Bug 16122 - p7zip new security issue CVE-2015-1038
Summary: p7zip new security issue CVE-2015-1038
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/648185/
Whiteboard: MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-15 23:05 CEST by David Walser
Modified: 2015-07-01 14:41 CEST

See Also:
Source RPM: p7zip-9.20.1-6.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-06-15 23:05:26 CEST
p7zip has a directory traversal flaw.  Debian has patches for it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660

David Walser 2015-06-15 23:05:33 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-16 18:26:50 CEST
Debian has issued an advisory for this on June 15:
https://www.debian.org/security/2015/dsa-3289
Comment 2 David Walser 2015-06-16 18:31:15 CEST
Patch added in Mageia 4 and Cauldron SVN.  This will need to be added in Mageia 5 SVN once it's branched.
Comment 3 David Walser 2015-06-20 16:48:02 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated p7zip package fixes security vulnerability:

Alexander Cherepanov discovered that p7zip is susceptible to a directory
traversal vulnerability. While extracting an archive, it will extract symlinks
and then follow them if they are referenced in further entries. This can be
exploited by a rogue archive to write files outside the current directory
(CVE-2015-1038).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038
https://www.debian.org/security/2015/dsa-3289
========================

Updated packages in core/updates_testing:
========================
p7zip-9.20.1-4.1.mga4
p7zip-9.20.1-6.1.mga5

from SRPMS:
p7zip-9.20.1-4.1.mga4.src.rpm
p7zip-9.20.1-6.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
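
The extraction order described in the advisory in comment 3 (a symlink member, then a later member whose path passes through it), shown as a pre-extraction audit of an archive listing. This is an added example, not part of the bug report, the Debian patch or p7zip. The `(path, kind, link_target)` tuple layout, the function name and the sample listings are constructed for illustration, and rejecting every path that passes through an archived symlink is one conservative policy, not a description of how the patch works.

```python
import posixpath  # archive member names use "/" separators

ESCAPES = "path escapes destination"
VIA_LINK = "passes through an archived symlink"
ONTO_LINK = "would overwrite through an archived symlink"

def audit_entries(entries):
    """Return [(path, reason)] for members that must not be extracted.

    entries: (path, kind, link_target) tuples in archive order, with kind
    one of "file", "dir", "symlink". This layout is an assumption of the
    example, not p7zip's own listing format.
    """
    symlinks = set()   # normalized paths of symlink members seen so far
    rejected = []
    for path, kind, _target in entries:
        parts = [p for p in path.split("/") if p not in ("", ".")]
        if posixpath.isabs(path) or ".." in parts:
            rejected.append((path, ESCAPES))
            continue
        norm = "/".join(parts)
        # Each proper prefix is a directory the extractor would walk through.
        parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
        if parents & symlinks:
            rejected.append((path, VIA_LINK))
        elif norm in symlinks:
            rejected.append((path, ONTO_LINK))
        elif kind == "symlink":
            symlinks.add(norm)
    return rejected

# Constructed listings. The member names "dir" and "dir/file" match the
# 7z output in comment 10; the link target is made up for the example.
SUSPECT = [("dir", "symlink", "/tmp"), ("dir/file", "file", None)]
BENIGN = [("docs", "dir", None), ("docs/readme.txt", "file", None),
          ("latest", "symlink", "docs")]

if __name__ == "__main__":
    for path, reason in audit_entries(SUSPECT):
        print("reject %s: %s" % (path, reason))
```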

Comment 4 Brian Rockwell 2015-06-25 21:42:22 CEST
trying my hand at it - mga5 - x86_64

CC: (none) => brtians1

Comment 5 Brian Rockwell 2015-06-25 23:10:31 CEST
testing mga5 - x86_64

Seems to be working okay.  Messed with symbolic links, seemed to be okay so far.
Comment 6 Brian Rockwell 2015-06-27 19:13:46 CEST
Ok - working as designed.  Can update the http://mageia.madb.org/tools/updates site.  mga5 - x86_64 is where I tested.

Brian
Comment 7 Brian Rockwell 2015-06-27 19:14:12 CEST
(In reply to Brian Rockwell from comment #6)
> Ok - working as designed.  Can update the
> http://mageia.madb.org/tools/updates site.  mga5 - x86_64 is where I tested.
> 
> Brian

Cannot update ...
Comment 8 David Walser 2015-06-27 19:17:49 CEST
(In reply to Brian Rockwell from comment #6)
> Ok - working as designed.  Can update the
> http://mageia.madb.org/tools/updates site.  mga5 - x86_64 is where I tested.
> 
> Brian

You update it through Bugzilla, right here.  If you have successfully tested on mga5 x86_64, you add MGA5-64-OK to the whiteboard field above.
Comment 9 David Walser 2015-06-27 19:23:16 CEST
Just in case anyone didn't see, there's a simple PoC here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660
Brian Rockwell 2015-06-27 20:46:49 CEST

Whiteboard: MGA4TOO => MGA4TOO, MGA5-64-OK

Comment 10 Herman Viaene 2015-06-29 16:16:38 CEST
MGA4-32 on AcerD620 Xfce and MGA5-64 on HP Probook 6555b KDE.
No installation issues.
At CLI on last step of PoC:
$ 7z x test.7z

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=nl_BE.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: test.7z

Extracting  dir
can not open output file dir/file
Skipping    dir/file

Sub items Errors: 1

CC: (none) => herman.viaene
Whiteboard: MGA4TOO, MGA5-64-OK => MGA4TOO, MGA5-64-OK MGA4-32-OK

Comment 11 Shlomi Fish 2015-06-29 16:20:41 CEST
PoC verified to be fixed on an MGA4-i586 VM. Adding MGA4-32-OK.
Comment 12 Shlomi Fish 2015-06-29 16:21:21 CEST
OK, now I'm going to try it on MGA4-64.

CC: (none) => shlomif

Comment 13 Shlomi Fish 2015-06-29 16:28:28 CEST
MGA4-64-OKing because the PoC does not work after update.

Whiteboard: MGA4TOO, MGA5-64-OK MGA4-32-OK => MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK

Comment 14 Dave Hodgins 2015-07-01 01:45:15 CEST
Advisory committed to svn.

Someone from the sysadmin team please push 16122.adv to updates for Mageia 4 and 5.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK => MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 15 Mageia Robot 2015-07-01 14:41:11 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0252.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
