
Debian Bug report logs - #921131
CVE-2018-10897


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 1 Feb 2019 23:51:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions yum-utils/1.1.31-2, yum-utils/1.1.31-2.1, yum-utils/1.1.31-3

Fixed in versions yum-utils/1.1.31-4, yum-utils/1.1.31-2.2

Done: Holger Levsen <holger@debian.org>

Forwarded to https://github.com/rpm-software-management/yum-utils/pull/43



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#921131; Package yum-utils. (Fri, 01 Feb 2019 23:51:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Mike Miller <mtmiller@debian.org>. (Fri, 01 Feb 2019 23:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-10897
Date: Sat, 02 Feb 2019 00:46:12 +0100
Package: yum-utils
Severity: grave
Tags: security

This was assigned CVE-2018-10897:
https://bugzilla.redhat.com/show_bug.cgi?id=1600221
https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c
https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c
https://github.com/rpm-software-management/yum-utils/pull/43

Cheers,
        Moritz
				



Set Bug forwarded-to-address to 'https://github.com/rpm-software-management/yum-utils/pull/43'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Feb 2019 08:09:10 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Feb 2019 08:09:11 GMT)


Marked as found in versions yum-utils/1.1.31-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Feb 2019 08:12:05 GMT)


Marked as found in versions yum-utils/1.1.31-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Feb 2019 08:12:06 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 07 Feb 2019 17:21:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#921131; Package yum-utils. (Sun, 10 Feb 2019 10:24:05 GMT)


Acknowledgement sent to Markus Frosch <lazyfrosch@debian.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sun, 10 Feb 2019 10:24:05 GMT)


Message #20 received at 921131@bugs.debian.org:

From: Markus Frosch <lazyfrosch@debian.org>
To: 921131@bugs.debian.org
Cc: mtmiller@debian.org
Subject: Re: CVE-2018-10897
Date: Sun, 10 Feb 2019 11:15:35 +0100
On Sat, 02 Feb 2019 00:46:12 +0100 Moritz Muehlenhoff <jmm@debian.org>
wrote:
> Package: yum-utils
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2018-10897:
> https://bugzilla.redhat.com/show_bug.cgi?id=1600221
> https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c
> https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c
> https://github.com/rpm-software-management/yum-utils/pull/43

I'm not sure how active Mike is currently.

Since I'm using the package in a multi distro build system, I would
proceed with uploading a fix and join as co-maintainer.

I already created a salsa project:
https://salsa.debian.org/debian/yum-utils

@Mike: Can I get a short approval?

Also: Is the experimental upload ready for buster?

Cheers
Markus Frosch
-- 
markus@lazyfrosch.de / lazyfrosch@debian.org
https://lazyfrosch.de


Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Sun, 10 Feb 2019 17:21:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 10 Feb 2019 17:21:04 GMT)


Message #25 received at 921131-close@bugs.debian.org:

From: Holger Levsen <holger@debian.org>
To: 921131-close@bugs.debian.org
Subject: Bug#921131: fixed in yum-utils 1.1.31-2.1
Date: Sun, 10 Feb 2019 17:19:30 +0000
Source: yum-utils
Source-Version: 1.1.31-2.1

We believe that the bug you reported is fixed in the latest version of
yum-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921131@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated yum-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Feb 2019 18:05:09 +0100
Source: yum-utils
Architecture: source
Version: 1.1.31-2.1
Distribution: unstable
Urgency: medium
Maintainer: Mike Miller <mtmiller@ieee.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 921131
Changes:
 yum-utils (1.1.31-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patch https://github.com/rpm-software-management/yum-utils/
     commit/a792d21b55337add2327d1c7d6d000862c717eef to check for .. in remote
     paths. Closes: #921131 / CVE-2018-10897

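The NMU above applies an upstream patch that checks for `..` in remote paths. The following Python is an added illustration of that class of check and is not code from yum-utils, from the patch, or from any message in this log; the function names, the destination directory and the sample `location href` values are constructed for the example, and the second function goes one step beyond the page's `..` check by also confirming the resolved path stays under the destination directory.

```python
import os

# Constructed sample of 'location href' values of the kind found in repository
# metadata; the last three are shaped like traversal attempts and must be refused.
SAMPLE_HREFS = [
    "Packages/foo-1.0-1.noarch.rpm",
    "Packages/f/foo-libs-1.0-1.x86_64.rpm",
    "../outside-the-mirror.rpm",
    "/etc/cron.d/not-a-package",
    "Packages/../../escaped.rpm",
]


def is_safe_remote_path(relpath: str) -> bool:
    """Accept only a normalised relative path with no traversal components.

    Metadata is untrusted, so the check is strict: absolute paths, NUL bytes,
    backslashes and any '', '.' or '..' component are refused, not normalised.
    """
    if not relpath or "\0" in relpath or "\\" in relpath or relpath.startswith("/"):
        return False
    return not any(part in ("", ".", "..") for part in relpath.split("/"))


def resolve_download_path(dest_dir: str, relpath: str) -> str:
    """Join relpath under dest_dir and verify the result stays inside it.

    Raises ValueError if the component check fails or if the resolved absolute
    path falls outside the resolved destination root (belt and braces).
    """
    if not is_safe_remote_path(relpath):
        raise ValueError("unsafe remote path rejected: %r" % (relpath,))
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, relpath))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("remote path escapes destination: %r" % (relpath,))
    return target


def rejects(dest_dir: str, relpath: str) -> bool:
    """True if resolve_download_path refuses relpath."""
    try:
        resolve_download_path(dest_dir, relpath)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Hypothetical mirror root; nothing is written, paths are only checked.
    for href in SAMPLE_HREFS:
        print("REJECT" if rejects("/srv/mirror", href) else "OK    ", href)
```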




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#921131; Package yum-utils. (Sun, 10 Feb 2019 21:27:04 GMT)


Acknowledgement sent to Mike Miller <mtmiller@debian.org>:
Extra info received and forwarded to list. (Sun, 10 Feb 2019 21:27:04 GMT)


Message #30 received at 921131@bugs.debian.org:

From: Mike Miller <mtmiller@debian.org>
To: Markus Frosch <lazyfrosch@debian.org>
Cc: 921131@bugs.debian.org
Subject: Re: CVE-2018-10897
Date: Sun, 10 Feb 2019 13:22:14 -0800
Hi Markus!

On Sun, Feb 10, 2019 at 11:15:35 +0100, Markus Frosch wrote:
> I'm not sure how active Mike is currently.

I'm quite active, but I have not touched the rpm/yum related packages in
years since they haven't seen much upstream activity. I'm also honestly
not very interested in rpm/yum currently. I should have given these
packages up for adoption by now, better late than never.

> Since I'm using the package in a multi distro build system, I would
> proceed with uploading a fix and join as co-maintainer.
> 
> I already created a salsa project:
> https://salsa.debian.org/debian/yum-utils
> 
> @Mike: Can I get a short approval?

There is an RPM packaging team that this package should be maintained
with

  * https://salsa.debian.org/pkg-rpm-team
  * https://tracker.debian.org/teams/pkg-rpm/
  * https://wiki.debian.org/Teams/pkg-rpm

Can you move your imported repository to the team group on salsa?

There used to be a mailing list on lists.alioth.d.o, I don't think there
is a replacement team list.

> Also: Is the experimental upload ready for buster?

I think so, I think it was only experimental because of a freeze.

I suggest I file an RFA for yum-utils and Cc you, we can discuss further
there, ok? Do you have any interest in the related packages createrepo,
deltarpm, and yum-metadata-parser?

Also thank you Holger for the nmu and fixing this bug so quickly.

-- 
mike

Marked as found in versions yum-utils/1.1.31-2.1; no longer marked as fixed in versions yum-utils/1.1.31-2.1 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 15:15:07 GMT)


Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Fri, 15 Feb 2019 20:45:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 15 Feb 2019 20:45:08 GMT)


Message #37 received at 921131-close@bugs.debian.org:

From: Holger Levsen <holger@debian.org>
To: 921131-close@bugs.debian.org
Subject: Bug#921131: fixed in yum-utils 1.1.31-2.2
Date: Fri, 15 Feb 2019 20:44:43 +0000
Source: yum-utils
Source-Version: 1.1.31-2.2

We believe that the bug you reported is fixed in the latest version of
yum-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921131@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated yum-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Feb 2019 21:04:20 +0100
Source: yum-utils
Architecture: source
Version: 1.1.31-2.2
Distribution: unstable
Urgency: medium
Maintainer: Mike Miller <mtmiller@ieee.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 921131
Changes:
 yum-utils (1.1.31-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add patch based on 7554c0133eb830a71dc01846037cc047d0acbc2c.
     Closes: #921131 / CVE-2018-10897





Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#921131; Package yum-utils. (Fri, 22 Feb 2019 09:30:04 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Fri, 22 Feb 2019 09:30:04 GMT)


Message #42 received at 921131@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: lazyfrosch@debian.org, 921131@bugs.debian.org
Subject: taking over yum-utils
Date: Fri, 22 Feb 2019 09:26:01 +0000
hi Markus,

please adopt yum-utils and get the changes from experimental into
sid/buster before the freeze is fully in effect. You still have almost a
week to do that! ;)

Also if you do that, please don't forget to include the changes from my
NMU.

If you need any help or advice, please shout!


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#921131; Package yum-utils. (Thu, 28 Feb 2019 19:30:03 GMT)


Acknowledgement sent to Markus Frosch <lazyfrosch@debian.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Thu, 28 Feb 2019 19:30:03 GMT)


Message #47 received at 921131@bugs.debian.org:

From: Markus Frosch <lazyfrosch@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 921131@bugs.debian.org
Subject: Re: taking over yum-utils
Date: Thu, 28 Feb 2019 20:27:11 +0100
On 22.02.19 at 10:26, Holger Levsen wrote:
> please adopt yum-utils and get the changes from experimental into
> sid/buster before the freeze is fully in effect. You still have almost a
> week to do that! ;)
> 
> Also if you do that, please don't forget to include the changes from my
> NMU.
> 
> If you need any help or advice, please shout!

Hey Holger,
thanks, I just did so and uploaded a new version.

During testing I noticed the "refactoring" patch actually broke logging,
and therefore reposync.

I fixed it with an additional patch:
https://salsa.debian.org/pkg-rpm-team/yum-utils/commit/0c946a3b072b921a96d1b47a9653367db74d5cf0

Upstream has applied more refactoring, I will rebase our patches at a
later point, for now it should work.

Cheers
Markus Frosch
-- 
markus@lazyfrosch.de / lazyfrosch@debian.org
https://lazyfrosch.de


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#921131; Package yum-utils. (Thu, 28 Feb 2019 19:33:03 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Thu, 28 Feb 2019 19:33:03 GMT)


Message #52 received at 921131@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Markus Frosch <lazyfrosch@debian.org>
Cc: 921131@bugs.debian.org
Subject: Re: taking over yum-utils
Date: Thu, 28 Feb 2019 19:28:29 +0000
Hi Markus!

On Thu, Feb 28, 2019 at 08:27:11PM +0100, Markus Frosch wrote:
> thanks I just did so, and uploaded a new version.

yay, very cool!

> During testing I noticed the "refactoring" patch actually broke logging,
> and therefore reposync.

ouch, sorry.

> I fixed it with an additional patch:
> https://salsa.debian.org/pkg-rpm-team/yum-utils/commit/0c946a3b072b921a96d1b47a9653367db74d5cf0

thanks!

> Upstream has applied more refactoring, I will rebase our patches at a
> later point, for now it should work.

*nods*


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Marked as fixed in versions yum-utils/1.1.31-4. Request was from Markus Frosch <lazyfrosch@debian.org> to control@bugs.debian.org. (Fri, 01 Mar 2019 11:51:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:56:41 2019; Machine Name: beach
