AIX Open Source

  • 1.  Stable DNF Installation fails after last AIX 7.2 rpm security fix ..

    Posted Thu April 25, 2024 05:53 AM

    Hi friends of DNF - today IBM published:

    Software: Security Bulletin: AIX is vulnerable to arbitrary code execution due to RPM (CVE-2023-7104)

    I updated my first test machines running on 7200-05-07-2346 - as suggested to:

     rpm.rte                4.15.1.1013

    Unfortunately it left dnf spoilt behind. The library /opt/freeware/lib/libbz2.a - had a link to /usr/opt/rpm/lib/libbz2.a - but using this library caused:

    ImportError:    0509-130 Symbol resolution failed for /opt/freeware/lib/libsolv.a(libsolv.so.1) because:

            0509-136   Symbol _GLOBAL__AIXI_libbz2_so (number 62) is not exported from

                       dependent module /usr/opt/rpm/lib/libbz2.a(libbz2.so.1).

    After unlinking and restoring the original libbz2.a - I was back in business .. but on my second test LPAR it appeared even worse ..

    /opt/freeware/lib had links to sqlite*so to /usr/opt/rpm/lib .. - dnf failed, again ..  - I stopped updating rpm so far.

    After unlinking the libsql* libraries and restoring the old ones from backup dnf worked .. rpm is functional too,

    but I fear this can't be the solution - because it will just leave a totally messy library environment behind.

    Is it just my environment which behaves that strange?

    (Btw the same update of rpm (different fileset) on aix 7.3 machines caused no single problem) everything running solid and stable.

    Any suggestions or ideas how to avoid this update issue?

    Regards Stefan



    ------------------------------
    Stefan Lehmann
    ------------------------------


  • 2.  RE: Stable DNF Installation fails after last AIX 7.2 rpm security fix ..

    Posted Thu April 25, 2024 01:08 PM

    Hi Stefan,

    Can you provide the output of "rpm -qa" from both servers?

    In first case bzip2 rpm should have been installed as it is a dependency for libsolv.

    # rpm -e bzip2
    error: Failed dependencies:
            bzip2 >= 1.0.8 is needed by (installed) python3.9-3.9.18-1.ppc
            bzip2 >= 1.0.8 is needed by (installed) libsolv-0.7.9-64_52.ppc

    In the second case also sqlite3 rpm should have been installed. 



    ------------------------------
    SANGAMESH
    ------------------------------



  • 3.  RE: Stable DNF Installation fails after last AIX 7.2 rpm security fix ..

    Posted Fri April 26, 2024 02:16 AM

    Good morning Sangamesh,

    of course - I'll attach the output files. 

    bzip2 Machine: 

    root@bzip2fail:/root: rpm -e bzip2
    error: Failed dependencies:
            bzip2 >= 1.0.8 is needed by (installed) pcre-8.44-2.ppc
            bzip2 >= 1.0.8 is needed by (installed) libsolv-0.7.9-32_53.ppc
            bzip2 >= 1.0.8 is needed by (installed) gnupg2-2.4.3-1.ppc
            bzip2 >= 1.0.8 is needed by (installed) python3.9-3.9.19-1.ppc

    root@sqlite-additional-problem:/root: rpm -e bzip2
    error: Failed dependencies:
            bzip2 >= 1.0.8 is needed by (installed) pcre-8.44-2.ppc
            bzip2 >= 1.0.8 is needed by (installed) libsolv-0.7.9-32_53.ppc
            bzip2 >= 1.0.8 is needed by (installed) python-2.7.18-4.ppc
            bzip2 >= 1.0.8 is needed by (installed) gnupg2-2.4.3-1.ppc
            bzip2 >= 1.0.8 is needed by (installed) python3.9-3.9.19-1.ppc

    dnf list installed sqlite
    Installed Packages
    sqlite.ppc                                                                                                    3.41.2-1

    Once I removed ALL rpm packages on those machines during dnf configuration, to start with a clean install. There shouldn't be any leftovers .. (I used classic rpm -e for removal)

    Regards Stefan 



    ------------------------------
    Stefan Lehmann
    ------------------------------

    Attachment(s): bzip2-issue-only.txt (2 KB), sqllite-issue.txt (2 KB)


  • 4.  RE: Stable DNF Installation fails after last AIX 7.2 rpm security fix ..

    Posted Mon April 29, 2024 08:05 AM

    Where did you get rpm.rte  4.15.1.1013 ?

    Download from
    https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=rpm
    is broken :
    clicking on download links leads only to empty webpage.
    [ download of openssl and openssh works, so it's no client issue...]

    https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/INSTALLP/ppc/ 
    isn't updated any more...



    ------------------------------
    Dieter Mosbach
    ------------------------------



  • 5.  RE: Stable DNF Installation fails after last AIX 7.2 rpm security fix ..

    Posted Mon April 29, 2024 08:57 AM

    Hi Dieter,

    I followed the link in IBM's Security Bulletin: AIX is vulnerable to arbitrary code execution due to RPM (CVE-2023-7104) (ibm.com) - MRS (ibm.com) - chose rpm and then you have to decide which package you need - depending on your OS 7.2 or 7.3

    Regards

    Stefan



    ------------------------------
    Stefan Lehmann
    ------------------------------



  • 6.  RE: Stable DNF Installation fails after last AIX 7.2 rpm security fix ..

    Posted Thu May 02, 2024 10:04 AM

    Hi Stefan,

    Sorry for the delay.

    If we have rpm packages installed then the libraries in /opt/freeware/lib/ are actually from rpm packages.

    I didn't see a similar error to yours after I updated to 4.15.1.1013.

    Maybe these errors were already there before the update to 4.15.1.1013?

    Because I don't see that this rpm.rte modifies the links if rpm packages and its link are correct.



    ------------------------------
    SANGAMESH
    ------------------------------



  • 7.  RE: Stable DNF Installation fails after last AIX 7.2 rpm security fix ..

    Posted Sun May 05, 2024 06:31 AM

    I manage several servers with AIX 7200-05-04-2220.
    About a year ago I implemented the use of dnf on them. Now I was updating some RPMs and got into a similar error:

    Traceback (most recent call last):
      File "/opt/freeware/bin/dnf", line 57, in <module>
        from dnf.cli import main
      File "/opt/freeware/lib/python3.9/site-packages/dnf/__init__.py", line 32, in <module>
        import dnf.base
      File "/opt/freeware/lib/python3.9/site-packages/dnf/base.py", line 29, in <module>
        import libdnf.transaction
      File "/opt/freeware/lib/python3.9/site-packages/libdnf/__init__.py", line 3, in <module>
        from . import common_types
      File "/opt/freeware/lib/python3.9/site-packages/libdnf/common_types.py", line 13, in <module>
        from . import _common_types
    ImportError: Symbol resolution failed for /opt/freeware/lib/libsolv.a(libsolv.so.1) because:
            Symbol _GLOBAL__AIXI_libbz2_so (number 62) is not exported from dependent
              module /opt/freeware/lib/libbz2.a(libbz2.so.1).
            Symbol _GLOBAL__AIXD_libbz2_so (number 63) is not exported from dependent
              module /opt/freeware/lib/libbz2.a(libbz2.so.1).

    I checked bzip2-1.0.8-2.ppc on servers where I had unmodified RPMs and I found that on some servers I have:

    #  rpm -qa | grep bzip2
    bzip2-1.0.8-2.ppc
    # ls -l /opt/freeware/lib/libbz2.a
    -rwxr-xr-x    1 root     system       201115 26 úno 2018  /opt/freeware/lib/libbz2.a
    #  ar tv /opt/freeware/lib/libbz2.a
    rwxr-xr-x   204/1      94133  2 led 10:02 2018 libbz2.so.1

    and on other servers I have

    #  rpm -qa | grep bzip2
    bzip2-1.0.8-2.ppc

    # ls -l /opt/freeware/lib/libbz2.a
    -rw-r--r--    1 root     system       187977 29 lis 2019  /opt/freeware/lib/libbz2.a

    #  ar tv /opt/freeware/lib/libbz2.a
    rwxr-xr-x   205/1      86294 29 lis 05:57 2019 libbz2.so.1

    I don't know how this could happen :-(.
    I thought I had installed from the same source.
    I tried reinstalling -> rpm --force -U  bzip2-1.0.8-2.aix6.1.ppc.rpm
    ls -l  bzip2-1.0.8-2.aix6.1.ppc.rpm
    -rw-r--r-- 1 root system 243981 21 Sep 2023 bzip2-1.0.8-2.aix6.1.ppc.rpm
     
    and the dnf can then be run.



    ------------------------------
    Antonin Rozehnal
    ------------------------------
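
Added example, not part of any post in this thread: a shell audit for the condition described in posts 1 and 7, listing symlinks in /opt/freeware/lib that resolve into /usr/opt/rpm/lib and showing which rpm package claims each path. The function names are hypothetical, and the script assumes only ls, sed and (optionally) rpm on PATH; run it before and after an rpm.rte update and compare the output.

```shell
#!/bin/sh
# Audit a toolbox library directory for symlinks that point into another
# prefix (in this thread: /opt/freeware/lib entries linked to /usr/opt/rpm/lib).

# link_target PATH: print the target of a symlink without relying on readlink.
link_target() {
    ls -ld "$1" | sed 's/^.* -> //'
}

# foreign_links DIR PREFIX: print "link -> target" for every symlink directly
# in DIR whose target lies under PREFIX. Relative links inside DIR are skipped.
foreign_links() {
    dir=$1
    prefix=$2
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        t=$(link_target "$f")
        case $t in
            "$prefix"/*) printf '%s -> %s\n' "$f" "$t" ;;
        esac
    done
}

# audit DIR PREFIX: report each foreign link and, when rpm is available,
# the package that owns the path according to the rpm database.
audit() {
    foreign_links "$1" "$2" | while read -r link _ target; do
        printf '%s -> %s\n' "$link" "$target"
        if command -v rpm >/dev/null 2>&1; then
            # A path owned by a package but replaced by a link into the
            # other prefix is the mismatch described in the thread.
            rpm -qf "$link" 2>&1 | sed 's/^/    owner: /'
        fi
    done
}

# Paths taken from the thread; prints nothing when no such links exist.
audit /opt/freeware/lib /usr/opt/rpm/lib
```

For any package reported as owner, `rpm -V <package>` then shows whether the installed files still match what the package recorded.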



  • 8.  RE: Stable DNF Installation fails after last AIX 7.2 rpm security fix ..