Bug 10782

Summary: file-roller new security issue CVE-2013-4668
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olav, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/559049/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Source RPM: file-roller-3.6.3-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-07-16 22:35:10 CEST 
Fedora has issued an advisory on June 9:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111666.html

The issue is fixed in 3.8.3 and 3.6.4 upstream.

The issue was caused by the addition of libarchive support in 3.5.x, so Mageia 2 (3.4.x) is not affected.

We already have 3.8.3 in Cauldron, so it's already fixed there.

Olav, I have added the upstream commit for 3.6.x to Mageia 3 SVN, but not pushed to the build system yet.  If you would prefer to update to 3.6.4, please go ahead and push that.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-07-22 20:44:52 CEST 
I checked the diff between 3.6.3 and 3.6.4.  The only other changes are translation updates and adding support for CAB files.  Updating to 3.6.4.

Advisory:
========================

Updated file-roller package fixes security vulnerability:

Directory traversal vulnerability in File Roller 3.6.x before 3.6.4 when
libarchive is used, allows remote attackers to create arbitrary files via a
crafted archive that is not properly handled in a "Keep directory structure"
action, related to fr-archive-libarchive.c and fr-window.c (CVE-2013-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4668
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111666.html
========================

Updated packages in core/updates_testing:
========================
file-roller-3.6.4-1.mga3

from file-roller-3.6.4-1.mga3.src.rpm

CC: (none) => olav
Assignee: olav => qa-bugs

Comment 2 claire robinson 2013-07-23 10:16:49 CEST 
No PoC or really much detail to go on to reproduce this so just testing fileroller can open various archives OK.

When either current or testing version is installed or uninstalled it gives a warning. It doesn't seem to affect operation so I'll create a new bug for this.

# urpmi file-roller
installing file-roller-3.6.4-1.mga3.x86_64.rpm from /var/cache/urpmi/rpms                                                                   
Preparing...                     ##########################
      1/1: file-roller           ##########################
      1/1: removing file-roller-3.6.3-2.mga3.x86_64
                                 ##########################
warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>

# urpme file-roller
removing file-roller-3.6.4-1.mga3.x86_64
removing package file-roller-3.6.4-1.mga3.x86_64
      1/1: removing file-roller-3.6.4-1.mga3.x86_64
                                 ##########################
warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>

# urpmi file-roller
installing file-roller-3.6.4-1.mga3.x86_64.rpm from /var/cache/urpmi/rpms                                                                   
Preparing...                     ##########################
      1/1: file-roller           ##########################
warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>
Comment 3 claire robinson 2013-07-23 10:18:28 CEST 
Testing complete mga3 64

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 4 claire robinson 2013-07-23 10:21:53 CEST 
Bug 10822 created for the warnings
Comment 5 claire robinson 2013-07-23 10:28:24 CEST 
Testing complete mga3 32. Seems to affect x86_64 only.

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 6 claire robinson 2013-07-23 10:33:48 CEST 
Validating. Advisory from comment 1 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2013-07-26 13:43:22 CEST 

Update pushed:
http://advisories.mageia.org/MGASA-2013-0232.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED