Bug 21134

Summary: unrar new security issue CVE-2012-6706
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK advisory
Source RPM: unrar-5.31-1.mga6.nonfree.src.rpm CVE:
Status comment:
Bug Depends on: 21563    
Bug Blocks:    

Description David Walser 2017-06-23 23:40:59 CEST 
An old security issue in unrar has surfaced publicly with a CVE:
http://openwall.com/lists/oss-security/2017/06/22/8

I'm not sure if a fix is available.

Mageia 5 is also affected.
David Walser 2017-06-23 23:41:09 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-06-24 00:43:41 CEST 
Apparently it's fixed in 5.5.5.

openSUSE has issued an advisory for this today (June 23):
https://lists.opensuse.org/opensuse-updates/2017-06/msg00085.html
Comment 2 Rémi Verschelde 2017-07-01 10:36:07 CEST 
Assigning to Götz who started updating unrar in Cauldron but never asked for a freeze push request (don't do that - either you get the package built for Mageia 6, or you don't modify the spec in SVN until the updates/6 branching is done).

Assignee: anssi.hannula => goetz.waschk

Comment 3 David Walser 2017-07-01 20:46:24 CEST 
SUSE has issued advisories for this on June 29 and June 30:
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00041.html
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00049.html

The latter shows that clamav is also affected, as detailed here:
http://openwall.com/lists/oss-security/2017/06/29/8
Comment 4 David Walser 2017-07-02 20:22:35 CEST 
Fixed in Cauldron by Götz.  clamav isn't affected as we don't ship clamunrar.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

David Walser 2017-08-18 22:49:50 CEST

Depends on: (none) => 21563

Comment 5 David Walser 2017-08-20 15:13:47 CEST 
Advisory:
========================

Updated unrar package fixes security vulnerabilities:

VMSF_DELTA memory corruption (CVE-2012-6706).

Directory traversal issue in UnRAR before 5.5.7 (CVE-2017-12938).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
EncodeFileName::Decode call within the Archive::ReadHeader15 function
(CVE-2017-12940).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
Unpack::Unpack20 function (CVE-2017-12941).

libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ
function (CVE-2017-12942).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12942
https://lists.opensuse.org/opensuse-updates/2017-06/msg00085.html
http://openwall.com/lists/oss-security/2017/08/18/2
http://openwall.com/lists/oss-security/2017/08/18/6
========================

Updated packages in core/updates_testing:
========================
unrar-5.50-1.mga5

from unrar-5.50-1.mga5.src.rpm

Assignee: goetz.waschk => qa-bugs
Whiteboard: (none) => MGA5-64-OK

Comment 6 Lewis Smith 2017-08-20 20:57:33 CEST 
Advisory uploaded.
Validating because this new version was tested M5/64 OK under bug 21134 in advance of creating this separate bug: https://bugs.mageia.org/show_bug.cgi?id=21563#c7

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Nicolas Lécureuil 2017-08-21 13:12:11 CEST 
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â 21563
Dependent bug! Publish anyway? [y/N]:  â
Checking SRPMs⦠                      â (5/core/unrar-5.50-1.mga5) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 8 David Walser 2017-08-21 13:41:25 CEST 
The package is in nonfree, not core.
Comment 9 Lewis Smith 2017-08-21 20:22:02 CEST 
My comment 6 should have back-referred to bug 21563 (not 21134).

@Nicolas comment 7
Do not understand the dependance on bug 21563. I thought they were now independant. I was careful with both advisories (but to revise anyway). Perhaps the error was due to:

@David comment 8
OK, I will amend both advisories accordingly. Took info from Comment 5.
Comment 10 David Walser 2017-08-21 21:01:39 CEST 
The bug is dependent on the other one because the Mageia 5 update cannot be pushed before the Mageia 6 update, otherwise it would create an upgrade issue.
Comment 11 Lewis Smith 2017-08-24 11:45:47 CEST 
Re-validating now that bug 21563 has also been validated. Hope it sticks this time.

Keywords: (none) => validated_update

Comment 12 Nicolas Lécureuil 2017-08-24 14:29:17 CEST 
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â 21563
Dependent bug! Publish anyway? [y/N]:  â
Checking SRPMs⦠                      â (5/core/unrar-5.50-1.mga5) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Lewis Smith 2017-08-24 21:24:49 CEST

Keywords: (none) => validated_update

Comment 13 Mageia Robot 2017-08-24 23:19:18 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0302.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED