18490 – p7zip new security issues CVE-2016-2334 and CVE-2016-2335

Bug 18490 - p7zip new security issues CVE-2016-2334 and CVE-2016-2335

Summary: p7zip new security issues CVE-2016-2334 and CVE-2016-2335

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/688051/
Whiteboard:	has_procedure advisory MGA5-64-OK
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2016-05-19 16:58 CEST by David Walser
Modified:	2016-05-22 00:12 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	p7zip-15.14.1-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-05-19 16:58:59 CEST

Cisco TALOS has issued an advisory on May 11:
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

A comment there, plus one on the Debian bug, says 9.20 isn't affected by CVE-2016-2334, as the code was probably introduced in 9.32.  As for 9.20.1, I don't know, but one could check the patch, linked from the upstream bug.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824160
https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/?limit

David Walser 2016-05-19 16:59:04 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David GEIGER 2016-05-19 17:54:16 CEST

Ok done for Cauldron!

Also I confirm that 9.20.1 release isn't affected by CVE-2016-2334, patch cannot be applied because code is not at all the same as 15.14.1 release.

So what to do for mga5? just apply the patch for CVE-2016-2335?

Comment 2 David Walser 2016-05-19 18:08:20 CEST

(In reply to David GEIGER from comment #1)
> So what to do for mga5? just apply the patch for CVE-2016-2335?

Yes.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 David GEIGER 2016-05-19 18:18:19 CEST

Well! done also for mga5!

Comment 4 David Walser 2016-05-19 18:31:56 CEST

Thanks!

Advisory:
========================

Updated p7zip package fixes security vulnerability:

An out of bound read vulnerability exists in the CInArchive::ReadFileItem
method functionality of 7zip for handling UDF files that can lead to denial of
service or code execution (CVE-2016-2335).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2335
http://www.talosintel.com/reports/TALOS-2016-0094/
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
========================

Updated packages in core/updates_testing:
========================
p7zip-9.20.1-6.2.mga5

from p7zip-9.20.1-6.2.mga5.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 5 Brian Rockwell 2016-05-20 21:34:10 CEST

MGA5-64

[root@localhost brian]# urpmi p7zip
Package p7zip-9.20.1-6.2.mga5.x86_64 is already installed

[brian@localhost ~]$ 7z

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,3 CPUs)

7z a -r emlp.7z ./*.flac

-rw-r--r-- 1 brian brian 2079565218 May 20 14:12 emlp.7z

moving file to a new location to extract.

Opened with Archive Manager.  (Archive Manager is using 7z to extract)

First file and last files play correctly.

CC: (none) => brtians1
Whiteboard: (none) => MGA5-64-OK

claire robinson 2016-05-21 21:18:36 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-05-22 00:12:24 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0202.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.