Bug 23285

Summary: perl-Archive-Zip new security issue CVE-2018-10860
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, marja11, shlomif, sysadmin-bugs, tarazed25
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: perl-Archive-Zip-1.600.0-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-07-05 20:56:21 CEST
Ubuntu has issued an advisory on July 4:
https://usn.ubuntu.com/3703-1/

Mageia 5 and Mageia 6 are also affected.
Comment 1 David Walser 2018-07-05 20:57:13 CEST
Please be mindful of whether perl also bundles this module.  Bug 23148 in Archive::Tar still isn't fixed yet for that reason.

Whiteboard: (none) => MGA6TOO

Comment 2 Marja Van Waes 2018-07-06 14:41:47 CEST
Assigning to the Perl stack maintainers, CC'ing the registered maintainer.

CC: (none) => marja11, shlomif
Assignee: bugsquad => perl

Comment 3 David Walser 2018-07-06 17:05:13 CEST
perl-Archive-Zip-1.600.0-2.mga7 uploaded by Shlomi for Cauldron to fix this.  No word yet whether perl also bundles it.
Comment 4 Shlomi Fish 2018-07-06 17:34:32 CEST
(In reply to David Walser from comment #3)
> perl-Archive-Zip-1.600.0-2.mga7 uploaded by Shlomi for Cauldron to fix this.
> No word yet whether perl also bundles it.

It does not.

shlomif[rpms]:$mageia/6/perl$ ag -g Zip
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip.pm
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip/Constants.pm
shlomif[rpms]:$mageia/6/perl$ ack -g Zip
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip.pm
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip/Constants.pm
shlomif[rpms]:$mageia/6/perl$ ack -g Archive
BUILD/perl-5.22.3/cpan/Archive-Tar/lib/Archive/Tar/File.pm
BUILD/perl-5.22.3/cpan/Archive-Tar/lib/Archive/Tar/Constant.pm
BUILD/perl-5.22.3/cpan/Archive-Tar/lib/Archive/Tar.pm
BUILD/perl-5.22.3/cpan/Archive-Tar/t/02_methods.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/03_file.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/04_resolved_issues.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/08_ptargrep.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/90_symlink.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/01_use.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/src/short/b
BUILD/perl-5.22.3/cpan/Archive-Tar/t/src/long/b
BUILD/perl-5.22.3/cpan/Archive-Tar/t/06_error.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/99_pod.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/05_iter.t
BUILD/perl-5.22.3/cpan/Archive-Tar/bin/ptargrep
BUILD/perl-5.22.3/cpan/Archive-Tar/bin/ptar
BUILD/perl-5.22.3/cpan/Archive-Tar/bin/ptardiff
shlomif[rpms]:$mageia/6/perl$
David Walser 2018-07-06 20:44:50 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 David Walser 2018-07-06 20:51:36 CEST
Updated package uploaded by Shlomi for Mageia 6.

Advisory:
========================

Updated perl-Archive-Zip package fixes security vulnerability:

It was discovered that the Archive::Zip module incorrectly handled certain
inputs. An attacker could possibly use this to access sensitive information
(CVE-2018-10860).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10860
========================

Updated packages in core/updates_testing:
========================
perl-Archive-Zip-1.600.0-1.mga6

from perl-Archive-Zip-1.600.0-1.mga6.src.rpm

Assignee: perl => qa-bugs

Comment 6 Len Lawrence 2018-07-07 02:23:46 CEST
Mageia 6, x86_64

Installed perl-Archive-Zip-1.570.0-2.mga6 and attempted to emulate the symbolic link test from bug 23148 by using the example scripts zip.pl and unzipAll.pl from /usr/share/doc/perl-Archive-Zip/examples/ 

Created a file /tmp/moo with content "Moo!" and added a symbolic link to it in the test directory.
$ ll
lrwxrwxrwx 1 lcl lcl   8 Jul  7 00:36 moo -> /tmp/moo
$ ./zip.pl traversal.zip moo
$ rm -f /tmp/moo
$ unlink moo
$ ./unzipAll.pl traversal.zip
$ ll
-rw-r--r-- 1 lcl lcl   5 Jul  7 00:49 moo
$ cat moo
Moo!
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory

This demonstrates that the pre-update package does not unpack contents outside the current directory.  Whatever the problem is with this package, it is not the same as the Tar issue.

Leaving the update until later, after checking the CVE again.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-07-07 09:33:51 CEST
Worked back through various links from the CVE looking for hints on reproducing the '..' issue but none were helpful.
Updated to perl-Archive-Zip-1.600.0-1.mga6.
Copied files from /usr/share/doc/perl-Archive-Zip/examples/ (probably unnecessary).

Created a test directory and populated it then created a zip archive of test.
$ ./zip.pl test.zip test
$ ll test.zip
-rw-r--r-- 1 lcl lcl 9550916 Jul  7 08:08 test.zip

$ mkdir tmp
$ cp test.zip tmp
$ cd tmp
$ ../unzipAll.pl test.zip
That worked fine.  Checked for particular files known to exist in the original directory.
$ pwd
/home/lcl/qa/perl-Archive-Zip/tmp
$ ll
drwxr-xr-x 4 lcl lcl    4096 Jul  7 08:13 test/
-rw-r--r-- 1 lcl lcl 9550916 Jul  7 08:08 test.zip
$ ll test/bookshelf test/servercheck 
-rwxr-xr-x 1 lcl lcl 2527 Jul  7 08:04 test/bookshelf*
-rwxr-xr-x 1 lcl lcl 6874 Jul  7 08:04 test/servercheck*

$ rm -rf test
$ ../extract.pl test.zip test/servercheck
$ ../extract.pl test.zip test/fontdemo
$ ll test
-rwxr-xr-x 1 lcl lcl 1285 Jul  7 08:04 fontdemo*
-rwxr-xr-x 1 lcl lcl 6874 Jul  7 08:04 servercheck*

Finally
$ cd ..
$ ./extract.pl traversal.zip moo
Extracting moo
$ cat moo
Moo!
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory

Everything looks OK for 64-bit.

Whiteboard: (none) => MGA6-64-OK
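The manual checks in comments 6 and 7 (zip a tree, extract it elsewhere, then confirm with `ll` that nothing landed outside the working directory) are the hand-run form of the check a patched Archive::Zip applies before writing each member. The script below is an added example, not code from this bug report, from the Archive::Zip distribution or from the Mageia QA example scripts: it reads an archive with Archive::Zip, refuses any member whose name is absolute, starts with a drive letter, contains a NUL byte or contains a `..` path component, and extracts the remaining members beneath a destination directory given on the command line. The helper names `unsafe_reason` and `safe_extract` are my own, and the set of rejected name shapes is my choice; this page does not state exactly which cases the upstream fix covers.

```perl
#!/usr/bin/perl
# Added example: pre-extraction path check for zip members (not the
# bug report's scripts and not Archive::Zip's own code). Helper names
# unsafe_reason / safe_extract are assumptions made for this example.
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );
use File::Spec;
use File::Basename qw( dirname );
use File::Path qw( make_path );

# Return a short reason string when a member name could escape the
# destination directory, or undef when the name is acceptable.
sub unsafe_reason {
    my ($name) = @_;
    return 'absolute path'     if $name =~ m{^[/\\]};
    return 'drive letter'      if $name =~ m{^[A-Za-z]:};
    return 'contains NUL byte' if index($name, "\0") >= 0;
    for my $part (split m{[/\\]+}, $name) {
        return "'..' component" if $part eq '..';
    }
    return undef;
}

# Extract every acceptable member of $zip_path beneath $dest and report
# the refused ones. Returns the list of refused member names.
sub safe_extract {
    my ($zip_path, $dest) = @_;
    my $zip = Archive::Zip->new();
    $zip->read($zip_path) == AZ_OK
        or die "cannot read zip archive '$zip_path'\n";

    my @refused;
    for my $member ($zip->members()) {
        my $name = $member->fileName();
        if (my $why = unsafe_reason($name)) {
            warn "refusing '$name': $why\n";
            push @refused, $name;
            next;
        }
        # Build the target path ourselves instead of letting the module
        # interpret the member name relative to the current directory.
        my $target = File::Spec->catfile($dest, $name);
        if ($member->isDirectory()) {
            make_path($target);
            next;
        }
        make_path(dirname($target));
        $zip->extractMember($member, $target) == AZ_OK
            or die "failed to extract '$name'\n";
        print "extracted $name\n";
    }
    return @refused;
}

my ($zip_path, $dest) = @ARGV;
die "usage: $0 ARCHIVE.zip DEST_DIR\n"
    unless defined $zip_path && defined $dest;
make_path($dest);
my @bad = safe_extract($zip_path, $dest);
exit(@bad ? 1 : 0);
```

Run it as `perl safe_extract.pl test.zip tmp` to repeat the comment 7 test: every member is written under `tmp/`, and any member that would have been refused is printed on stderr with the reason and makes the script exit non-zero. The check is on the stored member name only; it does not cover the symbolic-link case tried in comment 6, where the link's content was stored as an ordinary file and extracted as one.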

Len Lawrence 2018-07-08 09:51:33 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-07-11 22:17:50 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2018-07-11 23:09:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0311.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED