Bug 15193 - cabextract new security issue CVE-2014-9556
Summary: cabextract new security issue CVE-2014-9556
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/631508/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Duplicates: 15211
Depends on:
Blocks:
 
Reported: 2015-02-03 18:04 CET by David Walser
Modified: 2015-02-06 03:25 CET
CC List: 3 users

See Also:
Source RPM: cabextract-1.4-4.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2015-02-03 18:04:38 CET
OpenSuSE has issued an advisory on February 2:
http://lists.opensuse.org/opensuse-updates/2015-02/msg00004.html

More information is in the Novell bug and an oss-security post:
https://bugzilla.suse.com/show_bug.cgi?id=912214
http://openwall.com/lists/oss-security/2015/02/03/12

The referenced Debian bug also has a PoC:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773041

cabextract is in SVN for Mageia 4 and Cauldron.  Freeze push requested.

Comment 1 David Walser 2015-02-04 15:06:19 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cabextract packages fix security vulnerability:

Libmspack, a library to provide compression and decompression of some file
formats used by Microsoft, is embedded in cabextract. A specially crafted cab
file can cause cabextract to hang forever. If cabextract is exposed to any
remotely-controlled user input, this issue can cause a denial-of-service
(CVE-2014-9556).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9556
http://lists.opensuse.org/opensuse-updates/2015-02/msg00004.html
========================

Updated packages in core/updates_testing:
========================
cabextract-1.5-1.mga4

from cabextract-1.5-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2015-02-04 15:20:30 CET
PoC file hang.cab is attached to this Debian bug message:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772891#3

Before:
$ cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
^C # (had to kill it because it hung in an infinite loop)

After:
$ cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
limerick: error in CAB data format

All done, errors in processing 1 file(s)


Mageia 4 i586 testing complete.

Whiteboard: (none) => has_procedure MGA4-32-OK
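
The before/after check from Comment 2 can be scripted so that a hang fails the test instead of needing a manual ^C. This is an added example, not part of the original bug report or the Mageia QA procedure; it assumes a `timeout` utility (GNU coreutils) is installed, and the function names `classify_run` and `check_cab` are hypothetical.

```shell
#!/bin/sh
# Added example: time-boxed regression check for an extractor hang.
# Assumes a `timeout` utility (GNU coreutils); function names are hypothetical.

# classify_run LIMIT CMD [ARGS...]
# Prints one verdict: completed | rejected | hang | unavailable
classify_run() {
    limit=$1
    shift
    status=0
    # -k 2: follow SIGTERM with SIGKILL after 2 s if the process ignores it.
    timeout -k 2 "$limit" "$@" >/dev/null 2>&1 || status=$?
    case $status in
        0)           echo completed ;;    # ran to the end without error
        124|137|143) echo hang ;;         # stopped by the timer (124, or 128+signal)
        126|127)     echo unavailable ;;  # command missing or not executable
        *)           echo rejected ;;     # exited on its own with an error
    esac
}

# check_cab FILE [LIMIT_SECONDS]
# Extracts FILE into a throwaway directory so nothing lands in the cwd.
check_cab() {
    file=$1
    limit=${2:-10}
    tmp=$(mktemp -d) || return 1
    verdict=$(classify_run "$limit" cabextract -q -d "$tmp" "$file")
    rm -rf "$tmp"
    echo "$file: $verdict"
    # A fixed build stops on its own, with or without an error;
    # only a hang or a missing binary fails the check.
    [ "$verdict" = completed ] || [ "$verdict" = rejected ]
}

# Usage: sh check_cab.sh hang.cab [seconds]
if [ "$#" -ge 1 ]; then
    check_cab "$@"
fi
```

On the sessions shown in this bug, cabextract 1.4 would be reported as `hang`, while 1.5 would be `rejected` if it exits non-zero after the "error in CAB data format" message, or `completed` otherwise.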

Comment 3 William Kenney 2015-02-04 19:07:57 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
cabextract

default install of cabextract

[root@localhost Downloads]# urpmi cabextract
Package cabextract-1.4-4.mga4.x86_64 is already installed

[wilcal@localhost Downloads]$ cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
^C
hangs in infinite loop

install cabextract from updates_testing

[root@localhost wilcal]# urpmi cabextract
Package cabextract-1.5-1.mga4.x86_64 is already installed

[wilcal@localhost Downloads]$ cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
limerick: error in CAB data format

All done, errors in processing 1 file(s)

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 4 William Kenney 2015-02-04 19:08:50 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 5 claire robinson 2015-02-05 18:32:44 CET
Advisory uploaded.

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

Comment 6 Mageia Robot 2015-02-05 23:26:46 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0052.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2015-02-06 03:25:32 CET
*** Bug 15211 has been marked as a duplicate of this bug. ***

CC: (none) => thomas

