Bug 21563 - unrar new security issues CVE-2017-12938 and CVE-2017-1294[0-2]
Summary: unrar new security issues CVE-2017-12938 and CVE-2017-1294[0-2]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks: 21134
Reported: 2017-08-18 22:48 CEST by David Walser
Modified: 2017-08-24 23:19 CEST

See Also:
Source RPM: unrar-5.50-0.beta4.1.mga6.nonfree.src.rpm
CVE:
Status comment:


Attachments
test rar (11.11 KB, application/x-rar)
2017-08-23 13:20 CEST, PC LX

Description David Walser 2017-08-18 22:48:22 CEST
A CVE has been issued for a security issue in unrar:
http://openwall.com/lists/oss-security/2017/08/18/2

The issue is fixed upstream in 5.5.7.

Mageia 5 and Mageia 6 are also affected.

David Walser 2017-08-18 22:48:32 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-08-18 22:49:50 CEST
And now there's three more CVEs:
http://openwall.com/lists/oss-security/2017/08/18/6

Summary: unrar new security issue CVE-2017-12938 => unrar new security issues CVE-2017-12938 and CVE-2017-1294[0-2]
Blocks: (none) => 21134

Marja Van Waes 2017-08-19 07:40:01 CEST

Assignee: bugsquad => anssi.hannula
CC: (none) => marja11

Comment 2 Nicolas Lécureuil 2017-08-19 23:25:25 CEST
pushed in updates_testing:
src.rpm:
        unrar-5.50-0.beta4.1.1.mga5
        unrar-5.50-0.beta4.1.1.mga6

Version: Cauldron => 6
CC: (none) => mageia
Assignee: anssi.hannula => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 3 David Walser 2017-08-19 23:34:40 CEST
Advisory:
========================

Updated unrar package fixes security vulnerabilities:

Directory traversal issue in UnRAR before 5.5.7 (CVE-2017-12938).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
EncodeFileName::Decode call within the Archive::ReadHeader15 function
(CVE-2017-12940).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
Unpack::Unpack20 function (CVE-2017-12941).

libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ
function (CVE-2017-12942).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12942
http://openwall.com/lists/oss-security/2017/08/18/2
http://openwall.com/lists/oss-security/2017/08/18/6
========================

Updated packages in core/updates_testing:
========================
unrar-5.50-0.beta4.1.1.mga5
unrar-5.50-0.beta4.1.1.mga6

from SRPMS:
unrar-5.50-0.beta4.1.1.mga5.src.rpm
unrar-5.50-0.beta4.1.1.mga6.src.rpm

Comment 4 Frédéric "LpSolit" Buclin 2017-08-20 01:29:52 CEST
(In reply to Nicolas Lécureuil from comment #2)
> pushed in updates_testing:
> src.rpm:
>         unrar-5.50-0.beta4.1.1.mga5
>         unrar-5.50-0.beta4.1.1.mga6

FYI, unrar 5.50 is no longer in beta state: http://www.rarlab.com/rarnew.htm

And the output of unrar confirms this.

Comment 5 PC LX 2017-08-20 02:03:41 CEST
Installed and tested without issues. Tested on a bunch of years old and more recent rar files. Also tested by compressing a directory, decompressing and then comparing.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q unrar
unrar-5.50-0.beta4.1.1.mga5.nonfree

CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Lewis Smith 2017-08-20 10:42:00 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK advisory

Comment 6 Nicolas Lécureuil 2017-08-20 13:38:47 CEST
Please test with the new version number; this is not a beta anymore, so I just upgraded the release.

Comment 7 PC LX 2017-08-20 14:24:06 CEST
Installed and tested without issues.

I used the following commands to test unrar.

find ~/ -ipath '*.rar' -exec unrar t '{}' ';'
RAR=~/tmp/test.rar ; SRC=~/tmp/test1/ ; DST=~/tmp/test2/ ; cd "$SRC" ; rar a "$RAR" ./ ; mkdir -p "$DST" ; cd "$DST" ; unrar x "$RAR" ./ ; diff -r "$SRC" "$DST"

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q unrar
unrar-5.50-1.mga5

Comment 8 David Walser 2017-08-20 15:11:25 CEST
Moving Mageia 5 to Bug 21134 as there's another CVE fixed there.

Mageia 6 update is now:
unrar-5.50-1.mga6

from unrar-5.50-1.mga6.src.rpm

Whiteboard: MGA5TOO MGA5-64-OK advisory => (none)

Lewis Smith 2017-08-20 21:00:54 CEST

Whiteboard: (none) => advisory

Comment 9 Lewis Smith 2017-08-23 11:07:48 CEST
@PC_LX
Thank you for your Mageia 5 tests and command examples.
Willing to test this M6/64, but baffled by how to produce a .rar file. I cannot find 'rar' at all... [implied by your comments 5 & 7].
If we do not offer rar for M6, perhaps you could please add a .rar file attachment to this bug to play with.

Comment 10 PC LX 2017-08-23 13:19:37 CEST
The rar binary can be fetched from:
http://www.rarlab.com/download.htm

For those that don't want to install some mystery binary named rar, I will attach a test.rar file for testing.

In the test.rar, there are a few binary files, with /dev/urandom data, and a sha256sum file.

To check the integrity of the uncompressed files, use the command:
sha256sum --check test.sha256

Comment 11 PC LX 2017-08-23 13:20:00 CEST
Created attachment 9624
test rar

Comment 12 Lewis Smith 2017-08-24 11:41:27 CEST
Tested Mageia 6 x64 OK

Thank you PC_LX for the very helpful test file, how to use it, & the link to rar (also unrar):
 http://www.rarlab.com/download.htm
That unpacks into a directory rar/ whose important components here are:
- 'rar' [executable] which I put into /usr/local/bin/
- 'rar.txt' which has extensive very good documentation.
Neither command has a man page, but simply typing them naked displays all their options.

For testing, I used the external 'rar' to make an archive 'dessins.rar' of a directory. To control things, I made a cpio archive 'dessins0.cpio' of the same source directory.
-----------------
BEFORE the update
 unrar-5.50-0.beta4.1.mga6.nonfree

1. $ unrar t test.rar           [Test the archive]
UNRAR 5.50 beta 4 freeware      Copyright (c) 1993-2017 Alexander Roshal
Testing archive test.rar
Testing     testrar/test.sha256                                       OK 
Testing     testrar/test_9.bin                                        OK 
...
Testing     testrar/test_0.bin                                        OK 
Testing     testrar                                                   OK
All OK

2. $ unrar x test.rar           [Unpack it]
UNRAR 5.50 beta 4 freeware      Copyright (c) 1993-2017 Alexander Roshal
Extracting from test.rar
Creating    testrar                                                   OK
Extracting  testrar/test.sha256                                       OK 
Extracting  testrar/test_9.bin                                        OK 
...
Extracting  testrar/test_0.bin                                        OK 
All OK

3. $ cd testrar/                  [Verify the unpacked contents]
   $ sha256sum --check test.sha256
test_0.bin: OK
...
test_9.bin: OK
   $ cd ..

4. $ unrar x dessins.rar before/       [Unpack my own test .rar archive]
UNRAR 5.50 beta 4 freeware      Copyright (c) 1993-2017 Alexander Roshal
Extracting from dessins.rar
Extracting  before/2pignons.svg                                       OK 
...
All OK

5. $ cd before/        [Make a cpio archive of the extracted files]
 $ ls -1 | cpio -ov -F dessins1.cpio
...
2922 blocks

6. $ cmp dessins0.cpio before/dessins1.cpio   [Cmp it with the original]
dessins0.cpio before/dessins1.cpio differ: byte 3, line 1
Hmmm...
 $ ls -l dessins0.cpio 
-rw-r--r-- 1 lewis lewis 1496064 Aws  24 10:11 dessins0.cpio
 $ ls -l before/dessins1.cpio 
-rw-r--r-- 1 lewis lewis 1496064 Aws  24 10:28 before/dessins1.cpio
Looks better!
-------------------
 $  rm -rf testrar/      [Remove previous extracted test archive]
-------------------
AFTER the update
 unrar-5.50-1.mga6.nonfree

1. $ unrar t test.rar           [Re-test it]
UNRAR 5.50 beta 6 freeware      Copyright (c) 1993-2017 Alexander Roshal
then same as previously.

2. $ unrar x test.rar           [Unpack it]
UNRAR 5.50 beta 6 freeware      Copyright (c) 1993-2017 Alexander Roshal
then same as previously.

3. $ cd testrar/                  [Verify the unpacked contents]
   $ sha256sum --check test.sha256
...
All OK as previously
   $ cd ..

4. $ unrar x dessins.rar after/   [Unpack my own test archive]
UNRAR 5.50 beta 6 freeware      Copyright (c) 1993-2017 Alexander Roshal
Extracting from dessins.rar
Extracting  after/2pignons.svg                                        OK 
...
same as previously.

5. $ cd after/           [Make a cpio archive of the extracted files]
   $ ls -1 | cpio -ov -F dessins2.cpio
...
2922 blocks
same as previously.

6. $ cmp dessins0.cpio after/dessins2.cpio      [Cmp it with the original]
dessins0.cpio after/dessins2.cpio differ: byte 3, line 1
Hmmm again: but the *same* difference as before the update.
 $ ls -l dessins0.cpio
-rw-r--r-- 1 lewis lewis 1496064 Aws  24 10:11 dessins0.cpio
 $ ls -l after/dessins2.cpio
-rw-r--r-- 1 lewis lewis 1496064 Aws  24 10:48 after/dessins2.cpio
Same as previously.

Update OK! Validating, advisory already done.

Whiteboard: advisory => advisory MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
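
Added example, not part of the original comments: `cmp` on two cpio archives, as in steps 5 and 6 above, can report a difference even when the extracted files are identical, because cpio headers record per-file metadata such as inode numbers and timestamps. The script below compares the two trees by content instead and also lists extracted symlinks that resolve outside the destination, a general check for the directory traversal class named in the advisory (the page does not describe how CVE-2017-12938 is triggered). Function names are illustrative, and GNU coreutils and findutils are assumed.

```shell
#!/bin/sh
# Added example: content-based check of a pack/extract round trip.
# Function names are illustrative; needs find, sort, sha256sum, diff
# and GNU readlink. Typical use after: unrar x archive.rar DST/

# Print "<sha256>  ./<path>" for every regular file under $1, sorted by
# path. Only names and contents are recorded, so timestamps and inode
# numbers cannot cause a mismatch (unlike cmp on two cpio archives).
tree_manifest() (
    cd "$1" || exit 2
    find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
)

# Exit 0 if both trees hold the same files with the same contents;
# otherwise print the differing manifest lines and exit non-zero.
compare_trees() (
    a=$(mktemp) && b=$(mktemp) || exit 2
    rc=0
    tree_manifest "$1" > "$a" || rc=2
    tree_manifest "$2" > "$b" || rc=2
    if [ "$rc" -eq 0 ]; then diff "$a" "$b" || rc=$?; fi
    rm -f "$a" "$b"
    exit "$rc"
)

# List symlinks under $1 that resolve outside $1 (or cannot be
# resolved). After extracting an archive this should print nothing.
escaping_symlinks() (
    root=$(cd "$1" && pwd -P) || exit 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f -- "$link") || target="(unresolvable)"
        case "$target" in
            "$root" | "$root"/*) ;;
            *) printf '%s -> %s\n' "${link#"$root"/}" "$target" ;;
        esac
    done
)

# Stand-alone use: sh roundtrip-check.sh SRC_DIR EXTRACTED_DIR
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2" || exit 1
    bad=$(escaping_symlinks "$2")
    [ -z "$bad" ] || { printf '%s\n' "$bad"; exit 1; }
fi
```

Empty directories and file permissions are not compared; only regular-file contents and symlink targets are checked.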

Comment 13 Nicolas Lécureuil 2017-08-24 14:29:38 CEST
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs… (6/core/unrar-5.50-1.mga6)


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 14 David Walser 2017-08-24 14:34:43 CEST
Lewis, please fix the unrar advisories in SVN.  The unrar packages are in nonfree, not core.

Lewis Smith 2017-08-24 21:25:18 CEST

Keywords: (none) => validated_update

Comment 15 Mageia Robot 2017-08-24 23:19:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0304.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

