Bug 32272 - erofs-utils new security issues CVE-2023-3355[12]
Summary: erofs-utils new security issues CVE-2023-3355[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-11 14:09 CEST by Nicolas Salguero
Modified: 2024-06-28 04:42 CEST
CC List: 6 users

See Also:
Source RPM: erofs-utils-1.5-1.mga9.src.rpm
CVE: CVE-2023-33551, CVE-2023-33552
Status comment: Fixed in v1.6.3


Description Nicolas Salguero 2023-09-11 14:09:05 CEST
Fedora has issued an advisory on September 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHOIRL6XH5NYR3LYI3KP5DE4SDSQWR7W/

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-09-11 14:09:38 CEST

Source RPM: (none) => erofs-utils-1.5-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2023-09-12 21:13:18 CEST
Version : 1.6.3 "- Backport patches for CVE-2023-33551 and CVE-2023-33552."

Thierry is the clear committer for this pkg, so assigning to you.

Status comment: (none) => Fixed in v1.6.3
Assignee: bugsquad => thierry.vignaud

Comment 2 David GEIGER 2024-06-15 11:02:46 CEST
Removing Mageia 8 from whiteboard due to EOL!

Whiteboard: MGA9TOO, MGA8TOO => MGA9TOO
CC: (none) => geiger.david68210

Comment 3 David GEIGER 2024-06-15 12:12:24 CEST
Done for both mga9 and Cauldron!

Packages in 9/Core/Updates_testing:
======================
erofs-fuse-1.7.1-1.mga9
erofs-utils-1.7.1-1.mga9

From SRPMS:
erofs-utils-1.7.1-1.mga9.src.rpm

Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

katnatek 2024-06-15 19:47:15 CEST

CVE: (none) => CVE-2023-33551, CVE-2023-33552

katnatek 2024-06-15 19:52:26 CEST

Keywords: (none) => advisory

Comment 4 Tony Blackwell 2024-06-15 22:59:29 CEST
M9: I'm only seeing v 1.5.
What repository is it in?

CC: (none) => tablackwell

Comment 5 Tony Blackwell 2024-06-15 23:00:41 CEST
Not appeared in core updates testing yet?
Comment 6 Tony Blackwell 2024-06-15 23:13:12 CEST
Changed my mirror to Princeton. Installed 1.7.1.

erofsfuse runs, but I don't have a Huawei phone or other erofs filesystem to test it on
Comment 7 Herman Viaene 2024-06-16 11:34:42 CEST
From googling I get the idea that you don't need a phone to run the commands, but I can't get my head around what the commands expect as source or destination. I find no simple example to follow.

CC: (none) => herman.viaene

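The following is an added example, not part of the bug report or of the erofs-utils project: a self-contained round-trip that exercises the three binaries this update ships (mkfs.erofs, fsck.erofs and erofsfuse, plus dump.erofs) against a small constructed directory tree, so the packages can be tested without a phone or a pre-existing EROFS image. The scratch directory, file names and contents are invented for the test. It returns 0 if the tools are not installed (and says so), 0 when the image builds, checks and mounts back to identical content, and non-zero when a tool is present but the round trip fails.

```shell
#!/bin/sh
# Added example (not from the bug report): round-trip test for the erofs-utils
# binaries. $1 is a scratch directory; everything created lives under it.
set -eu

# Construct a small source tree: a regular file, a 64 KiB file in a
# subdirectory and a symlink. Contents are arbitrary test data.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/sub"
    printf 'hello erofs\n' > "$dir/hello.txt"
    head -c 65536 /dev/zero | tr '\0' 'A' > "$dir/sub/big.txt"
    ln -s hello.txt "$dir/link"
}

# Build an image with mkfs.erofs, verify it with fsck.erofs, print the
# superblock with dump.erofs, then mount it read-only with erofsfuse and
# compare the mounted view with the source tree.
erofs_roundtrip() {
    work="$1"
    if ! command -v mkfs.erofs >/dev/null 2>&1 || ! command -v fsck.erofs >/dev/null 2>&1; then
        echo "skipped: erofs-utils not installed"
        return 0
    fi
    src="$work/src"
    img="$work/test.erofs"
    make_sample_tree "$src"

    # No -z option: an uncompressed image does not depend on which
    # compressors the package was built with.
    mkfs.erofs "$img" "$src" >/dev/null
    fsck.erofs "$img"                      # non-zero exit if the image is inconsistent
    if command -v dump.erofs >/dev/null 2>&1; then
        dump.erofs -S "$img"               # superblock summary (UUID, block size, inode count)
    fi

    # The FUSE step needs /dev/fuse and erofs-fuse installed; skip otherwise.
    if command -v erofsfuse >/dev/null 2>&1 && [ -e /dev/fuse ]; then
        mnt="$work/mnt"
        mkdir -p "$mnt"
        erofsfuse "$img" "$mnt"
        status=0
        cmp "$src/hello.txt" "$mnt/hello.txt" || status=1
        cmp "$src/sub/big.txt" "$mnt/sub/big.txt" || status=1
        [ "$(readlink "$mnt/link")" = "hello.txt" ] || status=1
        fusermount -u "$mnt" 2>/dev/null || fusermount3 -u "$mnt" 2>/dev/null || umount "$mnt"
        return $status
    fi
    echo "fuse step skipped: erofsfuse or /dev/fuse unavailable"
    return 0
}
```

Usage: save the block as erofs_roundtrip.sh, then `. ./erofs_roundtrip.sh && erofs_roundtrip "$(mktemp -d)"`. Note that this only confirms the updated binaries build, check and mount a well-formed image; fsck.erofs and erofsfuse parse whatever image they are given, so a QA pass on a good image says nothing about how they behave on a malformed one, which is what the backported CVE fixes address.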
Comment 8 katnatek 2024-06-26 21:00:15 CEST
RH mageia 9 x86_64

LC_ALL=C urpmi erofs-fuse erofs-utils

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/erofs-utils-1.5-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/erofs-fuse-1.5-1.mga9.x86_64.rpm               
installing erofs-utils-1.5-1.mga9.x86_64.rpm erofs-fuse-1.5-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms                            
Preparing...                     ##################################################################################################
      1/2: erofs-fuse            ##################################################################################################
      2/2: erofs-utils           ##################################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing erofs-fuse-1.7.1-1.mga9.x86_64.rpm erofs-utils-1.7.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: erofs-utils           ##################################################################################################
      2/2: erofs-fuse            ##################################################################################################
      1/2: removing erofs-utils-1.5-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing erofs-fuse-1.5-1.mga9.x86_64
                                 ##################################################################################################

Giving OK based on a clean install.

LC_ALL=C urpme erofs-fuse erofs-utils
removing erofs-fuse-1.7.1-1.mga9.x86_64 erofs-utils-1.7.1-1.mga9.x86_64
removing package erofs-fuse-1.7.1-1.mga9.x86_64
      1/2: removing erofs-fuse-1.7.1-1.mga9.x86_64
                                 ##################################################################################################
removing package erofs-utils-1.7.1-1.mga9.x86_64
      2/2: removing erofs-utils-1.7.1-1.mga9.x86_64
                                 ##################################################################################################

And uninstall

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 9 Thomas Andrews 2024-06-28 03:49:23 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2024-06-28 04:42:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0241.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
