OpenSuSE has issued an advisory on March 4: http://lists.opensuse.org/opensuse-updates/2016-03/msg00013.html Patched package uploaded for Mageia 5. The issue was fixed upstream in version 2.3.3, which is already in Cauldron. Advisory: ======================== Updated pigz package fixes security vulnerability: Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a full pathname or .. (dot dot) in an archive (CVE-2015-1191). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1191 http://lists.opensuse.org/opensuse-updates/2016-03/msg00013.html ======================== Updated packages in core/updates_testing: ======================== pigz-2.3.1-3.1.mga5 from pigz-2.3.1-3.1.mga5.src.rpm
CC: (none) => davidwhodginsWhiteboard: (none) => advisory
Created attachment 7522 [details] PoC for pigz vunerability Taken from https://bugs.debian.org/cgi-bin/bugreport.cgi?=774978
CC: (none) => tarazed25
Whiteboard: advisory => advisory has_procedure
mga5 x86_64 Mate Installed pigz Ran the PoC check attached to show the vulnerability: [lcl@vega ~/qa]$ touch tmpabs [lcl@vega ~/qa]$ gzip -c tmpabs | sed 's|tmpabs|/tmp/abs|g' > abs.gz [lcl@vega ~/qa]$ rm tmpabs [lcl@vega ~/qa]$ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory [lcl@vega ~/qa]$ pigz -d -N abs.gz [lcl@vega ~/qa]$ ls /tmp/abs /tmp/abs [lcl@vega ~/qa]$ touch xxxrel [lcl@vega ~/qa]$ gzip -c xxxrel | sed 's|xxxrel|../rel|g' > rel.gz [lcl@vega ~/qa]$ rm xxxrel rm: remove regular empty file âxxxrelâ? y [lcl@vega ~/qa]$ ls ../rel ls: cannot access ../rel: No such file or directory [lcl@vega ~/qa]$ unpigz -N rel.gz [lcl@vega ~/qa]$ ls ../rel ../rel Installed the update and ran the check again. [lcl@vega ~/qa]$ touch tmpabs [lcl@vega ~/qa]$ gzip -c tmpabs | sed 's|tmpabs|/tmp/abs|g' > abs.gz [lcl@vega ~/qa]$ rm tmpabs rm: remove regular empty file âtmpabsâ? y [lcl@vega ~/qa]$ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory [lcl@vega ~/qa]$ unpigz -N abs.gz [lcl@vega ~/qa]$ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory [lcl@vega ~/qa]$ rm ../rel rm: cannot remove â../relâ: No such file or directory [lcl@vega ~/qa]$ touch xxxrel [lcl@vega ~/qa]$ gzip -c xxxrel | sed 's|xxxrel|../rel|g' > rel.gz [lcl@vega ~/qa]$ rm xxxrel rm: remove regular empty file âxxxrelâ? y [lcl@vega ~/qa]$ ls ../rel ls: cannot access ../rel: No such file or directory [lcl@vega ~/qa]$ unpigz -N rel.gz [lcl@vega ~/qa]$ ls ../rel ls: cannot access ../rel: No such file or directory Compressed a local file and uncompressed it and examined the first few lines. [lcl@vega ~/qa]$ ls -l mod -rw-r--r-- 1 lcl lcl 129185 Mar 8 00:19 mod [lcl@vega ~/qa]$ less mod [ 7495.015595] audit: type=1130 audit(1456699658.850:5414): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ 7525.053681] audit: type=1131 audit(1456699688.889:5415): pid=1 uid=0 auid=429 [lcl@vega ~/qa]$ ls -l mod.gz -rw-r--r-- 1 lcl lcl 11424 Feb 29 12:28 mod.gz [lcl@vega ~/qa]$ pigz -d mod.gz [lcl@vega ~/qa]$ ls -l mod -rw-r--r-- 1 lcl lcl 129185 Feb 29 12:28 mod [lcl@vega ~/qa]$ less mod [ 7495.015595] audit: type=1130 audit(1456699658.850:5414): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ 7525.053681] audit: type=1131 audit(1456699688.889:5415): pid=1 uid=0 auid=429 The update is fine for 64-bits.
Whiteboard: advisory has_procedure => advisory has_procedure MGA5-64-OK
mga5 i586 virtualbox Mate Ran the before and after tests based on the PoC and saw exactly the same behaviour as in the 64bit test. After update: $ touch base $ gzip -c base | sed 's|base|/tmp/abs|g' > abs.gz $ rm base rm: remove regular empty file âbaseâ? y $ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory $ unpigz -N abs.gz $ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory $ rm ../rel rm: remove regular empty file â../relâ? y $ touch base $ gzip -c base | sed 's|base|../rel|g' > rel.gz $ rm base rm: remove regular empty file âbaseâ? y $ ls ../rel ls: cannot access ../rel: No such file or directory $ unpigz -N rel.gz $ ls ../rel ls: cannot access ../rel: No such file or directory Validating this.
Keywords: (none) => validated_updateWhiteboard: advisory has_procedure MGA5-64-OK => advisory has_procedure MGA5-64-OK MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0104.html
Status: NEW => RESOLVEDResolution: (none) => FIXED