Upstream has released unshield 1.4 on December 27:
https://github.com/twogood/unshield/releases/tag/1.4

It fixes one security issue:
https://github.com/twogood/unshield/issues/42

Jani already updated it in Cauldron.
Pushed unshield 1.4 to core/updates_testing for mga5.
Assignee: jani.valimaa => qa-bugs
Advisory:
========================

Updated unshield packages fix security vulnerability:

unshield is vulnerable to directory traversal via "../" sequences (CVE-2015-1386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1386
https://github.com/twogood/unshield/issues/42
https://github.com/twogood/unshield/releases/tag/1.4
========================

Updated packages in core/updates_testing:
========================
unshield-1.4-1.mga5
libunshield0-1.4-1.mga5
libunshield-devel-1.4-1.mga5

from unshield-1.4-1.mga5.src.rpm
Starting tests on x86_64 real hardware.
CC: (none) => tarazed25
The link https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193 provides a PoC for this bug.

Installed unshield, downloaded the data1.cab file and ran the PoC test on it. The result was not quite what was expected:

$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory
$ unshield x data1.cab
Failed to open data1.cab as an InstallShield Cabinet File

The file header starts with IS and file identifies it:

$ file data1.cab
data1.cab: InstallShield CAB

This is what was posted against the PoC, before patching:

$ unshield x data1.cab
Cabinet: data1.cab
extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
-------- -------
1 files
$ ls /tmp/moo
/tmp/moo

It was unshield-1.0-4.mga5.x86_64 which was installed - maybe that already had the capability to see a problem.

Installed unshield-1.0-4-1.mga5.x86_64 and required libraries.

$ unshield x ./data1.cab
Failed to open ./data1.cab as an InstallShield Cabinet File

Same message. It looks as if the issue has been fixed but it would be interesting to see if valid CAB files can be expanded.
Installed lcab and attempted to create a cabinet file:

$ lcab -r qa qa.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
Segmentation fault

Tried something smaller:

$ lcab -r python-pillow wireless_script_2.1.sh qa.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath : no
recursive : yes
quiet : no
inputfiles :
python-pillow/identify
python-pillow/kappaCrucis.thumbnail
python-pillow/hello2.png
python-pillow/pillow/identify
python-pillow/pillow/README
python-pillow/pillow/identify3
python-pillow/pillow/convert
python-pillow/pillow/convert3
python-pillow/pillow/thumbnail
python-pillow/pillow/thumbnail3
python-pillow/identify3
python-pillow/fox.png
python-pillow/kappaCrucis.png
python-pillow/convert
python-pillow/convert3
python-pillow/kappaCru.jpg
python-pillow/kappaCru.png
python-pillow/kappaCrucis.jpg
python-pillow/fox.jpg
python-pillow/pillow.script
python-pillow/thumbnail
python-pillow/thumbnail3
python-pillow/kappaCrucis.thumb
python-pillow/hello2.jpg
wireless_script_2.1.sh
outputfile : qa.cab
cabfile : 19751320 bytes (approx. 19288.40 Kbytes)
cfileInit: python-pillow\identify
localtime:
cfileInit: python-pillow\kappaCrucis.thumbnail
localtime:
.....................................................
cfileInit: wireless_script_2.1.sh
localtime:
tmp,header,folder,......................... done
$ ls -l qa.cab
-rw-r--r-- 1 lcl vboxusers 19728383 Jan 9 20:58 qa.cab
$ cp qa.cab /tmp
$ cd /tmp
$ unshield x qa.cab
Failed to open qa.cab as an InstallShield Cabinet File

Feedback needed.
Keywords: (none) => NEEDHELP
Whiteboard: (none) => has_procedure
I experimented with unshield and lcab on Cauldron and found the same problem of recognition. The man page for unshield describes the utility thus:

"Unshield extracts CAB files from InstallShield installers, used to install software on Microsoft Windows based machines."

So does that mean that an InstallShield file is a CAB file containing other CAB files?
Another thing to note is that the size of the output file from lcab is less than computed within lcab but perhaps there is some kind of compression applied.
Also, openmw needs to be rebuilt as the soname apparently changed.
Keywords: NEEDHELP => (none)
CC: (none) => jani.valimaa
Whiteboard: has_procedure => has_procedure feedback
Testing on i586 before installing the update. Downloaded both the data1.cab and data1.hdr files to a new directory.

[dave@i5v unshieldtest]$ unshield x data1.cab
Cabinet: data1.cab
extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
-------- -------
1 files
[dave@i5v unshieldtest]$ cat /tmp/moo
moo

After installing the update ...

$ unshield x data1.cab
unshield: symbol lookup error: unshield: undefined symbol: unshield_is_unicode

It looks like this commit is needed too ...
https://github.com/twogood/unshield/commit/05da199e4baa77af2b6b90b2fe7feba3078cbbd1
CC: (none) => davidwhodgins
This comment got lost:

https://bugs.mageia.org/show_bug.cgi?id=20084

--- Comment #10 from Jani Välimaa <jani.valimaa@gmail.com> ---
Can't reproduce the undefined symbol issue. You need to install also the updated library pkg lib(,64)unshield0.
____________________________________________________________________________

@ Jani & Dave

Is the "feedback" whiteboard tag still needed?

Marja
CC: (none) => marja11
Looks like Dave made the same mistake as when testing the recent pidgin update.
Whiteboard: has_procedure feedback => has_procedure
Checking i586 again. Not sure what the problem is, but using wget to download the data1.cab and data1.hdr files fails (invalid cab file). Ended up using firefox to go to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193 and used it to download them.

Before the update ...
urpmi unshield also installs libunshield0.

[dave@i5v Downloads]$ unshield x dat
data1.cab data1.hdr
[dave@i5v Downloads]$ unshield x data1.cab
Cabinet: data1.cab
extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
-------- -------
1 files
[dave@i5v Downloads]$ cat /tmp/moo
moo

After enabling the test repos and deleting /tmp/moo ...

# urpmi libunshield0 unshield

installs the two updated packages.

[dave@i5v Downloads]$ unshield x data1.cab
Cabinet: data1.cab

Extraction failed.
Possible directory traversal attack for: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
To be placed at: /tmp/moo
-------- -------
0 files

Sorry I missed updating the libunshield0 package before.

Repeating the test on an x86_64 install. urpmi unshield also installs lib64unshield0. With the updated versions of both packages installed, same test results as on i586.

Advisory added to svn. Validating the update. Sorry for the mess up.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0107.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
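
For reference, the kind of containment check that produces a rejection like the "Possible directory traversal attack ... To be placed at: /tmp/moo" output in the validation test above. This is an added example, not code from unshield or from this report; the function names, the /home/qa/out directory and the shortened entry name are constructed for illustration. It assumes an absolute output directory and resolves ".." lexically only, so it does not account for symlinks already present under the output directory.

```c
#include <stdio.h>
#include <string.h>

/* Join base and entry, then resolve "." and ".." lexically (no symlink
 * lookups). Returns 0 on success, -1 if the result does not fit. */
static int join_normalized(const char *base, const char *entry,
                           char *out, size_t outsz)
{
    char buf[4096];
    size_t len = 0;
    int n = snprintf(buf, sizeof buf, "%s/%s", base, entry);
    if (n < 0 || (size_t)n >= sizeof buf || outsz < 2)
        return -1;
    out[0] = '\0';
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            /* Drop the last component; at the root, ".." stays at the root. */
            while (len > 0 && out[--len] != '/') {}
            out[len] = '\0';
            continue;
        }
        size_t tl = strlen(tok);
        if (len + tl + 2 > outsz)   /* '/' + component + NUL */
            return -1;
        out[len++] = '/';
        memcpy(out + len, tok, tl + 1);
        len += tl;
    }
    if (len == 0) strcpy(out, "/");
    return 0;
}

/* 1 if entry lands strictly below outdir, 0 if it escapes or is too long. */
int entry_is_contained(const char *outdir, const char *entry)
{
    char root[4096], dest[4096];
    if (join_normalized(outdir, "", root, sizeof root) != 0 ||
        join_normalized(outdir, entry, dest, sizeof dest) != 0)
        return 0;
    size_t rl = strlen(root);
    if (rl == 1) return 1;          /* outdir is "/": nothing can escape */
    return strncmp(dest, root, rl) == 0 && dest[rl] == '/';
}

int main(void)
{
    /* Constructed entry name modelled on the PoC path in this report. */
    printf("%d\n", entry_is_contained("/home/qa/out", "Bovine_Files/../../../../../tmp/moo"));
    return 0;
}
```

The trailing-slash comparison matters: a plain prefix match would accept a sibling directory such as /home/qa/out2 as being inside /home/qa/out.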