
zstd: yann2 already exists; overwrite (y/n) ? y
37 files decompressed : 358153709 bytes total
There were files which were remnants from other tests (tar and others) and zstd excluded those, fair enough.
All decompressed files look OK.
Good to go.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2023-04-02 22:08:39 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-06 20:58:42 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-04-06 23:21:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0128.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
