A CVE has been assigned for a security issue in arj:
http://openwall.com/lists/oss-security/2015/03/29/1

There is a PoC in the Debian bug linked in the message above, which also contains a link to a Debian patch that fixes the issue.

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched version pushed to Cauldron.
Status: NEW => ASSIGNED
CC: (none) => lists.jjorge
Hardware: i586 => All
I have uploaded a patched package for Mageia 4. Please remove arj-3.10.22-7 rpms and srpms I wrongly submitted in testing.

You can test this with the example files of the Debian bug report.

Suggested advisory:
===================

Updated arj packages fix security vulnerabilities:

A buffer overflow on specially crafted arj file (CVE-2015-2782).
Fix absolute path directory traversal (CVE-2015-0557).
Fix symlink directory traversal (CVE-2015-0556).

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774015#20
========================

Updated packages in core/updates_testing:
========================
arj-3.10.22-9.mga4

Source RPMs:
arj-3.10.22-9.mga4.src.rpm
Assignee: lists.jjorge => qa-bugs
Thanks José! Let's wait on the assignment to QA until it's pushed in Cauldron. Do you have any references for the CVE-2015-0556 and CVE-2015-0557? Also, for future reference, you should have just added a subrel of 1 rather than changing the release tag. Since it's still less than Cauldron's release tag, we can live with it this time.
CC: (none) => qa-bugs
Assignee: qa-bugs => lists.jjorge
arj-3.10.22-11.mga5 uploaded for Cauldron.

There are PoCs in the Debian bugs.

Suggested advisory:
===================

Updated arj package fixes security vulnerabilities:

ARJ follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process, making it vulnerable to a directory traversal (CVE-2015-0556).

To protect from directory traversals, ARJ strips leading slash from the path when unpacking, but this protection can be easily bypassed by adding more than one leading slash to the path (CVE-2015-0557).

ARJ is vulnerable to a buffer overflow when processing a specially crafted arj file (CVE-2015-2782).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774434
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774015
========================

Updated packages in core/updates_testing:
========================
arj-3.10.22-9.mga4

from arj-3.10.22-9.mga4.src.rpm
CC: qa-bugs => (none)
Version: Cauldron => 4
Assignee: lists.jjorge => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Debian has issued an advisory for this on April 6:
https://www.debian.org/security/2015/dsa-3213

Using the DSA for the advisory.

Suggested advisory:
===================

Updated arj package fixes security vulnerabilities:

ARJ follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process, making it vulnerable to a directory traversal (CVE-2015-0556).

To protect from directory traversals, ARJ strips leading slash from the path when unpacking, but this protection can be easily bypassed by adding more than one leading slash to the path (CVE-2015-0557).

ARJ is vulnerable to a buffer overflow when processing a specially crafted arj file (CVE-2015-2782).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782
https://www.debian.org/security/2015/dsa-3213
URL: (none) => http://lwn.net/Vulnerabilities/639393/
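The leading-slash bypass described in the advisory text above (CVE-2015-0557), shown as an added example that is not part of this bug report and is neither arj's code nor the Debian patch. The function names are hypothetical, the member names are constructed, POSIX `/` separators are assumed, and the symlink issue (CVE-2015-0556) is not covered.

```c
#include <stdio.h>
#include <string.h>

/* Weak form described in the advisory: drop a single leading slash only. */
static const char *strip_one_slash(const char *name)
{
    return (name[0] == '/') ? name + 1 : name;
}

/* Hardened form (hypothetical helper): drop every leading slash and
 * reject any ".." component. Returns NULL if the name must be refused. */
static const char *safe_member_name(const char *name)
{
    const char *p;

    while (*name == '/')
        name++;
    if (*name == '\0')
        return NULL;                       /* nothing left to extract */

    for (p = name; *p != '\0'; ) {
        size_t len = strcspn(p, "/");      /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return NULL;                   /* parent-directory component */
        p += len;
        while (*p == '/')
            p++;                           /* skip the separator run */
    }
    return name;
}

/* 1 if the name would still be written relative to the filesystem root. */
static int is_absolute(const char *name)
{
    return name != NULL && name[0] == '/';
}

int main(void)
{
    /* Constructed sample member names, not taken from any real archive. */
    const char *samples[] = { "docs/readme.txt", "/tmp/a", "//tmp/a", "a/../../b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *weak = strip_one_slash(samples[i]);
        const char *safe = safe_member_name(samples[i]);
        printf("%-16s weak=%-16s absolute=%d safe=%s\n", samples[i], weak,
               is_absolute(weak), safe ? safe : "(rejected)");
    }
    return 0;
}
```

An extractor would apply the check to every member name before opening the output file and skip or abort on a NULL result.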
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
arj

default install of arj

[root@localhost wilcal]# urpmi arj
Package arj-3.10.22-7.mga4.i586 is already installed

arj a arj_test1 /home/wilcal/mageia_4_install
creates an arj file of all my working M4 install files
arj l arj_test1.arj
lists all the files in that arj file
arj e arj_test1
extracts all the files from that arj file

install arj from updates_testing

[root@localhost wilcal]# urpmi arj
Package arj-3.10.22-9.mga4.i586 is already installed

arj a arj_test2 /home/wilcal/mageia_4_install
creates an arj file of all my working M4 install files
arj l arj_test1.arj
lists all the files in that arj file
arj l arj_test2.arj
lists all the files in that arj file
arj e arj_test1
extracts all the files from that arj file
arj e arj_test2
extracts all the files from that arj file

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
arj

default install of arj

[root@localhost arj_test]# urpmi arj
Package arj-3.10.22-7.mga4.x86_64 is already installed

arj a arj_test1 /home/wilcal/mageia_4_install
creates an arj file of all my working M4 install files
arj l arj_test1.arj
lists all the files in that arj file
arj e arj_test1
extracts all the files from that arj file

install arj from updates_testing

[root@localhost wilcal]# urpmi arj
Package arj-3.10.22-9.mga4.x86_64 is already installed

arj a arj_test2 /home/wilcal/mageia_4_install
creates an arj file of all my working M4 install files
arj l arj_test1.arj
lists all the files in that arj file
arj l arj_test2.arj
lists all the files in that arj file
arj e arj_test1
extracts all the files from that arj file
arj e arj_test2
extracts all the files from that arj file

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This looks good to go to me, David. What do you say?
It'd be worth checking the PoC from the Debian bug (see the message linked in Comment 0). Otherwise, it should be good.
(In reply to David Walser from comment #9)
> It'd be worth checking the PoC from the Debian bug (see the message linked
> in Comment 0). Otherwise, it should be good.

I didn't see any instability or crashing during my testing.
This update works fine.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
Advisory uploaded. Really validating.
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0150.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED