Security fix for CVE-2021-30473
Security fix for CVE-2021-30475

This update's test gating status has been changed to 'waiting'.

4 months ago

This update has been submitted for testing by bodhi.

4 months ago

This update's test gating status has been changed to 'ignored'.

4 months ago

This update has been pushed to testing.

4 months ago
rdieter commented & provided feedback 4 months ago

Can you either add those dependent pkgs to f33-override too, or remove the aom override? Otherwise, koji has a broken dependency currently building f33 targets: gstreamer:
DEBUG util.py:444: - nothing provides libaom.so.2()(64bit) needed by gstreamer1-plugins-bad-free-1.18.2-1.fc33.x86_64

rdieter commented & provided feedback 4 months ago

I expired the override causing broken deps, https://bodhi.fedoraproject.org/overrides/aom-3.1.1-1.fc33

ppisar commented & provided feedback 4 months ago
karma

This breaks ABI. libaom.so.2()(64bit) disappeared. It breaks third-party software.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 months ago
leigh123linux commented & provided feedback 4 months ago
karma
BZ#1954337 aom-3.1.1 is available
BZ#1961375 CVE-2021-30473 libaom: aom_image.c in libaom frees memory that is not located on the heap
BZ#1961376 CVE-2021-30473 aom: libaom: aom_image.c in libaom frees memory that is not located on the heap [fedora-all]
BZ#1968017 CVE-2021-30475 libaom: Buffer overflow in aom_dsp/noise_model.c
BZ#1968018 CVE-2021-30475 aom: libaom: Buffer overflow in aom_dsp/noise_model.c [fedora-all]
adamwill commented & provided feedback 4 months ago

Even if packages in some third party repos are rebuilt, that doesn't really make it not a problem. You are not supposed to bump sonames in stable release updates unless it's unavoidable. Security fixes should be backported. This is in the updates policy: "ABI changes in general are very strongly discouraged, they force larger update sets on users and they make life difficult for third-party packagers." ... "Package maintainers MUST: Avoid Major version updates, ABI breakage, or API changes if at all possible".
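A check a packager could run before pushing an update like this one, as an added example that is not part of this thread or of Bodhi/koji: it diffs the versioned soname Provides of two builds and reports which dependents still Require a dropped soname. The provides/requires lists are constructed sample data in `rpm -q --provides` / `rpm -q --requires` output format, modelled on the aom 2 to 3.1.1 bump discussed here.

```python
# Added example: flag a dropped shared-library soname between two builds of a
# package (an ABI break) and list the dependents it would leave uninstallable.
# All package data below is constructed sample input, not taken from koji.
import re

# Matches rpm's versioned soname provides, e.g. "libaom.so.2()(64bit)".
SONAME_RE = re.compile(r"^(lib[\w.+-]+\.so\.\d+(?:\.\d+)*)\(\)\((\w+)\)$")

def soname_provides(provides_lines):
    """Return the set of versioned soname provides in an `rpm -q --provides` list."""
    return {line.strip() for line in provides_lines if SONAME_RE.match(line.strip())}

def dropped_sonames(old_provides, new_provides):
    """Sonames the old build provided that the new build no longer does."""
    return sorted(soname_provides(old_provides) - soname_provides(new_provides))

def broken_dependents(dropped, requires_by_pkg):
    """Map each dropped soname to the packages whose Requires still name it."""
    result = {}
    for soname in dropped:
        needing = sorted(pkg for pkg, reqs in requires_by_pkg.items()
                         if soname in {r.strip() for r in reqs})
        if needing:
            result[soname] = needing
    return result

# Constructed sample data: old and new aom provides, and a few dependents' requires.
OLD_AOM_PROVIDES = ["aom = 2.0.2-1.fc33", "libaom.so.2()(64bit)", "libaom(x86-64) = 2.0.2-1.fc33"]
NEW_AOM_PROVIDES = ["aom = 3.1.1-1.fc33", "libaom.so.3()(64bit)", "libaom(x86-64) = 3.1.1-1.fc33"]
REQUIRES_BY_PKG = {
    "gstreamer1-plugins-bad-free-1.18.2-1.fc33.x86_64": ["libaom.so.2()(64bit)", "libc.so.6()(64bit)"],
    "example-player-1.0-1.fc33.x86_64": ["libaom.so.2()(64bit)"],   # hypothetical dependent
    "python3-3.9.5-1.fc33.x86_64": ["libc.so.6()(64bit)"],          # unaffected
}

def report():
    """Run the check over the sample data; returns (dropped sonames, broken dependents)."""
    dropped = dropped_sonames(OLD_AOM_PROVIDES, NEW_AOM_PROVIDES)
    return dropped, broken_dependents(dropped, REQUIRES_BY_PKG)

if __name__ == "__main__":
    dropped, broken = report()
    for soname in dropped:
        print(f"dropped: {soname} -> breaks {', '.join(broken.get(soname, ['nothing']))}")
```

On a real system the two provides lists come from `rpm -qp --provides old.rpm` and `rpm -qp --provides new.rpm`, and the requires map from `rpm -q --requires` over the packages that depend on the library.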

adamwill commented & provided feedback 4 months ago

Also, this introduces the problem from https://pagure.io/releng/failed-composes/issue/2568#comment-737981 to stable releases; by adding a dependency on jpegxl it ultimately causes the default desktop package sets to pull in gimp, which pulls in Python 2 and GTK+ 2. That's not good. This ship has already sailed for F34 and Rawhide, but I will edit this update to include a jpegxl build with the offending Recommends: removed to avoid it happening to F33 as well.

adamwill edited this update.

New build(s):

  • jpegxl-0.3.7-3.fc33

Karma has been reset.

4 months ago
eclipseo commented & provided feedback 4 months ago

Security fixes should be backported.

The code has changed over two major versions, so backporting it was not trivial. One of the security issues being considered high made me choose this way.

sergiomb commented & provided feedback 4 months ago

Now that we rebuilt all, please go forward and push it

leigh123linux commented & provided feedback 4 months ago

@sergiomb It's been unpushed at rpmfusion. I now consider f33 as EOL and won't be doing the overrides and rebuilds again.


Metadata
Type: security
Severity: high
Karma: 0
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 4 months ago
modified: 4 months ago