That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/03/27/5

The issue is fixed upstream in 2.40 or with the following commit:
https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253

Mageia 9 is also affected.

Status comment: (none) => Fixed upstream in 2.40 and patch available from upstream
CVE: (none) => CVE-2024-28085
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => util-linux-2.39.3-1.mga10.src.rpm
Various people update util-linux, so assigning this update globally.
Assignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory on March 27: https://ubuntu.com/security/notices/USN-6719-1
Suggested advisory:
========================

The updated packages fix a security vulnerability:

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover. (CVE-2024-28085)

References:
https://www.openwall.com/lists/oss-security/2024/03/27/5
https://ubuntu.com/security/notices/USN-6719-1
========================

Updated packages in core/updates_testing:
========================
lib(64)blkid1-2.38.1-1.1.mga9
lib(64)blkid-devel-2.38.1-1.1.mga9
lib(64)fdisk1-2.38.1-1.1.mga9
lib(64)fdisk-devel-2.38.1-1.1.mga9
lib(64)mount1-2.38.1-1.1.mga9
lib(64)mount-devel-2.38.1-1.1.mga9
lib(64)smartcols1-2.38.1-1.1.mga9
lib(64)smartcols-devel-2.38.1-1.1.mga9
lib(64)uuid1-2.38.1-1.1.mga9
lib(64)uuid-devel-2.38.1-1.1.mga9
python3-libmount-2.38.1-1.1.mga9
util-linux-2.38.1-1.1.mga9
uuidd-2.38.1-1.1.mga9

from SRPM:
util-linux-2.38.1-1.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: util-linux-2.39.3-1.mga10.src.rpm => util-linux-2.38.1-1.mga9.src.rpm
Version: Cauldron => 9
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.40 and patch available from upstream => (none)
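The advisory above describes an asymmetry: message text read from stdin was filtered before reaching other users' terminals, while text taken from argv was not. The C code below is an added example, not the upstream util-linux patch and not code from this bug report; `append_safe` and `message_from_argv` are hypothetical names, and the sample words are constructed. It applies one filter to argv words so that control bytes are displayed in caret or hex notation instead of being interpreted by the receiving terminal.

```c
#include <stdio.h>
#include <string.h>

/* Append a terminal-safe rendering of `in` to the string in `out` (capacity
 * outsz). Printable ASCII, '\n' and '\t' pass through; other control bytes
 * become caret notation (ESC -> "^[", DEL -> "^?"); bytes >= 0x80 become
 * \xHH so the 8-bit CSI byte 0x9b is neutralised too. Returns 0, or -1 if
 * the result would not fit. */
static int append_safe(char *out, size_t outsz, const char *in)
{
    size_t n = strlen(out);
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char enc[5];
        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p < 0x7f))
            snprintf(enc, sizeof(enc), "%c", *p);
        else if (*p < 0x20 || *p == 0x7f)
            snprintf(enc, sizeof(enc), "^%c", *p ^ 0x40);
        else
            snprintf(enc, sizeof(enc), "\\x%02x", *p);
        if (n + strlen(enc) + 1 > outsz)
            return -1;
        strcpy(out + n, enc);
        n += strlen(enc);
    }
    return 0;
}

/* Hypothetical helper: join message words taken from argv, sending every
 * word through the same filter that text read from stdin would get. */
static int message_from_argv(char *out, size_t outsz, int argc, char **argv)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (i > 0 && append_safe(out, outsz, " ") < 0)
            return -1;
        if (append_safe(out, outsz, argv[i]) < 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: an SGR colour sequence and an 8-bit CSI. */
    char *words[] = { "hello", "\033[31mred\033[0m", "\x9b" "2J" };
    char buf[128];
    if (message_from_argv(buf, sizeof(buf), 3, words) == 0)
        puts(buf);
    return 0;
}
```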
Keywords: (none) => advisory
CC: (none) => mageia
RH mageia 9 x86_64

Updated without issues

installing
//home/katnatek/qa-testing/x86_64/lib64smartcols1-2.38.1-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/util-linux-2.38.1-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64blkid1-2.38.1-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64fdisk1-2.38.1-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64mount1-2.38.1-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64uuid1-2.38.1-1.1.mga9.x86_64.rpm

Same system as in comment#4; rebooted just to be sure and made some light tests.

blkid
/dev/sdb1: BLOCK_SIZE="512" UUID="7C2994FF5018E542" TYPE="ntfs" PARTUUID="2ab92ab8-01"
/dev/sda5: UUID="ac50cb2a-7731-479b-94f1-e90cc4f90106" TYPE="swap" PARTUUID="0ffc0ffb-05"
/dev/sda1: UUID="a0cc43c0-b94e-44c7-8ca9-0a69cb6f7053" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="0ffc0ffb-01"
/dev/sda6: UUID="9f2e3e7b-9302-4fb1-9297-2faef39a6b6b" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="0ffc0ffb-06"

Mounted my ntfs partition and it looks good for now.

lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda      8:0    1 298.1G  0 disk
├─sda1   8:1    1  50.3G  0 part /
├─sda2   8:2    1     1K  0 part
├─sda5   8:5    1     4G  0 part [SWAP]
└─sda6   8:6    1 243.8G  0 part /home
sdb      8:16   1 465.8G  0 disk
└─sdb1   8:17   1 465.8G  0 part /mnt/windows
sr0     11:0    1  1024M  0 rom

LC_ALL=C lsmem
RANGE                                 SIZE  STATE REMOVABLE BLOCK
0x0000000000000000-0x00000000cfffffff 3.3G online       yes  0-25
0x0000000100000000-0x00000001afffffff 2.8G online       yes 32-53

Memory block size:       128M
Total online memory:       6G
Total offline memory:      0B

Looks good to me, but I'll give it a day or two.
CC: (none) => andrewsfarm
Some days with the update and no side effects.
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0112.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED