This is a tracking bug to make sure a CVE fix is pushed stable before F36 is released. The update is here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-07cd35f6b8 The problem is the same as in bug 2073312. The Bodhi description is not complete, the build also contains this patch: https://src.fedoraproject.org/rpms/xz/c/581455111c5c3f8812fb721ed41428b069fe55bd?branch=f36 R.W.M.Jones also confirmed that in bug 2073312 comment 4 and in https://pagure.io/fedora-qa/blocker-review/issue/777#comment-794054 . Proposing as a blocker or a freeze exception at least.
Matej or Richard, can you please edit https://bodhi.fedoraproject.org/updates/FEDORA-2022-07cd35f6b8 and mark it as fixing this bug? Thanks!
https://fedoraproject.org/wiki/Fedora_36_Final_Release_Criteria#Security_bugs "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." https://access.redhat.com/security/cve/cve-2022-1271 Looks like impact is considered important, thus a clear blocker.
Discussed during the 2022-05-02 blocker review meeting: [0] The decision to classify this bug as a "RejectedBlocker (Final)" and an "AcceptedFreezeException (Final)" was made based off precedent set with the same bug in gzip (2073312) which was rejected as a blocker, this is rejected as it can be satisfactorily resolved with an update; the issue is not likely to be encountered during installation or typical use of a live image. [0] https://meetbot.fedoraproject.org/fedora-blocker-review/2022-05-02/f36-blocker-review.2022-05-02-16.00.txt
FEDORA-2022-07cd35f6b8 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-07cd35f6b8
FEDORA-2022-07cd35f6b8 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.