A CVE has been issued for a security issue in unrar: http://openwall.com/lists/oss-security/2017/08/18/2 The issue is fixed upstream in 5.5.7. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
And now there are three more CVEs: http://openwall.com/lists/oss-security/2017/08/18/6
Summary: unrar new security issue CVE-2017-12938 => unrar new security issues CVE-2017-12938 and CVE-2017-1294[0-2]
Blocks: (none) => 21134
Assignee: bugsquad => anssi.hannula
CC: (none) => marja11
pushed in updates_testing:
src.rpm:
unrar-5.50-0.beta4.1.1.mga5
unrar-5.50-0.beta4.1.1.mga6
Version: Cauldron => 6
CC: (none) => mageia
Assignee: anssi.hannula => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Advisory:
========================

Updated unrar package fixes security vulnerabilities:

Directory traversal issue in UnRAR before 5.5.7 (CVE-2017-12938).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the EncodeFileName::Decode call within the Archive::ReadHeader15 function (CVE-2017-12940).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpack::Unpack20 function (CVE-2017-12941).

libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ function (CVE-2017-12942).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12942
http://openwall.com/lists/oss-security/2017/08/18/2
http://openwall.com/lists/oss-security/2017/08/18/6
========================

Updated packages in core/updates_testing:
========================
unrar-5.50-0.beta4.1.1.mga5
unrar-5.50-0.beta4.1.1.mga6

from SRPMS:
unrar-5.50-0.beta4.1.1.mga5.src.rpm
unrar-5.50-0.beta4.1.1.mga6.src.rpm
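The advisory above lists a directory-traversal fix and out-of-bounds reads in header parsing (the file-name decode inside Archive::ReadHeader15). As an added example, not UnRAR's or Mageia's code, the Python below walks RAR 4.x block headers with explicit bounds checks and refuses member names that would escape the extraction directory, which is the caller-side check a pre-5.5.7 unrar would not have made for you. The small archive builder exists only to construct test input inline; the HEAD_CRC rule it shares with the parser (low 16 bits of CRC-32 over the header after the CRC field), the Unix host/attribute constants, and the entry names are assumptions, and compressed entries and the encoded Unicode name variant are out of scope.

```python
# Added example, not UnRAR code: walk RAR 4.x block headers with explicit bounds checks and
# refuse member paths that escape the extraction directory. Field layout follows the RAR 4
# technote; the HEAD_CRC rule (low 16 bits of CRC-32 over the header after the CRC field)
# is an assumption that the builder and the parser below apply consistently.
import os
import struct
import tempfile
import zlib

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE, HEAD_ENDARC = 0x73, 0x74, 0x7B
LONG_BLOCK, LHD_LARGE, LHD_UNICODE = 0x8000, 0x100, 0x200
FILE_FMT = "<IIBIIBBHI"  # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
FILE_LEN = 7 + struct.calcsize(FILE_FMT)  # 32 bytes precede the file name

def head_crc(head_after_crc):
    return zlib.crc32(head_after_crc) & 0xFFFF

def build_block(htype, flags, body, data=b""):
    head = struct.pack("<BHH", htype, flags, 7 + len(body)) + body
    return struct.pack("<H", head_crc(head)) + head + data

def build_rar4(entries):
    """Constructed archive of stored (method 0x30) entries; not produced by rar."""
    out = bytearray(RAR4_MAGIC) + build_block(HEAD_MAIN, 0, struct.pack("<HI", 0, 0))
    for name, data in entries:
        raw = name.encode()
        body = struct.pack(FILE_FMT, len(data), len(data), 3, zlib.crc32(data), 0, 29, 0x30, len(raw), 0o644)
        out += build_block(HEAD_FILE, LONG_BLOCK, body + raw, data)
    return bytes(out + build_block(HEAD_ENDARC, 0, b""))

def iter_blocks(buf):  # yields (type, flags, header, data); every size is validated before use
    if not buf.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR 4.x archive")
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(buf):
        crc, htype, flags, hsize = struct.unpack_from("<HBHH", buf, pos)
        if hsize < 7 or pos + hsize > len(buf):
            raise ValueError("HEAD_SIZE runs past end of archive")
        if head_crc(buf[pos + 2:pos + hsize]) != crc:
            raise ValueError("header CRC mismatch")
        add = 0
        if flags & LONG_BLOCK:  # ADD_SIZE (PACK_SIZE for file headers) follows the 7-byte base
            add = struct.unpack_from("<I", buf, pos + 7)[0] if hsize >= 11 else -1
            if add < 0 or pos + hsize + add > len(buf):
                raise ValueError("block data runs past end of archive")
        yield htype, flags, buf[pos:pos + hsize], buf[pos + hsize:pos + hsize + add]
        if htype == HEAD_ENDARC:
            return
        pos += hsize + add

def file_entry(flags, header):
    """Name, unpacked size and CRC from a file header; the name must lie inside HEAD_SIZE."""
    if len(header) < FILE_LEN:
        raise ValueError("file header too short")
    _pack, unp, _host, crc, _time, _ver, _method, name_size, _attr = struct.unpack_from(FILE_FMT, header, 7)
    off = FILE_LEN + (8 if flags & LHD_LARGE else 0)  # 64-bit size extension precedes the name
    if off + name_size > len(header):  # the unchecked-read class the advisory lists for ReadHeader15
        raise ValueError("NAME_SIZE exceeds HEAD_SIZE")
    raw = header[off:off + name_size]
    if flags & LHD_UNICODE and b"\0" in raw:  # "8-bit name\0encoded Unicode name"; decoder omitted
        raw = raw.split(b"\0", 1)[0]
    return raw.decode("utf-8", "replace"), unp, crc

def is_unsafe_path(name):
    p = name.replace("\\", "/")
    return p.startswith("/") or (len(p) > 1 and p[1] == ":") or ".." in p.split("/")

def audit_names(buf):  # [(name, unsafe)] for each file entry, computed before anything is written
    names = [file_entry(f, h)[0] for t, f, h, _ in iter_blocks(buf) if t == HEAD_FILE]
    return [(n, is_unsafe_path(n)) for n in names]

def extract_stored(buf, dest):
    """Write stored entries under dest; a traversal name or size/CRC mismatch aborts extraction."""
    root = os.path.realpath(dest)
    written = []
    for htype, flags, header, data in iter_blocks(buf):
        if htype != HEAD_FILE:
            continue
        name, unp, crc = file_entry(flags, header)
        target = os.path.realpath(os.path.join(root, name))
        if is_unsafe_path(name) or os.path.commonpath([root, target]) != root:
            raise ValueError(f"refusing {name!r}: escapes {root}")
        if len(data) != unp or zlib.crc32(data) != crc:
            raise ValueError(f"size/CRC mismatch for {name!r}")
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(name)
    return written

def run_demo():
    """Constructed archives: one benign, one with traversal names, one truncated mid-header."""
    good = build_rar4([("testrar/test.sha256", b"abc\n"), ("testrar/test_0.bin", bytes(range(16)))])
    evil = build_rar4([("../../etc/evil", b"x"), ("/etc/passwd", b"y")])
    res = {"good": audit_names(good), "evil": audit_names(evil)}
    res["written"] = extract_stored(good, tempfile.mkdtemp())
    for key, blob in (("evil_refused", evil), ("truncated_refused", good[:30])):
        try:
            extract_stored(blob, tempfile.mkdtemp())
            res[key] = False
        except ValueError:
            res[key] = True
    return res
```

Two points are worth noting. The name check is done on the string before any filesystem call, and then repeated on the resolved path with `os.path.commonpath`, so a symlinked destination cannot turn a "safe" name into an escape. Every header field that drives a read (HEAD_SIZE, ADD_SIZE, NAME_SIZE) is compared against the buffer or header length before it is used, which is the discipline the out-of-bounds-read fixes in 5.5.7 restore inside the library itself.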
(In reply to Nicolas Lécureuil from comment #2)
> pushed in updates_testing:
> src.rpm:
> unrar-5.50-0.beta4.1.1.mga5
> unrar-5.50-0.beta4.1.1.mga6

FYI, unrar 5.50 is no longer in beta state: http://www.rarlab.com/rarnew.htm
And the output of unrar confirms this.
Installed and tested without issues.

Tested on a bunch of years old and more recent rar files. Also tested by compressing a directory, decompressing and then comparing.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q unrar
unrar-5.50-0.beta4.1.1.mga5.nonfree
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK advisory
Please test with the new version number; this is not a beta anymore, so I just upgraded the release.
Installed and tested without issues.

I used the following commands to test unrar.

find ~/ -ipath '*.rar' -exec unrar t '{}' ';'

RAR=~/tmp/test.rar ; SRC=~/tmp/test1/ ; DST=~/tmp/test2/ ; cd "$SRC" ; rar a "$RAR" ./ ; mkdir -p "$DST" ; cd "$DST" ; unrar x "$RAR" ./ ; diff -r "$SRC" "$DST"

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q unrar
unrar-5.50-1.mga5
Moving Mageia 5 to Bug 21134 as there's another CVE fixed there.

Mageia 6 update is now:
unrar-5.50-1.mga6 from unrar-5.50-1.mga6.src.rpm
Whiteboard: MGA5TOO MGA5-64-OK advisory => (none)
Whiteboard: (none) => advisory
@PC_LX Thank you for your Mageia 5 tests and command examples. Willing to test this M6/64, but baffled by how to produce a .rar file. I cannot find 'rar' at all... [implied by your comments 5 & 7]. If we do not offer rar for M6, perhaps you could please add a .rar file attachment to this bug to play with.
The rar binary can be fetched from: http://www.rarlab.com/download.htm

For those that don't want to install some mystery binary named rar, I will attach a test.rar file for testing. In the test.rar, there are a few binary files, with /dev/urandom data, and a sha256sum file. To check the integrity of the uncompressed files, use the command:

sha256sum --check test.sha256
Created attachment 9624: test rar
Tested Mageia 6 x64 OK

Thank you PX_LX for the very helpful test file, how to use it, & the link to rar (also unrar): http://www.rarlab.com/download.htm
That unpacks into a directory rar/ whose important components here are:
- 'rar' [executable] which I put into /usr/local/bin/
- 'rar.txt' which has extensive very good documentation.
Neither command has a man page, but simply typing them naked displays all their options.

For testing, I used the external 'rar' to make an archive 'dessins.rar' of a directory. To control things, I made a cpio archive 'dessins0.cpio' of the same source directory.

-----------------
BEFORE the update unrar-5.50-0.beta4.1.mga6.nonfree

1. $ unrar t test.rar [Test the archive]
UNRAR 5.50 beta 4 freeware Copyright (c) 1993-2017 Alexander Roshal
Testing archive test.rar
Testing testrar/test.sha256 OK
Testing testrar/test_9.bin OK
...
Testing testrar/test_0.bin OK
Testing testrar OK
All OK

2. $ unrar x test.rar [Unpack it]
UNRAR 5.50 beta 4 freeware Copyright (c) 1993-2017 Alexander Roshal
Extracting from test.rar
Creating testrar OK
Extracting testrar/test.sha256 OK
Extracting testrar/test_9.bin OK
...
Extracting testrar/test_0.bin OK
All OK

3. $ cd testrar/ [Verify the unpacked contents]
$ sha256sum --check test.sha256
test_0.bin: OK
...
test_9.bin: OK
$ cd ..

4. $ unrar x dessins.rar before/ [Unpack my own test .rar archive]
UNRAR 5.50 beta 4 freeware Copyright (c) 1993-2017 Alexander Roshal
Extracting from dessins.rar
Extracting before/2pignons.svg OK
...
All OK

5. $ cd before/ [Make a cpio archive of the extracted files]
$ ls -1 | cpio -ov -F dessins1.cpio
...
2922 blocks

6. $ cmp dessins0.cpio before/dessins1.cpio [Cmp it with the original]
dessins0.cpio before/dessins1.cpio differ: byte 3, line 1
Hmmm...
$ ls -l dessins0.cpio
-rw-r--r-- 1 lewis lewis 1496064 Aws 24 10:11 dessins0.cpio
$ ls -l before/dessins1.cpio
-rw-r--r-- 1 lewis lewis 1496064 Aws 24 10:28 before/dessins1.cpio
Looks better!

-------------------
$ rm -rf testrar/ [Remove previous extracted test archive]
-------------------
AFTER the update unrar-5.50-1.mga6.nonfree

1. $ unrar t test.rar [Re-test it]
UNRAR 5.50 beta 6 freeware Copyright (c) 1993-2017 Alexander Roshal
then same as previously.

2. $ unrar x test.rar [Unpack it]
UNRAR 5.50 beta 6 freeware Copyright (c) 1993-2017 Alexander Roshal
then same as previously.

3. $ cd testrar/ [Verify the unpacked contents]
$ sha256sum --check test.sha256
...
All OK as previously
$ cd ..

4. $ unrar x dessins.rar after/ [Unpack my own test archive]
UNRAR 5.50 beta 6 freeware Copyright (c) 1993-2017 Alexander Roshal
Extracting from dessins.rar
Extracting after/2pignons.svg OK
...
same as previously.

5. $ cd after/ [Make a cpio archive of the extracted files]
$ ls -1 | cpio -ov -F dessins2.cpio
...
2922 blocks
same as previously.

6. $ cmp dessins0.cpio after/dessins2.cpio [Cmp it with the original]
dessins0.cpio after/dessins2.cpio differ: byte 3, line 1
Hmmm again: but the *same* difference as before the update.
$ ls -l dessins0.cpio
-rw-r--r-- 1 lewis lewis 1496064 Aws 24 10:11 dessins0.cpio
$ ls -l after/dessins2.cpio
-rw-r--r-- 1 lewis lewis 1496064 Aws 24 10:48 after/dessins2.cpio
Same as previously.

Update OK! Validating, advisory already done.
Whiteboard: advisory => advisory MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update ID assignment failed
Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs… (6/core/unrar-5.50-1.mga6)
'validated_update' keyword reset.
Keywords: validated_update => (none)
Lewis, please fix the unrar advisories in SVN. The unrar packages are in nonfree, not core.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0304.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED