Bug 15318

Summary: cabextract new directory traversal issue (CVE-2015-2060)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/634992/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: cabextract-1.5-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-18 17:53:46 CET 
Another directory traversal issue in cabxtract has been fixed upstream:
http://openwall.com/lists/oss-security/2015/02/18/3

The above message contains a CVE request, PoC, and link to the upstream fix, and mentions that a new cabextract release with the fix is expected soon.  Despite the URL, it looks like the fix is in cabextract itself, rather than libmspack.

Reproducible: 

Steps to Reproduce:
David Walser 2015-02-18 17:53:53 CET

Whiteboard: (none) => MGA4TOO

Sander Lepik 2015-02-21 18:48:05 CET

CC: (none) => mageia
Assignee: bugsquad => shlomif

Comment 1 Shlomi Fish 2015-02-21 19:49:37 CET 
This should be fixed in Cauldron with cabextract-1.5-3.mga5 , but when trying to build in Mageia 4 for updates_testing, I am getting:

D: [iurt_root_command] chroot examining synthesis file [/var/lib/urpmi/core_release/synthesis.hdlist.cz] examining synthesis file [/var/lib/urpmi/core_updates/synthesis.hdlist.cz] examining synthesis file [/var/lib/urpmi/core_updates_testing/synthesis.hdlist.cz] A requested package cannot be installed: cabextract-1.5-1.1.mga4.src (due to unsatisfied pkgconfig(libmspack)) While some packages may have been installed, there were failures. A requested package cannot be installed: cabextract-1.5-1.1.mga4.src (due to unsatisfied pkgconfig(libmspack)) I: [iurt_root_command] ERROR: chroot 

Should we package libmspack for Mageia 4?

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 2 David Walser 2015-02-21 19:51:40 CET 
No, we shouldn't be backporting the change to use the system libmspack to Mageia 4.
Comment 3 David Walser 2015-02-21 21:28:28 CET 
Fixed in SVN.
Comment 4 Shlomi Fish 2015-02-22 16:34:40 CET 
(In reply to David Walser from comment #3)
> Fixed in SVN.

Thanks! I submitted the package.

Here is the suggested update advisory:

Suggested advisory:
========================

Updated cabextract packages fix security vulnerabilities:

This update fixes a bug found with directory traversal in cabextract.

References:

http://openwall.com/lists/oss-security/2015/02/18/3
========================

Updated packages in core/updates_testing:
========================
cabextract-1.5-1.1.mga4

Source RPMs: 
cabextract-1.5-1.1.mga5.src.rpm
Comment 5 Shlomi Fish 2015-02-22 16:35:34 CET 
Assigning to QA.

Assignee: shlomif => qa-bugs

Comment 6 David Walser 2015-02-23 00:13:22 CET 
PoC here:
http://openwall.com/lists/oss-security/2015/02/18/3

You need to install lcab and cabextract to run it.  For the cabextract command, don't prefix it with "./"

Before the update, it will create /tmp/abs when you use cabextract to extract test.cab.  After the update, it will create tmp/abs in your current working directory.

Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 7 David Walser 2015-02-24 17:17:43 CET 
CVE-2015-2060 was assigned:
http://openwall.com/lists/oss-security/2015/02/23/24

Summary: cabextract new directory traversal issue => cabextract new directory traversal issue (CVE-2015-2060)

Comment 8 olivier charles 2015-02-24 23:31:01 CET 
Testing on Mageia 4x64 real hardware following procedure mentioned in comment 6

From current package :
--------------------
cabextract-1.5-1.mga4

(using lcab-1.0-0.b12.4.mga4 to run the PoC)

Could reproduce the directory traversal vulnerability (creation of a /tmp/abs)

Updated to testing package :
--------------------------
cabextract-1.5-1.1.mga4

Followed same procedure.
The tmp/abs directory is created in user's current directory, not at the root anymore.

OK

CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 9 claire robinson 2015-02-25 21:52:52 CET 
Want to add to the advisory David?
Comment 10 David Walser 2015-02-25 22:05:21 CET 
A directory traversal issue in cabextract allows writing to locations outside
of the current working directory, when extracting a crafted cab file that
encodes the filenames in a certain manner (CVE-2015-2060).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2060
http://openwall.com/lists/oss-security/2015/02/18/3
http://openwall.com/lists/oss-security/2015/02/23/24
Comment 11 claire robinson 2015-02-25 22:37:14 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-02-26 09:27:30 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0086.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-26 19:58:17 CET

URL: (none) => http://lwn.net/Vulnerabilities/634992/