| Summary: | unzip new security issues CVE-2016-9844 and CVE-2014-9913 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, lewyssmith, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/708995/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory mga5-32-ok | ||
| Source RPM: | unzip-6.0-16.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | POC test file PoZ.zip for this bug | ||
Description
David Walser
2016-12-06 00:43:02 CET
David Walser
2016-12-06 00:43:13 CET
Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11

Debian-LTS has issued an advisory for this today (December 13):
https://lwn.net/Alerts/708934/

URL: (none) => https://lwn.net/Vulnerabilities/708995/

Patched package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated unzip package fixes security vulnerabilities:

It was discovered that "unzip -l" (CVE-2014-9913) and "zipinfo" (CVE-2016-9844) were vulnerable to buffer overflows when provided malformed or maliciously-crafted ZIP files.

References:
http://www.openwall.com/lists/oss-security/2016/12/05/20
https://security-tracker.debian.org/tracker/CVE-2014-9913
https://security-tracker.debian.org/tracker/CVE-2016-9844
https://lwn.net/Alerts/708934/
========================

Updated packages in core/updates_testing:
========================
unzip-6.0-13.3.mga5
unzip-debuginfo-6.0-13.3.mga5

from unzip-6.0-13.3.mga5.src.rpm

I marked this as having test procedures but I'm not sure how well they apply. What I found is in some of the comments for:
https://bugs.mageia.org/show_bug.cgi?id=14872
https://bugs.mageia.org/show_bug.cgi?id=16813

There is mention of PoC.zip in comment #1 at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750

CC: (none) => mrambo

Testing M5_64

From the unzip/zipinfo man pages:
unzip will list, test, or extract files from a ZIP archive
zipinfo lists technical information about files in a ZIP archive
Note that zipinfo is the same program as unzip (under Unix, a link to it)

BEFORE the update: unzip-6.0-13.1.mga5

Using the valuable POC link at the end of Comment 3 (thanks for same, Mike), I downloaded & ran the Python script which produces the test file PoZ.zip - which I will attach to this bug.

$ zipinfo PoZ.zip
Archive: PoZ.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
then loads of output.

$ unzip -l PoZ.zip
Archive: PoZ.zip
Length Date Time Name
--------- ---------- ----- ----
*** buffer overflow detected ***: unzip terminated
======= Backtrace: =========
etc

AFTER update to: unzip-6.0-13.3.mga5

$ zipinfo PoZ.zip
Archive: PoZ.zip
Zip file size: 154 bytes, number of entries: 1
-rw-rw-r-- 3.0 unx 2 tx FFFF 16-Nov-22 02:07 a
1 file, 2 bytes uncompressed, 2 bytes compressed: 0.0%

$ unzip -l PoZ.zip
Archive: PoZ.zip
Length Date Time Name
--------- ---------- ----- ----
2 2016-11-22 02:07 a
--------- -------
2 1 file

which is conclusively OK. Oh that things were always so neat.

CC: (none) => lewyssmith

Created attachment 8840
POC test file PoZ.zip for this bug
Run with:
$ zipinfo PoZ.zip
$ unzip -l PoZ.zip
Buffer overflows before update; OK after it.
Lewis Smith
2017-01-08 20:06:16 CET
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

The following package is going to be installed:
- unzip-6.0-13.3.mga5.i586
4B of additional disk space will be used.
207KB of packages will be retrieved.

$ unzip -v
UnZip 6.00 of 20 April 2009, by ALT Linux Team. Original by Info-ZIP.
Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.
Compiled with gcc 4.9.2 for Unix (Linux ELF) on Jan 6 2017.
---and lots more stuff---

I used the gnome file browser to compress a few items to a zip file.

-rw-rw-r-- 1 brian brian 169405691 Jan 12 12:36 sf_vmshare.zip
-------------
[brian@localhost uncomp]$ unzip sf*.zip
Archive: sf_vmshare.zip
inflating: gzread.php
inflating: gzread2.php
inflating: hdark.tar
inflating: hdark11.txt
inflating: hello_world.php
inflating: libgd_test.php
inflating: php12.php
inflating: php12_2.php
inflating: php529_test
inflating: php529_test.php
inflating: php_zip.php
inflating: read_book.php
inflating: slacko-5.7.0-PAE.iso
inflating: virt_man_error1

looks like it still works.

$ ls
gzread2.php* hello_world.php* php529_test* sf_vmshare.zip
gzread.php* libgd_test.php* php529_test.php* slacko-5.7.0-PAE.iso*
hdark11.txt* php12_2.php* php_zip.php* virt_man_error1*
hdark.tar* php12.php* read_book.php*

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0015.html

Status: NEW => RESOLVED
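
Added example, not part of the bug report or of unzip's own code: both CVEs concern how the listing code handles the compression-method field of a central directory entry, so archives can be screened for unassigned method IDs before `unzip -l` or `zipinfo` is run on a host that has not yet taken the update. The allow-list, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Compression method IDs assigned in PKWARE's APPNOTE (allow-list assumed for this example).
KNOWN_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 16, 18, 19,
                 93, 94, 95, 96, 97, 98, 99}
EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header


def central_directory_methods(data):
    """Return [(name, method)] for every central directory entry of a ZIP image."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # Total entry count, directory size, directory offset (EOCD bytes 10..19).
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            raise ValueError("truncated or corrupt central directory")
        method = struct.unpack_from("<H", data, pos + 10)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        entries.append((name, method))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def suspicious_entries(data):
    """Entries whose method field is not an assigned ID; hold these back from listing tools."""
    return [(n, m) for n, m in central_directory_methods(data) if m not in KNOWN_METHODS]


def constructed_sample(unassigned=False):
    """Constructed one-entry archive; optionally set its method field to reserved ID 11."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a", b"hi")
    raw = bytearray(buf.getvalue())
    if unassigned:
        struct.pack_into("<H", raw, raw.find(CDH_SIG) + 10, 11)
    return bytes(raw)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, suspicious_entries(constructed_sample(flag)))
```
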