Bug 20084 - unshield new security issue CVE-2015-1386
Status: NEW
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
: has_procedure feedback
Reported: 2017-01-07 22:12 CET by David Walser
Modified: 2017-01-11 11:36 CET
Source RPM: unshield-1.0-4.mga5.src.rpm


Description David Walser 2017-01-07 22:12:49 CET
Upstream has released unshield 1.4 on December 27:

It fixes one security issue:

Jani already updated it in Cauldron.
Comment 1 Jani Välimaa 2017-01-08 13:18:26 CET
Pushed unshield 1.4 to core/updates_testing for mga5.
Comment 2 David Walser 2017-01-08 16:00:52 CET

Updated unshield packages fix security vulnerability:

unshield is vulnerable to directory traversal via "../" sequences


Updated packages in core/updates_testing:

from unshield-1.4-1.mga5.src.rpm
Comment 3 Len Lawrence 2017-01-09 20:43:12 CET
Starting tests on x86_64 real hardware.
Comment 4 Len Lawrence 2017-01-09 21:42:41 CET
The link https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193 provides a PoC for this bug.  Installed unshield, downloaded the data1.cab file and ran the PoC test on it.
The result was not quite what was expected:
$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory
$ unshield x data1.cab
Failed to open data1.cab as an InstallShield Cabinet File

The file header starts with IS and file identifies it:
$ file data1.cab
data1.cab: InstallShield CAB

This is what was posted against the PoC, before patching:
$ unshield x data1.cab
Cabinet: data1.cab
 extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
--------  -------
         1 files

$ ls /tmp/moo

It was unshield-1.0-4.mga5.x86_64 which was installed - maybe that already had the capability to see a problem.

Installed unshield-1.0-4-1.mga5.x86_64 and required libraries.
$ unshield x ./data1.cab
Failed to open ./data1.cab as an InstallShield Cabinet File

Same message.
It looks as if the issue has been fixed but it would be interesting to see if valid CAB files can be expanded.
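
A lexical containment check of the kind an extractor can apply to each entry name before writing it, given here as an added example: it is not part of this bug report and is not unshield's actual 1.4 patch. The function name `entry_escapes_root` and the sample names are hypothetical, and the first sample is a shortened, constructed form of the PoC entry quoted in the comment above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if writing `name` beneath an output directory would be unsafe:
 * the name is empty or absolute, or some prefix of it climbs above the
 * output directory through ".." components. Returns 0 if it stays inside.
 * '/' and '\\' both count as separators, since cabinet entries may carry
 * Windows-style paths. Purely lexical: symlinks that already exist in the
 * output directory are not considered. */
int entry_escapes_root(const char *name)
{
    long depth = 0;                 /* directories below the output root */
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 1;
    if (*p == '/' || *p == '\\')
        return 1;                   /* absolute path */
    if (p[1] == ':')
        return 1;                   /* drive-qualified path such as C:\x */

    while (*p != '\0') {
        size_t len = strcspn(p, "/\\");      /* length of this component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;           /* climbed above the output root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                /* ordinary directory or file name */
        }
        p += len;
        if (*p != '\0')
            p++;                    /* skip the separator */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample entry names. */
    const char *samples[] = { "./Bovine_Files/../../../tmp/moo",
                              "Bovine_Files/readme.txt",
                              "a\\..\\..\\x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s %s\n", samples[i],
               entry_escapes_root(samples[i]) ? "REJECT" : "ok");
    return 0;
}
```
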
Comment 5 Len Lawrence 2017-01-09 22:06:24 CET
Installed lcab and attempted to create a cabinet file:

$ lcab -r qa qa.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
Segmentation fault

Tried something smaller:

$ lcab -r python-pillow wireless_script_2.1.sh qa.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath          : no
recursive       : yes
quiet           : no
inputfiles      : python-pillow/identify python-pillow/kappaCrucis.thumbnail python-pillow/hello2.png python-pillow/pillow/identify python-pillow/pillow/README python-pillow/pillow/identify3 python-pillow/pillow/convert python-pillow/pillow/convert3 python-pillow/pillow/thumbnail python-pillow/pillow/thumbnail3 python-pillow/identify3 python-pillow/fox.png python-pillow/kappaCrucis.png python-pillow/convert python-pillow/convert3 python-pillow/kappaCru.jpg python-pillow/kappaCru.png python-pillow/kappaCrucis.jpg python-pillow/fox.jpg python-pillow/pillow.script python-pillow/thumbnail python-pillow/thumbnail3 python-pillow/kappaCrucis.thumb python-pillow/hello2.jpg wireless_script_2.1.sh 
outputfile      : qa.cab
cabfile         : 19751320 bytes (approx. 19288.40 Kbytes)
cfileInit: python-pillow\identify localtime:
cfileInit: python-pillow\kappaCrucis.thumbnail localtime:
cfileInit: wireless_script_2.1.sh localtime:
$ ls -l qa.cab
-rw-r--r-- 1 lcl vboxusers 19728383 Jan  9 20:58 qa.cab
$ cp qa.cab /tmp
$ cd /tmp
$ unshield x qa.cab
Failed to open qa.cab as an InstallShield Cabinet File

Feedback needed.
Comment 6 Len Lawrence 2017-01-09 22:46:31 CET
I experimented with unshield and lcab on Cauldron and found the same problem of recognition.  The man page for unshield describes the utility thus:
Unshield extracts CAB files from InstallShield installers, used to install software on Microsoft Windows based machines.

So does that mean that an InstallShield file is a CAB file containing other CAB files?
Comment 7 Len Lawrence 2017-01-09 22:50:17 CET
Another thing to note is that the size of the output file from lcab is less than computed within lcab but perhaps there is some kind of compression applied.
Comment 8 David Walser 2017-01-11 11:36:34 CET
Also, openmw needs to be rebuilt as the soname apparently changed.