Bug 23126 - scummvm new security issue CVE-2017-17528
Summary: scummvm new security issue CVE-2017-17528
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 18:08 CEST by David Walser
Modified: 2018-06-14 20:15 CEST

See Also:
Source RPM: scummvm-1.8.1-1.mga6.src.rpm
CVE: CVE-2017-17528
Status comment: Patches available from upstream and Fedora



Description David Walser 2018-06-07 18:08:59 CEST
Fedora has issued an advisory on May 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PIW5FWQCDBCYOXITAHY7KFYRXUAJJ2U4/

According to SUSE, 1.8.1 is affected but backporting the fix is too difficult.  Fedora updated to 2.0.0 and applied upstream patches.

Comment 1 David Walser 2018-06-07 18:10:30 CEST
SUSE bug:
https://bugzilla.novell.com/show_bug.cgi?id=1073248

Fedora commit:
https://src.fedoraproject.org/cgit/rpms/scummvm.git/commit/?h=f27&id=3d475bb40e2d7a92d31e764115bfd54b65ffc26a

CC: (none) => lists.jjorge
Status comment: (none) => Patches available from upstream and Fedora

Comment 2 Rémi Verschelde 2018-06-08 08:46:18 CEST
I know a ScummVM upstream maintainer, I'll ask him if it's safe for users to upgrade to 2.0.0 or if he wants to help me backport the patch to 1.8.1.

Comment 3 Rémi Verschelde 2018-06-08 13:15:26 CEST
Patched scummvm-2.0.0-3.mga7 pushed to Cauldron, with the addition of FreeType2 support (which adds one scummvm engine).

I'm pushing the same version to Mageia 6 as scummvm-2.0.0-1.mga6.


Advisory:
=========

Updated scummvm package fixes security vulnerability

  ScummVM 1.8.1's POSIX backend does not validate strings before launching the
  program specified by the BROWSER environment variable, which might allow remote
  attackers to conduct argument-injection attacks via a crafted URL.

  This update fixes it, and updates ScummVM to the latest 2.0.0 upstream release,
  adding support for 23 new games, and several bug fixes.

References:
 - https://bugzilla.novell.com/show_bug.cgi?id=1073248
 - https://www.scummvm.org/news/20171217/

SRPM in core/updates_testing:
=============================

scummvm-2.0.0-1.mga6

RPM in core/updates_testing:
============================

scummvm-2.0.0-1.mga6

Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde

Comment 4 Rémi Verschelde 2018-06-08 13:16:22 CEST
Forgot to mention the CVE number in the advisory, new one:

Advisory:
=========

Updated scummvm package fixes security vulnerability

  ScummVM 1.8.1's POSIX backend does not validate strings before launching the
  program specified by the BROWSER environment variable, which might allow remote
  attackers to conduct argument-injection attacks via a crafted URL
  (CVE-2017-17528).

  This update fixes it, and updates ScummVM to the latest 2.0.0 upstream release,
  adding support for 23 new games, and several bug fixes.

References:
 - https://bugzilla.novell.com/show_bug.cgi?id=1073248
 - https://www.scummvm.org/news/20171217/

CVE: (none) => CVE-2017-17528
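
Added example, not part of this bug report and not the ScummVM, Fedora or Mageia patch: one way to guard against the argument injection described in the advisory above is to validate the URL and start the BROWSER program with a separate argument vector instead of a shell command line. The names url_is_safe and open_url, the allow-list rules, and treating BROWSER as a single program name are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 only for an http(s) URL made of printable ASCII with no
 * spaces or quoting characters; everything else is refused. */
int url_is_safe(const char *url)
{
    size_t skip;
    if (url == NULL)
        return 0;
    if (strncmp(url, "https://", 8) == 0)
        skip = 8;
    else if (strncmp(url, "http://", 7) == 0)
        skip = 7;
    else
        return 0;   /* no scheme: also rejects strings starting with '-' */
    if (url[skip] == '\0')
        return 0;   /* scheme with nothing after it */
    for (const unsigned char *p = (const unsigned char *)url + skip; *p; p++) {
        if (*p <= 0x20 || *p >= 0x7f || strchr("\"'`\\", *p) != NULL)
            return 0;   /* whitespace, control, non-ASCII, quoting bytes */
    }
    return 1;
}

/* Hypothetical launcher: returns the browser's exit status, or -1 if the
 * URL is refused, BROWSER is unset, or the process cannot be started. */
int open_url(const char *url)
{
    const char *browser = getenv("BROWSER");
    int status;
    if (browser == NULL || *browser == '\0' || !url_is_safe(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* One argv slot per value, so the URL cannot split into options. */
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```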

Comment 5 PC LX 2018-06-09 13:00:02 CEST
Installed and tested without issue.

Tested using several games downloaded from https://www.scummvm.org/games/

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q scummvm
scummvm-2.0.0-1.mga6

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK

Comment 6 claire robinson 2018-06-14 18:10:12 CEST
Validating
claire robinson 2018-06-14 18:10:45 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2018-06-14 18:27:56 CEST
Advisoried from comment 4

Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-06-14 20:15:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0278.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

