Bug 1287946

Summary: ioprocess-0.15.0 tarball md5sum changed between -3 and -4
Product: [Fedora] Fedora
Reporter: Sandro Bonazzola <sbonazzo>
Component: ioprocess
Assignee: Nir Soffer <nsoffer>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 24
CC: amureini, bronhaim, dougsland, ebenahar, nsoffer, oourfali, sbonazzo, security-response-team, smizrahi, ybronhei
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ioprocess-0.15.1-1.fc24 ioprocess-0.15.1-1.fc22 ioprocess-0.15.1-1.fc23 ioprocess-0.15.1-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1333964
Environment:
Last Closed: 2016-05-12 01:29:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1333964

Description Sandro Bonazzola 2015-12-03 05:50:09 UTC
Description of problem:
http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
introduced a new upstream tarball with a different md5sum, stating fixes in the changelog.
The spec file doesn't explain how the tarball has been generated.
Since 0.15.0 was released a long time ago (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0), the md5sum shouldn't have changed.

Marking this as a security violation.

Comment 1 Nir Soffer 2016-01-02 16:15:25 UTC
(In reply to Sandro Bonazzola from comment #0)
> Description of problem:
> http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/

Which commit?

> introduced a new upstream tarball with different md5sum stating fixes in
> changelog.
> The spec file doesn't explain how the tarball has been generated.

How can the spec file explain the generation of the tarball?

> Being 0.15.0 released lot of time ago
> (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> be changed.

Can you explain the issue with the md5? Obviously every release must have a
unique md5sum?

> Marking this as security violation.

How is this a security violation?

The attached patch looks like a mix of unrelated changes.

Comment 2 Sandro Bonazzola 2016-01-19 16:09:02 UTC
(In reply to Nir Soffer from comment #1)
> (In reply to Sandro Bonazzola from comment #0)
> > Description of problem:
> > http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
> 
> Which commit?

Sorry, http://pkgs.fedoraproject.org/cgit/rpms/ioprocess.git/commit/?id=56373a4a8827019505695e45d5f6208d2634ac4b


> 
> > introduced a new upstream tarball with different md5sum stating fixes in
> > changelog.
> > The spec file doesn't explain how the tarball has been generated.
> 
> How can the spec file explain the generation of the tarball?

Please read https://fedoraproject.org/wiki/Packaging:SourceURL


> 
> > Being 0.15.0 released lot of time ago
> > (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> > be changed.
> 
> Can you explain the issue with the md5? Obviously every release must have a
> unique md5sum?

It's supposed that an upstream tarball, once released, doesn't change its md5sum.
If it's changed, it may have been compromised by someone introducing malicious code.


> > Marking this as security violation.
> 
> How is this a security violation?

Please read https://docs.engineering.redhat.com/display/HTD/rpmdiff-upstream


> 
> The attached patch looks like a mix of unrelated changes.

The attached patch was what was required in order to bump the version and make the spec file compliant.

Now we need to release the new version upstream and get the package rebuilt in koji.

Yaniv, do you need assistance releasing upstream and building in koji?
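
The check Sandro describes, as an added example that is not part of the bug report or of the ioprocess project: a small Python script that parses a Fedora dist-git `sources` file (both the old md5sum-style layout and the newer `SHA512 (file) = hex` layout are assumed here), reports any filename whose recorded digest changed between two revisions of that file although the filename did not, and verifies tarball bytes against the record. The tarball and the two `sources` revisions are constructed sample data, not the real ioprocess-0.15.0 checksums.

```python
import hashlib
import re
# Newer dist-git layout: "SHA512 (ioprocess-0.15.0.tar.gz) = <hex>" (assumed format)
_NEW_STYLE = re.compile(r"^(\w+)\s+\((\S+)\)\s*=\s*([0-9a-fA-F]+)$")
# Older layout, as written by md5sum: "<hex>  ioprocess-0.15.0.tar.gz" (assumed format)
_OLD_STYLE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")
# The old layout does not name the hash; infer it from the digest length.
_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_sources(text):
    """Return {filename: (algorithm, hexdigest)} from the text of a 'sources' file."""
    recorded = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _NEW_STYLE.match(line)
        if m:
            algo, name, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
        else:
            m = _OLD_STYLE.match(line)
            if not m:
                raise ValueError("unrecognised sources line: %r" % line)
            digest, name = m.group(1).lower(), m.group(2)
            algo = _LEN_TO_ALGO[len(digest)]
        recorded[name] = (algo, digest)
    return recorded

def changed_sources(old_text, new_text):
    """Filenames whose recorded digest changed between two revisions of 'sources'
    while the filename (and so the upstream version) did not: the condition this bug
    reports.  A mere change of hash algorithm also lands here; settle it with check_tarball()."""
    old, new = parse_sources(old_text), parse_sources(new_text)
    return sorted(n for n in old if n in new and old[n] != new[n])

def check_tarball(name, data, recorded):
    """'ok', 'unlisted' (no entry for this file) or 'MISMATCH' (bytes differ from record)."""
    if name not in recorded:
        return "unlisted"
    algo, expected = recorded[name]
    return "ok" if hashlib.new(algo, data).hexdigest() == expected else "MISMATCH"

# Constructed sample data: plain bytes stand in for the archive, so these are not real checksums.
TARBALL = "ioprocess-0.15.0.tar.gz"
GENUINE = b"constructed stand-in for the v0.15.0 release tarball\n"
REROLLED = GENUINE + b"one extra line changes the whole digest\n"
SOURCES_REV3 = "%s  %s\n" % (hashlib.md5(GENUINE).hexdigest(), TARBALL)   # as of -3
SOURCES_REV4 = "%s  %s\n" % (hashlib.md5(REROLLED).hexdigest(), TARBALL)  # as of -4
SOURCES_NEW_STYLE = "SHA512 (%s) = %s\n" % (TARBALL, hashlib.sha512(GENUINE).hexdigest())
```

On the constructed data, `changed_sources(SOURCES_REV3, SOURCES_REV4)` names the 0.15.0 tarball, and `check_tarball(TARBALL, GENUINE, parse_sources(SOURCES_REV4))` reports a mismatch between the original bytes and the re-recorded digest.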

Comment 3 Yaniv Bronhaim 2016-02-08 15:06:15 UTC
nsoffer has been responsible for this package since last month.

Comment 4 Allon Mureinik 2016-02-11 14:14:56 UTC
Patch seems to be merged.
Do we need anything else there?

Comment 5 Nir Soffer 2016-02-20 19:51:40 UTC
Sandro, do we need to do anything else to close this bug?

Comment 6 Jan Kurik 2016-02-24 15:29:34 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 7 Sandro Bonazzola 2016-02-26 06:57:34 UTC
(In reply to Nir Soffer from comment #5)
> Sandro, do we need to do anything else to close this bug?

Tag ioprocess 0.15.1, release it and build from 0.15.1 tarball.

Comment 8 Mike McCune 2016-03-28 23:14:23 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 9 Fedora Update System 2016-05-06 19:41:22 UTC
ioprocess-0.15.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce259a07cc

Comment 10 Fedora Update System 2016-05-06 20:21:34 UTC
ioprocess-0.15.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-609627f8f5

Comment 11 Fedora Update System 2016-05-06 21:06:44 UTC
ioprocess-0.15.1-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d049ad1118

Comment 12 Fedora Update System 2016-05-06 21:14:04 UTC
ioprocess-0.15.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-68a9b02b43

Comment 13 Fedora Update System 2016-05-07 16:21:43 UTC
ioprocess-0.15.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-68a9b02b43

Comment 14 Fedora Update System 2016-05-07 16:51:20 UTC
ioprocess-0.15.1-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d049ad1118

Comment 15 Fedora Update System 2016-05-07 16:55:23 UTC
ioprocess-0.15.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-609627f8f5

Comment 16 Fedora Update System 2016-05-07 17:26:35 UTC
ioprocess-0.15.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce259a07cc

Comment 17 Fedora Update System 2016-05-12 01:29:21 UTC
ioprocess-0.15.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-05-16 22:23:38 UTC
ioprocess-0.15.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-05-16 22:26:37 UTC
ioprocess-0.15.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2016-05-23 14:17:10 UTC
ioprocess-0.15.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Elad 2016-07-14 11:48:15 UTC
Hi Nir, can you please elaborate on verification flow here? Thanks

Comment 22 Nir Soffer 2016-07-14 14:40:57 UTC
(In reply to Elad from comment #21)
> Hi Nir, can you please elaborate on verification flow here? Thanks

I don't think any verification is needed.

Sandro, can you explain how to verify this change?

Comment 23 Sandro Bonazzola 2016-07-19 09:00:55 UTC
(In reply to Nir Soffer from comment #22)
> (In reply to Elad from comment #21)
> > Hi Nir, can you please elaborate on verification flow here? Thanks
> 
> I don't think any verification is needed.
> 
> Sandro, can you explain how to verify this change?

0.15.1 has been released so nothing to check here.