Bug 22612 - advancecomp new security issue CVE-2018-1056
Summary: advancecomp new security issue CVE-2018-1056
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-16 21:08 CET by David Walser
Modified: 2018-02-25 00:26 CET

See Also:
Source RPM: advancecomp-2.0-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 2.1


Attachments
POC bad zip file (156 bytes, application/octet-stream)
2018-02-21 01:12 CET, Dan Fandrich

Description David Walser 2018-02-16 21:08:18 CET
Ubuntu has issued an advisory on February 14:
https://usn.ubuntu.com/usn/usn-3570-1/

The issue is fixed upstream in 2.1.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-16 21:08:29 CET

Status comment: (none) => Fixed upstream in 2.1
Whiteboard: (none) => MGA6TOO

Comment 1 Dan Fandrich 2018-02-21 00:00:56 CET
Updated to 2.1 in Cauldron.
Comment 2 Dan Fandrich 2018-02-21 00:41:23 CET
advancecomp-1.20-3.1.mga6 is available in updates_testing. I'll try to come up with a test plan. Do we care about mga5 any longer?
Comment 3 Dan Fandrich 2018-02-21 01:12:55 CET
Created attachment 9998
POC bad zip file

Here's a QA test procedure. With the valgrind package installed, run this command after downloading the bug attachment to the current directory:

valgrind advzip -l CVE-2018-1056.zip

A vulnerable advancecomp will result in "Source and destination overlap", "Invalid read" and other valgrind errors, and at the end will display the message "Invalid end of central dir signature on CVE-2018-1056.zip". A fixed advancecomp will not display any valgrind errors and at the end will display the message "Invalid central directory data on CVE-2018-1056.zip".
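The kind of bounds check behind the fixed tool's "Invalid central directory data" outcome, as an added Python example (not advancecomp's own code): an end-of-central-directory (EOCD) parser that validates the 16-bit comment length and the central-directory offset and size against the bytes actually present before using them. That the original defect is a trusted comment length is an inference from the memcpy(..., 65535) in the valgrind output, not something this report states; the sample archives are constructed in the block.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature
EOCD_FIXED_LEN = 22       # fixed part of the EOCD record, before the comment
MAX_COMMENT = 0xFFFF      # the comment length is a 16-bit field


def find_eocd(data: bytes) -> int:
    """Scan backwards for the EOCD; a trailing comment may follow it."""
    start = max(0, len(data) - EOCD_FIXED_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0:
        raise ValueError("Invalid end of central dir signature")
    return pos


def parse_eocd(data: bytes) -> dict:
    """Parse the EOCD, refusing any length field that points past the buffer."""
    pos = find_eocd(data)
    if pos + EOCD_FIXED_LEN > len(data):
        raise ValueError("Invalid central directory data")  # truncated record
    (_disk, _cd_disk, _entries_disk, entries, cd_size, cd_offset,
     comment_len) = struct.unpack("<HHHHIIH", data[pos + 4:pos + EOCD_FIXED_LEN])
    # comment_len is attacker controlled: copy only bytes that really exist
    # instead of trusting the field (inferred from the memcpy(..., 65535) above).
    if pos + EOCD_FIXED_LEN + comment_len > len(data):
        raise ValueError("Invalid central directory data")
    # The central directory must lie inside the file, ahead of the EOCD.
    if cd_offset + cd_size > pos:
        raise ValueError("Invalid central directory data")
    comment = data[pos + EOCD_FIXED_LEN:pos + EOCD_FIXED_LEN + comment_len]
    return {"entries": entries, "cd_size": cd_size, "cd_offset": cd_offset, "comment": comment}


def check_zip(data: bytes) -> str:
    """Return "ok" or the error message, mirroring the two advzip -l outcomes."""
    try:
        parse_eocd(data)
        return "ok"
    except ValueError as err:
        return str(err)


def make_samples() -> tuple:
    """Constructed samples: a valid one-file archive, and a copy whose EOCD comment-length field (last two bytes) claims 65535 bytes that are not there."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "hello")
    good = buf.getvalue()
    bad = good[:-2] + b"\xff\xff"
    return good, bad
```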
Dan Fandrich 2018-02-21 01:15:49 CET

Assignee: dan => qa-bugs
Whiteboard: MGA6TOO => MGA6TOO, has_procedure

Comment 4 Dan Fandrich 2018-02-21 01:21:02 CET
Suggested advisory:
========================
Updated advancecomp to fix a security vulnerability.

Joonun Jang discovered a vulnerability in AdvanceCOMP that could be used to crash or run programs if it opened a specially crafted ZIP file.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1056

Updated packages in core/updates_testing:
========================
advancecomp-1.20-3.1.mga6

Source RPMs:
advancecomp-1.20-3.1.mga6.src.rpm

CC: (none) => dan

Comment 5 Len Lawrence 2018-02-21 11:31:16 CET
Mageia 6 :: x86_64

Installed advancecomp and downloaded the POC file.
Ran the advzip program under valgrind:
$ valgrind advzip -l CVE-2018-1056.zip
...............
==16993== Source and destination overlap in memcpy(0x5eba3f0, 0x5eba11e, 65535)
==16993==    at 0x4C2C333: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16993==    by 0x40A9AF: ??? (in /usr/bin/advzip)
...............
==16993== Invalid read of size 1
==16993==    at 0x4C2C474: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
...............
==16993==    by 0x5B155FF: (below main) (in /usr/lib64/libc-2.22.so)
==16993== 
Invalid end of central dir signature on CVE-2018-1056.zip
==16993== 

Updated the package to advancecomp-1.20-3.1.mga6 and ran the test again.

==29284== Command: advzip -l CVE-2018-1056.zip
==29284== 
Invalid central directory data on CVE-2018-1056.zip

Thanks, Dan, for the POC test. The updated package works as you said.

Looks like there are four utilities associated with this package:
$ ls /bin/adv*
/bin/advdef*  /bin/advmng*  /bin/advpng*  /bin/advzip*
$ urpmq -i advancecomp
..............
AdvanceCOMP contains recompression utilities for your .zip
archives, .png images, .mng video clips and .gz files.

$ advpng -l Comet67P.png
IHDR      13 width:1024 height:768 depth:8 color_type:6 compression:0 filter:0 interlace:0
bKGD       6
pHYs       9
tIME       7
IDAT    8192
............

Used ffmpeg to split an mp4 clip into a sequence of PNG images.
$ ffmpeg -i AlainaHuffman.mp4 -vframes 80 Alaina%03d.png -hide_banner
$ advpng -z -2 -q -f Alaina*.png
This compressed the first 16 files only - ???
Create an MNG file from all the PNG files.
$ advmng -a 16 alaina.mng Alaina*.png
The same with zlib compression:
$ advmng -1 -a 16 alainaz.mng Alaina*.png
Running the "insane" compression option, which took a long time:
$ advmng -4 -a 16 alainax.mng Alaina*.png
$ ll alaina*.mng AlainaHuffman.mp4
-rw-r--r-- 1 lcl lcl 2058636 Feb 21 09:34 AlainaHuffman.mp4
-rw-r--r-- 1 lcl lcl 4005271 Feb 21 10:13 alaina.mng
-rw-r--r-- 1 lcl lcl 3893623 Feb 21 10:21 alainax.mng
-rw-r--r-- 1 lcl lcl 4189083 Feb 21 10:23 alainaz.mng
$ advmng -l alainax.mng
MHDR      28 width:600 height:340 frequency:16 simplicity:615(bit,0,1,2,5,6,9)
FRAM       1 mode:1
DEFI       4 id:1 visible:yes concrete:concrete
IHDR      13 width:600 height:340 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT     626
IEND       0
FRAM       1 mode:1
DHDR       4 id:1 img:png delta:no_change
IEND       0
............................

That is enough to show that the utilities work.

Whiteboard: MGA6TOO, has_procedure => MGA6TOO, has_procedure MGA6-64-OK
CC: (none) => tarazed25

Thomas Backlund 2018-02-22 21:13:16 CET

CC: (none) => tmb
Whiteboard: MGA6TOO, has_procedure MGA6-64-OK => has_procedure MGA6-64-OK
Version: Cauldron => 6

Comment 6 David Walser 2018-02-23 15:59:00 CET
(In reply to Dan Fandrich from comment #2)
> Do we care about mga5 any longer?

Not for this package.  Thanks!
Len Lawrence 2018-02-23 16:15:40 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-02-24 19:34:42 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2018-02-25 00:26:27 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0141.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

