Fedora has issued an advisory today (August 31): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5U7FN2GZ6AC4Q6E34EZ43WS3S6AVG645/ Mageia 6 is also affected. Mageia 5 may be as well.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
More info: http://openwall.com/lists/oss-security/2017/09/02/2 Another security issue fixed upstream in libzip has also been announced: http://openwall.com/lists/oss-security/2017/09/02/1 The messages above contain commit links for fixes, and the issues were also fixed in 1.3.0.
Summary: libzip new security issue CVE-2017-12858 => libzip new security issue CVE-2017-12858 and CVE-2017-14107
i added a patch in mga6 to fix 21650 - CVE-2017-14107 ( comment #2 ). I don't pass to do a patch for CVE-2017-12858
CC: (none) => mageia
Updating to 1.3.0 should be fine.
major is increased so we will have to rebuild packages
Well that's unfortunate. At least there aren't that many. On Mageia 5 I see amftools, ds9, ebook-tools, mysql-workbench, php, repsnapper, subsurface, and yainstall.
Fedora has issued advisories for this on September 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSWGXFUKXQMEWTXGHKJPX34G4X5F3FRO/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QRCEUPQSAGAC63E4H52XCXTI6464JS2F/ In the second one, they patched CVE-2017-12858, so we can steal their patch.
openSUSE has issued an advisory for CVE-2017-14107 today (September 22): https://lists.opensuse.org/opensuse-updates/2017-09/msg00096.html They patched the same version that we have in Mageia 5.
Assignee: pkg-bugs => lists.jjorgeCC: (none) => lists.jjorge
Assignee: lists.jjorge => bugsquad
Assignee: bugsquad => pkg-bugs
CC: lists.jjorge => (none)
CVE-2017-12858 only affected 1.2.0. Advisory: ======================== Updated libzip packages fix security vulnerability: The _zip_read_eocd64 function mishandled EOCD records, which allowed remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive (CVE-2017-14107). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14107 https://lists.opensuse.org/opensuse-updates/2017-09/msg00096.html ======================== Updated packages in core/updates_testing: ======================== libzip-0.11.2-4.1.mga5 libzip2-0.11.2-4.1.mga5 libzip-devel-0.11.2-4.1.mga5 libzip-1.1.3-1.1.mga6 libzip4-1.1.3-1.1.mga6 libzip-devel-1.1.3-1.1.mga6 from SRPMS: libzip-0.11.2-4.1.mga5.src.rpm libzip-1.1.3-1.1.mga6.src.rpm
Version: Cauldron => 6Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOSummary: libzip new security issue CVE-2017-12858 and CVE-2017-14107 => libzip new security issue CVE-2017-14107Assignee: pkg-bugs => qa-bugs
To prioritise.
The following 2 packages are going to be installed: - lib64zip4-1.1.3-1.1.mga6.x86_64 - libzip-1.1.3-1.1.mga6.x86_64 160KB of additional disk space will be used. 79KB of packages will be retrieved. Is it ok to continue? --- it adds utility called ziptool $ ziptool -n brian.zip add_file brian brian.txt 0 16 I’m able to open the resulting zip file and it’s content $ uname -a Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
CC: (none) => brtians1Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok
CC: (none) => davidwhodginsKeywords: (none) => advisory
I find no trace of this ziptool in the M5 packages???
CC: (none) => herman.viaene
MGA5-32 on Dell Latitude D600 Xfce No installation issues I have a Documenten.orig folder which is largely the same as Documenten. So at CLI: $ pwd /home/tester5/Documenten $ zip ziptest.orig ../Documenten.orig/* adding: ../Documenten.orig/christusv.dvi (deflated 24%) adding: ../Documenten.orig/christusv.log (deflated 86%) adding: ../Documenten.orig/christusv.tex (deflated 50%) adding: ../Documenten.orig/kursustekstorig.pdf (deflated 27%) adding: ../Documenten.orig/kursustekst.pdf (deflated 32%) adding: ../Documenten.orig/kursustekst.ps (deflated 28%) adding: ../Documenten.orig/memcac.php (deflated 15%) adding: ../Documenten.orig/phpmail (deflated 59%) adding: ../Documenten.orig/phpmailer.php (deflated 59%) adding: ../Documenten.orig/pvrtccompressor/ (stored 0%) $ zip ziptest * adding: christusv.dvi (deflated 24%) adding: christusv.log (deflated 86%) adding: christusv.tex (deflated 50%) adding: kurstext.txt (deflated 72%) adding: kursustekstorig.pdf (deflated 27%) adding: kursustekst.pdf (deflated 32%) adding: kursustekst.ps (deflated 28%) adding: memcac.php (deflated 15%) adding: phpmail (deflated 59%) adding: phpmailer.php (deflated 59%) adding: rubyexample.rb (deflated 11%) adding: ziptest.orig (deflated 0%) the zipcmp command is in libzip $ zipcmp ziptest.orig ziptest.zip --- ziptest.orig +++ ziptest.zip - 400 6ed0f700 ../Documenten.orig/christusv.dvi - 4113 ff7b5ebb ../Documenten.orig/christusv.log - 738 a961c97e ../Documenten.orig/christusv.tex - 1642925 09d5d594 ../Documenten.orig/kursustekst.pdf - 11698263 11c530ea ../Documenten.orig/kursustekst.ps - 2101900 3244c1ca ../Documenten.orig/kursustekstorig.pdf - 147 35e18764 ../Documenten.orig/memcac.php - 2078 e24b3a7d ../Documenten.orig/phpmail - 2020 3d7e6867 ../Documenten.orig/phpmailer.php - 0 00000000 ../Documenten.orig/pvrtccompressor/ + 400 6ed0f700 christusv.dvi + 4113 ff7b5ebb christusv.log + 738 a961c97e christusv.tex + 181767 18b65442 kurstext.txt + 1642925 09d5d594 kursustekst.pdf + 11698263 11c530ea kursustekst.ps + 2101900 3244c1ca kursustekstorig.pdf + 147 35e18764 memcac.php + 2078 e24b3a7d phpmail + 2020 3d7e6867 phpmailer.php + 65 aafb3a18 rubyexample.rb + 11089488 e39e3006 ziptest.orig Looks OK
Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO MGA6-64-OK MGA5-32-OK
Validating as this has OKs for both releases & both architectures.
Keywords: (none) => validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0020.html
Status: NEW => RESOLVEDResolution: (none) => FIXED