Bug 2080938

Summary: CVE-2022-1271
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: xzAssignee: Matej Mužila <mmuzila>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 36CC: bugzilla, gmarr, jnovy, mmuzila, odubaj, panovotn, pkubat, praiskup, rjones, robatino
Target Milestone: ---Flags: mmuzila: needinfo-
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: RejectedBlocker AcceptedFreezeException
Fixed In Version: xz-5.2.5-9.fc36 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-02 19:43:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1953786    

Description Kamil Páral 2022-05-02 12:03:51 UTC 
This is a tracking bug to make sure a CVE fix is pushed stable before F36 is released. The update is here:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-07cd35f6b8

The problem is the same as in bug 2073312.

The Bodhi description is not complete, the build also contains this patch:
https://src.fedoraproject.org/rpms/xz/c/581455111c5c3f8812fb721ed41428b069fe55bd?branch=f36

R.W.M.Jones also confirmed that in bug 2073312 comment 4 and in https://pagure.io/fedora-qa/blocker-review/issue/777#comment-794054 .

Proposing as a blocker or a freeze exception at least.
Comment 1 Kamil Páral 2022-05-02 12:05:06 UTC 
Matej or Richard, can you please edit https://bodhi.fedoraproject.org/updates/FEDORA-2022-07cd35f6b8 and mark it as fixing this bug? Thanks!
Comment 2 Chris Murphy 2022-05-02 12:45:26 UTC 
https://fedoraproject.org/wiki/Fedora_36_Final_Release_Criteria#Security_bugs
"The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)."

https://access.redhat.com/security/cve/cve-2022-1271

Looks like impact is considered important, thus a clear blocker.
Comment 3 Geoffrey Marr 2022-05-02 18:32:54 UTC 
Discussed during the 2022-05-02 blocker review meeting: [0]

The decision to classify this bug as a "RejectedBlocker (Final)" and an "AcceptedFreezeException (Final)" was made based off precedent set with the same bug in gzip (2073312) which was rejected as a blocker, this is rejected as it can be satisfactorily resolved with an update; the issue is not likely to be encountered during installation or typical use of a live image.

[0] https://meetbot.fedoraproject.org/fedora-blocker-review/2022-05-02/f36-blocker-review.2022-05-02-16.00.txt
Comment 4 Fedora Update System 2022-05-02 19:22:21 UTC 
FEDORA-2022-07cd35f6b8 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-07cd35f6b8
Comment 5 Fedora Update System 2022-05-02 19:43:12 UTC 
FEDORA-2022-07cd35f6b8 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.