Bug 21556 - libmspack new security issues CVE-2017-6419 and CVE-2017-11423
Summary: libmspack new security issues CVE-2017-6419 and CVE-2017-11423
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks: 21555
  Show dependency treegraph
Reported: 2017-08-17 22:51 CEST by David Walser
Modified: 2017-08-19 11:59 CEST (History)
3 users (show)

See Also:
Source RPM: libmspack-0.5-0.2.alpha.mga6.src.rpm
CVE: CVE-2017-6419 CVE-2017-11423
Status comment:


Description David Walser 2017-08-17 22:51:38 CEST
Ubuntu has issued an advisory today (August 17):

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-17 22:51:47 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Nicolas Lécureuil 2017-08-17 23:42:43 CEST
pushed in updates_testing

CVE: (none) => CVE-2017-6419 CVE-2017-11423
CC: (none) => mageia
Assignee: bugsquad => qa-bugs

Nicolas Lécureuil 2017-08-18 00:08:48 CEST

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 2 David Walser 2017-08-18 02:15:52 CEST

Updated libmspack packages fix security vulnerabilities:

It was discovered that libmspack incorrectly handled certain malformed CHM
files. A remote attacker could use this issue to cause libmspack to crash,
resulting in a denial of service, or possibly execute arbitrary code

It was discovered that libmspack incorrectly handled certain malformed CAB
files. A remote attacker could use this issue to cause libmspack to crash,
resulting in a denial of service (CVE-2017-11423).


Updated packages in core/updates_testing:

from SRPMS:

Blocks: (none) => 21555

Comment 3 Len Lawrence 2017-08-18 11:35:59 CEST
mga5  x86_64

CAB files are not readily available so use lcab to create one.
Could not find anything which would help to test the CVEs.

Installed lcab and cabextract and created a small cabinet file.
$ lcab -r work work.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath          : no
recursive       : yes
quiet           : no
inputfiles      : work/report work/sample 
outputfile      : work.cab
cabfile         : 3130 bytes (approx. 3.06 Kbytes)
cfileInit: work\report localtime:
cfileInit: work\sample localtime:
$ ls -l work.cab
-rw-r--r-- 1 lcl lcl 1673 Aug 18 10:05 work.cab
$ mkdir ditto
Integrity check:
$ cabextract -t work.cab
Testing cabinet: work.cab
  work/report  OK                              2b4378746648cb6fbef23d2bf1a73ef5
  work/sample  OK                              6a7d342aae4f9cebb5b94e9a9576e85d
Extract contents to named directory:
$ cabextract -d ditto work.cab
Extracting cabinet: work.cab
  extracting ditto/work/report
  extracting ditto/work/sample

All done, no errors.
$ tree ditto
└── work
    ├── report
    └── sample

Check to show that the library is being accessed:
$ strace cabextract work.cab 2> trace
$ cat trace | grep mspack
open("/lib64/libmspack.so.0", O_RDONLY|O_CLOEXEC) = 3

Installed the updates and ran similar tests on a larger set of files, leaving out the strace.  There were no problems.

CC: (none) => tarazed25

Len Lawrence 2017-08-18 11:37:02 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 4 Len Lawrence 2017-08-18 11:59:02 CEST
mga6  x86_64

Repeated the tests outlined in comment 3 using more files.  Collected  my whole bookshelf into a 766 MB file which passed the integrity check and expanded into a folder on another partition.

Before updates: OK
afterwards: OK
Len Lawrence 2017-08-18 11:59:15 CEST

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 5 Rémi Verschelde 2017-08-19 11:18:24 CEST
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => advisory MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-08-19 11:59:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.