Bug 20084 - unshield new security issue CVE-2015-1386
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-07 22:12 CET by David Walser
Modified: 2017-04-16 00:23 CEST

See Also:
Source RPM: unshield-1.0-4.mga5.src.rpm
CVE:

Description David Walser 2017-01-07 22:12:49 CET
Upstream has released unshield 1.4 on December 27:
https://github.com/twogood/unshield/releases/tag/1.4

It fixes one security issue:
https://github.com/twogood/unshield/issues/42

Jani already updated it in Cauldron.
Comment 1 Jani Välimaa 2017-01-08 13:18:26 CET
Pushed unshield 1.4 to core/updates_testing for mga5.

Assignee: jani.valimaa => qa-bugs

Comment 2 David Walser 2017-01-08 16:00:52 CET
Advisory:
========================

Updated unshield packages fix security vulnerability:

unshield is vulnerable to directory traversal via "../" sequences
(CVE-2015-1386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1386
https://github.com/twogood/unshield/issues/42
https://github.com/twogood/unshield/releases/tag/1.4
========================

Updated packages in core/updates_testing:
========================
unshield-1.4-1.mga5
libunshield0-1.4-1.mga5
libunshield-devel-1.4-1.mga5

from unshield-1.4-1.mga5.src.rpm
Comment 3 Len Lawrence 2017-01-09 20:43:12 CET
Starting tests on x86_64 real hardware.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-01-09 21:42:41 CET
The link https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193 provides a PoC for this bug.  Installed unshield, downloaded the data1.cab file and ran the PoC test on it.
The result was not quite what was expected:
$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory
$ unshield x data1.cab
Failed to open data1.cab as an InstallShield Cabinet File

The file header starts with IS and file identifies it:
$ file data1.cab
data1.cab: InstallShield CAB

This is what was posted against the PoC, before patching:
$ unshield x data1.cab
Cabinet: data1.cab
 extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
--------  -------
         1 files

$ ls /tmp/moo
/tmp/moo

It was unshield-1.0-4.mga5.x86_64 which was installed - maybe that already had the capability to see a problem.

Installed unshield-1.0-4-1.mga5.x86_64 and required libraries.
$ unshield x ./data1.cab
Failed to open ./data1.cab as an InstallShield Cabinet File

Same message.
It looks as if the issue has been fixed but it would be interesting to see if valid CAB files can be expanded.
Comment 5 Len Lawrence 2017-01-09 22:06:24 CET
Installed lcab and attempted to create a cabinet file:

$ lcab -r qa qa.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
Segmentation fault

Tried something smaller:

$ lcab -r python-pillow wireless_script_2.1.sh qa.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath          : no
recursive       : yes
quiet           : no
inputfiles      : python-pillow/identify python-pillow/kappaCrucis.thumbnail python-pillow/hello2.png python-pillow/pillow/identify python-pillow/pillow/README python-pillow/pillow/identify3 python-pillow/pillow/convert python-pillow/pillow/convert3 python-pillow/pillow/thumbnail python-pillow/pillow/thumbnail3 python-pillow/identify3 python-pillow/fox.png python-pillow/kappaCrucis.png python-pillow/convert python-pillow/convert3 python-pillow/kappaCru.jpg python-pillow/kappaCru.png python-pillow/kappaCrucis.jpg python-pillow/fox.jpg python-pillow/pillow.script python-pillow/thumbnail python-pillow/thumbnail3 python-pillow/kappaCrucis.thumb python-pillow/hello2.jpg wireless_script_2.1.sh 
outputfile      : qa.cab
cabfile         : 19751320 bytes (approx. 19288.40 Kbytes)
cfileInit: python-pillow\identify localtime:
cfileInit: python-pillow\kappaCrucis.thumbnail localtime:
.....................................................
cfileInit: wireless_script_2.1.sh localtime:
tmp,header,folder,.........................
done
$ ls -l qa.cab
-rw-r--r-- 1 lcl vboxusers 19728383 Jan  9 20:58 qa.cab
$ cp qa.cab /tmp
$ cd /tmp
$ unshield x qa.cab
Failed to open qa.cab as an InstallShield Cabinet File

Feedback needed.
Len Lawrence 2017-01-09 22:09:41 CET

Keywords: (none) => NEEDHELP
Whiteboard: (none) => has_procedure

Comment 6 Len Lawrence 2017-01-09 22:46:31 CET
I experimented with unshield and lcab on Cauldron and found the same problem of recognition.  The man page for unshield describes the utility thus:
Unshield extracts CAB files from InstallShield installers, used to install software on Microsoft Windows based machines.

So does that mean that an InstallShield file is a CAB file containing other CAB files?
Comment 7 Len Lawrence 2017-01-09 22:50:17 CET
Another thing to note is that the size of the output file from lcab is less than computed within lcab but perhaps there is some kind of compression applied.
Comment 8 David Walser 2017-01-11 11:36:34 CET
Also, openmw needs to be rebuilt as the soname apparently changed.

Keywords: NEEDHELP => (none)
Whiteboard: has_procedure => has_procedure feedback
CC: (none) => jani.valimaa

Comment 9 Dave Hodgins 2017-04-04 04:49:26 CEST
Testing on i586 before installing the update.
 Downloaded both the data1.cab and data1.hdr files to a new directory.
[dave@i5v unshieldtest]$ unshield x data1.cab
Cabinet: data1.cab
  extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
 --------  -------
          1 files
[dave@i5v unshieldtest]$ cat /tmp/moo
moo

After installing the update ...
$ unshield x data1.cab
unshield: symbol lookup error: unshield: undefined symbol: unshield_is_unicode

It looks like this commit is needed too ...
https://github.com/twogood/unshield/commit/05da199e4baa77af2b6b90b2fe7feba3078cbbd1

CC: (none) => davidwhodgins

Comment 10 Marja van Waes 2017-04-08 16:43:29 CEST
This comment got lost:

https://bugs.mageia.org/show_bug.cgi?id=20084

--- Comment #10 from Jani Välimaa <jani.valimaa@gmail.com> ---
Can't reproduce the undefined symbol issue. You need to install also the
updated library pkg lib(,64)unshield0.



____________________________________________________________________________

@ Jani & Dave

Is the "feedback" whiteboard tag still needed?

Marja

CC: (none) => marja11

Comment 11 David Walser 2017-04-15 16:38:49 CEST
Looks like Dave made the same mistake as when testing the recent pidgin update.

Whiteboard: has_procedure feedback => has_procedure

Comment 12 Dave Hodgins 2017-04-15 18:11:18 CEST
Checking i586 again.
Not sure what the problem is, but using wget to download the data1.cab and data1.hdr files fails (invalid cab file). Ended up using firefox to go to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193
and used it to download them.

Before the update ...
urpmi unshield also installs libunshield0.
[dave@i5v Downloads]$ unshield x dat
data1.cab  data1.hdr  
[dave@i5v Downloads]$ unshield x data1.cab 
Cabinet: data1.cab
  extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
 --------  -------
          1 files
[dave@i5v Downloads]$ cat /tmp/moo
moo

After enabling the test repos and deleting /tmp/moo ...
# urpmi libunshield0 unshield
installs the two updated packages.
[dave@i5v Downloads]$ unshield x data1.cab 
Cabinet: data1.cab


Extraction failed.
Possible directory traversal attack for: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
To be placed at: /tmp/moo

 --------  -------
          0 files

Sorry I missed updating the libunshield0 package before.

Repeating the test on an x86_64 install. urpmi unshield also installs lib64unshield0.

With the updated versions of both packages installed, same test results as on i586.

Advisory added to svn. Validating the update. Sorry for the mess up.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs
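
The before/after behaviour tested in this thread comes down to refusing archive member names that climb out of the extraction directory. As an added example (not unshield's code and not the upstream patch), here is a lexical check for that condition; `member_escapes` is a hypothetical name, the sample names are constructed, and treating `\` as a separator is an assumption made because the names originate from Windows installers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if extracting `name` beneath an output directory would
 * resolve outside it, 0 otherwise. Purely lexical: it does not follow
 * symlinks that already exist on disk. */
int member_escapes(const char *name)
{
    int depth = 0;              /* levels below the output root */
    const char *p = name;

    /* Absolute paths ignore the output directory entirely. */
    if (*p == '/' || *p == '\\')
        return 1;

    while (*p) {
        /* A component ends at either separator (assumption, see lead-in). */
        size_t len = strcspn(p, "/\\");

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;       /* climbed above the root at this step */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;            /* ordinary directory or file name */
        }
        p += len;
        if (*p)
            p++;                /* skip the separator */
    }
    return 0;
}

int main(void)
{
    /* Constructed samples; the first has the shape quoted in the thread. */
    const char *samples[] = {
        "./Bovine_Files/../../../../tmp/moo",
        "Bovine_Files/moo.txt",
        "a/../b/file",
        "a/../../a/file",       /* net depth is positive, but it dips below 0 */
        "..\\..\\tmp\\moo",
        "/tmp/moo",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-40s %s\n", samples[i],
               member_escapes(samples[i]) ? "REJECT" : "ok");
    return 0;
}
```

The check is applied per component rather than on the net count of `..` entries, which is why `a/../../a/file` is rejected even though it ends two levels deep.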

Comment 13 Mageia Robot 2017-04-16 00:23:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0107.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

