Bug 28081

Summary: zziplib security issue CVE-2018-17828
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: Nicolas Lécureuil <mageia>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jani.valimaa, ouaurelien
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2018-17828
Whiteboard: MGA7TOO
Source RPM: zziplib-0.13.69-1.mga7.src.rpm CVE:
Status comment: zziplib-0.13.71-1.mga8.src.rpm is old

Description Zombie Ryushu 2021-01-13 11:51:25 CET 
Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file.

Cauldron does not share this vulnerability but is still out of date.
Comment 1 Aurelien Oudelet 2021-01-13 15:19:16 CET 
https://github.com/gdraheim/zziplib

Here is latest changelog for 0.13.72 tag
=================================
…stall the same

    * The cmake install did need patches for man3 installation on Unix
    * The cmake install did need patches for dll installation on Windows
    * The cmake install did need patches for dylib installation on MacOS
    * The cmake install did need patches for pkgconfig generation
    * Bump testbuilds to modern distro versions (ubuntu 20.04 centos 7.9 / 8.3)
    * Takeover docker_mirror.py for air-gap testings (for testbuilds.py)
    * handle UNZZIP-NOTFOUND in cmake and mark Ubuntu 'unzip' to be broken
    * merge patches for zzip_pread feature from Max Kellermann
    * merge patches for some bugs being found and reported via GitHub issues
    * run azure-pipelines with -DZZIP_TESTCVE=OFF to skip CVE *.zip downloads
    * use zziptests.py --downloadonly to get the CVE zip files for local storage
    * The ninja builds for cmake were run regularly as it seems to be widely used.
    * AND ... rename configure.ac to old.configure.ac to break outdated packaging scripts
    * ....... see testbuilds/*-am-*.dockerfile that it still works to rename them back

!!! The old automake/autconf/libtool system will be dumped soon!!!
==============================================================
Also, in 0.13.71 changelog:
Many CVE fixes, which?

This need an update, clearly.

Assigning to registered maintainer.

Source RPM: zziplib-0.13.69-1.mga7.src => zziplib-0.13.69-1.mga7.src.rpm
Status comment: (none) => zziplib-0.13.71-1.mga8.src.rpm is old
Whiteboard: (none) => MGA7TOO
CC: (none) => jani.valimaa, ouaurelien
Assignee: bugsquad => mageia

Jani Välimaa 2021-01-13 17:20:53 CET

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 2 David Walser 2021-01-13 17:50:47 CET 
Already reported and FIXED.

*** This bug has been marked as a duplicate of bug 22570 ***

Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED