Bug 18490

Summary: p7zip new security issues CVE-2016-2334 and CVE-2016-2335
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, geiger.david68210, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/688051/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: p7zip-15.14.1-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-05-19 16:58:59 CEST 
Cisco TALOS has issued an advisory on May 11:
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

A comment there, plus one on the Debian bug, says 9.20 isn't affected by CVE-2016-2334, as the code was probably introduced in 9.32.  As for 9.20.1, I don't know, but one could check the patch, linked from the upstream bug.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824160
https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/?limit
David Walser 2016-05-19 16:59:04 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David GEIGER 2016-05-19 17:54:16 CEST 
Ok done for Cauldron!

Also I confirm that 9.20.1 release isn't affected by CVE-2016-2334, patch cannot be applied because code is not at all the same as 15.14.1 release.

So what to do for mga5? just apply the patch for CVE-2016-2335?
Comment 2 David Walser 2016-05-19 18:08:20 CEST 
(In reply to David GEIGER from comment #1)
> So what to do for mga5? just apply the patch for CVE-2016-2335?

Yes.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 David GEIGER 2016-05-19 18:18:19 CEST 
Well! done also for mga5!
Comment 4 David Walser 2016-05-19 18:31:56 CEST 
Thanks!

Advisory:
========================

Updated p7zip package fixes security vulnerability:

An out of bound read vulnerability exists in the CInArchive::ReadFileItem
method functionality of 7zip for handling UDF files that can lead to denial of
service or code execution (CVE-2016-2335).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2335
http://www.talosintel.com/reports/TALOS-2016-0094/
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
========================

Updated packages in core/updates_testing:
========================
p7zip-9.20.1-6.2.mga5

from p7zip-9.20.1-6.2.mga5.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 5 Brian Rockwell 2016-05-20 21:34:10 CEST 
MGA5-64

[root@localhost brian]# urpmi p7zip
Package p7zip-9.20.1-6.2.mga5.x86_64 is already installed

[brian@localhost ~]$ 7z

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,3 CPUs)

7z a -r emlp.7z ./*.flac

-rw-r--r-- 1 brian brian 2079565218 May 20 14:12 emlp.7z

moving file to a new location to extract.

Opened with Archive Manager.  (Archive Manager is using 7z to extract)

First file and last files play correctly.

CC: (none) => brtians1
Whiteboard: (none) => MGA5-64-OK

claire robinson 2016-05-21 21:18:36 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-05-22 00:12:24 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0202.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED