Bug 21650 - libzip new security issue CVE-2017-14107
Summary: libzip new security issue CVE-2017-14107
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Reported: 2017-09-01 03:35 CEST by David Walser
Modified: 2018-01-02 16:03 CET
Source RPM: libzip-1.1.3-1.mga6.src.rpm

Description David Walser 2017-09-01 03:35:41 CEST
Fedora has issued an advisory today (August 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5U7FN2GZ6AC4Q6E34EZ43WS3S6AVG645/

Mageia 6 is also affected. Mageia 5 may be as well.

David Walser 2017-09-01 03:35:55 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-09-01 12:30:15 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2017-09-03 15:07:25 CEST
More info:
http://openwall.com/lists/oss-security/2017/09/02/2

Another security issue fixed upstream in libzip has also been announced:
http://openwall.com/lists/oss-security/2017/09/02/1

The messages above contain commit links for fixes, and the issues were also fixed in 1.3.0.

Summary: libzip new security issue CVE-2017-12858 => libzip new security issue CVE-2017-12858 and CVE-2017-14107

Comment 3 Nicolas Lécureuil 2017-09-04 00:21:41 CEST
I added a patch in mga6 to fix 21650 - CVE-2017-14107 (comment #2).

I don't pass to do a patch for CVE-2017-12858

CC: (none) => mageia

Comment 4 David Walser 2017-09-04 17:31:37 CEST
Updating to 1.3.0 should be fine.

Comment 5 Nicolas Lécureuil 2017-09-04 17:48:17 CEST
Major is increased, so we will have to rebuild packages.

Comment 6 David Walser 2017-09-04 18:05:43 CEST
Well that's unfortunate. At least there aren't that many. On Mageia 5 I see amftools, ds9, ebook-tools, mysql-workbench, php, repsnapper, subsurface, and yainstall.

Comment 8 David Walser 2017-09-22 18:55:55 CEST
openSUSE has issued an advisory for CVE-2017-14107 today (September 22):
https://lists.opensuse.org/opensuse-updates/2017-09/msg00096.html

They patched the same version that we have in Mageia 5.

José Jorge 2017-09-22 19:01:51 CEST

Assignee: pkg-bugs => lists.jjorge
CC: (none) => lists.jjorge

José Jorge 2017-09-22 19:05:17 CEST

Assignee: lists.jjorge => bugsquad

José Jorge 2017-09-22 19:05:42 CEST

Assignee: bugsquad => pkg-bugs

José Jorge 2017-09-22 19:05:53 CEST

CC: lists.jjorge => (none)

Comment 9 David Walser 2017-12-28 20:26:02 CET
CVE-2017-12858 only affected 1.2.0.

Advisory:
========================

Updated libzip packages fix security vulnerability:

The _zip_read_eocd64 function mishandled EOCD records, which allowed remote
attackers to cause a denial of service (memory allocation failure in
_zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive (CVE-2017-14107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14107
https://lists.opensuse.org/opensuse-updates/2017-09/msg00096.html
========================

Updated packages in core/updates_testing:
========================
libzip-0.11.2-4.1.mga5
libzip2-0.11.2-4.1.mga5
libzip-devel-0.11.2-4.1.mga5
libzip-1.1.3-1.1.mga6
libzip4-1.1.3-1.1.mga6
libzip-devel-1.1.3-1.1.mga6

from SRPMS:
libzip-0.11.2-4.1.mga5.src.rpm
libzip-1.1.3-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Summary: libzip new security issue CVE-2017-12858 and CVE-2017-14107 => libzip new security issue CVE-2017-14107
Assignee: pkg-bugs => qa-bugs
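
The advisory in comment 9 describes mishandled EOCD records leading to a memory allocation failure. The following C code is an added example, not code from this bug report or from libzip and not the upstream patch: it applies generic consistency checks to a ZIP64 end-of-central-directory record before its entry count is trusted. The names `eocd64_check` and `eocd64_build` are hypothetical, the field offsets follow the ZIP APPNOTE, and the sample record is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EOCD64_LEN  56u  /* fixed part of the record, per the ZIP APPNOTE */
#define CDENTRY_MIN 46u  /* fixed part of one central directory header */
static const uint8_t EOCD64_MAGIC[4] = { 'P', 'K', 0x06, 0x06 };
enum eocd64_status { EOCD64_OK, EOCD64_SHORT, EOCD64_BAD_MAGIC,
                     EOCD64_CDIR_PAST_EOCD, EOCD64_TOO_MANY_ENTRIES };

static uint64_t get_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void put_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}

/* rec: candidate record, avail: bytes readable there, eocd_off: its file offset. */
enum eocd64_status eocd64_check(const uint8_t *rec, size_t avail, uint64_t eocd_off) {
    if (avail < EOCD64_LEN) return EOCD64_SHORT;
    if (memcmp(rec, EOCD64_MAGIC, 4) != 0) return EOCD64_BAD_MAGIC;
    uint64_t nentry = get_le64(rec + 32);  /* total number of entries */
    uint64_t size   = get_le64(rec + 40);  /* central directory size */
    uint64_t offset = get_le64(rec + 48);  /* central directory offset */
    /* Require offset + size <= eocd_off, written so the sum cannot wrap. */
    if (size > eocd_off || offset > eocd_off - size) return EOCD64_CDIR_PAST_EOCD;
    /* Each entry needs at least CDENTRY_MIN bytes of directory data. */
    if (nentry > size / CDENTRY_MIN) return EOCD64_TOO_MANY_ENTRIES;
    return EOCD64_OK;
}

/* Hypothetical helper: builds a constructed sample record, other fields zero. */
void eocd64_build(uint8_t out[EOCD64_LEN], uint64_t nentry, uint64_t size, uint64_t offset) {
    memset(out, 0, EOCD64_LEN);
    memcpy(out, EOCD64_MAGIC, 4);
    put_le64(out + 4, EOCD64_LEN - 12);  /* record size excludes the first 12 bytes */
    put_le64(out + 32, nentry);
    put_le64(out + 40, size);
    put_le64(out + 48, offset);
}

int main(void) {
    uint8_t rec[EOCD64_LEN];
    eocd64_build(rec, UINT64_C(0xFFFFFFFFFFFF), 92, 100);  /* constructed: huge entry count */
    printf("status=%d\n", (int)eocd64_check(rec, sizeof rec, 192));
    return 0;
}
```

A parser that sizes its directory array from the entry count only after a check of this kind passes cannot be asked for more entries than the directory bytes could hold.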

Comment 10 Lewis Smith 2017-12-30 12:01:19 CET
To prioritise.
Comment 11 Brian Rockwell 2017-12-31 01:41:48 CET
The following 2 packages are going to be installed:

- lib64zip4-1.1.3-1.1.mga6.x86_64
- libzip-1.1.3-1.1.mga6.x86_64

160KB of additional disk space will be used.

79KB of packages will be retrieved.

Is it ok to continue?


--- 

It adds a utility called ziptool

$ ziptool -n brian.zip add_file brian brian.txt 0 16

I’m able to open the resulting zip file and its content


$ uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

CC: (none) => brtians1
Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok

Dave Hodgins 2018-01-01 07:26:14 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 12 Herman Viaene 2018-01-01 11:43:22 CET
I find no trace of this ziptool in the M5 packages???

CC: (none) => herman.viaene

Comment 13 Herman Viaene 2018-01-01 12:00:07 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
I have a Documenten.orig folder which is largely the same as Documenten. So at CLI:
$ pwd
/home/tester5/Documenten
$  zip ziptest.orig ../Documenten.orig/*
  adding: ../Documenten.orig/christusv.dvi (deflated 24%)
  adding: ../Documenten.orig/christusv.log (deflated 86%)
  adding: ../Documenten.orig/christusv.tex (deflated 50%)
  adding: ../Documenten.orig/kursustekstorig.pdf (deflated 27%)
  adding: ../Documenten.orig/kursustekst.pdf (deflated 32%)
  adding: ../Documenten.orig/kursustekst.ps (deflated 28%)
  adding: ../Documenten.orig/memcac.php (deflated 15%)
  adding: ../Documenten.orig/phpmail (deflated 59%)
  adding: ../Documenten.orig/phpmailer.php (deflated 59%)
  adding: ../Documenten.orig/pvrtccompressor/ (stored 0%)
$  zip ziptest *
  adding: christusv.dvi (deflated 24%)
  adding: christusv.log (deflated 86%)
  adding: christusv.tex (deflated 50%)
  adding: kurstext.txt (deflated 72%)
  adding: kursustekstorig.pdf (deflated 27%)
  adding: kursustekst.pdf (deflated 32%)
  adding: kursustekst.ps (deflated 28%)
  adding: memcac.php (deflated 15%)
  adding: phpmail (deflated 59%)
  adding: phpmailer.php (deflated 59%)
  adding: rubyexample.rb (deflated 11%)
  adding: ziptest.orig (deflated 0%)
The zipcmp command is in libzip.
$ zipcmp ziptest.orig ziptest.zip 
--- ziptest.orig
+++ ziptest.zip
-        400 6ed0f700 ../Documenten.orig/christusv.dvi
-       4113 ff7b5ebb ../Documenten.orig/christusv.log
-        738 a961c97e ../Documenten.orig/christusv.tex
-    1642925 09d5d594 ../Documenten.orig/kursustekst.pdf
-   11698263 11c530ea ../Documenten.orig/kursustekst.ps
-    2101900 3244c1ca ../Documenten.orig/kursustekstorig.pdf
-        147 35e18764 ../Documenten.orig/memcac.php
-       2078 e24b3a7d ../Documenten.orig/phpmail
-       2020 3d7e6867 ../Documenten.orig/phpmailer.php
-          0 00000000 ../Documenten.orig/pvrtccompressor/
+        400 6ed0f700 christusv.dvi
+       4113 ff7b5ebb christusv.log
+        738 a961c97e christusv.tex
+     181767 18b65442 kurstext.txt
+    1642925 09d5d594 kursustekst.pdf
+   11698263 11c530ea kursustekst.ps
+    2101900 3244c1ca kursustekstorig.pdf
+        147 35e18764 memcac.php
+       2078 e24b3a7d phpmail
+       2020 3d7e6867 phpmailer.php
+         65 aafb3a18 rubyexample.rb
+   11089488 e39e3006 ziptest.orig
Looks OK

Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO MGA6-64-OK MGA5-32-OK

Comment 14 Lewis Smith 2018-01-02 13:42:56 CET
Validating as this has OKs for both releases & both architectures.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 15 Mageia Robot 2018-01-02 16:03:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0020.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

