Bug 22571

Summary: unzip new security issues CVE-2018-100003[1-5]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, marja11, qa-bugs, sysadmin-bugs, tarazed25, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: unzip-6.0-18.mga7.src.rpm CVE:
Status comment: Fixed upstream in 6.10c23

Description David Walser 2018-02-10 23:05:24 CET 
An advisory has been issued on February 8:
http://openwall.com/lists/oss-security/2018/02/08/1

The issues are fixed upstream in 6.10c23.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-10 23:05:37 CET

Status comment: (none) => Fixed upstream in 6.10c23
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2018-02-11 17:36:25 CET 
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-02-11 18:17:04 CET 
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.

Does anyone know where the hell can I find the new release's archive? Why can't they mint a new stable release already? It is really hard for me to work this way and the info zip people are being irresponsible.
Comment 3 David Walser 2018-02-11 18:30:11 CET 
See the link in Comment 0.  There's a direct link to 6.10c23 at the bottom.  I just noticed that it says the LZMA vulnerabilities aren't fixed yet, so perhaps that's why they haven't made a new stable release yet.
Comment 4 David Walser 2018-02-13 02:50:45 CET 
A note on how to get it to respect our CFLAGS, which is important:
http://openwall.com/lists/oss-security/2018/02/13/1
Comment 5 David Walser 2018-03-11 14:55:38 CET 
Fedora has issued an advisory for one of these issues on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WN3ZDO5UYFEX36VLDSUJ5HKZQMD2UPI3/
Comment 6 David Walser 2018-07-16 20:42:26 CEST 
openSUSE has issued an advisory for one of these issues on July 7:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00019.html
Comment 7 Bruno Cornec 2018-10-11 01:35:41 CEST 
shlomif pushed 6.10c23 to fix this in cauldron 2018-02-11

CC: (none) => bruno

Comment 8 Bruno Cornec 2018-10-11 02:34:49 CEST 
I pushed 6.10c23 for 6 in core/updates_testing

Status: NEW => ASSIGNED
Target Milestone: --- => Mageia 6
Assignee: shlomif => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => (none)

Comment 9 David Walser 2018-10-12 01:17:08 CEST 
It doesn't look like Comment 4 has been addressed, and I'm not sure all of the CVEs have been either.

Assignee: qa-bugs => shlomif
Whiteboard: (none) => MGA6TOO
CC: (none) => qa-bugs
Target Milestone: Mageia 6 => ---

Comment 10 Bruno Cornec 2018-10-13 01:12:11 CEST 
Updated again with LOCAL_UNZIP used.

As the initial comment was suggesting all CVEs were addressed by that new version, I thought it was the case, but didn't check closely.

Assignee: shlomif => qa-bugs

Comment 11 Bruno Cornec 2018-10-13 01:13:37 CEST 
Cauldron also updated with LOCAL_UNZIP
Comment 12 David Walser 2018-10-13 05:07:04 CEST 
It sounds like everything except CVE-2018-1000034 should be fixed by this update, and if the LZMA code could be disabled that would be fixed too.

unzip-6.0-3.1.mga6

from unzip-6.0-3.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 13 Len Lawrence 2018-10-17 18:48:09 CEST 
Four days and still no sign of unzip in updates_testing.

CC: (none) => tarazed25

Comment 14 Len Lawrence 2018-10-17 19:34:16 CEST 
Before update:
$ sudo urpmi unzip
Package unzip-6.0-17.mga6.x86_64 is already installed
Comment 15 Len Lawrence 2018-10-19 12:21:54 CEST 
Just tried to urpme unzip and it asked if it could remove half the operating system.  How can the installed unzip at 6.0-17 be updated to 6.0-3.1?
Comment 16 Thomas Backlund 2018-10-19 12:56:59 CEST 
Thats because the update is done wrongly…

Here:
http://svnweb.mageia.org/packages/updates/6/unzip/current/SPECS/unzip.spec?r1=1120275&r2=1319460

rel was reset to 1, even if version stayed on 6.0

But according to unzip filename and source, this would be version 6.1

CC: (none) => tmb

Comment 17 Len Lawrence 2018-10-19 16:29:29 CEST 
Thanks for the enlightenment - so we should leave this for the packagers to sort out.
Len Lawrence 2018-10-20 02:12:17 CEST

Keywords: (none) => feedback

Comment 18 Bruno Cornec 2018-10-21 11:03:14 CEST 
In the upstream README, they name that version 6.1c, so I changed the spec files from both cauldron and mga6 to use that.

