Bug 16427

Summary: squashfs-tools new security issues CVE-2015-4645 and CVE-2015-4646
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, sysadmin-bugs, tmb, yann.cantin
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/651775/
Whiteboard: MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK
Source RPM: squashfs-tools-4.3-4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-07-20 21:02:45 CEST 
Fedora has issued an advisory on June 26:
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162171.html

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-07-20 21:02:55 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-21 18:35:17 CEST 
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

There's quite some discussion about this on the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1234886

Thomas, do you want to proceed with the current patch, or wait for further work?

Advisory:
========================

Updated squashfs-tools package fixes security vulnerabilities:

The unsquashfs command from squashfs-tools is vulnerable to integer
(CVE-2015-4645) and stack (CVE-2015-4646) overflows.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4646
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162171.html
========================

Updated packages in core/updates_testing:
========================
squashfs-tools-4.2-7.1.mga4
squashfs-tools-4.3-4.1.mga5

from SRPMS:
squashfs-tools-4.2-7.1.mga4.src.rpm
squashfs-tools-4.3-4.1.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 2 David Walser 2015-09-02 20:03:40 CEST 
The discussion on the RedHat bug did not continue, pushing this to QA.

Advisory and package list in Comment 1.

CC: (none) => tmb
Assignee: tmb => qa-bugs

Comment 3 Yann Cantin 2015-09-04 19:17:15 CEST 
mga5 x86_64

Installed package :
squashfs-tools-4.3-4.1.mga5.x86_64.rpm

Using https://fedoraproject.org/wiki/QA:Testcase_squashfs-tools_compression :
gzip and xz compression OK

lzma and lz4 failed but they failed also with the current mga5 squashfs-tools, and the spec file enable only gzip and xz, so i guess it's normal.

Update OK (no regression).

CC: (none) => yann.cantin
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK

Comment 4 Lewis Smith 2015-09-07 10:12:12 CEST 
Testing Mageia 4 x64
Thanks to Yann Comment 3 for the test link. Invaluable.

Installed: squashfs-tools-4.2-7.mga4
Installed & ran the test script from:
 https://fedoraproject.org/wiki/QA:Testcase_squashfs-tools_compression
 $ . tmp/Squashfs-compression-test.sh
It worked for gzip & xz (the only compressors available).
It failed for lzo lzma lz4 (not supported = ? not available).

Updated to: squashfs-tools-4.2-7.1.mga4 and re-ran the script. The output was identical (apart from minute differences of inode table size). Update deemed OK.

CC: (none) => lewyssmith
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA4-64-OK

Comment 5 claire robinson 2015-09-07 17:08:53 CEST 
Validating. Advisory uploaded.

Please push to 4 & 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA5-64-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-09-08 09:21:36 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0335.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED