Bug 20285

Summary:	zziplib new security issues CVE-2017-597[4-9] and CVE-2017-598[01]
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA5-32-OK advisory MGA5-64-OK
Source RPM:	zziplib-0.13.62-7.mga6.src.rpm	CVE:
Status comment:

Description David Walser 2017-02-14 12:07:45 CET

CVEs have been assigned for several security issues in zziplib:
http://openwall.com/lists/oss-security/2017/02/14/3

CVE requests were originally filed on February 9:
http://openwall.com/lists/oss-security/2017/02/09/

I don't believe any fixes are available yet.

Mageia 5 is also affected.

David Walser 2017-02-14 12:08:05 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-05-09 16:48:19 CEST

openSUSE has issued an advisory for this on May 8:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00025.html

Comment 2 David Walser 2017-06-04 21:51:10 CEST

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated zziplib packages fix security vulnerabilities:

Heap-based buffer overflow in __zzip_get32 in fetch.c (CVE-2017-5974).

Heap-based buffer overflow in __zzip_get64 in fetch.c (CVE-2017-5975).

Heap-based buffer overflow in zzip_mem_entry_extra_block in memdisk.c
(CVE-2017-5976).

Invalid memory read in zzip_mem_entry_extra_block in memdisk.c (CVE-2017-5977).

Out of bounds read in zzip_mem_entry_new in memdisk.c (CVE-2017-5978).

NULL pointer dereference in prescan_entry in fseeko.c (CVE-2017-5979).

NULL pointer dereference in zzip_mem_entry_new in memdisk.c (CVE-2017-5980).

Assertion failure in seeko.c (CVE-2017-5981).

NULL pointer dereference in main in unzzipcat-mem.c (bsc#1024532).

NULL pointer dereference in main in unzzipcat.c (bsc#1024537).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5980
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
https://lists.opensuse.org/opensuse-updates/2017-05/msg00025.html
========================

Updated packages in core/updates_testing:
========================
libzziplib0-0.13.62-5.1.mga5
libzziplib-devel-0.13.62-5.1.mga5

from zziplib-0.13.62-5.1.mga5.src.rpm

Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 Herman Viaene 2017-06-06 14:18:13 CEST

MGA5-32 on Asus A6000VM Xfce
No installation issues
urpmq --whatrequires-recursive libzziplib0
returns a long list, but none of these are familiar to me, so I have no idea how to test this thingie.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2017-06-06 14:39:57 CEST

Just noticed that swftools is in that list, and bug 20486 requires testing it.
Tracing jpeg2swf shows that libzzip-0 is called, so OK to me.

Whiteboard: (none) => MGA5-32-OK

Comment 5 Dave Hodgins 2017-06-07 07:47:54 CEST

That's bug 20846. Confirmed the update is working on x86_64. Thanks for the suggestion to use gnash to view the swf file, as web browsers open/close the
single frame too quickly to verify it's ok.

Advisory committed, validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Nicolas Lécureuil 2017-06-08 23:26:55 CEST

Update ID assignment failed

Checking for QA validation keywordâ¦   â
Checking dependent bugsâ¦              â (None found)
Checking SRPMsâ¦                       â (5/core/zziplib-0.13.62-5.1) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 7 Lewis Smith 2017-06-09 20:31:35 CEST

A confusion over names.
BEFORE the update, I have: lib64zziplib0-0.13.62-5.mga5
Updates Testing has: lib64zziplib0-0.13.62-5.1.mga5 , presumably what was tested (comments 2 & 3).
Both Comment 2 and the advisory have: zziplib-0.13.62-5.1.mga5[.src.rpm]
Missing '0' at the end of the pkg name.
Advisory corrected accordingly; re-validating.

CC: (none) => lewyssmith
Keywords: (none) => validated_update

Comment 8 David Walser 2017-06-09 20:39:20 CEST

The package names in Comment 2 were correct.  The advisory in SVN should only have the SRPM name, which doesn't have a 0.

Comment 9 David Walser 2017-06-09 20:40:21 CEST

From Comment 6 it looks like it was actually missing the .mga5

Comment 10 David Walser 2017-06-09 21:39:39 CEST

I fixed the advisory in SVN.

Comment 11 Mageia Robot 2017-06-10 01:06:38 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0163.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 Lewis Smith 2017-06-12 20:56:14 CEST

(In reply to David Walser from comment #8)
> The package names in Comment 2 were correct.  The advisory in SVN should
> only have the SRPM name, which doesn't have a 0.
(In reply to David Walser from comment #9)
> From Comment 6 it looks like it was actually missing the .mga5
Egg on my face! Sorry for the wrong move.

(In reply to David Walser from comment #10)
> I fixed the advisory in SVN.
Thanks.