| Summary: | libzip new security issue CVE-2017-14107 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, davidwhodgins, herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-32-OK | | |
| Source RPM: | libzip-1.1.3-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2017-09-01 03:35:41 CEST
David Walser
2017-09-01 03:35:55 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC:
(none) =>
marja11

More info:
http://openwall.com/lists/oss-security/2017/09/02/2

Another security issue fixed upstream in libzip has also been announced:
http://openwall.com/lists/oss-security/2017/09/02/1

The messages above contain commit links for fixes, and the issues were also fixed in 1.3.0.

Summary:
libzip new security issue CVE-2017-12858 =>
libzip new security issue CVE-2017-12858 and CVE-2017-14107

I added a patch in mga6 to fix 21650 - CVE-2017-14107 (comment #2). I don't pass to do a patch for CVE-2017-12858

CC:
(none) =>
mageia

Updating to 1.3.0 should be fine. Major is increased so we will have to rebuild packages

Well that's unfortunate. At least there aren't that many. On Mageia 5 I see amftools, ds9, ebook-tools, mysql-workbench, php, repsnapper, subsurface, and yainstall.

Fedora has issued advisories for this on September 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSWGXFUKXQMEWTXGHKJPX34G4X5F3FRO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QRCEUPQSAGAC63E4H52XCXTI6464JS2F/

In the second one, they patched CVE-2017-12858, so we can steal their patch.

openSUSE has issued an advisory for CVE-2017-14107 today (September 22):
https://lists.opensuse.org/opensuse-updates/2017-09/msg00096.html

They patched the same version that we have in Mageia 5.
José Jorge
2017-09-22 19:01:51 CEST
Assignee:
pkg-bugs =>
lists.jjorge
José Jorge
2017-09-22 19:05:17 CEST
Assignee:
lists.jjorge =>
bugsquad
José Jorge
2017-09-22 19:05:42 CEST
Assignee:
bugsquad =>
pkg-bugs
José Jorge
2017-09-22 19:05:53 CEST
CC:
lists.jjorge =>
(none)

CVE-2017-12858 only affected 1.2.0.

Advisory:
========================

Updated libzip packages fix security vulnerability:

The _zip_read_eocd64 function mishandled EOCD records, which allowed remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive (CVE-2017-14107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14107
https://lists.opensuse.org/opensuse-updates/2017-09/msg00096.html
========================

Updated packages in core/updates_testing:
========================
libzip-0.11.2-4.1.mga5
libzip2-0.11.2-4.1.mga5
libzip-devel-0.11.2-4.1.mga5
libzip-1.1.3-1.1.mga6
libzip4-1.1.3-1.1.mga6
libzip-devel-1.1.3-1.1.mga6

from SRPMS:
libzip-0.11.2-4.1.mga5.src.rpm
libzip-1.1.3-1.1.mga6.src.rpm

Version:
Cauldron =>
6

To prioritise.

The following 2 packages are going to be installed:

- lib64zip4-1.1.3-1.1.mga6.x86_64
- libzip-1.1.3-1.1.mga6.x86_64

160KB of additional disk space will be used.
79KB of packages will be retrieved.
Is it ok to continue?

---

It adds a utility called ziptool

$ ziptool -n brian.zip add_file brian brian.txt 0 16

I'm able to open the resulting zip file and its content

$ uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

CC:
(none) =>
brtians1
Dave Hodgins
2018-01-01 07:26:14 CET
CC:
(none) =>
davidwhodgins

I find no trace of this ziptool in the M5 packages???

CC:
(none) =>
herman.viaene

MGA5-32 on Dell Latitude D600 Xfce
No installation issues
I have a Documenten.orig folder which is largely the same as Documenten. So at CLI:

$ pwd
/home/tester5/Documenten
$ zip ziptest.orig ../Documenten.orig/*
adding: ../Documenten.orig/christusv.dvi (deflated 24%)
adding: ../Documenten.orig/christusv.log (deflated 86%)
adding: ../Documenten.orig/christusv.tex (deflated 50%)
adding: ../Documenten.orig/kursustekstorig.pdf (deflated 27%)
adding: ../Documenten.orig/kursustekst.pdf (deflated 32%)
adding: ../Documenten.orig/kursustekst.ps (deflated 28%)
adding: ../Documenten.orig/memcac.php (deflated 15%)
adding: ../Documenten.orig/phpmail (deflated 59%)
adding: ../Documenten.orig/phpmailer.php (deflated 59%)
adding: ../Documenten.orig/pvrtccompressor/ (stored 0%)
$ zip ziptest *
adding: christusv.dvi (deflated 24%)
adding: christusv.log (deflated 86%)
adding: christusv.tex (deflated 50%)
adding: kurstext.txt (deflated 72%)
adding: kursustekstorig.pdf (deflated 27%)
adding: kursustekst.pdf (deflated 32%)
adding: kursustekst.ps (deflated 28%)
adding: memcac.php (deflated 15%)
adding: phpmail (deflated 59%)
adding: phpmailer.php (deflated 59%)
adding: rubyexample.rb (deflated 11%)
adding: ziptest.orig (deflated 0%)

the zipcmp command is in libzip

$ zipcmp ziptest.orig ziptest.zip
--- ziptest.orig
+++ ziptest.zip
- 400 6ed0f700 ../Documenten.orig/christusv.dvi
- 4113 ff7b5ebb ../Documenten.orig/christusv.log
- 738 a961c97e ../Documenten.orig/christusv.tex
- 1642925 09d5d594 ../Documenten.orig/kursustekst.pdf
- 11698263 11c530ea ../Documenten.orig/kursustekst.ps
- 2101900 3244c1ca ../Documenten.orig/kursustekstorig.pdf
- 147 35e18764 ../Documenten.orig/memcac.php
- 2078 e24b3a7d ../Documenten.orig/phpmail
- 2020 3d7e6867 ../Documenten.orig/phpmailer.php
- 0 00000000 ../Documenten.orig/pvrtccompressor/
+ 400 6ed0f700 christusv.dvi
+ 4113 ff7b5ebb christusv.log
+ 738 a961c97e christusv.tex
+ 181767 18b65442 kurstext.txt
+ 1642925 09d5d594 kursustekst.pdf
+ 11698263 11c530ea kursustekst.ps
+ 2101900 3244c1ca kursustekstorig.pdf
+ 147 35e18764 memcac.php
+ 2078 e24b3a7d phpmail
+ 2020 3d7e6867 phpmailer.php
+ 65 aafb3a18 rubyexample.rb
+ 11089488 e39e3006 ziptest.orig

Looks OK

Whiteboard:
MGA5TOO mga6-64-ok =>
MGA5TOO MGA6-64-OK MGA5-32-OK

Validating as this has OKs for both releases & both architectures.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0020.html

Status:
NEW =>
RESOLVED |
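
The advisory in this report attributes the denial of service to mishandled EOCD records that end in a memory allocation failure. As an added example (not libzip's code and not the upstream patch), the C below shows the kind of bounds checks a ZIP64 end-of-central-directory reader can apply before sizing any allocation from the record. It assumes the whole archive is in memory and only single-disk archives are accepted; `eocd64_check`, `sample_check` and the status names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define EOCD64_LEN  56u /* fixed part of a ZIP64 end-of-central-directory record */
#define CDENTRY_MIN 46u /* smallest possible central directory entry */

enum eocd64_status { EOCD64_OK, EOCD64_TRUNCATED, EOCD64_BAD_MAGIC,
                     EOCD64_MULTIDISK, EOCD64_CDIR_RANGE, EOCD64_TOO_MANY };

static uint64_t rd_le(const uint8_t *p, int n) {   /* little-endian read */
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}
static void put_le(uint8_t *p, uint64_t v, int n) { while (n-- > 0) p[n] = (uint8_t)(v >> (8 * n)); }

/* Hypothetical helper: validate the EOCD64 record at buf[eocd64_off] in an
 * archive of file_len bytes before anything is allocated from its fields. */
enum eocd64_status eocd64_check(const uint8_t *buf, uint64_t file_len,
                                uint64_t eocd64_off, uint64_t *nentry) {
    if (eocd64_off > file_len || file_len - eocd64_off < EOCD64_LEN)
        return EOCD64_TRUNCATED;
    const uint8_t *r = buf + eocd64_off;
    if (memcmp(r, "PK\x06\x06", 4) != 0) return EOCD64_BAD_MAGIC;
    uint64_t on_disk = rd_le(r + 24, 8), total = rd_le(r + 32, 8);
    uint64_t cd_size = rd_le(r + 40, 8), cd_off = rd_le(r + 48, 8);
    if (rd_le(r + 16, 4) || rd_le(r + 20, 4) || on_disk != total)
        return EOCD64_MULTIDISK;
    /* Overflow-safe form of cd_off + cd_size <= eocd64_off. */
    if (cd_off > eocd64_off || cd_size > eocd64_off - cd_off)
        return EOCD64_CDIR_RANGE;
    /* The entry count cannot exceed what the directory bytes can hold. */
    if (total > cd_size / CDENTRY_MIN) return EOCD64_TOO_MANY;
    *nentry = total;
    return EOCD64_OK;
}

/* Constructed sample: 46 zero bytes standing in for one directory entry,
 * followed by an EOCD64 record with the given claimed count and size. */
enum eocd64_status sample_check(uint64_t total, uint64_t cd_size, uint64_t *n) {
    uint8_t f[CDENTRY_MIN + EOCD64_LEN] = {0};
    uint8_t *r = f + CDENTRY_MIN;
    memcpy(r, "PK\x06\x06", 4);
    put_le(r + 4, EOCD64_LEN - 12, 8);   /* size of the remaining record */
    put_le(r + 24, total, 8); put_le(r + 32, total, 8);
    put_le(r + 40, cd_size, 8);          /* directory offset stays 0 */
    return eocd64_check(f, sizeof f, CDENTRY_MIN, n);
}

int main(void) { uint64_t n; return sample_check(1, CDENTRY_MIN, &n) != EOCD64_OK; }
```

A caller would size its directory array from `*nentry` only after `EOCD64_OK`, so the allocation is bounded by the bytes actually present in the file.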