Bug 22739

Summary: sharutils new heap buffer overflow security issue (CVE-2018-1000097)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: smelror, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga6-64-ok
Source RPM: sharutils-4.15.2-2.mga6.src.rpm CVE:
Status comment: Patch available from Fedora

Description David Walser 2018-03-11 14:54:01 CET 
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LSTLNKMVXDRS7L32VJ5TIEL4Q4PVSGNE/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-11 14:54:20 CET

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA6TOO

Stig-Ørjan Smelror 2018-03-12 00:55:51 CET

CC: (none) => smelror
Assignee: bugsquad => smelror

Comment 1 Stig-Ørjan Smelror 2018-03-12 01:09:53 CET 
Advisory
========

It was discovered that unshar from sharutils contained a heap buffer overflow flaw that could result in a Denial of Service attack when processing a shar archive if the archive contains overlong lines.

References
==========
https://bugzilla.redhat.com/show_bug.cgi?id=1548018
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LSTLNKMVXDRS7L32VJ5TIEL4Q4PVSGNE/

Files
=====

Uploaded to core/update_testing:

sharutils-4.15.2-2.1.mga6

from sharutils-4.15.2-2.1.mga6.src.rpm

Assignee: smelror => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 claire robinson 2018-03-16 18:54:52 CET 
Testing complete mga6 64

Before
------
$ echo "blah blah blah" >testfile

$ shar testfile > testfile.shar
shar: Saving testfile (text)

$ file testfile.shar
testfile.shar: shell archive text

$ rm testfile
rm: remove regular file 'testfile'? y

$ unshar testfile.shar
testfile.shar:
x - created lock directory _sh24030.
x - extracting testfile (text)
x - removed lock directory _sh24030.

$ cat testfile
blah blah blah


After
-----
$ rm testfile.shar
rm: remove regular file 'testfile.shar'? y

$ shar testfile > testfile.shar
shar: Saving testfile (text)

$ file testfile.shar
testfile.shar: shell archive text

$ rm testfile
rm: remove regular file 'testfile'? y

$ unshar testfile.shar
testfile.shar:
x - created lock directory _sh24838.
x - extracting testfile (text)
x - removed lock directory _sh24838.

$ cat testfile
blah blah blah

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => has_procedure

Comment 3 Lewis Smith 2018-03-17 21:09:18 CET 
Thanks Claire for the test. Validating it.

@David @Stig
The advisory has no CVE; it is uploaded as per comment 1. It can be added.
Done for Mageia 6 only, but comment 0
> Mageia 5 and Mageia 6 are also affected
makes this unsure. Unvalidate it quickly if you really do want both.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2018-03-17 22:46:05 CET 
Thanks.  Like with most other issues also affecting Mageia 5, I didn't consider the package important enough to push a build for Mageia 5.  I'm trying to mark the ones that really should be fixed on mga5 with MGA5TOO.  I still report in the Comment 0's that Mageia 5 is affected just to document that fact.
Comment 5 Mageia Robot 2018-03-19 13:14:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0174.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2018-03-31 21:31:11 CEST 
Ubuntu has issued an advisory for this on March 22:
https://usn.ubuntu.com/3605-1/

It has CVE-2018-1000097.

Severity: normal => major
Summary: sharutils new heap buffer overflow security issue => sharutils new heap buffer overflow security issue (CVE-2018-1000097)