Packages now uploaded as unzip-6.1c-1.mga6 and unzip-6.1c-1.mga7
Comment 19 Bruno Cornec 2018-10-21 11:05:37 CEST 
Sorry correct versions to test are unzip-6.1c-1.1.mga6 and unzip-6.1c-2.mga7
Comment 20 Len Lawrence 2018-10-21 17:20:01 CEST 
Mageia 6, x86_64

Clean update.

$ unzip vlc-skins.zip
Archive:  vlc-skins.zip
  inflating: Airflow.vlt             
  inflating: argenta.vlt             
[...]

$ unzip -l gliese3.zip
Archive:  gliese3.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   753557  02-25-1995 16:29   GLIESE3.DAT
     8840  02-25-1995 16:28   GLIESE3.DOC
---------                     -------
   762397                     2 files

$ unzip -v pcfont.zip
Archive:  pcfont.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
   40484  Defl:N    21460  47% 12-09-2003 13:22 fc6aac4f  Tiresias PCfont Bold.ttf
   42332  Defl:N    22579  47% 12-06-2003 09:35 9d7a208d  Tiresias PCfont Italic.ttf
   40540  Defl:N    21639  47% 12-05-2003 00:21 e77d7cf0  Tiresias PCfont.ttf
   39340  Defl:N    20898  47% 01-07-2004 18:43 888012d9  TIRESIAS PCFONTZ Bold.TTF
   42412  Defl:N    22602  47% 01-07-2004 20:23 353e4ea8  TIRESIAS PCFONTZ Italic.TTF
   73464  Defl:N    43299  41% 09-19-2000 22:03 2feafe4f  TIRESIAS PCFONTZ.TTF
   23552  Defl:N     3629  85% 12-11-2007 09:09 84133c07  COPYING/copying.doc
   35821  Defl:N    12288  66% 09-18-2007 15:59 ba8cd1a6  COPYING/gpl.txt
--------          -------  ---                            -------
  337945           168394  50%                            8 files

$ unzip pcfont.zip
Archive:  pcfont.zip
  inflating: Tiresias PCfont Bold.ttf  
  inflating: Tiresias PCfont Italic.ttf  
  inflating: Tiresias PCfont.ttf     
  inflating: TIRESIAS PCFONTZ Bold.TTF  
  inflating: TIRESIAS PCFONTZ Italic.TTF  
  inflating: TIRESIAS PCFONTZ.TTF    
  inflating: COPYING/copying.doc     
  inflating: COPYING/gpl.txt         

$ ll
drwxr-xr-x 2 lcl lcl   4096 Oct 21 16:16 COPYING/
-rw-r--r-- 2 lcl lcl 169374 Jan 16  2010 pcfont.zip
-r--r--r-- 1 lcl lcl  40484 Dec  9  2003 'Tiresias PCfont Bold.ttf'
-r--r--r-- 1 lcl lcl  42332 Dec  6  2003 'Tiresias PCfont Italic.ttf'
-r--r--r-- 1 lcl lcl  40540 Dec  5  2003 'Tiresias PCfont.ttf'
-r--r--r-- 1 lcl lcl  39340 Jan  7  2004 'TIRESIAS PCFONTZ Bold.TTF'
-r--r--r-- 1 lcl lcl  42412 Jan  7  2004 'TIRESIAS PCFONTZ Italic.TTF'
-r--r--r-- 1 lcl lcl  73464 Sep 19  2000 'TIRESIAS PCFONTZ.TTF'

That all looks OK.

Keywords: feedback => (none)
Whiteboard: (none) => MGA6-64-OK

Comment 21 Len Lawrence 2018-10-21 17:21:52 CEST 
$ unzip -v
Info-ZIP UnZip 6.1c23-BETA (2017-12-08)  Maintainer: Steven M. Schweda
 Copyright (c) 1990-2017 Info-ZIP.  License: unzip --license
 More info: http://info-zip.org  http://info-zip.org/UnZip.html
 Bugs: http://www.info-zip.org/zip-bug.html  See README for details.

        THIS IS A BETA VERSION OF UNZIP -- NOT FOR GENERAL DISTRIBUTION.

Compiled with GCC 5.5.0 for Unix (Linux ELF) on Oct 20 2018.

UnZip special compilation options/features:
        ARCHIVE_STDIN        (Allow streaming archive from stdin)
        SET_DIR_ATTRIB       (Setting directory attributes supported)
[...]
Comment 22 Bruno Cornec 2018-10-22 10:02:14 CEST 
WRT comment 12, I have desactivated LZMA.
Comment 23 Thomas Andrews 2018-10-30 04:30:35 CET 
Installs OK for me, unzipped a simple file containing a pdf.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-10-30 18:32:01 CET

Keywords: (none) => advisory

Comment 24 Mageia Robot 2018-10-30 19:02:49 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0422.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED