Bug 15308

Summary:	cpio new security issue CVE-2015-1197
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	herman.viaene, rverschelde, sysadmin-bugs
Version:	4	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/633542/
Whiteboard:	has_procedure MGA4-32-OK MGA4-64-OK advisory
Source RPM:	cpio-2.11-6.2.mga4.src.rpm	CVE:
Status comment:

Description David Walser 2015-02-17 16:17:45 CET

Gentoo has issued an advisory on February 15:
http://www.gentoo.org/security/en/glsa/glsa-201502-11.xml

We fixed CVE-2014-9112 in Bug 14765.

Looking at the patch that Gentoo added for this update:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/cpio/files/cpio-2.11-security.patch?revision=1.1&view=markup

They fixed that CVE as well as some additional issues that we found in the process of fixing that one, but they didn't actually fix CVE-2015-1197, as their advisory claims.  This is assuming that CVE does actually correspond to this issue:
https://marc.info/?l=oss-security&m=142289947619786&w=2

as Debian said here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669#29

I never saw the CVE-2015-1197 assignment happen on the list.

I can confirm that that issue is *not* fixed by the patches I had added in the previous update, which is the same as what Gentoo added in theirs.

I have actually added the SuSE patch that was mentioned in the oss-security post and Debian bug above, and can confirm that the issue is fixed, via the PoC here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669#15

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cpio package fixes security vulnerability:

In GNU Cpio 2.11, the --no-absolute-filenames option limits extracting
contents of an archive to be strictly inside a current directory. However,
it can be bypassed with symlinks. While extracting an archive, it will
extract symlinks and then follow them if they are referenced in further
entries. This can be exploited by a rogue archive to write files outside
the current directory (CVE-2015-1197).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
========================

Updated packages in core/updates_testing:
========================
cpio-2.11-6.3.mga4

from cpio-2.11-6.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:

David Walser 2015-02-17 16:17:54 CET

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 1 Herman Viaene 2015-02-18 11:35:17 CET

MGA4-64 on HP Probook 6555b KDE
No installation issues.
Following PoC as above I get at the CLI:
[xxx@yyy ~]$ ln -s /tmp dir
[xxx@yyy ~]$ touch /tmp/file
[xxx@yyyy ~]$ echo 'dir
> dir/file' | cpio -ov > test.cpio
dir
dir/file
1 blok
[xxx@yyy ~]$ rm dir /tmp/file
rm: remove symbolic link âdirâ? y
rm: remove regular empty file â/tmp/fileâ? y
[xxx@yyy ~]$ cpio --no-absolute-filenames -iv < test.cpio
dir
cpio: Can't write over symlinks: dir/file

CC: (none) => herman.viaene
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 2 Rémi Verschelde 2015-02-19 12:28:04 CET

Advisory uploaded.

CC: (none) => remi
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory

Comment 3 claire robinson 2015-02-19 13:45:32 CET

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-02-19 15:43:58 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0080.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED