Bug 17895 - pigz new security issue CVE-2015-1191
Summary: pigz new security issue CVE-2015-1191
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/633536/
Whiteboard: advisory has_procedure MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-07 19:08 CET by David Walser
Modified: 2016-03-10 00:28 CET

See Also:
Source RPM: pigz-2.3.1-3.mga5.src.rpm
CVE:
Status comment:


Attachments
PoC for pigz vulnerability (547 bytes, text/plain)
2016-03-08 01:27 CET, Len Lawrence

Description David Walser 2016-03-07 19:08:00 CET
OpenSuSE has issued an advisory on March 4:
http://lists.opensuse.org/opensuse-updates/2016-03/msg00013.html

Patched package uploaded for Mageia 5.

The issue was fixed upstream in version 2.3.3, which is already in Cauldron.

Advisory:
========================

Updated pigz package fixes security vulnerability:

Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote
attackers to write to arbitrary files via a full pathname or .. (dot dot) in
an archive (CVE-2015-1191).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1191
http://lists.opensuse.org/opensuse-updates/2016-03/msg00013.html
========================

Updated packages in core/updates_testing:
========================
pigz-2.3.1-3.1.mga5

from pigz-2.3.1-3.1.mga5.src.rpm
Dave Hodgins 2016-03-07 21:37:05 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Len Lawrence 2016-03-08 01:27:09 CET
Created attachment 7522
PoC for pigz vulnerability

Taken from https://bugs.debian.org/cgi-bin/bugreport.cgi?=774978

CC: (none) => tarazed25

Len Lawrence 2016-03-08 01:27:30 CET

Whiteboard: advisory => advisory has_procedure

Comment 2 Len Lawrence 2016-03-08 02:35:41 CET
mga5  x86_64  Mate

Installed pigz
Ran the PoC check attached to show the vulnerability:
[lcl@vega ~/qa]$ touch tmpabs
[lcl@vega ~/qa]$ gzip -c tmpabs | sed 's|tmpabs|/tmp/abs|g' > abs.gz
[lcl@vega ~/qa]$ rm tmpabs
[lcl@vega ~/qa]$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
[lcl@vega ~/qa]$ pigz -d -N abs.gz
[lcl@vega ~/qa]$ ls /tmp/abs
/tmp/abs
[lcl@vega ~/qa]$ touch xxxrel
[lcl@vega ~/qa]$ gzip -c xxxrel | sed 's|xxxrel|../rel|g' > rel.gz
[lcl@vega ~/qa]$ rm xxxrel
rm: remove regular empty file ‘xxxrel’? y
[lcl@vega ~/qa]$ ls ../rel
ls: cannot access ../rel: No such file or directory
[lcl@vega ~/qa]$ unpigz -N rel.gz
[lcl@vega ~/qa]$ ls ../rel
../rel

Installed the update and ran the check again.

[lcl@vega ~/qa]$ touch tmpabs
[lcl@vega ~/qa]$ gzip -c tmpabs | sed 's|tmpabs|/tmp/abs|g' > abs.gz
[lcl@vega ~/qa]$ rm tmpabs
rm: remove regular empty file ‘tmpabs’? y
[lcl@vega ~/qa]$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
[lcl@vega ~/qa]$ unpigz -N abs.gz
[lcl@vega ~/qa]$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
[lcl@vega ~/qa]$ rm ../rel
rm: cannot remove ‘../rel’: No such file or directory
[lcl@vega ~/qa]$ touch xxxrel
[lcl@vega ~/qa]$ gzip -c xxxrel | sed 's|xxxrel|../rel|g' > rel.gz
[lcl@vega ~/qa]$ rm xxxrel
rm: remove regular empty file ‘xxxrel’? y
[lcl@vega ~/qa]$ ls ../rel
ls: cannot access ../rel: No such file or directory
[lcl@vega ~/qa]$ unpigz -N rel.gz
[lcl@vega ~/qa]$ ls ../rel
ls: cannot access ../rel: No such file or directory

Compressed a local file and uncompressed it and examined the first few lines.

[lcl@vega ~/qa]$ ls -l mod
-rw-r--r-- 1 lcl lcl 129185 Mar  8 00:19 mod
[lcl@vega ~/qa]$ less mod
[ 7495.015595] audit: type=1130 audit(1456699658.850:5414): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7525.053681] audit: type=1131 audit(1456699688.889:5415): pid=1 uid=0 auid=429
[lcl@vega ~/qa]$ ls -l mod.gz
-rw-r--r-- 1 lcl lcl 11424 Feb 29 12:28 mod.gz
[lcl@vega ~/qa]$ pigz -d mod.gz
[lcl@vega ~/qa]$ ls -l mod
-rw-r--r-- 1 lcl lcl 129185 Feb 29 12:28 mod
[lcl@vega ~/qa]$ less mod
[ 7495.015595] audit: type=1130 audit(1456699658.850:5414): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7525.053681] audit: type=1131 audit(1456699688.889:5415): pid=1 uid=0 auid=429

The update is fine for 64-bits.
Len Lawrence 2016-03-08 02:36:00 CET

Whiteboard: advisory has_procedure => advisory has_procedure MGA5-64-OK
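
Added example, not part of the bug report or of pigz: the sed step in the PoC above rewrites the FNAME field of the gzip header, which is the name that -N restores on decompression. The Python below reads that field from a constructed stream and classifies it against the two cases in the advisory; the function names and the keep-only-the-last-component policy are assumptions of this example.

```python
import struct
import zlib

FEXTRA, FNAME = 0x04, 0x08  # RFC 1952 FLG bits

def make_member(name: bytes, data: bytes = b"") -> bytes:
    """Constructed sample: one gzip member whose FNAME field is `name`."""
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FNAME, 0, 0, 3)
    deflate = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate body
    body = deflate.compress(data) + deflate.flush()
    return header + name + b"\x00" + body + struct.pack("<II", zlib.crc32(data), len(data))

def stored_name(blob: bytes):
    """Return the FNAME bytes of the first member, or None if no name is stored."""
    if len(blob) < 10 or blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip stream")
    flags, pos = blob[3], 10
    if flags & FEXTRA:  # optional extra field precedes the name
        if len(blob) < pos + 2:
            raise ValueError("truncated header")
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if not flags & FNAME:
        return None
    end = blob.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated FNAME")
    return blob[pos:end]

def classify(name: bytes) -> str:
    """Map a stored name onto the two cases named in the advisory."""
    if name.startswith(b"/"):
        return "absolute"
    if b".." in name.split(b"/"):
        return "dotdot"
    return "ok"

def safe_output_name(name: bytes) -> bytes:
    """Assumed policy: keep only the final path component, refuse empty or dot names."""
    base = name.rsplit(b"/", 1)[-1]
    if base in (b"", b".", b".."):
        raise ValueError("no usable file name in header")
    return base

if __name__ == "__main__":
    for sample in (b"/tmp/abs", b"../rel", b"mod"):  # names taken from the QA transcript
        name = stored_name(make_member(sample))
        print(name, classify(name), safe_output_name(name))
```
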

Comment 3 Len Lawrence 2016-03-08 10:49:30 CET
mga5  i586 virtualbox  Mate

Ran the before and after tests based on the PoC and saw exactly the same behaviour as in the 64bit test.

After update:
$ touch base
$ gzip -c base | sed 's|base|/tmp/abs|g' > abs.gz
$ rm base
rm: remove regular empty file ‘base’? y
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ unpigz -N abs.gz
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ rm ../rel
rm: remove regular empty file ‘../rel’? y
$ touch base
$ gzip -c base | sed 's|base|../rel|g' > rel.gz
$ rm base
rm: remove regular empty file ‘base’? y
$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ unpigz -N rel.gz
$ ls ../rel
ls: cannot access ../rel: No such file or directory

Validating this.
Len Lawrence 2016-03-08 10:49:54 CET

Keywords: (none) => validated_update
Whiteboard: advisory has_procedure MGA5-64-OK => advisory has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-03-10 00:28:13 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0104.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

