Bug 22570 - zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-16548, CVE-2018-17828
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], C...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-10 22:40 CET by David Walser
Modified: 2019-02-20 23:19 CET (History)
7 users (show)

See Also:
Source RPM: zziplib-0.13.62-9.mga7.src.rpm
CVE:
Status comment:


Attachments
Shows results of POC tests for zziplib (7.42 KB, text/plain)
2019-02-14 16:57 CET, Len Lawrence
Details

Description David Walser 2018-02-10 22:40:13 CET
Fedora has issued an advisory on February 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5NI6QBHJA6ZI7AYP4BYGADTML3F2LNO/

Mageia 5 and Mageia 6 may also be affected.
David Walser 2018-02-10 22:40:21 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-02-10 23:38:58 CET
Note that it may be that only 0.13.67 is affected, but it's not entirely clear.

There is a PoC linked from the upstream bug that confirm one way or another:
https://github.com/gdraheim/zziplib/issues/12

It should cause a segfault if vulnerable, so it should be pretty easy to test.

Status comment: (none) => We may not be vulnerable, but a PoC is available to test

Comment 2 Marja Van Waes 2018-02-11 17:35:54 CET
Assigning to the registered maintainer.

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 3 David Walser 2018-02-24 16:56:30 CET
Fedora has issued an advisory on February 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T5F2Q7GQYRYWHMTEF2OKBIHBBFV6SZBY/

Two more CVEs, also minor issues.  Fixed upstream in 0.13.68.

Summary: zziplib new security issue CVE-2018-6381 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6869

Comment 4 David Walser 2018-03-03 21:28:48 CET
openSUSE has issued an advisory on February 28:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00110.html

It fixes one additional issue, which openSUSE has a patch for.

Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6869 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869

Comment 5 David Walser 2018-04-14 03:41:25 CEST
openSUSE has issued an advisory today (April 13):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00031.html

It fixes two additional issues.

Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869, CVE-2018-772[56]

Comment 6 David Walser 2018-06-07 23:33:52 CEST
openSUSE has issued an advisory today (June 7):
https://lists.opensuse.org/opensuse-updates/2018-06/msg00017.html

It fixes one additional issue.

Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6869, CVE-2018-772[56] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[02], CVE-2018-6869, CVE-2018-772[56]

Comment 7 David Walser 2018-07-03 23:15:23 CEST
Ubuntu has issued an advisory for this today (July 3):
https://usn.ubuntu.com/3699-1/

It fixes one additional issue.

Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[02], CVE-2018-6869, CVE-2018-772[56] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[56]

Comment 8 David Walser 2018-08-02 18:11:55 CEST
Fedora has issued an advisory on July 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I6J523IVLVVPUEHRDYT54A5QOKM5XVTO/

It says 0.13.69 fixes all known CVEs.
Comment 9 David Walser 2018-10-15 22:35:46 CEST
Fedora advisory from September 13, same deal as Comment 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MKVLTCQZTM4IO2OP63CRKPLX6NQKLQ2O/

It also lists a new CVE.

Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[56] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7]

Comment 10 David Walser 2018-10-23 17:03:40 CEST
openSUSE has issued an advisory today (October 23):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00130.html

It fixes a new issue.

Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7] => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-17828

Comment 11 David GEIGER 2019-02-11 07:44:45 CET
All CVE should be fixed for Cauldron!

CC: (none) => geiger.david68210

Comment 12 David Walser 2019-02-11 13:24:53 CET
zziplib-0.13.69-1.mga7 has patches for CVE-2018-16548 and CVE-2018-17828.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Status comment: We may not be vulnerable, but a PoC is available to test => Mostly fixed in 0.13.69 with patches available for the rest

Comment 13 David GEIGER 2019-02-11 17:32:01 CET
So now fixed for mga6 too!
Comment 14 David Walser 2019-02-11 20:21:14 CET
Advisory:
========================

Updated zziplib packages fix security vulnerabilities:

In ZZIPlib 0.13.67, there is a segmentation fault caused by invalid memory
access in the zzip_disk_fread function (zzip/mmapped.c) because the size
variable is not validated against the amount of file->stored data
(CVE-2018-6381).

An unaligned memory access bug was found in the way ZZIPlib handled ZIP files.
This flaw could potentially be used to crash the application using ZZIPlib by
tricking the application into processing specially crafted ZIP files
(CVE-2018-6484).

In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned
address in the zzip_disk_findfirst function of zzip/mmapped.c. Remote
attackers could leverage this vulnerability to cause a denial of service via a
crafted zip file (CVE-2018-6540).

A flaw was found in ZZIPlib 0.13.67, there is a bus error caused by loading of
a misaligned address (when handling disk64_trailer local entries) in
__zzip_fetch_disk_trailer (zzip/zip.c). Remote attackers could leverage this
vulnerability to cause a denial of service via a crafted zip file
(CVE-2018-6541).

In ZZIPlib 0.13.67, there is a bus error (when handling a disk64_trailer seek
value) caused by loading of a misaligned address in the zzip_disk_findfirst
function of zzip/mmapped.c (CVE-2018-6542).

An uncontrolled memory allocation was found in ZZIPlib that could lead to a
crash in the __zzip_parse_root_directory function of zzip/zip.c if the package
is compiled with Address Sanitizer. Remote attackers could leverage this
vulnerability to cause a denial of service via a crafted zip file
(CVE-2018-6869).

An out of bounds read was found in function zzip_disk_fread of ZZIPlib, up to
0.13.68, when ZZIPlib mem_disk functionality is used. Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted zip
file (CVE-2018-7725).

An improper input validation was found in function __zzip_fetch_disk_trailer
of ZZIPlib, up to 0.13.68, that could lead to a crash in
__zzip_parse_root_directory function of zzip/zip.c. Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted zip
file (CVE-2018-7726).

A memory leak was found in unzip-mem.c and unzzip-mem.c of ZZIPlib, up to
v0.13.68, that could lead to resource exhaustion. Local attackers could
leverage this vulnerability to cause a denial of service via a crafted zip
file (CVE-2018-7727).

An issue was discovered in ZZIPlib through 0.13.69. There is a memory leak
triggered in the function __zzip_parse_root_directory in zip.c, which could
lead to a denial of service attack (CVE-2018-16548).

A flaw was found in ZZIPlib 0.13.69. A directory traversal vulnerability
allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip
file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file
(CVE-2018-17828).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17828
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5NI6QBHJA6ZI7AYP4BYGADTML3F2LNO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T5F2Q7GQYRYWHMTEF2OKBIHBBFV6SZBY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I6J523IVLVVPUEHRDYT54A5QOKM5XVTO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MKVLTCQZTM4IO2OP63CRKPLX6NQKLQ2O/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16548
https://lists.opensuse.org/opensuse-updates/2018-02/msg00110.html
https://lists.opensuse.org/opensuse-updates/2018-06/msg00017.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00130.html
========================

Updated packages in core/updates_testing:
========================
zziplib-utils-0.13.69-1.mga6
libzziplib-0_13-0.13.69-1.mga6
libzziplib-devel-0.13.69-1.mga6

from zziplib-0.13.69-1.mga6.src.rpm

CC: (none) => mageia
Assignee: mageia => qa-bugs
Status comment: Mostly fixed in 0.13.69 with patches available for the rest => (none)
Summary: zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-17828 => zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-16548, CVE-2018-17828

Comment 15 Herman Viaene 2019-02-12 12:13:14 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Created a zip file (zip is not part of this update)
$ zip testzipDocs ~/Documenten/*
  adding: home/tester6/Documenten/180130-Overleg computervrijwilligers.doc (deflated 76%)
  adding: home/tester6/Documenten/abc-1.ppm (deflated 95%)
  adding: home/tester6/Documenten/Adressen Viaene.xls (deflated 70%)
  adding: home/tester6/Documenten/align.epsi (deflated 59%)
and more
then used zzdir (from this update)
$ zzdir testzipDocs.zip 
 59392 defl:N    76% home/tester6/Documenten/180130-Overleg computervrijwilligers.doc
 6375K defl:N    95% home/tester6/Documenten/abc-1.ppm
 13312 defl:N    71% home/tester6/Documenten/Adressen Viaene.xls
  5347 defl:N    59% home/tester6/Documenten/align.epsi
and more, the list is corect.
Ref to bug20285 and bug 20846
used swftools which uses the library under test
$ cd Afbeeldingen/ (pictures)
$ jpeg2swf *.jpg
which produces output.swf
I have not found an alternative to gnash to disply the swf file,
but
$ swfdump output.swf 
[HEADER]        File version: 4
[HEADER]        File size: 3308721
[HEADER]        Frame rate: 1.000000
[HEADER]        Frame count: 14
[HEADER]        Movie width: 3264.00
[HEADER]        Movie height: 2448.00
shows that there is content in the swf file
OK for me unless someone objects.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 16 Dave Hodgins 2019-02-14 07:47:34 CET
When I was double checking the srpm while preparing to add the advisory to svn,
I noticed the packages appeared to be new to Mageia 6. Then I realized it was
renamed packages, so wanted to double check that the newly named packages would
replace the existing packages properly.

# rpm -qa|grep zzip|sort
lib64zziplib0-0.13.62-8.mga6
lib64zziplib-devel-0.13.62-8.mga6
libzziplib0-0.13.62-8.mga6
libzziplib-devel-0.13.62-8.mga6

With updates testing enabled ...
[root@x6v ~]# urpmi zziplib-utils libzziplib-0_13 lib64zziplib-0_13 
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  lib64SDL-devel                 1.2.15       19.mga6       x86_64  
  lib64aa-devel                  1.4.0        0.rc5.31.mga6 x86_64  
  lib64alsa2-devel               1.1.4.1      1.mga6        x86_64  
  lib64bsd-devel                 0.8.3        1.mga6        x86_64  
  lib64expat-devel               2.2.1        1.mga6        x86_64  
  lib64ggi-devel                 2.2.2        24.mga6       x86_64  
  lib64gpm-devel                 1.20.7       7.mga6        x86_64  
  lib64pciaccess-devel           0.13.5       1.mga6        x86_64  
  lib64slang-devel               2.3.0        1.mga6        x86_64  
  lib64xau-devel                 1.0.8        7.mga6        x86_64  
  lib64xcb-devel                 1.12         2.mga6        x86_64  
  lib64xcb-screensaver0          1.12         2.mga6        x86_64  
  lib64xcb-xf86dri0              1.12         2.mga6        x86_64  
  lib64xcb-xtest0                1.12         2.mga6        x86_64  
  lib64xcb-xvmc0                 1.12         2.mga6        x86_64  
  lib64xdamage-devel             1.1.4        8.mga6        x86_64  
  lib64xdmcp-devel               1.1.2        5.mga6        x86_64  
  lib64xext-devel                1.3.3        4.mga6        x86_64  
  lib64xfixes-devel              5.0.3        1.mga6        x86_64  
  lib64xshmfence-devel           1.2          2.mga6        x86_64  
  lib64xxf86dga-devel            1.1.4        6.mga6        x86_64  
  lib64xxf86vm-devel             1.1.4        2.mga6        x86_64  
  libpthread-stubs               0.3          7.mga6        x86_64  
  x11-proto-devel                7.7          28.mga6       noarch  
(medium "Core Updates (distrib3)")
  lib64drm-devel                 2.4.91       1.1.mga6      x86_64  
  lib64glapi0-devel              17.3.9       1.mga6        x86_64  
  lib64mesagl1-devel             17.3.9       1.mga6        x86_64  
  lib64mesaglu1-devel            9.0.0        6.1.mga6      x86_64  
  lib64x11-devel                 1.6.5        1.1.mga6      x86_64  
(medium "Core Updates Testing (distrib5)")
  lib64gii-devel                 1.0.2        21.1.mga6     x86_64  
  lib64gii1                      1.0.2        21.1.mga6     x86_64  
  lib64zziplib-0_13              0.13.69      1.mga6        x86_64  
  lib64zziplib-devel             0.13.69      1.mga6        x86_64  
  libgii                         1.0.2        21.1.mga6     x86_64  
  zziplib-utils                  0.13.69      1.mga6        x86_64  
(medium "Core 32bit Updates Testing (distrib33)")
  libzziplib-0_13                0.13.69      1.mga6        i586    
  libzziplib-devel               0.13.69      1.mga6        i586    
12MB of additional disk space will be used.
4.2MB of packages will be retrieved.
Proceed with the installation of the 37 packages? (Y/n)

So it's trying to pull in other packages from the srpm libgii-1.0.2-21.1.mga6
which is also in updates testing, apparently from bug 23487, but which has not
been assigned to qa.

Herman, can you confirm you tested without the updates testing versions of
the libgii package installed? If not, either re-test, ensuring those updates
have not been installed, or, if that fails, add 23487 to the depends on field
for this bug report. Removing the MGA6-32-OK whiteboard entry, pending
confirmation.

CC: (none) => davidwhodgins
Whiteboard: MGA6-32-OK => (none)

Comment 17 Herman Viaene 2019-02-14 09:41:25 CET
libgii does not ring a bell to me, and bug 23487 is not in the update list. So I ckecked the bug itself. I cann't remember seeing it, and I have made no entries in it, so I can reasonably conclude that I haven't done anything with libgii. I will try yo check the package version on my testing laptop later in the day or tomorrow.
Comment 18 Len Lawrence 2019-02-14 10:25:02 CET
@Dave Hodgins, comment #16
mga6, x86_64
Before updates:
$ rpm -qa | grep zz
lib64zziplib-devel-0.13.62-8.mga6
lib64zziplib0-0.13.62-8.mga6
$ rpm -qa | grep gii
lib64gii1-1.0.2-21.mga6

CC: (none) => tarazed25

Comment 19 Len Lawrence 2019-02-14 10:45:29 CET
Re comment 18; not all that informative.
Without zziplib installed lib64gii1 was already present.
$ urpme lib64gii1 
offered to remove 49 packages - zziplib was not amongst them.
There does not seem to be any demonstrable connection between zziplib and libgii.
Comment 20 Len Lawrence 2019-02-14 11:07:18 CET
But, libgii is among the dependencies when the zziplib development package is installed, which does not square with these:
$ urpmq --requires-recursive lib64zziplib0 | sort -u | grep gii
$ urpmq --requires-recursive lib64zziplib-devel | sort -u | grep gii
$
Comment 21 Len Lawrence 2019-02-14 11:33:55 CET
Comment 20 needs more clarification.

Before the update neither libzziplib nor libzzlib-devel tried to install libgii packages.  After the update the development package installed the three libgii packages.
Comment 22 Herman Viaene 2019-02-14 14:04:04 CET
I have libgii-1.0.2-21, so as I expected none of the updates of bug 23487.
Comment 23 David Walser 2019-02-14 14:07:04 CET
In response to Comment 20, these packages are not new to Mageia 6 and they are not renamed, they just upgrade existing packages.  Since the version was updated, it is possible that the dependency on libgii is new.  However, the update in Bug 23487 was a simple subpackage interdependency fix, not a new major version, so this update should work fine with or without the update in that bug.

Whiteboard: (none) => MGA6-32-OK

Comment 24 Len Lawrence 2019-02-14 16:54:50 CET
mga6, x86_64
Ran POC tests for the various CVEs - report attached.
Enabled updates testing and installed packages individually.
zziplib-utils pulled in lib64gii1,libgii and lib64gii-devel as well as the main libraries.

Ran the POC tests again - see attachment.
The general impression is that the vulnerabilities have all been covered by the patches.

With deference to Herman, passing on the utility tests.

Good for 64-bits.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 25 Len Lawrence 2019-02-14 16:57:08 CET
Created attachment 10751 [details]
Shows results of POC tests for zziplib

Includes a C script  which needs to be compiled and recompiled for one of the POC.
Comment 26 Dave Hodgins 2019-02-14 19:44:34 CET
This is a good case for using the qarepo package to install the updates.
We have to ensure the update works with the existing version of libgii, and
does not require the updates testing version to work. Whether is should work
or not, doesn't matter. We need to test it that it does.

Yes the packages have been renamed. The rpm package libzziplib0 has been
renamed to libzziplib-0_13.

It does replace the existing package ok, so the rename is not a problem, but
it's what prompted me to look closer at this update.
Comment 27 David Walser 2019-02-14 20:05:37 CET
Hold the phone then.  Is the 0_13 providing the same SONAME or does stuff need to be rebuilt?
Comment 28 Dave Hodgins 2019-02-20 20:48:45 CET
Looks to me like the .so names are the same with just the version changed ...
[dave@x3 ~]$ urpmq -l libzziplib0|grep '13\.'
/usr/lib/libzzip-0.so.13.0.62
/usr/lib/libzzipfseeko-0.so.13.0.62
/usr/lib/libzzipmmapped-0.so.13.0.62
/usr/lib/libzzipwrap-0.so.13.0.62
[dave@x3 ~]$ urpmq -l libzziplib-0_13|grep '13\.'
/usr/lib/libzzip-0.so.13.0.69
/usr/lib/libzzipfseeko-0.so.13.0.69
/usr/lib/libzzipmmapped-0.so.13.0.69
/usr/lib/libzzipwrap-0.so.13.0.69

It appears to be just the package name and the directory name under
/usr/share/doc/ that have changed.

Testing using qarepo shortly.
Comment 29 Dave Hodgins 2019-02-20 21:30:44 CET
Testing complete, ensuring no other packages from the testing repo included.
Advisory committed to svn.
Validating the update.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 30 Mageia Robot 2019-02-20 23:19:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0093.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.