Bug 19312 - file-roller new security issue CVE-2016-7162
Summary: file-roller new security issue CVE-2016-7162
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/700116/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-09-08 15:03 CEST by David Walser
Modified: 2016-09-21 22:39 CEST (History)
3 users (show)

See Also:
Source RPM: file-roller-3.14.2-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-09-08 15:03:13 CEST 
A CVE has been assigned to an issue fixed in file-roller 3.20.3:
http://www.openwall.com/lists/oss-security/2016/09/08/4

The commit to fix the issue is linked in the message above.
Comment 1 David Walser 2016-09-09 17:39:36 CEST 
Ubuntu has issued an advisory for this on September 8:
http://www.ubuntu.com/usn/usn-3074-1/

Patched package uploaded for Mageia 5:

Advisory:
========================

Updated file-roller package fixes security vulnerability:

It was discovered that File Roller incorrectly handled symlinks. If a user were
tricked into extracting a specially-crafted archive, an attacker could delete
files outside of the extraction directory (CVE-2016-7162).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7162
http://www.ubuntu.com/usn/usn-3074-1/
========================

Updated packages in core/updates_testing:
========================
file-roller-3.14.2-1.1.mga5

from file-roller-3.14.2-1.1.mga5.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/700116/
Assignee: olav => qa-bugs
Severity: normal => major

Comment 2 Chris B 2016-09-10 15:39:00 CEST 
[root@localhost chris]# urpmi file-roller
Package file-roller-3.14.2-1.1.mga5.x86_64 is already installed
[root@localhost chris]# 

[root@localhost chris]# urpmi file-roller
Package file-roller-3.14.2-1.1.mga5.i586 is already installed
[root@localhost chris]# 


Installed without issues in both 32 and 64 bit on M5.

Basic testing on both systems: created an archive, added files, in a file manager (thunar) via context menu extracted the archive. Works.

I don't know if it's up to me to mark it ok, and if yes, how I'd do that. Sorry, new to the QA-team.

CC: (none) => shybluenight

Comment 3 Chris B 2016-09-15 23:22:20 CEST 
On both arch, following the correct testing procedure, first installing
file-roller-3.14.2-1.mga5, then updating to file-roller-3.14.2-1.1.mga5 (from update_testing).

[root@localhost chris]# urpmi file-roller

    $MIRRORLIST: media/core/updates_testing/file-roller-3.14.2-1.1.mga5.x86_64.rpm
installing file-roller-3.14.2-1.1.mga5.x86_64.rpm from /var/cache/urpmi/rpms   
Preparing...                     #############################################
      1/1: file-roller           #############################################
      1/1: removing file-roller-3.14.2-1.mga5.x86_64
                                 #############################################
[root@localhost chris]#

No issues.

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Comment 4 Lewis Smith 2016-09-16 08:18:12 CEST 
Thanks Chris for a great job speedily done.

Update validated, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2016-09-21 22:39:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0313.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.