Bug 13514

Summary: [CVE 21] dmidecode 3.3 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: a.proklov, e.kosachev, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: AllFlags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2023-30630,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-08-24 00:18:56 MSK 
Please patch CVEs for package dmidecode version 3.3
  
INFO (CVEs are): dmidecode 3.3
 cves found
CVE-2023-30630
Desc: Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-30630
Severity: HIGH
Comment 1 ilfat 2023-09-08 14:46:18 MSK 
********** QA ADVISORY **********

CVE closed by project update:

Updated from 3.3 to 3.5 and added upstream fix

Changelog:

Version 3.5 (Tue Mar 14 2023)
  - Decode HPE OEM records 216, 224, 230, 238 and 242.
  - Fortify entry point length checks.
  - Add a --no-quirks option.
  - Drop the CPUID exception list.
  - Do not let --dump-bin overwrite an existing file.
  - Ensure /dev/mem is a character device file.
  - Bug fixes:
    Fix segmentation fault in HPE OEM record 240
  - Minor improvements:
    Typo fixes
    Write the whole dump file at once
    Fix a build warning when USE_MMAP isn't set

Version 3.4 (Mon Jun 27 2022)
  - Support for SMBIOS 3.4.0. This includes new memory device types, new
    processor upgrades, new slot types and characteristics, decoding of memory
    module extended speed, new system slot types, new processor characteristics
    and new format of Processor ID.
  - Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS
    characteristics, new slot characteristics, new on-board device types, new
    pointing device interface types, and a new record type (type 45 -
    Firmware Inventory Information).
  - Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240.
  - Bug fixes:
    Fix OEM vendor name matching
    Fix ASCII filtering of strings
    Fix crash with option -u
  - Minor improvements:
    Skip details of uninstalled memory modules
    Don't display the raw CPU ID in quiet mode
    Improve the formatting of the manual pages


https://abf.rosalinux.ru/build_lists/4681679 aarch64
https://abf.rosalinux.ru/build_lists/4681677 i686
https://abf.rosalinux.ru/build_lists/4681678 x86_64
https://abf.rosalinux.ru/build_lists/4681680 riscv64
https://abf.rosalinux.ru/build_lists/4681681 e2kv4
Comment 2 Dmitry Postnikov 2023-09-08 15:26:18 MSK 
****************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-09-12 08:28:23 MSK 
dmidecode-3.5-2
https://abf.rosalinux.ru/build_lists/4681679 aarch64
https://abf.rosalinux.ru/build_lists/4681677 i686
https://abf.rosalinux.ru/build_lists/4681678 x86_64
https://abf.rosalinux.ru/build_lists/4681680 riscv64
https://abf.rosalinux.ru/build_lists/4681681 e2kv4
*************************** Advisory **************************
CVE closed by project update:

Updated from 3.3 to 3.5 and added upstream fix
****************************************************************
QA Verified
Comment 4 Yury 2023-10-19 11:13:03 MSK 
secteam_verified