Bug 21071 - libmwaw new security issue CVE-2017-9433
Summary: libmwaw new security issue CVE-2017-9433
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-11 16:56 CEST by David Walser
Modified: 2017-06-29 23:50 CEST (History)
4 users (show)

See Also:
Source RPM: libmwaw-0.3.4-3.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-06-11 16:56:14 CEST 
Debian has issued an advisory on June 9:
https://www.debian.org/security/2017/dsa-3875

Freeze push requested for Cauldron.

Patch checked into Mageia 5 SVN.
Comment 1 David Walser 2017-06-11 17:27:46 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libmwaw packages fix security vulnerability:

It was discovered that a buffer overflow in libmwaw might result in the
execution of arbitrary code if a malformed document is opened (CVE-2017-9433).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9433
https://www.debian.org/security/2017/dsa-3875
========================

Updated packages in core/updates_testing:
========================
libmwaw3-0.3.4-3.1.mga5
libmwaw-devel-0.3.4-3.1.mga5
libmwaw-doc-0.3.4-3.1.mga5
libmwaw-tools-0.3.4-3.1.mga5

from libmwaw-0.3.4-3.1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Dave Hodgins 2017-06-13 05:33:20 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 2 Lewis Smith 2017-06-13 21:24:07 CEST 
No previous updates for these packages.

libmwaw is a LibreOffice import filter for various old Mac office software file types.
 http://sourceforge.net/p/libmwaw/wiki/Home/

Name        : lib64mwaw3
The lib64mwaw3 package contains libraries and header files for
developing applications that use libmwaw.
 $ urpmq --whatrequires-recursive lib64mwaw3
shows most LibreOffice applications, & openlp.

Name        : libmwaw-tools
Tools to transform the supported document formats into other formats.
Supported output formats are CSV, XHTML, text and raw.
 mwaw2csv, mwaw2html, mwaw2raw, mwaw2svg, mwaw2text

https://sourceforge.net/projects/libmwaw/files/libmwaw-regression.tar.bz2/download
-> libmwaw-regression.tar.bz2 which looks as if it has multitudes of test files. 1.4Mb makes it too big to attach. To investigate.

Some digging to do to get some relevant files to test this update, but easy thereafter.

CC: (none) => lewyssmith

Comment 3 Lewis Smith 2017-06-14 12:51:56 CEST 
Testing M5_64

ibmwaw-regression/* has the answer. It is a load of sample files with a couple of Perl test scripts:
 regression.pl
 regenerate_raw.pl
run by $ ./<script> in the same directory.
'regression' produces a lot of output.
'regenerate' just produces lots of: "sh: mwaw2odf: command not found"
Should this be in the package?

BEFORE :
 lib64mwaw3-0.3.4-3.mga5
 libmwaw-tools-0.3.4-3.mga5
[libmwaw-regression]$ ./regression.pl         and kept the output.

AFTER:
 lib64mwaw3-0.3.4-3.1.mga5
 libmwaw-tools-0.3.4-3.1.mga5
[libmwaw-regression]$ ./regression.pl         and kept the output.

The output, mostly passed but some failures, was identical before/after update. Good for OK, but I might try the maw2... programs for our edification.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 4 Len Lawrence 2017-06-28 20:56:59 CEST 
i586 virtualbox, mga5.1 Mate

Downloaded the regression test file using the sourceforge link from comment 2.
$ bzip2 -d libmwaw-regression.tar.bz2
then tar xf.
$ ls libmwaw-regression
Acta           FullWrite     MicrosoftWord      SimpleText
ApplePict      GreatWorks    MicrosoftWorks     Style
BeagleWorks    HanMac        MindWrite          SuperPaint
ClarisDraw     LightWayText  More               Wingz
ClarisResolve  MacDoc        MouseWrite         WordPerfectWorks
ClarisWorks    MacDraft      NisusWriter        WriteNow
CricketDraw    MacDraw       PixelPaint         WriterPlus
DOCMaker       MacPaint      PowerPoint         ZWrite
eDOC           MacWrite      RagTime
FreeHand       MarinerWrite  regenerate_raw.pl
FullPaint      MaxWrite      regression.pl

regression.pl runs a suite of tests on the files in these directories and reports on STDOUT.
$ ls MicrosoftWord
1.0  3.0  5.0  regression.in
$ ls MicrosoftWord/5.0
dev113decembre                dev31mars.raw
dev113decembre.html           dev31mars.writerperfect
dev113decembre.raw            Transformations
dev113decembre.writerperfect  Transformations.html
dev31mars                     Transformations.raw
dev31mars.html                Transformations.writerperfect
$ ./regression.pl > before
Smartmatch is experimental at ./regression.pl line 241.
Smartmatch is experimental at ./regression.pl line 260.

Ran the update then the regression tests.
$ ./regression.pl > afterwards
Smartmatch is experimental at ./regression.pl line 241.
Smartmatch is experimental at ./regression.pl line 260.
$ diff before afterwards
No apparent difference in the results.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-06-28 21:10:50 CEST 
Tried to use the conversion utilities in three of the directories using the manpages as a guide but could not get them to operate.  An example:
$ mwaw2text -o mac.txt dev22-15.raw
ERROR: Unsupported file format!

It was the same every time.
Len Lawrence 2017-06-29 18:09:36 CEST

Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK

Len Lawrence 2017-06-29 18:10:30 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-06-29 23:50:09 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0194.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.