Bug 25282

Summary: zipios++ new security issue CVE-2019-13453
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, cjw, geiger.david68210, herman.viaene, marja11, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: zipios++-0.1.5.9-6.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-08-12 00:56:27 CEST 
Ubuntu has issued an advisory on July 15:
https://usn.ubuntu.com/4057-1/

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 00:56:39 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-12 13:19:04 CEST 
Assigning to the registered maintainer, but CC'ing cjw, who was the only one to touch this package after it was imported.

Assignee: bugsquad => shlomif
CC: (none) => cjw, marja11

Comment 2 David Walser 2019-08-12 15:40:17 CEST 
Shlomi updated Cauldron to 2.2.1.0.  Will need to make sure it includes:
https://sourceforge.net/p/zipios/code-git/ci/96e26640573410709bb863b8916a8216f4c6a546/tree/infinite_loop.patch
Comment 3 Lewis Smith 2019-11-28 15:13:49 CET 
Re-assigning globally due to change to no specific maintainer.

Assignee: shlomif => pkg-bugs

Comment 4 David GEIGER 2019-11-28 16:39:24 CET 
(In reply to David Walser from comment #2)
> Shlomi updated Cauldron to 2.2.1.0.  Will need to make sure it includes:
> https://sourceforge.net/p/zipios/code-git/ci/
> 96e26640573410709bb863b8916a8216f4c6a546/tree/infinite_loop.patch

zipios 2.2.1.0 is no more zipios++ so this patch is unneeded as the zipios++/zipheadio.h file doesn't exist anymore in source.

CC: (none) => geiger.david68210

David Walser 2019-11-28 16:42:57 CET

Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7

Comment 5 David GEIGER 2019-11-28 17:04:18 CET 
Fixed for mga7!
Comment 6 David Walser 2019-11-28 17:06:59 CET 
Advisory:
========================

Updated zipios++ packages fix security vulnerability:

Mike Salvatore discovered that Zipios mishandled certain malformed ZIP files.
An attacker could use this vulnerability to cause a denial of service or
consume system resources (CVE-2019-13453).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13453
https://usn.ubuntu.com/4057-1/
========================

Updated packages in core/updates_testing:
========================
libzipios++0-0.1.5.9-6.1.mga7
libzipios++-devel-0.1.5.9-6.1.mga7

from zipios++-0.1.5.9-6.1.mga7

Assignee: pkg-bugs => qa-bugs

Comment 7 Herman Viaene 2019-11-29 12:10:45 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
# urpmq --whatrequires lib64zipios++0
enigma
freecad
lib64zipios++-devel
lib64zipios++0
Decided for enigma, played a bit but had some trouble trying to exit this thing, but
$ strace -o zipios.txt enigma 
showed a call to 
openat(AT_FDCWD, "/lib64/libzipios.so.0", O_RDONLY|O_CLOEXEC) = 3
in the early part of the trace.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 8 Thomas Andrews 2019-11-29 22:15:58 CET 
Validating. Advisory in Comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:00:30 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-11-30 14:07:42 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0341.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED