A CVE has been assigned for a security issue in gcab: http://openwall.com/lists/oss-security/2015/01/05/7 Looking at the upstream bug, it sounds like a fix has been committed upstream. Mageia 4 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOOCC: (none) => olav
Cauldron fixed with gcab-0.4-6.mga5
Submitted 0.4-2.1 to updates_testing for Mageia 4. gcab-0.4-2.1.mga4.src.rpm gcab-0.4-2.1.mga4.x86_64.rpm lib64gcab1.0_0-0.4-2.1.mga4.x86_64.rpm lib64gcab-gir1.0-0.4-2.1.mga4.x86_64.rpm lib64gcab-devel-0.4-2.1.mga4.x86_64.rpm gcab-debuginfo-0.4-2.1.mga4.x86_64.rpm
Thanks Olav! Advisory: ======================== Updated gcab packages fix security vulnerability: Jakub Wilk reported a directory traversal vulnerability due to gcab not filtering leading slashes from paths in CAB files (CVE-2015-0552). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0552 http://openwall.com/lists/oss-security/2015/01/05/7 ======================== Updated packages in core/updates_testing: ======================== gcab-0.4-2.1.mga4 libgcab1.0_0-0.4-2.1.mga4 libgcab-gir1.0-0.4-2.1.mga4 libgcab-devel-0.4-2.1.mga4 from gcab-0.4-2.1.mga4.src.rpm
Assignee: oe => qa-bugsWhiteboard: MGA4TOO => (none)Version: Cauldron => 4
In VirtualBox, M4, KDE, 32-bit Package(s) under test: gcab libgcab1 default install of gcab & libgcab1 [root@localhost gcab]# urpmi gcab Package gcab-0.4-2.mga4.i586 is already installed [root@localhost gcab]# urpmi libgcab1 Package libgcab1.0_0-0.4-2.mga4.i586 is already installed gcab -c test.cab mageia_4_install.txt ( creates test.cab ) gcab -t test.cab ( lists contents of test.cab ) install gcab & libgcab1 from updates_testing [root@localhost wilcal]# urpmi gcab Package gcab-0.4-2.1.mga4.i586 is already installed [root@localhost gcab]# urpmi libgcab1 Package libgcab1.0_0-0.4-2.1.mga4.i586 is already installed gcab -c test1.cab mageia_4_install.txt ( creates test1.cab ) gcab -t test1.cab ( lists contents of test1.cab ) gcab -t test.cab ( lists contents of test.cab ) Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK
Well done Bill. We've not updated this one before.
Whiteboard: MGA4-32-OK => has_procedure MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit Package(s) under test: gcab lib64gcab1 default install of gcab & lib64gcab1 [root@localhost gcab]# urpmi gcab Package gcab-0.4-2.mga4.x86_64 is already installed [root@localhost gcab]# urpmi lib64gcab1 Package lib64gcab1.0_0-0.4-2.mga4.i586 is already installed gcab -c test.cab mageia_4_install.txt ( creates test.cab ) gcab -t test.cab ( lists contents of test.cab ) install gcab & lib64gcab1 from updates_testing [root@localhost wilcal]# urpmi gcab Package gcab-0.4-2.1.mga4.x86_64 is already installed [root@localhost gcab]# urpmi libgcab1 Package lib64gcab1.0_0-0.4-2.1.mga4.i586 is already installed gcab -c test1.cab mageia_4_install.txt ( creates test1.cab ) gcab -t test1.cab ( lists contents of test1.cab ) gcab -t test.cab ( lists contents of test.cab ) Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This update works fine. Testing complete for mga4 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0018.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/629241/