Fedora has issued an advisory on June 26: https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162171.html

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

There's quite some discussion about this on the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1234886

Thomas, do you want to proceed with the current patch, or wait for further work?

Advisory:
========================

Updated squashfs-tools package fixes security vulnerabilities:

The unsquashfs command from squashfs-tools is vulnerable to integer (CVE-2015-4645) and stack (CVE-2015-4646) overflows.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4646
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162171.html
========================

Updated packages in core/updates_testing:
========================
squashfs-tools-4.2-7.1.mga4
squashfs-tools-4.3-4.1.mga5

from SRPMS:
squashfs-tools-4.2-7.1.mga4.src.rpm
squashfs-tools-4.3-4.1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
The discussion on the RedHat bug did not continue, pushing this to QA. Advisory and package list in Comment 1.
CC: (none) => tmb
Assignee: tmb => qa-bugs
mga5 x86_64

Installed package: squashfs-tools-4.3-4.1.mga5.x86_64.rpm

Using https://fedoraproject.org/wiki/QA:Testcase_squashfs-tools_compression :
gzip and xz compression OK.
lzma and lz4 failed, but they failed also with the current mga5 squashfs-tools, and the spec file enables only gzip and xz, so I guess it's normal.

Update OK (no regression).
CC: (none) => yann.cantin
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK
Testing Mageia 4 x64

Thanks to Yann (Comment 3) for the test link. Invaluable.

Installed: squashfs-tools-4.2-7.mga4

Installed & ran the test script from: https://fedoraproject.org/wiki/QA:Testcase_squashfs-tools_compression
$ . tmp/Squashfs-compression-test.sh
It worked for gzip & xz (the only compressors available).
It failed for lzo, lzma, lz4 (not supported = ? not available).

Updated to: squashfs-tools-4.2-7.1.mga4 and re-ran the script.
The output was identical (apart from minute differences of inode table size).

Update deemed OK.
CC: (none) => lewyssmith
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA4-64-OK
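As an added regression check for the procedure the two test comments above describe (this is not code from the bug report nor the Fedora testcase script they ran): a POSIX shell round trip through mksquashfs and unsquashfs per compressor, which separates a real extraction mismatch from a compressor the package was simply built without. The constructed sample tree and the match on mksquashfs's "not supported" message are assumptions.

```shell
#!/bin/sh
# Added example: one mksquashfs/unsquashfs round trip per compressor, so a
# patched squashfs-tools package can be checked for regressions on a
# constructed tree. Return codes: 0 round trip OK, 1 extraction differs or
# tool failed, 2 compressor not built into this mksquashfs, 3 tools missing.
squashfs_roundtrip() {
    comp="$1"
    command -v mksquashfs >/dev/null 2>&1 || return 3
    command -v unsquashfs >/dev/null 2>&1 || return 3
    work=$(mktemp -d) || return 1
    # Constructed sample tree: a text file, 4 KiB of random bytes, a symlink.
    mkdir -p "$work/src/sub"
    printf 'hello squashfs\n' > "$work/src/a.txt"
    dd if=/dev/urandom of="$work/src/sub/b.bin" bs=1024 count=4 2>/dev/null
    ln -s a.txt "$work/src/link"
    if ! mksquashfs "$work/src" "$work/img.sqsh" -comp "$comp" \
            -no-progress > "$work/mk.log" 2>&1; then
        # Assumption: mksquashfs reports a compressor it was built without
        # as "not supported" (the Mageia spec enables only gzip and xz).
        if grep -qi 'not supported' "$work/mk.log"; then rc=2; else rc=1; fi
        rm -rf "$work"
        return $rc
    fi
    rc=1
    # Extract into a fresh directory and compare the whole tree byte for byte.
    if unsquashfs -d "$work/out" "$work/img.sqsh" > /dev/null 2>&1 \
            && diff -r "$work/src" "$work/out" > /dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

# Report every compressor the test comments tried.
for c in gzip xz lzo lzma lz4; do
    rc=0
    squashfs_roundtrip "$c" || rc=$?
    case $rc in
        0) echo "$c: OK" ;;
        1) echo "$c: FAIL (output differs or tool error)" ;;
        2) echo "$c: not built into this mksquashfs" ;;
        *) echo "$c: mksquashfs/unsquashfs not installed" ;;
    esac
done
```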
Validating. Advisory uploaded. Please push to 4 & 5 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA5-64-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0335.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED