Fedora has issued an advisory on February 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5NI6QBHJA6ZI7AYP4BYGADTML3F2LNO/ Mageia 5 and Mageia 6 may also be affected.
Whiteboard: (none) => MGA6TOO
Note that it may be that only 0.13.67 is affected, but it's not entirely clear. There is a PoC linked from the upstream bug that confirms one way or another: https://github.com/gdraheim/zziplib/issues/12 It should cause a segfault if vulnerable, so it should be pretty easy to test.
Status comment: (none) => We may not be vulnerable, but a PoC is available to test
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => mageia
Fedora has issued an advisory on February 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T5F2Q7GQYRYWHMTEF2OKBIHBBFV6SZBY/ Two more CVEs, also minor issues. Fixed upstream in 0.13.68.
Summary: zziplib new security issue CVE-2018-6381 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6869
openSUSE has issued an advisory on February 28: https://lists.opensuse.org/opensuse-updates/2018-02/msg00110.html It fixes one additional issue, which openSUSE has a patch for.
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6869 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869
openSUSE has issued an advisory today (April 13): https://lists.opensuse.org/opensuse-updates/2018-04/msg00031.html It fixes two additional issues.
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869, CVE-2018-772[56]
openSUSE has issued an advisory today (June 7): https://lists.opensuse.org/opensuse-updates/2018-06/msg00017.html It fixes one additional issue.
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869, CVE-2018-772[56] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[02], CVE-2018-6869, CVE-2018-772[56]
Ubuntu has issued an advisory for this today (July 3): https://usn.ubuntu.com/3699-1/ It fixes one additional issue.
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[02], CVE-2018-6869, CVE-2018-772[56] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[56]
Fedora has issued an advisory on July 31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I6J523IVLVVPUEHRDYT54A5QOKM5XVTO/ It says 0.13.69 fixes all known CVEs.
Fedora advisory from September 13, same deal as Comment 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MKVLTCQZTM4IO2OP63CRKPLX6NQKLQ2O/ It also lists a new CVE.
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[56] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7]
openSUSE has issued an advisory today (October 23): https://lists.opensuse.org/opensuse-updates/2018-10/msg00130.html It fixes a new issue.
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-17828
All CVEs should be fixed for Cauldron!
CC: (none) => geiger.david68210
zziplib-0.13.69-1.mga7 has patches for CVE-2018-16548 and CVE-2018-17828.
Whiteboard: MGA6TOO => (none)
Status comment: We may not be vulnerable, but a PoC is available to test => Mostly fixed in 0.13.69 with patches available for the rest
Version: Cauldron => 6
So now fixed for mga6 too!
Advisory:
========================

Updated zziplib packages fix security vulnerabilities:

In ZZIPlib 0.13.67, there is a segmentation fault caused by invalid memory access in the zzip_disk_fread function (zzip/mmapped.c) because the size variable is not validated against the amount of file->stored data (CVE-2018-6381).

An unaligned memory access bug was found in the way ZZIPlib handled ZIP files. This flaw could potentially be used to crash the application using ZZIPlib by tricking the application into processing specially crafted ZIP files (CVE-2018-6484).

In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address in the zzip_disk_findfirst function of zzip/mmapped.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file (CVE-2018-6540).

A flaw was found in ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address (when handling disk64_trailer local entries) in __zzip_fetch_disk_trailer (zzip/zip.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file (CVE-2018-6541).

In ZZIPlib 0.13.67, there is a bus error (when handling a disk64_trailer seek value) caused by loading of a misaligned address in the zzip_disk_findfirst function of zzip/mmapped.c (CVE-2018-6542).

An uncontrolled memory allocation was found in ZZIPlib that could lead to a crash in the __zzip_parse_root_directory function of zzip/zip.c if the package is compiled with Address Sanitizer. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file (CVE-2018-6869).

An out of bounds read was found in function zzip_disk_fread of ZZIPlib, up to 0.13.68, when ZZIPlib mem_disk functionality is used. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file (CVE-2018-7725).

An improper input validation was found in function __zzip_fetch_disk_trailer of ZZIPlib, up to 0.13.68, that could lead to a crash in __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file (CVE-2018-7726).

A memory leak was found in unzip-mem.c and unzzip-mem.c of ZZIPlib, up to v0.13.68, that could lead to resource exhaustion. Local attackers could leverage this vulnerability to cause a denial of service via a crafted zip file (CVE-2018-7727).

An issue was discovered in ZZIPlib through 0.13.69. There is a memory leak triggered in the function __zzip_parse_root_directory in zip.c, which could lead to a denial of service attack (CVE-2018-16548).

A flaw was found in ZZIPlib 0.13.69. A directory traversal vulnerability allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file (CVE-2018-17828).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17828
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5NI6QBHJA6ZI7AYP4BYGADTML3F2LNO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T5F2Q7GQYRYWHMTEF2OKBIHBBFV6SZBY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I6J523IVLVVPUEHRDYT54A5QOKM5XVTO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MKVLTCQZTM4IO2OP63CRKPLX6NQKLQ2O/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16548
https://lists.opensuse.org/opensuse-updates/2018-02/msg00110.html
https://lists.opensuse.org/opensuse-updates/2018-06/msg00017.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00130.html
========================

Updated packages in core/updates_testing:
========================
zziplib-utils-0.13.69-1.mga6
libzziplib-0_13-0.13.69-1.mga6
libzziplib-devel-0.13.69-1.mga6

from zziplib-0.13.69-1.mga6.src.rpm
Status comment: Mostly fixed in 0.13.69 with patches available for the rest => (none)
CC: (none) => mageia
Assignee: mageia => qa-bugs
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-17828 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-16548, CVE-2018-17828
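The advisory above groups the fixed bugs into three classes: length fields trusted without being checked against the bytes actually mapped (CVE-2018-6381, CVE-2018-7725, CVE-2018-7726), multi-byte fields loaded through a pointer at a misaligned address in the mapped archive (CVE-2018-6484, CVE-2018-654[0-2]), and member names containing ".." used to write outside the extraction directory (CVE-2018-17828). The following is an added, stand-alone example written for this page; it is not zziplib code and does not reproduce the upstream patches. It parses one constructed ZIP local file header from an in-memory buffer the way a hardened mmapped reader would: every length field is bounded by the buffer size before it is used, little-endian fields are assembled byte by byte so no load ever requires alignment, and the member name is rejected if it is absolute or contains a ".." component. The disk_t/entry_t types, the function names and the sample bytes are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for a mapped archive and one member (assumed types). */
typedef struct { const unsigned char *buf; size_t len; } disk_t;
typedef struct { size_t data_off; size_t stored; size_t pos; } entry_t;

/* Byte-wise little-endian loads: safe at any address, so a header that
 * happens to sit at an odd offset in the mapping cannot raise SIGBUS. */
static uint16_t read_le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

#define LOCAL_SIG 0x04034b50u   /* "PK\3\4" */
#define LOCAL_HDR_LEN 30

/* Parse the local file header at `off`. Each claimed length is checked
 * against the bytes really present before it is trusted. Returns 0 on
 * success, -1 for a truncated, inconsistent or unsupported header. */
static int parse_local_header(const disk_t *d, size_t off, entry_t *e,
                              char *name, size_t namecap)
{
    if (off > d->len || d->len - off < LOCAL_HDR_LEN) return -1;
    const unsigned char *h = d->buf + off;
    if (read_le32(h) != LOCAL_SIG) return -1;
    uint16_t method   = read_le16(h + 8);
    uint32_t csize    = read_le32(h + 18);
    uint16_t namelen  = read_le16(h + 26);
    uint16_t extralen = read_le16(h + 28);
    size_t rest = d->len - off - LOCAL_HDR_LEN;     /* bytes after the header */
    if ((size_t)namelen + extralen > rest) return -1;
    if (csize > rest - namelen - extralen) return -1; /* data would run off the map */
    if (method != 0) return -1;                     /* example handles stored entries only */
    if (namelen >= namecap) return -1;
    memcpy(name, h + LOCAL_HDR_LEN, namelen);
    name[namelen] = '\0';
    e->data_off = off + LOCAL_HDR_LEN + namelen + extralen;
    e->stored = csize;
    e->pos = 0;
    return 0;
}

/* Copy up to `want` bytes of the member into `out`. The region is
 * re-checked against the mapping and `want` is clamped to what is stored,
 * so a caller's size can never select bytes past the end of the buffer. */
static long entry_fread(const disk_t *d, entry_t *e, unsigned char *out, size_t want)
{
    if (e->data_off > d->len || e->stored > d->len - e->data_off) return -1;
    if (e->pos > e->stored) return -1;
    size_t avail = e->stored - e->pos;
    if (want > avail) want = avail;
    memcpy(out, d->buf + e->data_off + e->pos, want);
    e->pos += want;
    return (long)want;
}

/* Reject names that could escape the extraction directory: absolute paths
 * and any ".." component, with '/' or '\\' accepted as separators. */
static int member_name_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/' || name[0] == '\\') return 0;
    for (const char *p = name; *p; ) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p) p++;
    }
    return 1;
}

/* Constructed sample (not a real archive): one pad byte, then a local
 * header for a stored 5-byte member "hello.txt". The pad byte puts every
 * multi-byte field at an odd address on purpose. */
static const unsigned char sample_zip[] = {
    'X',
    0x50,0x4b,0x03,0x04, 0x0a,0x00, 0x00,0x00, 0x00,0x00,   /* sig, version, flags, method */
    0x00,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,              /* time, date, crc (unchecked here) */
    0x05,0x00,0x00,0x00, 0x05,0x00,0x00,0x00,               /* compressed, uncompressed size */
    0x09,0x00, 0x00,0x00,                                   /* name length, extra length */
    'h','e','l','l','o','.','t','x','t',
    'h','e','l','l','o',
};

/* Parse the sample at offset 1 and read its payload; returns bytes read,
 * -1 on a bad header, -2 on an unsafe member name. */
static long demo_read(unsigned char *out, size_t cap, char *name, size_t namecap)
{
    disk_t d = { sample_zip, sizeof sample_zip };
    entry_t e;
    if (parse_local_header(&d, 1, &e, name, namecap) != 0) return -1;
    if (!member_name_is_safe(name)) return -2;
    return entry_fread(&d, &e, out, cap);
}

/* Same bytes with the compressed-size field bumped to 255: the parser
 * must refuse instead of reading past the end of the mapping. Returns 1
 * when the oversized header is rejected. */
static int demo_rejects_oversized(void)
{
    unsigned char tampered[sizeof sample_zip];
    memcpy(tampered, sample_zip, sizeof tampered);
    tampered[1 + 18] = 0xff;
    disk_t d = { tampered, sizeof tampered };
    entry_t e; char name[64];
    return parse_local_header(&d, 1, &e, name, sizeof name) == -1;
}

int main(void)
{
    unsigned char out[16]; char name[64];
    long n = demo_read(out, sizeof out, name, sizeof name);
    if (n > 0) printf("%s: %ld bytes: %.*s\n", name, n, (int)n, (const char *)out);
    printf("oversized csize rejected: %d\n", demo_rejects_oversized());
    printf("\"../etc/passwd\" safe: %d\n", member_name_is_safe("../etc/passwd"));
    return 0;
}
```

The two checks in parse_local_header are the ones the advisory text says were missing: the name, extra and data lengths are compared against the remaining mapped bytes, not against each other, and the later entry_fread repeats the bound because the entry could have been produced from a different (central directory) record than the one being read. The PoC linked in Comment 2 is the quick way to test a built library; the example is only meant to show what a correct reader has to verify.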
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Created a zip file (zip is not part of this update)
$ zip testzipDocs ~/Documenten/*
  adding: home/tester6/Documenten/180130-Overleg computervrijwilligers.doc (deflated 76%)
  adding: home/tester6/Documenten/abc-1.ppm (deflated 95%)
  adding: home/tester6/Documenten/Adressen Viaene.xls (deflated 70%)
  adding: home/tester6/Documenten/align.epsi (deflated 59%)
and more
then used zzdir (from this update)
$ zzdir testzipDocs.zip
 59392 defl:N 76% home/tester6/Documenten/180130-Overleg computervrijwilligers.doc
 6375K defl:N 95% home/tester6/Documenten/abc-1.ppm
 13312 defl:N 71% home/tester6/Documenten/Adressen Viaene.xls
  5347 defl:N 59% home/tester6/Documenten/align.epsi
and more, the list is correct.
Ref to bug 20285 and bug 20846: used swftools, which uses the library under test
$ cd Afbeeldingen/ (pictures)
$ jpeg2swf *.jpg
which produces output.swf
I have not found an alternative to gnash to display the swf file, but
$ swfdump output.swf
[HEADER]        File version: 4
[HEADER]        File size: 3308721
[HEADER]        Frame rate: 1.000000
[HEADER]        Frame count: 14
[HEADER]        Movie width: 3264.00
[HEADER]        Movie height: 2448.00
shows that there is content in the swf file
OK for me unless someone objects.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
When I was double checking the srpm while preparing to add the advisory to svn, I noticed the packages appeared to be new to Mageia 6. Then I realized it was renamed packages, so wanted to double check that the newly named packages would replace the existing packages properly.
# rpm -qa|grep zzip|sort
lib64zziplib0-0.13.62-8.mga6
lib64zziplib-devel-0.13.62-8.mga6
libzziplib0-0.13.62-8.mga6
libzziplib-devel-0.13.62-8.mga6
With updates testing enabled ...
[root@x6v ~]# urpmi zziplib-utils libzziplib-0_13 lib64zziplib-0_13
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  lib64SDL-devel                 1.2.15       19.mga6       x86_64
  lib64aa-devel                  1.4.0        0.rc5.31.mga6 x86_64
  lib64alsa2-devel               1.1.4.1      1.mga6        x86_64
  lib64bsd-devel                 0.8.3        1.mga6        x86_64
  lib64expat-devel               2.2.1        1.mga6        x86_64
  lib64ggi-devel                 2.2.2        24.mga6       x86_64
  lib64gpm-devel                 1.20.7       7.mga6        x86_64
  lib64pciaccess-devel           0.13.5       1.mga6        x86_64
  lib64slang-devel               2.3.0        1.mga6        x86_64
  lib64xau-devel                 1.0.8        7.mga6        x86_64
  lib64xcb-devel                 1.12         2.mga6        x86_64
  lib64xcb-screensaver0          1.12         2.mga6        x86_64
  lib64xcb-xf86dri0              1.12         2.mga6        x86_64
  lib64xcb-xtest0                1.12         2.mga6        x86_64
  lib64xcb-xvmc0                 1.12         2.mga6        x86_64
  lib64xdamage-devel             1.1.4        8.mga6        x86_64
  lib64xdmcp-devel               1.1.2        5.mga6        x86_64
  lib64xext-devel                1.3.3        4.mga6        x86_64
  lib64xfixes-devel              5.0.3        1.mga6        x86_64
  lib64xshmfence-devel           1.2          2.mga6        x86_64
  lib64xxf86dga-devel            1.1.4        6.mga6        x86_64
  lib64xxf86vm-devel             1.1.4        2.mga6        x86_64
  libpthread-stubs               0.3          7.mga6        x86_64
  x11-proto-devel                7.7          28.mga6       noarch
(medium "Core Updates (distrib3)")
  lib64drm-devel                 2.4.91       1.1.mga6      x86_64
  lib64glapi0-devel              17.3.9       1.mga6        x86_64
  lib64mesagl1-devel             17.3.9       1.mga6        x86_64
  lib64mesaglu1-devel            9.0.0        6.1.mga6      x86_64
  lib64x11-devel                 1.6.5        1.1.mga6      x86_64
(medium "Core Updates Testing (distrib5)")
  lib64gii-devel                 1.0.2        21.1.mga6     x86_64
  lib64gii1                      1.0.2        21.1.mga6     x86_64
  lib64zziplib-0_13              0.13.69      1.mga6        x86_64
  lib64zziplib-devel             0.13.69      1.mga6        x86_64
  libgii                         1.0.2        21.1.mga6     x86_64
  zziplib-utils                  0.13.69      1.mga6        x86_64
(medium "Core 32bit Updates Testing (distrib33)")
  libzziplib-0_13                0.13.69      1.mga6        i586
  libzziplib-devel               0.13.69      1.mga6        i586
12MB of additional disk space will be used.
4.2MB of packages will be retrieved.
Proceed with the installation of the 37 packages? (Y/n)
So it's trying to pull in other packages from the srpm libgii-1.0.2-21.1.mga6 which is also in updates testing, apparently from bug 23487, but which has not been assigned to qa.
Herman, can you confirm you tested without the updates testing versions of the libgii package installed? If not, either re-test, ensuring those updates have not been installed, or, if that fails, add 23487 to the depends on field for this bug report.
Removing the MGA6-32-OK whiteboard entry, pending confirmation.
Whiteboard: MGA6-32-OK => (none)
CC: (none) => davidwhodgins
libgii does not ring a bell to me, and bug 23487 is not in the update list. So I checked the bug itself. I can't remember seeing it, and I have made no entries in it, so I can reasonably conclude that I haven't done anything with libgii. I will try to check the package version on my testing laptop later in the day or tomorrow.
@Dave Hodgins, comment #16
mga6, x86_64
Before updates:
$ rpm -qa | grep zz
lib64zziplib-devel-0.13.62-8.mga6
lib64zziplib0-0.13.62-8.mga6
$ rpm -qa | grep gii
lib64gii1-1.0.2-21.mga6
CC: (none) => tarazed25
Re comment 18; not all that informative. Without zziplib installed lib64gii1 was already present.
$ urpme lib64gii1
offered to remove 49 packages - zziplib was not amongst them. There does not seem to be any demonstrable connection between zziplib and libgii.
But, libgii is among the dependencies when the zziplib development package is installed, which does not square with these:
$ urpmq --requires-recursive lib64zziplib0 | sort -u | grep gii
$ urpmq --requires-recursive lib64zziplib-devel | sort -u | grep gii
$
Comment 20 needs more clarification. Before the update neither libzziplib nor libzziplib-devel tried to install libgii packages. After the update the development package installed the three libgii packages.
I have libgii-1.0.2-21, so as I expected none of the updates of bug 23487.
In response to Comment 20, these packages are not new to Mageia 6 and they are not renamed, they just upgrade existing packages. Since the version was updated, it is possible that the dependency on libgii is new. However, the update in Bug 23487 was a simple subpackage interdependency fix, not a new major version, so this update should work fine with or without the update in that bug.
Whiteboard: (none) => MGA6-32-OK
mga6, x86_64 Ran POC tests for the various CVEs - report attached. Enabled updates testing and installed packages individually. zziplib-utils pulled in lib64gii1,libgii and lib64gii-devel as well as the main libraries. Ran the POC tests again - see attachment. The general impression is that the vulnerabilities have all been covered by the patches. With deference to Herman, passing on the utility tests. Good for 64-bits.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Created attachment 10751 [details] Shows results of POC tests for zziplib Includes a C script which needs to be compiled and recompiled for one of the POC.
This is a good case for using the qarepo package to install the updates. We have to ensure the update works with the existing version of libgii, and does not require the updates testing version to work. Whether it should work or not doesn't matter. We need to test that it does. Yes, the packages have been renamed. The rpm package libzziplib0 has been renamed to libzziplib-0_13. It does replace the existing package ok, so the rename is not a problem, but it's what prompted me to look closer at this update.
Hold the phone then. Is the 0_13 providing the same SONAME or does stuff need to be rebuilt?
Looks to me like the .so names are the same with just the version changed ...
[dave@x3 ~]$ urpmq -l libzziplib0|grep '13\.'
/usr/lib/libzzip-0.so.13.0.62
/usr/lib/libzzipfseeko-0.so.13.0.62
/usr/lib/libzzipmmapped-0.so.13.0.62
/usr/lib/libzzipwrap-0.so.13.0.62
[dave@x3 ~]$ urpmq -l libzziplib-0_13|grep '13\.'
/usr/lib/libzzip-0.so.13.0.69
/usr/lib/libzzipfseeko-0.so.13.0.69
/usr/lib/libzzipmmapped-0.so.13.0.69
/usr/lib/libzzipwrap-0.so.13.0.69
It appears to be just the package name and the directory name under /usr/share/doc/ that have changed. Testing using qarepo shortly.
Testing complete, ensuring no other packages from the testing repo included. Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0093.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
*** Bug 28081 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu