| Summary: | gcab new security issue CVE-2018-5345 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | marja11, oe, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | gcab-0.7-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-01-26 04:58:11 CET
David Walser
2018-01-26 04:58:19 CET
Whiteboard:
(none) =>
MGA6TOO
Assigning to all packagers collectively, since the registered maintainer for this package seems unavailable.
@ Oden
Please reassign to yourself if I'm wrong about that!
CC:
(none) =>
marja11, oe
The issue was also fixed in the 0.8 release. Cauldron is not affected.
Version:
Cauldron =>
6
Patched packages uploaded for Mageia 5 and Mageia 6.
Advisory:
========================
Updated gcab packages fix security vulnerabilities:
It was discovered that gcab is prone to a stack-based buffer overflow vulnerability when extracting .cab files. An attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of the user running gcab, if a specially crafted .cab file is processed (CVE-2018-5345).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5345
https://www.debian.org/security/2018/dsa-4095
========================
Updated packages in core/updates_testing:
========================
gcab-0.4-6.1.mga5
libgcab1.0_0-0.4-6.1.mga5
libgcab-gir1.0-0.4-6.1.mga5
libgcab-devel-0.4-6.1.mga5
gcab-0.7-1.1.mga6
libgcab1.0_0-0.7-1.1.mga6
libgcab-gir1.0-0.7-1.1.mga6
libgcab-devel-0.7-1.1.mga6
from SRPMS:
gcab-0.4-6.1.mga5.src.rpm
gcab-0.7-1.1.mga6.src.rpm
Assignee:
pkg-bugs =>
qa-bugs
Testing M5/64
There is no PoC.
BEFORE update, installed:
gcab-0.4-6.mga5
lib64gcab1.0_0-0.4-6.mga5
lib64gcab-gir1.0-0.4-6.mga5
and the following commands from a randomly populated directory showed use of lib64gcab1.0_0 only for all main operations:
1. Create a CAB file:
$ strace gcab -cv cabfile.cab * 2>&1 | grep libgcab
open("/lib64/libgcab-1.0.so.0", O_RDONLY|O_CLOEXEC) = 3
2. List it:
$ strace gcab -tv cabfile.cab 2>&1 | grep libgcab
open("/lib64/libgcab-1.0.so.0", O_RDONLY|O_CLOEXEC) = 3
3. Extract it to a lower-level directory:
$ mkdir tmp
$ strace gcab -xv -C tmp cabfile.cab 2>&1 | grep libgcab
open("/lib64/libgcab-1.0.so.0", O_RDONLY|O_CLOEXEC) = 3
whose contents were the same as the original.
AFTER update:
- gcab-0.4-6.1.mga5.x86_64
- lib64gcab-gir1.0-0.4-6.1.mga5.x86_64
- lib64gcab1.0_0-0.4-6.1.mga5.x86_64
1. Create a CAB file:
$ gcab -cv cabfile.cab *
...
List of files as archived.
2. List the archive :
$ gcab -tv cabfile.cab
...
The same file list.
3. Extract it to another directory:
$ mkdir tmp
$ gcab -xv -C tmp cabfile.cab
...
The files listed as extracted.
Final directory same as the original.
Update OK for M5, advisorying.
Whiteboard:
MGA5TOO =>
MGA5TOO MGA5-64-OK
Mageia 6 :: x86_64
Thanks to Lewis for pathfinding.
Installed and exercised the utility before updating.
Updated:
- gcab-0.7-1.1.mga6.x86_64
- lib64gcab-devel-0.7-1.1.mga6.x86_64
- lib64gcab-gir1.0-0.7-1.1.mga6.x86_64
- lib64gcab1.0_0-0.7-1.1.mga6.x86_64
Followed tests detailed in comment 4.
$ cd Documents
$ gcab -cv odt.cab *.odt
$ ll *.cab
-rw-r--r-- 1 lcl lcl 12942584 Feb 5 07:53 odt.cab
$ gcab -tv odt.cab
abbreviations.odt
Apology.odt
audit_tasklist.odt
....
TV_Licence.odt
Untitled 1.odt
wingandaprayer.odt
$ mkdir tests
$ gcab -xv -C tests odt.cab
$ ls tests
abbreviations.odt Front_1.odt parkingcharge_2.odt
............................
flooding.odt openjpeg.odt wingandaprayer.odt
Working for x86_64.
CC:
(none) =>
tarazed25
Len Lawrence
2018-02-05 09:01:33 CET
Whiteboard:
MGA5TOO MGA5-64-OK =>
MGA5TOO MGA5-64-OK MGA6-64-OK
Len Lawrence
2018-02-05 23:16:08 CET
Keywords:
(none) =>
validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0111.html
Resolution:
(none) =>
FIXED |
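The create, list and extract steps from the QA comments above, automated with a checksum comparison in place of a visual check (an added example, not part of the original bug report). It is a functional regression check only, since the report states there is no PoC; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): gcab create/list/extract round trip.
# Functional check only; it does not exercise CVE-2018-5345.

# Print a sorted "sha256  ./path" manifest of every regular file under $1.
tree_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Return 0 only when both directories exist and hold identical files.
same_tree() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    [ "$(tree_manifest "$1")" = "$(tree_manifest "$2")" ]
}

# Round-trip constructed sample files through gcab.
# Returns 0 = OK, 1 = gcab error or content mismatch, 2 = gcab not installed.
gcab_roundtrip() {
    command -v gcab >/dev/null 2>&1 || return 2
    _work=$(mktemp -d) || return 1
    mkdir "$_work/src" "$_work/out"
    # Constructed sample input: a text file and 64 KiB of random bytes.
    printf 'hello cab\n' > "$_work/src/a.txt"
    head -c 65536 /dev/urandom > "$_work/src/random.bin"
    _rc=0
    # Same options as the QA steps: -c create, -t list, -x extract, -C target dir.
    if ! ( cd "$_work/src" && gcab -c "$_work/test.cab" * ) >/dev/null; then
        _rc=1
    elif ! gcab -t "$_work/test.cab" | grep -q 'random\.bin'; then
        _rc=1
    elif ! gcab -x -C "$_work/out" "$_work/test.cab" >/dev/null; then
        _rc=1
    elif ! same_tree "$_work/src" "$_work/out"; then
        _rc=1
    fi
    rm -rf "$_work"
    return "$_rc"
}

# Usage: gcab_roundtrip; echo "status: $?"
```

Run it once before and once after installing the update; a status of 0 both times shows the patched package still round-trips archives byte for byte.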