Bug 25281

Summary: flightcrew new security issues CVE-2019-13032 and CVE-2019-13241
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, marja11, nicolas.salguero, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: flightcrew-0.9.0-10.mga7.src.rpm CVE: CVE-2019-13032, CVE-2019-13241
Status comment:

Description David Walser 2019-08-12 00:56:24 CEST 
Ubuntu has issued an advisory on July 15:
https://usn.ubuntu.com/4055-1/

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 00:56:36 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-12 13:17:13 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing the de facto maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11

Comment 2 Nicolas Salguero 2019-12-17 10:44:01 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL pointer dereference occurs in GetRelativePathToNcx() or GetRelativePathsToXhtmlDocuments() when a NULL pointer is passed to xc::XMLUri::isValidURI(). This affects third-party software (not Sigil) that uses FlightCrew as a library. (CVE-2019-13032)

FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction. (CVE-2019-13241)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13241
https://usn.ubuntu.com/4055-1/
========================

Updated packages in core/updates_testing:
========================
flightcrew-common-0.9.0-10.1.mga7
flightcrew-cli-0.9.0-10.1.mga7
flightcrew-gui-0.9.0-10.1.mga7
flightcrew-plugin-0.9.0-10.1.mga7
lib(64)flightcrew0.7.2-0.9.0-10.1.mga7
lib(64)flightcrew-devel-0.9.0-10.1.mga7

from SRPMS:
flightcrew-0.9.0-10.1.mga7.src.rpm

Version: Cauldron => 7
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-13032, CVE-2019-13241
Whiteboard: MGA7TOO, MGA6TOO => (none)

Comment 3 Thomas Andrews 2019-12-18 21:56:58 CET 
Flightcrew sounds like a good name for a game,but is actually an epub analyser, used in conjunction with epub editors. 

I installed flightcrew, and ran flightcrew-gui to analyze a couple of epub-format ebooks. I them got the updates, and ran it again on the same ebooks. The results were the same.

Looks like it's doing what it's supposed to do. Giving it a 64-bit OK, and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-12-19 13:07:48 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-12-19 14:45:49 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0396.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED