| Summary: | quazip new security issue CVE-2018-1002209 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | geiger.david68210, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | quazip-0.7.2-2.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-08-14 23:42:33 CEST
Done for mga6 too! Thanks David!

Advisory:
========================

Updated quazip packages fix security vulnerability:

A vulnerability has been found in the way developers have implemented the archive extraction of files. An arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. Of course if an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. This affects multiple libraries that lacks of a high level APIs that provide the archive extraction functionality (CVE-2018-1002209).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002209
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMQZPZKZJRQ6ESHXO5LCLIBYWOJX4HAX/
========================

Updated packages in core/updates_testing:
========================
libquazip5_1-0.7.6-1.mga6
libquazip-devel-0.7.6-1.mga6
libquazip1-0.7.6-1.mga6
libquazip-qt4-devel-0.7.6-1.mga6

from quazip-0.7.6-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs

Mageia 6, x86_64
Ran qcad under strace and examined the output file.
$ cat trace | grep libquazip
[...]
open("/lib64/libquazip5.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 15
So quazip is opened for potential use - that is about all we can say for this without actually using qcad and saving files.
The same is true of fritzing, a printed circuit board application which lists libquazip5 as a dependency and which opens it when the application is launched.
Updated the four packages.
Checked that the qcad and fritzing applications launched properly. Installed latex and texstudio.
$ strace -o trace texstudio
Experimented with the interface and attempted to save a document.
$ cat trace | grep quazip
open("/lib64/libquazip5.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 15
So, nothing here either to show the libraries being used but one of them is opened.
Giving this the 64-bit OK on the strength of a clean update and availability for packages which need the libraries.

Whiteboard: (none) => MGA6-64-OK

Nothing else we can do with this so validating.

Keywords: (none) => validated_update
Thomas Backlund
2018-08-24 00:21:41 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0362.html

Status: NEW => RESOLVED
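
The containment check that the advisory text above implies, shown as an added example; it is not code from quazip, Mageia or this bug report. It is written in Python because the issue class spans extraction code in many languages, and all function names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import zipfile


def naive_target(dest, name):
    """Unchecked join of destination and entry name (the flawed pattern)."""
    return os.path.normpath(os.path.join(dest, name))


def is_within(dest, name):
    """True only if dest/name, fully resolved, is dest or lies below it."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    # commonpath compares whole path components, so a sibling directory such
    # as "out-old" does not pass the way a startswith("/srv/out") test would.
    return os.path.commonpath([root, target]) == root


def safe_extract(archive_bytes, dest):
    """Write contained entries under dest; return (written, rejected) names."""
    written, rejected = [], []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(root, name))
            if target == root or not is_within(root, name):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            # Written by hand on purpose: ZipFile.extract() sanitises names
            # itself, which would hide the check being demonstrated.
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(info.filename)
    return written, rejected


def build_sample():
    """Constructed archive: one ordinary entry and two traversal names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.txt", "../outside.txt", "docs/../../outside2.txt"):
            zf.writestr(name, "constructed sample data")
    return buf.getvalue()
```

Rejected names are returned rather than silently skipped so that the caller can log them or abort the whole extraction.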