MGASA-2020-0429 - Updated librepo packages fix a security vulnerability

Publication date: 21 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0429.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-14352

It was discovered that librepo was subject to a directory traversal vulnerability
where it failed to sanitize paths in remote repository metadata. An attacker
controlling a remote repository may be able to copy files outside of the
destination directory on the targeted system via path traversal. This flaw
could potentially result in system compromise via the overwriting of critical
system files (CVE-2020-14352).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27241
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/
- https://access.redhat.com/errata/RHSA-2020:5012
- https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14352

SRPMS:
- 7/core/librepo-1.10.3-1.1.mga7