p7zip has a directory traversal flaw. Debian has patches for it: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Debian has issued an advisory for this on June 15: https://www.debian.org/security/2015/dsa-3289
Patch added in Mageia 4 and Cauldron SVN. This will need to be added in Mageia 5 SVN once it's branched.
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory: ======================== Updated p7zip package fixes security vulnerability: Alexander Cherepanov discovered that p7zip is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory (CVE-2015-1038). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038 https://www.debian.org/security/2015/dsa-3289 ======================== Updated packages in core/updates_testing: ======================== p7zip-9.20.1-4.1.mga4 p7zip-9.20.1-6.1.mga5 from SRPMS: p7zip-9.20.1-4.1.mga4.src.rpm p7zip-9.20.1-6.1.mga5.src.rpm
Version: Cauldron => 5Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => MGA4TOO
trying my hand at it - mga5 - x86_64
CC: (none) => brtians1
testing mga5 - x86_64 Seems to be working okay. Messed with symbolic links, seemed to be okay so far.
Ok - working as designed. Can update the http://mageia.madb.org/tools/updates site. mga5 - x86_64 is where I tested. Brian
(In reply to Brian Rockwell from comment #6) > Ok - working as designed. Can update the > http://mageia.madb.org/tools/updates site. mga5 - x86_64 is where I tested. > > Brian Cannot udpate ...
(In reply to Brian Rockwell from comment #6) > Ok - working as designed. Can update the > http://mageia.madb.org/tools/updates site. mga5 - x86_64 is where I tested. > > Brian You update it through Bugzilla, right here. If you have successfully tested on mga5 x86_64, you add MGA5-64-OK to the whiteboard field above.
Just in case anyone didn't see, there's a simple PoC here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660
Whiteboard: MGA4TOO => MGA4TOO, MGA5-64-OK
MGA4-32 on AcerD620 Xfce and MGA5-64 on HP Probook 6555b KDE. No installation issues. At CLI on last step of PoC: $ 7z x test.7z 7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20 (locale=nl_BE.UTF-8,Utf16=on,HugeFiles=on,4 CPUs) Processing archive: test.7z Extracting dir can not open output file dir/file Skipping dir/file Sub items Errors: 1
CC: (none) => herman.viaeneWhiteboard: MGA4TOO, MGA5-64-OK => MGA4TOO, MGA5-64-OK MGA4-32-OK
PoC verified to be fixed on an MGA4-i586 VM. Adding MGA4-32-OK.
OK, now I'm going to try it on MGA4-64.
CC: (none) => shlomif
MGA4-64-OKing because the PoC does not work after update.
Whiteboard: MGA4TOO, MGA5-64-OK MGA4-32-OK => MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK
Advisory commited to svn. Someone from the sysadmin team please push 16122.adv to updates for Mageia 4 and 5.
Keywords: (none) => validated_updateWhiteboard: MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK => MGA4TOO, MGA5-64-OK MGA4-32-OK MGA4-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0252.html
Status: NEW => RESOLVEDResolution: (none) => FIXED