Ubuntu has issued an advisory on February 14: https://usn.ubuntu.com/usn/usn-3570-1/ The issue is fixed upstream in 2.1. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Fixed upstream in 2.1
Whiteboard: (none) => MGA6TOO
Updated to 2.1 in Cauldron.
advancecomp-1.20-3.1.mga6 is available in updates_testing. I'll try to come up with a test plan. Do we care about mga5 any longer?
Created attachment 9998 [details]
POC bad zip file

Here's a QA test procedure. With the valgrind package installed, run this command after downloading the bug attachment to the current directory:

    valgrind advzip -l CVE-2018-1056.zip

A vulnerable advancecomp will result in "Source and destination overlap", "Invalid read" and other valgrind errors, and at the end will display the message "Invalid end of central dir signature on CVE-2018-1056.zip". A fixed advancecomp will not display any valgrind errors and at the end will display the message "Invalid central directory data on CVE-2018-1056.zip".
Assignee: dan => qa-bugs
Whiteboard: MGA6TOO => MGA6TOO, has_procedure
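The QA procedure above tells a vulnerable build from a fixed one by whether advzip rejects the ZIP central directory instead of copying it. As an added example that is not part of this bug report or of the AdvanceCOMP project, the Python validator below shows the kind of bounds check a ZIP reader needs on the end-of-central-directory (EOCD) record: the central directory's offset and size must fit entirely before the EOCD record, and the file is rejected otherwise. The status strings, the function names (validate_eocd, make_zip, corrupt_eocd) and the corrupted sample archives, built in memory with the standard zipfile module, are this example's own constructions and do not reproduce the attached PoC.

```python
import io
import struct
import zipfile
from typing import Optional

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature (0x06054b50 little-endian)
EOCD_FIXED_LEN = 22         # signature plus fixed fields; an optional comment follows
MAX_COMMENT = 0xFFFF        # the comment length field is 16 bits


def validate_eocd(data: bytes) -> str:
    """Return "ok", or a short reason why the central directory must not be trusted.

    Every check here is this example's own policy for a defensive parser;
    it is not AdvanceCOMP's code.
    """
    # The EOCD record sits at the end of the file, possibly followed by a comment,
    # so search backwards over the largest region a comment could occupy.
    tail = data[-(EOCD_FIXED_LEN + MAX_COMMENT):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        return "invalid end of central dir signature"
    eocd_off = len(data) - len(tail) + idx
    if eocd_off + EOCD_FIXED_LEN > len(data):
        return "truncated end of central dir record"
    (disk_no, cd_disk, entries_disk, entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, eocd_off + 4)
    if eocd_off + EOCD_FIXED_LEN + comment_len != len(data):
        return "comment length does not match file size"
    if disk_no != 0 or cd_disk != 0:
        return "multi-disk archives not supported"
    if entries_disk != entries_total:
        return "entry counts disagree"
    # The central directory must lie entirely before the EOCD record. Bounding
    # cd_offset first and then comparing cd_size against the remaining room is
    # the form that stays safe from integer wrap-around when written in C.
    if cd_offset > eocd_off or cd_size > eocd_off - cd_offset:
        return "invalid central directory data"
    return "ok"


def make_zip() -> bytes:
    """Constructed sample: a valid one-entry archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "hello from a constructed test archive\n")
    return buf.getvalue()


def corrupt_eocd(data: bytes, cd_size: Optional[int] = None,
                 cd_offset: Optional[int] = None) -> bytes:
    """Constructed bad input: overwrite the EOCD's central-directory size and/or offset."""
    eocd_off = data.rfind(EOCD_SIG)
    buf = bytearray(data)
    if cd_size is not None:
        struct.pack_into("<I", buf, eocd_off + 12, cd_size)    # cd_size field
    if cd_offset is not None:
        struct.pack_into("<I", buf, eocd_off + 16, cd_offset)  # cd_offset field
    return bytes(buf)


if __name__ == "__main__":
    good = make_zip()
    print("good archive:       ", validate_eocd(good))
    print("oversized cd_size:  ", validate_eocd(corrupt_eocd(good, cd_size=0xFFFF)))
    print("cd_offset past EOCD:", validate_eocd(corrupt_eocd(good, cd_offset=len(good))))
    print("not a zip:          ", validate_eocd(b"not a zip"))
```

The validator returns a reason string rather than raising, so the same function can be run over a directory of archives to list the ones a stricter reader would refuse before any bytes of the central directory are copied.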
Suggested advisory:
========================

Updated advancecomp to fix a security vulnerability.

Joonun Jang discovered a vulnerability in AdvanceCOMP that could be used to crash or run programs if it opened a specially crafted ZIP file.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1056

Updated packages in core/updates_testing:
========================
advancecomp-1.20-3.1.mga6

Source RPMs:
advancecomp-1.20-3.1.mga6.src.rpm
CC: (none) => dan
Mageia 6 :: x86_64

Installed advancecomp and downloaded the POC file.
Ran the advzip program under valgrind:

$ valgrind advzip -l CVE-2018-1056.zip
...............
==16993== Source and destination overlap in memcpy(0x5eba3f0, 0x5eba11e, 65535)
==16993==    at 0x4C2C333: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16993==    by 0x40A9AF: ??? (in /usr/bin/advzip)
...............
==16993== Invalid read of size 1
==16993==    at 0x4C2C474: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
...............
==16993==    by 0x5B155FF: (below main) (in /usr/lib64/libc-2.22.so)
==16993== Invalid end of central dir signature on CVE-2018-1056.zip
==16993==

Updated the package to advancecomp-1.20-3.1.mga6 and ran the test again.

==29284== Command: advzip -l CVE-2018-1056.zip
==29284==
Invalid central directory data on CVE-2018-1056.zip

Thanks Dan for the POC test. The updated package works as you said.

Looks like there are four utilities associated with this package:

$ ls /bin/adv*
/bin/advdef*  /bin/advmng*  /bin/advpng*  /bin/advzip*

$ urpmq -i advancecomp
..............
AdvanceCOMP contains recompression utilities for your .zip archives, .png images, .mng video clips and .gz files.

$ advpng -l Comet67P.png
IHDR 13 width:1024 height:768 depth:8 color_type:6 compression:0 filter:0 interlace:0
bKGD 6
pHYs 9
tIME 7
IDAT 8192
............

Used ffmpeg to split an mp4 clip into a sequence of PNG images.

$ ffmpeg -i AlainaHuffman.mp4 -vframes 80 Alaina%03d.png -hide_banner
$ advpng -z -2 -q -f Alaina*.png

This compressed the first 16 files only - ???

Create an MNG file from all the PNG files.
$ advmng -a 16 alaina.mng Alaina*.png

The same with zlib compression:
$ advmng -1 -a 16 alainaz.mng Alaina*.png

Running the "insane" compression option, which took a long time:
$ advmng -4 -a 16 alainax.mng Alaina*.png

$ ll alaina*.mng AlainaHuffman.mp4
-rw-r--r-- 1 lcl lcl 2058636 Feb 21 09:34 AlainaHuffman.mp4
-rw-r--r-- 1 lcl lcl 4005271 Feb 21 10:13 alaina.mng
-rw-r--r-- 1 lcl lcl 3893623 Feb 21 10:21 alainax.mng
-rw-r--r-- 1 lcl lcl 4189083 Feb 21 10:23 alainaz.mng

$ advmng -l alainax.mng
MHDR 28 width:600 height:340 frequency:16 simplicity:615(bit,0,1,2,5,6,9)
FRAM 1 mode:1
DEFI 4 id:1 visible:yes concrete:concrete
IHDR 13 width:600 height:340 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT 626
IEND 0
FRAM 1 mode:1
DHDR 4 id:1 img:png delta:no_change
IEND 0
............................

That is enough to show that the utilities work.
Whiteboard: MGA6TOO, has_procedure => MGA6TOO, has_procedure MGA6-64-OK
CC: (none) => tarazed25
CC: (none) => tmb
Whiteboard: MGA6TOO, has_procedure MGA6-64-OK => has_procedure MGA6-64-OK
Version: Cauldron => 6
(In reply to Dan Fandrich from comment #2)
> Do we care about mga5 any longer?

Not for this package. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0141.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED