| Summary: | p7zip new security issue CVE-2015-1038 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, herman.viaene, shlomif, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/648185/ | ||
| Whiteboard: | MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | p7zip-9.20.1-6.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-06-15 23:05:26 CEST
David Walser
2015-06-15 23:05:33 CEST
Whiteboard:
(none) =>
MGA5TOO, MGA4TOO Debian has issued an advisory for this on June 15: https://www.debian.org/security/2015/dsa-3289 Patch added in Mageia 4 and Cauldron SVN. This will need to be added in Mageia 5 SVN once it's branched. Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory: ======================== Updated p7zip package fixes security vulnerability: Alexander Cherepanov discovered that p7zip is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory (CVE-2015-1038). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038 https://www.debian.org/security/2015/dsa-3289 ======================== Updated packages in core/updates_testing: ======================== p7zip-9.20.1-4.1.mga4 p7zip-9.20.1-6.1.mga5 from SRPMS: p7zip-9.20.1-4.1.mga4.src.rpm p7zip-9.20.1-6.1.mga5.src.rpm Version:
Cauldron =>
5 trying my hand at it - mga5 - x86_64 CC:
(none) =>
brtians1 testing mga5 - x86_64 Seems to be working okay. Messed with symbolic links, seemed to be okay so far. Ok - working as designed. Can update the http://mageia.madb.org/tools/updates site. mga5 - x86_64 is where I tested. Brian (In reply to Brian Rockwell from comment #6) > Ok - working as designed. Can update the > http://mageia.madb.org/tools/updates site. mga5 - x86_64 is where I tested. > > Brian Cannot udpate ... (In reply to Brian Rockwell from comment #6) > Ok - working as designed. Can update the > http://mageia.madb.org/tools/updates site. mga5 - x86_64 is where I tested. > > Brian You update it through Bugzilla, right here. If you have successfully tested on mga5 x86_64, you add MGA5-64-OK to the whiteboard field above. Just in case anyone didn't see, there's a simple PoC here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660
Brian Rockwell
2015-06-27 20:46:49 CEST
Whiteboard:
MGA4TOO =>
MGA4TOO, MGA5-64-OK MGA4-32 on AcerD620 Xfce and MGA5-64 on HP Probook 6555b KDE. No installation issues. At CLI on last step of PoC: $ 7z x test.7z 7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20 (locale=nl_BE.UTF-8,Utf16=on,HugeFiles=on,4 CPUs) Processing archive: test.7z Extracting dir can not open output file dir/file Skipping dir/file Sub items Errors: 1 CC:
(none) =>
herman.viaene PoC verified to be fixed on an MGA4-i586 VM. Adding MGA4-32-OK. OK, now I'm going to try it on MGA4-64. CC:
(none) =>
shlomif MGA4-64-OKing because the PoC does not work after update. Whiteboard:
MGA4TOO, MGA5-64-OK MGA4-32-OK =>
MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK Advisory commited to svn. Someone from the sysadmin team please push 16122.adv to updates for Mageia 4 and 5. Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0252.html Status:
NEW =>
RESOLVED |