OESA-2021-1055

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1055
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2021-1055.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2021-1055
Upstream
Published
2021-03-05T11:02:39Z
Modified
2025-09-03T06:16:59.066211Z
Summary
librepo security update
Details

A library providing a C and Python (libcURL-like) API for downloading repository metadata.

Security Fix(es):

A flaw was found in librepo in versions before 1.12.1. librepo failed to sanitize the paths it read from remote repository metadata, which made a directory traversal possible: an attacker controlling a remote repository may be able to write files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise through the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories. (CVE-2020-14352)
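The pattern behind this class of bug, as an added illustration that is not librepo's own code: a repomd.xml served by the remote repository names each metadata file through a `<location href="..."/>` attribute, and a client that joins that href onto its local cache directory without checking the result will follow `..` segments out of the cache. The repomd.xml below is constructed for the example (one honest entry, one hostile one), the cache directory `/var/cache/example-repo` is an assumed path, and the function names are the example's own. `naive_destination` shows the unchecked join; `safe_destination` resolves the joined path and rejects anything that does not stay under the cache directory.

```python
import os
import xml.etree.ElementTree as ET

# Namespace used by repomd.xml in yum/dnf repositories.
REPOMD_NS = "http://linux.duke.edu/metadata/repo"

# Constructed sample for this example: the first href is normal, the
# second tries to climb out of the download directory.
SAMPLE_REPOMD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
  </data>
  <data type="filelists">
    <location href="../../outside/filelists.xml.gz"/>
  </data>
</repomd>
"""


def location_hrefs(repomd_xml):
    """Return every <location href> found in a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    return [loc.get("href") for loc in root.iter(f"{{{REPOMD_NS}}}location")]


def naive_destination(destdir, href):
    """Unchecked join: whatever the remote metadata says, we write there."""
    return os.path.normpath(os.path.join(destdir, href))


def safe_destination(destdir, href):
    """Join href onto destdir and refuse any result outside destdir.

    realpath() collapses '..' segments (and symlinks for path components
    that exist), so the containment check is done on the final path,
    not on the untrusted string.
    """
    base = os.path.realpath(destdir)
    if os.path.isabs(href):
        raise ValueError(f"absolute href not allowed: {href!r}")
    target = os.path.realpath(os.path.join(base, href))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"href escapes download directory: {href!r}")
    return target


def classify(destdir, repomd_xml):
    """Map each href in the document to 'ok' or 'rejected'."""
    results = {}
    for href in location_hrefs(repomd_xml):
        try:
            safe_destination(destdir, href)
            results[href] = "ok"
        except ValueError:
            results[href] = "rejected"
    return results


if __name__ == "__main__":
    cache = "/var/cache/example-repo"  # assumed cache directory
    for href in location_hrefs(SAMPLE_REPOMD):
        print(f"{href!r}: naive -> {naive_destination(cache, href)}")
    print(classify(cache, SAMPLE_REPOMD))
```

The containment check compares resolved paths rather than scanning the href for `..`, so encodings of the same idea (`repodata/../../x`, a symlink inside the cache pointing elsewhere) are caught by the same line. Rejecting absolute hrefs separately matters because `os.path.join` discards the base when the second argument is absolute.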

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS / librepo

Package

Name
librepo
Purl
pkg:rpm/openEuler/librepo&distro=openEuler-20.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.12.0-2.oe1

Ecosystem specific

{
    "aarch64": [
        "librepo-debugsource-1.12.0-2.oe1.aarch64.rpm",
        "python2-librepo-1.12.0-2.oe1.aarch64.rpm",
        "python3-librepo-1.12.0-2.oe1.aarch64.rpm",
        "librepo-1.12.0-2.oe1.aarch64.rpm",
        "librepo-debuginfo-1.12.0-2.oe1.aarch64.rpm",
        "librepo-devel-1.12.0-2.oe1.aarch64.rpm"
    ],
    "src": [
        "librepo-1.12.0-2.oe1.src.rpm"
    ],
    "x86_64": [
        "python2-librepo-1.12.0-2.oe1.x86_64.rpm",
        "librepo-debuginfo-1.12.0-2.oe1.x86_64.rpm",
        "librepo-1.12.0-2.oe1.x86_64.rpm",
        "librepo-debugsource-1.12.0-2.oe1.x86_64.rpm",
        "librepo-devel-1.12.0-2.oe1.x86_64.rpm",
        "python3-librepo-1.12.0-2.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP1 / librepo

Package

Name
librepo
Purl
pkg:rpm/openEuler/librepo&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.12.0-2.oe1

Ecosystem specific

{
    "aarch64": [
        "librepo-debugsource-1.12.0-2.oe1.aarch64.rpm",
        "python2-librepo-1.12.0-2.oe1.aarch64.rpm",
        "python3-librepo-1.12.0-2.oe1.aarch64.rpm",
        "librepo-1.12.0-2.oe1.aarch64.rpm",
        "librepo-debuginfo-1.12.0-2.oe1.aarch64.rpm",
        "librepo-devel-1.12.0-2.oe1.aarch64.rpm"
    ],
    "src": [
        "librepo-1.12.0-2.oe1.src.rpm"
    ],
    "x86_64": [
        "python2-librepo-1.12.0-2.oe1.x86_64.rpm",
        "librepo-debuginfo-1.12.0-2.oe1.x86_64.rpm",
        "librepo-1.12.0-2.oe1.x86_64.rpm",
        "librepo-debugsource-1.12.0-2.oe1.x86_64.rpm",
        "librepo-devel-1.12.0-2.oe1.x86_64.rpm",
        "python3-librepo-1.12.0-2.oe1.x86_64.rpm"
    ]
}