Bug 21134 - unrar new security issue CVE-2012-6706
Summary: unrar new security issue CVE-2012-6706
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on: 21563
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-23 23:40 CEST by David Walser
Modified: 2017-08-24 23:19 CEST (History)
2 users (show)

See Also:
Source RPM: unrar-5.31-1.mga6.nonfree.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-06-23 23:40:59 CEST
An old security issue in unrar has surfaced publicly with a CVE:
http://openwall.com/lists/oss-security/2017/06/22/8

I'm not sure if a fix is available.

Mageia 5 is also affected.
David Walser 2017-06-23 23:41:09 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-06-24 00:43:41 CEST
Apparently it's fixed in 5.5.5.

openSUSE has issued an advisory for this today (June 23):
https://lists.opensuse.org/opensuse-updates/2017-06/msg00085.html
Comment 2 Rémi Verschelde 2017-07-01 10:36:07 CEST
Assigning to Götz who started updating unrar in Cauldron but never asked for a freeze push request (don't do that - either you get the package built for Mageia 6, or you don't modify the spec in SVN until the updates/6 branching is done).

Assignee: anssi.hannula => goetz.waschk

Comment 3 David Walser 2017-07-01 20:46:24 CEST
SUSE has issued advisories for this on June 29 and June 30:
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00041.html
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00049.html

The latter shows that clamav is also affected, as detailed here:
http://openwall.com/lists/oss-security/2017/06/29/8
Comment 4 David Walser 2017-07-02 20:22:35 CEST
Fixed in Cauldron by Götz.  clamav isn't affected as we don't ship clamunrar.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

David Walser 2017-08-18 22:49:50 CEST

Depends on: (none) => 21563

Comment 5 David Walser 2017-08-20 15:13:47 CEST
Advisory:
========================

Updated unrar package fixes security vulnerabilities:

VMSF_DELTA memory corruption (CVE-2012-6706).

Directory traversal issue in UnRAR before 5.5.7 (CVE-2017-12938).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
EncodeFileName::Decode call within the Archive::ReadHeader15 function
(CVE-2017-12940).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
Unpack::Unpack20 function (CVE-2017-12941).

libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ
function (CVE-2017-12942).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12942
https://lists.opensuse.org/opensuse-updates/2017-06/msg00085.html
http://openwall.com/lists/oss-security/2017/08/18/2
http://openwall.com/lists/oss-security/2017/08/18/6
========================

Updated packages in core/updates_testing:
========================
unrar-5.50-1.mga5

from unrar-5.50-1.mga5.src.rpm

Assignee: goetz.waschk => qa-bugs
Whiteboard: (none) => MGA5-64-OK

Comment 6 Lewis Smith 2017-08-20 20:57:33 CEST
Advisory uploaded.
Validating because this new version was tested M5/64 OK under bug 21134 in advance of creating this separate bug: https://bugs.mageia.org/show_bug.cgi?id=21563#c7

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Nicolas Lécureuil 2017-08-21 13:12:11 CEST
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â 21563
Dependent bug! Publish anyway? [y/N]:  â
Checking SRPMs⦠                      â (5/core/unrar-5.50-1.mga5) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 8 David Walser 2017-08-21 13:41:25 CEST
The package is in nonfree, not core.
Comment 9 Lewis Smith 2017-08-21 20:22:02 CEST
My comment 6 should have back-referred to bug 21563 (not 21134).

@Nicolas comment 7
Do not understand the dependance on bug 21563. I thought they were now independant. I was careful with both advisories (but to revise anyway). Perhaps the error was due to:

@David comment 8
OK, I will amend both advisories accordingly. Took info from Comment 5.
Comment 10 David Walser 2017-08-21 21:01:39 CEST
The bug is dependent on the other one because the Mageia 5 update cannot be pushed before the Mageia 6 update, otherwise it would create an upgrade issue.
Comment 11 Lewis Smith 2017-08-24 11:45:47 CEST
Re-validating now that bug 21563 has also been validated. Hope it sticks this time.

Keywords: (none) => validated_update

Comment 12 Nicolas Lécureuil 2017-08-24 14:29:17 CEST
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â 21563
Dependent bug! Publish anyway? [y/N]:  â
Checking SRPMs⦠                      â (5/core/unrar-5.50-1.mga5) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Lewis Smith 2017-08-24 21:24:49 CEST

Keywords: (none) => validated_update

Comment 13 Mageia Robot 2017-08-24 23:19:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0302.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.