Bug 19932

Summary: libgsf new security issue CVE-2016-9888
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/708871/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Source RPM: libgsf-1.14.31-1.mga5.src.rpm CVE:
Status comment:
Attachments: test program

Description David Walser 2016-12-12 20:26:37 CET 
Fedora has issued an advisory on December 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNGPD6IEEBZDLN6EMGXQ2ATUACQSTOWQ/

The issue is fixed in 1.14.41, which is already in Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libgsf packages fix security vulnerability:

An error within the "tar_directory_for_file()" function (gsf-infile-tar.c) in
GNOME Structured File Library before 1.14.41 can be exploited to trigger a Null
pointer dereference and subsequently cause a crash via a crafted TAR file
(CVE-2016-9888).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9888
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNGPD6IEEBZDLN6EMGXQ2ATUACQSTOWQ/
========================

Updated packages in core/updates_testing:
========================
libgsf-1.14.31-1.1.mga5
libgsf1_114-1.14.31-1.1.mga5
libgsf-devel-1.14.31-1.1.mga5
libgsf-gir1-1.14.31-1.1.mga5

from libgsf-1.14.31-1.1.mga5.src.rpm
David Walser 2016-12-12 20:27:25 CET

URL: (none) => https://lwn.net/Vulnerabilities/708871/

Comment 1 Herman Viaene 2016-12-22 16:14:20 CET 
MGA5-32 on Acer D620 Xfce
No installation issues.
# urpmq --whatrequires libgsf
libgsf
Not very usefull.
Googled and found a possible testcase (attached file) but get into problems with it
supposed to put some zip archive myarchive.zip and the testfile in a folder and run there
$ valac --pkg libgsf-1 gsf-sample.vala
$ ./gsf-sample

but at first command I get:
$ valac --pkg libgsf-1 gsf-sample.vala
In file included from /home/tester5/Video/gsf-sample.vala.c:14:0:
/usr/include/libgsf-1/gsf/gsf-outfile-impl.h:30:12: fout: field âparentâ has incomplete type
  GsfOutput parent;
            ^
/usr/include/libgsf-1/gsf/gsf-outfile-impl.h:34:2: fout: unknown type name âGsfOutputClassâ
  GsfOutputClass output_class;
  ^
error: cc exited with status 256
Compilation failed: 1 error(s), 0 warning(s)

CC: (none) => herman.viaene

Comment 2 Herman Viaene 2016-12-22 16:15:18 CET 
Created attachment 8810 [details]
test program
Comment 3 David Walser 2016-12-22 16:16:19 CET 
Usually only the library package is directly required.

Try:
urpmq --whatrequires libgsf1_114
or:
urpmq --whatrequires lib64gsf1_114
Comment 4 Herman Viaene 2016-12-23 11:56:26 CET 
Following David's advice, I found gchemtable.
Running 
$ strace -o libgsf.txt gchemtable
gave me in the file:
open("/lib/libgsf-1.so.114", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\265\0\0004\0\0\0"..., 512) = 512
and gchem works OK.

Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2016-12-28 11:25:51 CET

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 5 Len Lawrence 2016-12-28 15:20:25 CET 
Testing on X86_64 real hardware.
There does not appear to be any means for reproducing the security problem.
Installed:
- libgsf-1.14.31-1.1.mga5
- lib64gsf1_114-1.14.31-1.1.mga5
- lib64gsf-devel-1.14.31-1.1.mga5
- lib64gsf-gir1-1.14.31-1.1.mga5

Used link derived from program sample : https://wiki.gnome.org/Projects/Vala/GSFSample
to check compilation requirements.

$ sudo urpmi vala
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  lib64ffi-devel                 3.1          4.mga5        x86_64  
  lib64vala0.26_0                0.26.2       1.mga5        x86_64  
  vala                           0.26.2       1.mga5        x86_64  
(medium "Core Updates (distrib3)")
  glib-gettextize                2.42.1       2.1.mga5      x86_64  
  lib64glib2.0-devel             2.42.1       2.1.mga5      x86_64  
  lib64pcre-devel                8.38         1.mga5        x86_64  

$ valac --pkg libgsf-1 gsf-sample.vala
Produced the same errors as reported in comment 1 for i586.

$ strace -o gchem.trace gchemtable 
$ grep gsf gchem.trace
open("/usr/lib64/libgsf-1.so.114", O_RDONLY|O_CLOEXEC) = 3
stat("/home/lcl/qa/libgsf", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/libgsf.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/libgsf.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB/LC_MESSAGES/libgsf.mo", O_RDONLY) = 13

This gets as far as the i586 tests - marking it as OK.

CC: (none) => tarazed25

Len Lawrence 2016-12-28 15:20:43 CET

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK

Comment 6 Lewis Smith 2016-12-29 11:09:15 CET 
Validated; advisory already in place.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2016-12-29 11:30:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0427.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED