Bug 15318 - cabextract new directory traversal issue (CVE-2015-2060)
Summary: cabextract new directory traversal issue (CVE-2015-2060)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/634992/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Reported: 2015-02-18 17:53 CET by David Walser
Modified: 2015-02-26 19:58 CET

Source RPM: cabextract-1.5-1.mga4.src.rpm

Description David Walser 2015-02-18 17:53:46 CET
Another directory traversal issue in cabextract has been fixed upstream:
http://openwall.com/lists/oss-security/2015/02/18/3

The above message contains a CVE request, PoC, and link to the upstream fix, and mentions that a new cabextract release with the fix is expected soon.  Despite the URL, it looks like the fix is in cabextract itself, rather than libmspack.

David Walser 2015-02-18 17:53:53 CET

Whiteboard: (none) => MGA4TOO

Sander Lepik 2015-02-21 18:48:05 CET

CC: (none) => mageia
Assignee: bugsquad => shlomif

Comment 1 Shlomi Fish 2015-02-21 19:49:37 CET
This should be fixed in Cauldron with cabextract-1.5-3.mga5 , but when trying to build in Mageia 4 for updates_testing, I am getting:

D: [iurt_root_command] chroot
examining synthesis file [/var/lib/urpmi/core_release/synthesis.hdlist.cz]
examining synthesis file [/var/lib/urpmi/core_updates/synthesis.hdlist.cz]
examining synthesis file [/var/lib/urpmi/core_updates_testing/synthesis.hdlist.cz]
A requested package cannot be installed:
cabextract-1.5-1.1.mga4.src (due to unsatisfied pkgconfig(libmspack))
While some packages may have been installed, there were failures.
A requested package cannot be installed:
cabextract-1.5-1.1.mga4.src (due to unsatisfied pkgconfig(libmspack))
I: [iurt_root_command] ERROR: chroot

Should we package libmspack for Mageia 4?

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 2 David Walser 2015-02-21 19:51:40 CET
No, we shouldn't be backporting the change to use the system libmspack to Mageia 4.
Comment 3 David Walser 2015-02-21 21:28:28 CET
Fixed in SVN.
Comment 4 Shlomi Fish 2015-02-22 16:34:40 CET
(In reply to David Walser from comment #3)
> Fixed in SVN.

Thanks! I submitted the package.

Here is the suggested update advisory:

Suggested advisory:
========================

Updated cabextract packages fix security vulnerabilities:

This update fixes a bug found with directory traversal in cabextract.

References:

http://openwall.com/lists/oss-security/2015/02/18/3
========================

Updated packages in core/updates_testing:
========================
cabextract-1.5-1.1.mga4

Source RPMs: 
cabextract-1.5-1.1.mga5.src.rpm
Comment 5 Shlomi Fish 2015-02-22 16:35:34 CET
Assigning to QA.

Assignee: shlomif => qa-bugs

Comment 6 David Walser 2015-02-23 00:13:22 CET
PoC here:
http://openwall.com/lists/oss-security/2015/02/18/3

You need to install lcab and cabextract to run it.  For the cabextract command, don't prefix it with "./"

Before the update, it will create /tmp/abs when you use cabextract to extract test.cab.  After the update, it will create tmp/abs in your current working directory.

Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 7 David Walser 2015-02-24 17:17:43 CET
CVE-2015-2060 was assigned:
http://openwall.com/lists/oss-security/2015/02/23/24

Summary: cabextract new directory traversal issue => cabextract new directory traversal issue (CVE-2015-2060)

Comment 8 olivier charles 2015-02-24 23:31:01 CET
Testing on Mageia 4x64 real hardware following procedure mentioned in comment 6

From current package :
--------------------
cabextract-1.5-1.mga4

(using lcab-1.0-0.b12.4.mga4 to run the PoC)

Could reproduce the directory traversal vulnerability (creation of a /tmp/abs)

Updated to testing package :
--------------------------
cabextract-1.5-1.1.mga4

Followed same procedure.
The tmp/abs directory is created in user's current directory, not at the root anymore.

OK

CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 9 claire robinson 2015-02-25 21:52:52 CET
Want to add to the advisory David?
Comment 10 David Walser 2015-02-25 22:05:21 CET
A directory traversal issue in cabextract allows writing to locations outside
of the current working directory, when extracting a crafted cab file that
encodes the filenames in a certain manner (CVE-2015-2060).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2060
http://openwall.com/lists/oss-security/2015/02/18/3
http://openwall.com/lists/oss-security/2015/02/23/24
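
The post-update behaviour reported in comment 6 (an absolute member name ends up as tmp/abs under the working directory), sketched in C as an added example; it is not cabextract's code or the upstream fix. The function name, the backslash handling and the choice to reject ".." components are assumptions, and the check is meant to run on the name after any decoding, since comment 10 only says the crafted file encodes filenames "in a certain manner".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not cabextract's code): turn an already-decoded
 * member name into a relative path under the extraction directory.
 * Returns 0 on success, -1 if the name is rejected. */
int sanitize_member_name(const char *decoded, char *out, size_t outlen)
{
    const char *p = decoded;
    size_t n = 0;

    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*p) {
        /* Skip separators; treat '\\' like '/' since CAB names may use it. */
        while (*p == '/' || *p == '\\') p++;
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - start);

        if (len == 0) break;                                /* trailing separator */
        if (len == 1 && start[0] == '.') continue;          /* drop "."           */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return -1;                                      /* refuse ".."        */
        if (n + len + 2 > outlen) return -1;                /* would not fit      */
        if (n) out[n++] = '/';
        memcpy(out + n, start, len);
        n += len;
        out[n] = '\0';
    }
    return n ? 0 : -1;                                      /* empty name         */
}

int main(void)
{
    /* Constructed sample names, not taken from the PoC. */
    const char *names[] = { "/tmp/abs", "\\tmp\\abs", "docs/./a.txt",
                            "../../etc/passwd", "///" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (sanitize_member_name(names[i], buf, sizeof buf) == 0)
            printf("%-20s -> %s\n", names[i], buf);
        else
            printf("%-20s -> rejected\n", names[i]);
    }
    return 0;
}
```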
Comment 11 claire robinson 2015-02-25 22:37:14 CET
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-02-26 09:27:30 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0086.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-26 19:58:17 CET

URL: (none) => http://lwn.net/Vulnerabilities/634992/

