Bug 14962 - gcab new security issue CVE-2015-0552
Summary: gcab new security issue CVE-2015-0552
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/629241/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-06 00:48 CET by David Walser
Modified: 2015-01-12 19:17 CET (History)
3 users (show)

See Also:
Source RPM: gcab-0.4-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-01-06 00:48:30 CET
A CVE has been assigned for a security issue in gcab:
http://openwall.com/lists/oss-security/2015/01/05/7

Looking at the upstream bug, it sounds like a fix has been committed upstream.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-06 00:48:42 CET

Whiteboard: (none) => MGA4TOO
CC: (none) => olav

Comment 1 Olav Vitters 2015-01-06 01:42:52 CET
Cauldron fixed with gcab-0.4-6.mga5
Comment 2 Olav Vitters 2015-01-06 01:52:32 CET
Submitted 0.4-2.1 to updates_testing for Mageia 4.

gcab-0.4-2.1.mga4.src.rpm

gcab-0.4-2.1.mga4.x86_64.rpm
lib64gcab1.0_0-0.4-2.1.mga4.x86_64.rpm
lib64gcab-gir1.0-0.4-2.1.mga4.x86_64.rpm
lib64gcab-devel-0.4-2.1.mga4.x86_64.rpm
gcab-debuginfo-0.4-2.1.mga4.x86_64.rpm
Comment 3 David Walser 2015-01-06 02:14:48 CET
Thanks Olav!

Advisory:
========================

Updated gcab packages fix security vulnerability:

Jakub Wilk reported a directory traversal vulnerability due to gcab not
filtering leading slashes from paths in CAB files (CVE-2015-0552).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0552
http://openwall.com/lists/oss-security/2015/01/05/7
========================

Updated packages in core/updates_testing:
========================
gcab-0.4-2.1.mga4
libgcab1.0_0-0.4-2.1.mga4
libgcab-gir1.0-0.4-2.1.mga4
libgcab-devel-0.4-2.1.mga4

from gcab-0.4-2.1.mga4.src.rpm

Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4

Comment 4 William Kenney 2015-01-08 18:48:19 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gcab libgcab1

default install of gcab & libgcab1

[root@localhost gcab]# urpmi gcab
Package gcab-0.4-2.mga4.i586 is already installed
[root@localhost gcab]# urpmi libgcab1
Package libgcab1.0_0-0.4-2.mga4.i586 is already installed

gcab -c test.cab mageia_4_install.txt ( creates test.cab )
gcab -t test.cab ( lists contents of test.cab )

install gcab & libgcab1 from updates_testing

[root@localhost wilcal]# urpmi gcab
Package gcab-0.4-2.1.mga4.i586 is already installed
[root@localhost gcab]# urpmi libgcab1
Package libgcab1.0_0-0.4-2.1.mga4.i586 is already installed

gcab -c test1.cab mageia_4_install.txt ( creates test1.cab )
gcab -t test1.cab ( lists contents of test1.cab )
gcab -t test.cab ( lists contents of test.cab )

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2015-01-08 18:48:34 CET

Whiteboard: (none) => MGA4-32-OK

Comment 5 claire robinson 2015-01-08 18:51:50 CET
Well done Bill. We've not updated this one before.

Whiteboard: MGA4-32-OK => has_procedure MGA4-32-OK

Comment 6 William Kenney 2015-01-08 19:06:29 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
gcab lib64gcab1

default install of gcab & lib64gcab1

[root@localhost gcab]# urpmi gcab
Package gcab-0.4-2.mga4.x86_64 is already installed
[root@localhost gcab]# urpmi lib64gcab1
Package lib64gcab1.0_0-0.4-2.mga4.i586 is already installed

gcab -c test.cab mageia_4_install.txt ( creates test.cab )
gcab -t test.cab ( lists contents of test.cab )

install gcab & lib64gcab1 from updates_testing

[root@localhost wilcal]# urpmi gcab
Package gcab-0.4-2.1.mga4.x86_64 is already installed
[root@localhost gcab]# urpmi libgcab1
Package lib64gcab1.0_0-0.4-2.1.mga4.i586 is already installed

gcab -c test1.cab mageia_4_install.txt ( creates test1.cab )
gcab -t test1.cab ( lists contents of test1.cab )
gcab -t test.cab ( lists contents of test.cab )

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 William Kenney 2015-01-08 19:07:17 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 8 claire robinson 2015-01-09 16:28:32 CET
Advisory uploaded.

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

Comment 9 Mageia Robot 2015-01-09 17:44:48 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0018.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-12 19:17:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/629241/


Note You need to log in before you can comment on or make changes to this bug.