Bug 34141 - augeas new security issue CVE-2025-2588
Summary: augeas new security issue CVE-2025-2588
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-28 14:30 CET by Nicolas Salguero
Modified: 2025-04-05 20:48 CEST

See Also:
Source RPM: augeas-1.12.0-4.mga9.src.rpm
CVE: CVE-2025-2588
Status comment:


Attachments

Nicolas Salguero 2025-03-28 14:31:03 CET

Source RPM: (none) => augeas-1.12.0-5.mga10.src.rpm, augeas-1.12.0-4.mga9.src.rpm
CVE: (none) => CVE-2025-2588
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2025-03-30 20:56:13 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=2354446
shows that Fedora/RedHat have pushed a fix - but no sign of that!

No choice but to assign this globally;

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-04-03 09:18:01 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Hercules Augeas fa.c re_case_expand null pointer dereference. (CVE-2025-2588)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JLS6PXWXBARZ5FZS4C2ASIP6X56BMH24/
========================

Updated packages in core/updates_testing:
========================
augeas-1.12.0-4.1.mga9
augeas-lenses-1.12.0-4.1.mga9
lib(64)augeas0-1.12.0-4.1.mga9
lib(64)augeas-devel-1.12.0-4.1.mga9
lib(64)fa1-1.12.0-4.1.mga9

from SRPM:
augeas-1.12.0-4.1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: augeas-1.12.0-5.mga10.src.rpm, augeas-1.12.0-4.mga9.src.rpm => augeas-1.12.0-4.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

katnatek 2025-04-04 05:39:03 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-04-05 12:13:00 CEST
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 21549 for testing:
$ augtool
augtool> help

Admin commands:
  context    - change how relative paths are interpreted
  load       - (re)load files under /files
  save       - save all pending changes
  transform  - add a file transform
  load-file  - load a specific file
  retrieve   - transform tree into text
  store      - parse text into tree
  quit       - exit the program
and more...
augtool> print /files/etc
displays whole tree of /etc: some 1200+ lines
same with
augtool> print /files/lib
Lists a few hundred lines
augtool> quit
$ augparse --version
augparse 1.12.0 <http://augeas.net/>
Copyright (C) 2007-2016 David Lutterkort
License LGPLv2+: GNU LGPL version 2.1 or later
                 <http://www.gnu.org/licenses/lgpl-2.1.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David Lutterkort

Did not venture into Len's testing, which he concluded "Having to give up on this one - been at it for hours.  Almost no progress."
And William OK'ed on clean install, so let go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2025-04-05 19:28:10 CEST
Yeah, I saw that. I miss wilcal.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-04-05 20:48:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0128.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
