Bug 6525 - sos new security issue CVE-2012-2664
Summary: sos new security issue CVE-2012-2664
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: i586 Linux
Priority: Low minor
Target Milestone: ---
Assignee: Bruno Cornec
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-20 21:09 CEST by David Walser
Modified: 2012-11-11 04:55 CET
CC: 4 users

See Also:
Source RPM: sos-2.2-2.mga2.src.rpm
CVE:
Status comment:



Description David Walser 2012-06-20 21:09:40 CEST
RedHat has issued an advisory today (June 20):
https://rhn.redhat.com/errata/RHSA-2012-0958.html

Mageia 1 and Mageia 2 are also affected.
David Walser 2012-06-20 21:10:00 CEST

CC: (none) => doktor5000
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 Florian Hubold 2012-07-02 18:36:08 CEST
They didn't do a new release, but added 60 patches :/
http://pkgs.fedoraproject.org/gitweb/?p=sos.git;a=commitdiff;h=13178ca5faa95adb05ac3c93a5c99ea0c7db6d4a#patch63

Assigning to current maintainer.

Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2012-09-09 12:44:05 CEST
As the real security issue is linked to anaconda, which Mageia doesn't use, I don't think we have anything forcing us to take these 60 patches into account atm. Once they release a new version, we'll update to it.

Does that sound ok?

Priority: Normal => Low
Severity: normal => minor

Comment 3 David Walser 2012-09-09 13:59:49 CEST
In theory, sure.  It's just weird that they didn't already do a new version.  Are they the upstream maintainers, or is there someone else?  Is it maintained at all?
David Walser 2012-10-10 00:47:57 CEST

CC: (none) => oe

Comment 4 Florian Hubold 2012-10-10 20:58:20 CEST
Project moved a while ago from https://fedorahosted.org/sos/ to https://github.com/sosreport/sosreport FWIW ...
Comment 5 Remco Rijnders 2012-10-12 14:24:53 CEST
See https://github.com/gkotton/sosreport/commit/a4a7942531a2034b2408422f10587190e2e9bdc1 for (what I believe to be) the fix to this problem

CC: (none) => remco

Comment 6 Remco Rijnders 2012-10-13 07:42:10 CEST
So, seeing how Mageia does not ship anaconda, I think this does not apply to us.

@luigi: Are you ok with removing this as a security bug?

@bruno: I guess that only leaves to change the URL for the source in the package then to the new project home, right?

URL: http://lwn.net/Vulnerabilities/502714/ => (none)
Component: Security => RPM Packages
Whiteboard: MGA2TOO, MGA1TOO => (none)

Comment 7 David Walser 2012-10-13 15:53:38 CEST
If this doesn't impact us, you can mark the bug as WONTFIX.
Comment 8 claire robinson 2012-10-13 18:45:59 CEST
If we're not vulnerable, what about having a statement of such on the wiki update pages so it doesn't appear we have just not looked into it. The MGASA ones.

CC: (none) => tmb

Comment 9 Remco Rijnders 2012-11-11 04:55:19 CET
@MrsB: I don't think one can search our pages by CVE, and I don't think we should issue a MGASA when there is no advisory. Hopefully people searching for this CVE for Mageia will end up on this bug report instead and see we are not affected by this.

Closing as INVALID for now as this issue does not affect Mageia.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

