An old security issue in unrar has surfaced publicly with a CVE: http://openwall.com/lists/oss-security/2017/06/22/8 I'm not sure if a fix is available. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Apparently it's fixed in 5.5.5. openSUSE has issued an advisory for this today (June 23): https://lists.opensuse.org/opensuse-updates/2017-06/msg00085.html
Assigning to Götz who started updating unrar in Cauldron but never asked for a freeze push request (don't do that - either you get the package built for Mageia 6, or you don't modify the spec in SVN until the updates/6 branching is done).
Assignee: anssi.hannula => goetz.waschk
SUSE has issued advisories for this on June 29 and June 30: https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00041.html https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00049.html The latter shows that clamav is also affected, as detailed here: http://openwall.com/lists/oss-security/2017/06/29/8
Fixed in Cauldron by Götz. clamav isn't affected as we don't ship clamunrar.
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Depends on: (none) => 21563
Advisory: ======================== Updated unrar package fixes security vulnerabilities: VMSF_DELTA memory corruption (CVE-2012-6706). Directory traversal issue in UnRAR before 5.5.7 (CVE-2017-12938). libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the EncodeFileName::Decode call within the Archive::ReadHeader15 function (CVE-2017-12940). libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpack::Unpack20 function (CVE-2017-12941). libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ function (CVE-2017-12942). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6706 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12938 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12941 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12942 https://lists.opensuse.org/opensuse-updates/2017-06/msg00085.html http://openwall.com/lists/oss-security/2017/08/18/2 http://openwall.com/lists/oss-security/2017/08/18/6 ======================== Updated packages in core/updates_testing: ======================== unrar-5.50-1.mga5 from unrar-5.50-1.mga5.src.rpm
Assignee: goetz.waschk => qa-bugsWhiteboard: (none) => MGA5-64-OK
Advisory uploaded. Validating because this new version was tested M5/64 OK under bug 21134 in advance of creating this separate bug: https://bugs.mageia.org/show_bug.cgi?id=21563#c7
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => MGA5-64-OK advisoryCC: (none) => lewyssmith, sysadmin-bugs
Update ID assignment failed Checking for QA validation keyword⦠â Checking dependent bugs⦠â 21563 Dependent bug! Publish anyway? [y/N]: â Checking SRPMs⦠â (5/core/unrar-5.50-1.mga5) 'validated_update' keyword reset.
Keywords: validated_update => (none)
The package is in nonfree, not core.
My comment 6 should have back-referred to bug 21563 (not 21134). @Nicolas comment 7 Do not understand the dependance on bug 21563. I thought they were now independant. I was careful with both advisories (but to revise anyway). Perhaps the error was due to: @David comment 8 OK, I will amend both advisories accordingly. Took info from Comment 5.
The bug is dependent on the other one because the Mageia 5 update cannot be pushed before the Mageia 6 update, otherwise it would create an upgrade issue.
Re-validating now that bug 21563 has also been validated. Hope it sticks this time.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0302.html
Status: NEW => RESOLVEDResolution: (none) => FIXED